
i want to upgrade to windows 7 from xp computer hit by malware/virus


10 replies to this topic

#1 krzyzmo

krzyzmo

  • Members
  • 7 posts
  • Local time:04:36 PM

Posted 13 August 2014 - 03:33 PM

My Panasonic Toughbook CF-29 running XP 32-bit got hit by something really nasty which disabled my CD-ROM from reading that there is a disc loaded, can't get "factory restore" to work, can't open or transfer files, can't add a program to fix the problem, etc.

 

I am giving up trying to save the files and want to load Windows 7 which i have a disc and key for and move on.

I am looking to completely wipe the HDD and load Windows 7; I did run "Rkill" and got the following information from it on the current status of the computer running XP:

 

Rkill 2.6.8 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 08/13/2014 03:23:35 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * C:\WINDOWS\system32\fpapli.exe (PID: 1864) [WD-HEUR]
 * C:\WINDOWS\system32\igfxtray.exe (PID: 1888) [WD-HEUR]
 * C:\WINDOWS\system32\rundll32.exe (PID: 1916) [WD-HEUR]
 * C:\WINDOWS\system32\Tprbtn.exe (PID: 1952) [WD-HEUR]
 * C:\WINDOWS\AGRSMMSG.exe (PID: 1984) [WD-HEUR]
 * C:\WINDOWS\system32\dmwu.exe (PID: 388) [Sweetpacks-Adware]

6 proccesses terminated!

Possibly Patched Files.

 * C:\WINDOWS\system32\services.exe
 * C:\WINDOWS\system32\lsass.exe
 * C:\WINDOWS\System32\svchost.exe
 * C:\WINDOWS\system32\svchost.exe
 * C:\WINDOWS\system32\svchost.exe
 * C:\WINDOWS\system32\svchost.exe
 * C:\WINDOWS\system32\ctfmon.exe
 * C:\WINDOWS\system32\svchost.exe

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Firewall Disabled

   [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
   "EnableFirewall" = dword:00000000

 * Reparse Point/Junctions Found (Most likely legitimate)!

     * C:\WINDOWS\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a => C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492 [Dir]
     * C:\WINDOWS\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35 => C:\WINDOWS\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5 [Dir]

Checking Windows Service Integrity:

 * @%SystemRoot%\system32\cryptsvc.dll,-1001 (CryptSvc) is not Running.
   Startup Type set to: Automatic

 * @comres.dll,-2450 (EventSystem) is not Running.
   Startup Type set to: Automatic

 * @%SystemRoot%\system32\netman.dll,-109 (Netman) is not Running.
   Startup Type set to: Manual

 * System Restore Service (srservice) is not Running.
   Startup Type set to: Automatic

 * @%Systemroot%\system32\wbem\wmisvc.dll,-205 (winmgmt) is not Running.
   Startup Type set to: Automatic

 * @%SystemRoot%\System32\wscsvc.dll,-200 (wscsvc) is not Running.
   Startup Type set to: Automatic

 * @%systemroot%\system32\wuaueng.dll,-105 (wuauserv) is not Running.
   Startup Type set to: Manual

 * CryptSvc => %SystemRoot%\system32\svchost.exe -k NetworkService [Incorrect ImagePath]
 * EventSystem => %SystemRoot%\system32\svchost.exe -k LocalService [Incorrect ImagePath]
 * Netman => %SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted [Incorrect ImagePath]
 * wscsvc => %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted [Incorrect ImagePath]

 * wuauserv => %systemroot%\system32\wuaueng.dll [Incorrect ServiceDLL]

 

 

 

Thanks in advance,
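The Rkill report above is plain text, and the items a responder actually triages (a named detection versus a heuristic process kill, the "possibly patched" core binaries, the disabled firewall, and the services whose ImagePath no longer matches) are easy to lose in it. The following Python script is an added example, not Rkill's own code and not from anyone in this thread: it parses a shortened excerpt of that report, embedded as sample input, into a structure and scores the indicators that a wipe-and-reinstall decision turns on. The scoring weights and the reading of the WD-HEUR tag as a heuristic match are assumptions of the example, not documented Rkill semantics.

```python
"""Parse an Rkill text report into structured findings (added example).

Not Rkill's code: it reads the plain-text report Rkill prints, in the
layout shown in the post above, and pulls out what a responder triages.
"""
import re
from dataclasses import dataclass, field

# Sample input: a shortened excerpt of the Rkill report quoted in the post.
SAMPLE_LOG = r"""
Rkill 2.6.8 by Lawrence Abrams (Grinler)
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:
 * No malware services found to stop.

Checking for processes to terminate:
 * C:\WINDOWS\system32\fpapli.exe (PID: 1864) [WD-HEUR]
 * C:\WINDOWS\system32\igfxtray.exe (PID: 1888) [WD-HEUR]
 * C:\WINDOWS\system32\dmwu.exe (PID: 388) [Sweetpacks-Adware]

Possibly Patched Files.
 * C:\WINDOWS\system32\services.exe
 * C:\WINDOWS\system32\lsass.exe
 * C:\WINDOWS\system32\svchost.exe

Performing miscellaneous checks:
 * Windows Firewall Disabled
   [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
   "EnableFirewall" = dword:00000000
 * Reparse Point/Junctions Found (Most likely legitimate)!

Checking Windows Service Integrity:
 * @%SystemRoot%\system32\cryptsvc.dll,-1001 (CryptSvc) is not Running.
   Startup Type set to: Automatic
 * System Restore Service (srservice) is not Running.
   Startup Type set to: Automatic
 * @%systemroot%\system32\wuaueng.dll,-105 (wuauserv) is not Running.
   Startup Type set to: Manual
 * CryptSvc => %SystemRoot%\system32\svchost.exe -k NetworkService [Incorrect ImagePath]
 * wuauserv => %systemroot%\system32\wuaueng.dll [Incorrect ServiceDLL]
"""

@dataclass
class RkillReport:
    terminated: list = field(default_factory=list)         # (path, pid, tag)
    patched_files: list = field(default_factory=list)      # full paths
    firewall_disabled: bool = False
    stopped_services: list = field(default_factory=list)   # (name, startup type)
    bad_service_paths: list = field(default_factory=list)  # (name, value, problem)

PROC_RE = re.compile(r"^\s*\*\s+(?P<path>\S.*?)\s+\(PID:\s*(?P<pid>\d+)\)\s+\[(?P<tag>[^\]]+)\]$")
NOT_RUNNING_RE = re.compile(r"^\s*\*\s+.*\((?P<name>[^()]+)\) is not Running\.$")
STARTUP_RE = re.compile(r"^\s*Startup Type set to:\s*(?P<kind>\w+)$")
BAD_PATH_RE = re.compile(r"^\s*\*\s+(?P<name>\S+)\s+=>\s+(?P<value>.+?)\s+\[(?P<problem>Incorrect \w+)\]$")

# Report sections we care about, keyed by the exact header line Rkill prints.
SECTION_HEADERS = {
    "Checking for processes to terminate:": "processes",
    "Possibly Patched Files.": "patched",
    "Performing miscellaneous checks:": "misc",
    "Checking Windows Service Integrity:": "services",
}

def parse_rkill_log(text):
    report, section, pending = RkillReport(), None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        stripped = line.strip()
        if stripped in SECTION_HEADERS:
            section = SECTION_HEADERS[stripped]
            continue
        if stripped.endswith(":"):          # any other header closes the current section
            section = None
            continue
        if section == "processes" and (m := PROC_RE.match(line)):
            report.terminated.append((m["path"], int(m["pid"]), m["tag"]))
        elif section == "patched" and stripped.startswith("* "):
            report.patched_files.append(stripped[2:])
        elif section == "misc" and stripped == "* Windows Firewall Disabled":
            report.firewall_disabled = True
        elif section == "services":
            if m := NOT_RUNNING_RE.match(line):
                pending = m["name"]             # name waits for its "Startup Type" line
            elif (m := STARTUP_RE.match(line)) and pending:
                report.stopped_services.append((pending, m["kind"]))
                pending = None
            elif m := BAD_PATH_RE.match(line):
                report.bad_service_paths.append((m["name"], m["value"], m["problem"]))
    return report

# Binaries every XP session depends on; a "possibly patched" hit on one of
# these, or a rewritten service path, survives a reboot and weighs more than
# a process kill. (Set and weights are this example's assumptions.)
CORE_BINARIES = {"services.exe", "lsass.exe", "svchost.exe", "winlogon.exe"}

def triage(report):
    """Return (score, findings): score counts persistent indicators only."""
    findings, score = [], 0
    for path, pid, tag in report.terminated:
        if tag == "WD-HEUR":                    # assumption: heuristic tag, review by hand
            findings.append(f"review: heuristic kill of {path} (pid {pid})")
        else:
            score += 1
            findings.append(f"named detection: {path} (pid {pid}) [{tag}]")
    core_hits = sorted({p.rsplit("\\", 1)[-1].lower() for p in report.patched_files} & CORE_BINARIES)
    if core_hits:
        score += len(core_hits)
        findings.append("possibly patched core binaries: " + ", ".join(core_hits))
    if report.firewall_disabled:
        score += 1
        findings.append("Windows Firewall disabled via FirewallPolicy registry key")
    for name, value, problem in report.bad_service_paths:
        score += 1
        findings.append(f"{problem} for service {name}: {value}")
    auto_stopped = [n for n, kind in report.stopped_services if kind == "Automatic"]
    if auto_stopped:
        findings.append("Automatic services not running: " + ", ".join(auto_stopped))
    return score, findings

if __name__ == "__main__":
    total, notes = triage(parse_rkill_log(SAMPLE_LOG))
    print(f"persistent-indicator score: {total}")
    print("\n".join(notes))
```

On the excerpt above the script scores 7: one named adware detection, three possibly patched core binaries, the disabled firewall and two rewritten service paths. The two heuristic kills are listed for review but not scored, which is the point of separating them: the persistent, reboot-surviving changes to services.exe, lsass.exe, svchost.exe and the service registry entries are what justify the wipe the poster is already planning, whatever the heuristic hits turn out to be.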





#2 JohnC_21

JohnC_21

  • Members
  • 23,235 posts
  • Gender:Male
  • Local time:05:36 PM

Posted 13 August 2014 - 04:11 PM

If possible first run the Windows 7 upgrade advisor to see if the computer can run Windows 7. There may be driver issues if the computer is old enough.

 

http://www.microsoft.com/en-us/download/details.aspx?id=20

 

After you ran Rkill (do not reboot) did you do a scan with Malwarebytes?

 

You may also want to do a scan with Hitman Pro.

 

 

Edit: You may be able to get to Factory Restore by pressing Ctrl+F11 at boot if getting to it from Windows was not successful.


Edited by JohnC_21, 13 August 2014 - 04:12 PM.


#3 krzyzmo

krzyzmo
  • Topic Starter
  • Members
  • 7 posts
  • Local time:04:36 PM

Posted 13 August 2014 - 05:42 PM

One more issue I am having: can't install anything. I get a message that the Windows Installer could not be accessed.

If I try it in Safe Mode, I get a message that the administrator won't allow the install. Tried to go through the command prompt and get the same messages.

Whatever this malware was totally deleted my network files, so I can't get on the internet either. Had to add a few registry DLLs just to get this much functionality. Every restore option I have tried is met with the message that restore can't protect my computer, you must restart.



#4 JohnC_21

JohnC_21

  • Members
  • 23,235 posts
  • Gender:Male
  • Local time:05:36 PM

Posted 13 August 2014 - 05:48 PM

I would try Ctrl+F11 at boot to see if it can access the recovery partition if it is still intact. Do you see a recovery partition in Disk Management?

#5 krzyzmo

krzyzmo
  • Topic Starter
  • Members
  • 7 posts
  • Local time:04:36 PM

Posted 13 August 2014 - 05:55 PM

Ctrl+F11 won't work, the computer just keeps going on to boot up Windows. Don't have a D drive, so not sure if it is hidden or not.



#6 JohnC_21

JohnC_21

  • Members
  • 23,235 posts
  • Gender:Male
  • Local time:05:36 PM

Posted 13 August 2014 - 05:59 PM

How many partitions show up in Disk Management, only one? There may be another without a drive letter.

Edited by JohnC_21, 13 August 2014 - 06:00 PM.


#7 krzyzmo

krzyzmo
  • Topic Starter
  • Members
  • 7 posts
  • Local time:04:36 PM

Posted 13 August 2014 - 06:06 PM

A "D" drive has appeared back in My Computer. Was not there before, at least visibly. Been trying a bunch of different tasks.

So I guess I do have a "D" drive, and it has a recovery partition in it when I clicked on it.



#8 krzyzmo

krzyzmo
  • Topic Starter
  • Members
  • 7 posts
  • Local time:04:36 PM

Posted 13 August 2014 - 06:08 PM

And now it's gone again. It was a minute ago right next to the C drive in the Hard Disk Drives section.



#9 JohnC_21

JohnC_21

  • Members
  • 23,235 posts
  • Gender:Male
  • Local time:05:36 PM

Posted 13 August 2014 - 06:22 PM

It may be a hard drive problem. There is one thing that may work, and that would be making the partition active. It can be done using diskpart, but it is easier using a boot disk of Partition Wizard, and the boot disk, which is based on Linux, might have a better time picking it up.

 

Back up any of your important data first. Download the bootable version of Partition Wizard. Burn the ISO file with either ImgBurn if using XP, or by double-clicking the ISO file in Windows 7, which will use the native burner of 7. Boot Partition Wizard. Select the Recovery Partition and make it Active. Reboot the computer and hopefully the Partition Recovery Manager will run. If it does not work, you will have to boot Partition Wizard again and make your System Partition Active so you will be able to boot Windows again.

 

If you have a Linux disk with GParted, you can do it with that program by selecting the Recovery Partition and then selecting Partition in the Menu Bar > Manage Flags > Boot.

 

http://gparted.org/display-doc.php?name=help-manual#gparted-manage-partition-flags



#10 cmptrgy

cmptrgy

  • Members
  • 1,630 posts
  • Gender:Male
  • Location:Massachusetts
  • Local time:05:36 PM

Posted 13 August 2014 - 08:28 PM

You cannot connect to the Internet, use your DVD drive, and have some kind of issue with drive D.

I'd also be concerned about a possible rootkit problem from whatever infected your computer.

 

I know there are already some excellent recommendations posted, but in case you run into roadblocks, consider some manual procedures to see if you can connect, preferably in Safe Mode, so you can run the Windows 7 Upgrade Advisor as already mentioned.

 

Even though the computer doesn't connect to the Internet at this time, make absolutely sure it is actually disconnected so it can't connect when you try the following ideas.

 

Since you are using XP, go into Add/Remove and uninstall any suspicious programs, if any.

--- Record what you do uninstall, if any

 

Go into the startup list and uncheck anything that isn't needed.

--- The idea is to eliminate any entries of malware from calling home shortly after startup

--- The only item that should be checked is the real-time security program that is in use

Shut down and start the computer back up, still disconnected from the Internet.

 

Go into Internet Options and clear out the browsing history with Delete browsing history checked. Click on Delete. On the following page, ensure Cookies and website data is checked. Click on Delete at the bottom. Delete browsing history will follow.

--- Later on, when the computer is safe and secure, Cookies and website data can be unchecked

 

It's a good idea to set cookie control in Advanced Privacy Settings.

--- In Internet Options, click on the Privacy tab

--- In the Settings section, click on Advanced

--- On the Advanced Privacy Settings window click on the following items

------ Override automatic cookie handling

------ First party cookies: Accept

------ Third party cookies: Block

------ Always allow session cookies

--- Click on OK

 

Run Disk Cleanup

 

Clean out whatever .tmp files you can.

Click on Start, then Search, Files and Folders; in the "All or part of a file name" box type *.tmp, click on Search, and from the search results delete whatever is possible: some may not delete because the underlying program is in use.

 

Shut down the computer

Connect the computer with an Ethernet cable to your ISP-provided modem/router.

--- If you normally connect wirelessly, you can still do so, but I would trust connecting as mentioned first

--- Start the computer up preferably in Safe Mode with Networking

--- Back up your data

--- If you can’t back up your data in Safe Mode, restart the computer in Normal Mode

--- Run your malware & maintenance programs to ensure the computer is in fact good and clean

--- Run the Windows 7 Upgrade Advisor

http://www.microsoft.com/en-us/download/details.aspx?id=20

Post back on your results once you get this far.

BTW, if the computer passes the Windows 7 Upgrade Advisor, I suspect it would be a good idea to run CHKDSK.

Good luck



#11 krzyzmo

krzyzmo
  • Topic Starter
  • Members
  • 7 posts
  • Local time:04:36 PM

Posted 13 August 2014 - 08:40 PM

Will try, thanks for the help.





