
Help Getting Logs Compromised PC


~Sage

Oct 31, 2009, 1:30:50 AM
Hi All, I'm trying to help a friend whose XP PC is compromised enough
that I'm going to post to AumHa with her logs, but I'm not sure of the
safest method to get them. I have the PC unplugged from the internet,
and am wondering if I could copy those text files (notepad) to a
floppy (it has an A: drive), put the floppy in an older Win98 PC of
mine, burn them or email them to myself (scan them) and then put them
in my main PC for the post? I've battled Pump.exe, Police Pro and
other *goodies* and can't get rid of waeey.exe, and I'm afraid of
compromising my PC and I don't really think the text files or the
floppy would be safe, but I'm hoping you can tell me something good?
Any help or suggestions will be very much appreciated.

~Sage

PA Bear [MS MVP]

Oct 31, 2009, 3:39:58 AM
If she had no anti-virus application installed or the subscription had
expired *when the machine first got infected* and/or her subscription has
since expired and/or the machine's not been kept fully-patched at Windows
Update, don't waste your time: Back-up any personal data (none of which
should be considered 100% trustworthy at this point) then do a format &
clean install of Windows.

Please note that a Repair Install (AKA in-place upgrade) will NOT fix this!

cf. http://michaelstevenstech.com/cleanxpinstall.html#steps

After the clean install, you'll have the equivalent of a "new computer" so
take care of everything on the following page before otherwise connecting
the machine to the internet or a network and before using a USB key that
isn't brand-new or hasn't been freshly formatted:

5 steps to help protect your new computer before you go online
http://www.microsoft.com/protect/computer/advanced/xppc.mspx

Other helpful references include:

HOW TO get a computer running WinXP Gold (no Service Packs) fully patched
(after a clean install)
http://groups.google.com/group/microsoft.public.windowsupdate/msg/3f5afa8ed33e121c

HOW TO get a computer running WinXP SP1(a) or SP2 fully patched (after a
clean install)
http://groups.google.com/group/microsoft.public.windowsxp.general/msg/a066ae41add7dd2b

Also see:

Steps To Help Prevent Spyware
http://www.microsoft.com/security/spyware/prevent.aspx

Steps to Help Prevent Computer Worms
http://www.microsoft.com/security/worms/prevent.aspx

Avoid Rogue Security Software!
http://www.microsoft.com/security/antivirus/rogue.aspx
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Client - since 2002
AumHa Forums VSOP & Admin

~Sage

Oct 31, 2009, 5:04:13 AM
Pa Bear, thank you so much for responding, I've *listened* to you many
times and have complete trust and respect for you. She was running AVG
8.5, updated Oct. 20th, also had Spybot S&D, last Windows patch was Oct.
15th, she brought me her pc on Oct 23. Security Service was off when
she brought it but Update was working at least until the 15th
(suspect a virus did that). Is it up to snuff enough or not?

I've done all the prep work for your AumHa rules, but won't post there
if you tell me not to, and I know you won't tell me that unless format
and reinstall is all we can do. She has Family Tree (Microsoft Word
documents and .jpg's that are very important to her), I hate to see
her lose them, but I won't compromise my PC to post the logs. So what
do you think?

Thank You,

~Sage


Paul

Oct 31, 2009, 12:50:20 PM
If you want to do file recovery, find some other OS to boot to do it.
For example, a Linux LiveCD makes it possible to copy files from
either NTFS or FAT32 partitions.

If you want to scan for viruses, from a Linux CD, some of the
AV companies provide downloads for that. These are in ISO9660
format, so you use a tool like Nero, to convert the ISO9660
into a bootable CD. There are some free burning applications
as well, so you don't need Nero to do it.

Bitdefender (Linux, bootable) CD.

http://download.bitdefender.com/rescue_cd/

http://download.bitdefender.com/rescue_cd/BitDefenderRescueCD_v2.0.0_3_08_2009.iso (260MB)

Kaspersky (Linux, bootable) CD.

http://devbuilds.kaspersky-labs.com/devbuilds/RescueDisk/ (114MB)

I only have limited experience with the Kaspersky one.

When the CD boots, after a few seconds it'll indicate it is downloading
AV definitions from the Kaspersky site. For that to work, the networking
has to be up and running (ADSL or cable modem already configured and
working). If all is well, the Kaspersky interface is pretty
simple.

There are some sequentially lettered partitions shown in the interface,
as in C,D,E,F etc. They aren't the real drive letters, and are just
a numbering scheme. You have to figure out which one corresponds to the
"real C" drive, and make sure at least that partition is selected for
scanning.

If Kaspersky finds something, it should pop up a notification on the
screen. Scanning speed starts out at a pretty good rate, but slows
down as time goes by. You can stop and restart the tool, and it'll pick
up where it left off. And be a bit faster as a result.

More details here on using the Kaspersky, if you want them.

http://groups.google.ca/group/microsoft.public.windowsxp.general/msg/ea4db0cef1555973?dmode=source

*******

For simple maintenance work, like copying files off, a regular Linux
LiveCD can work. But this is no good, if you suspect you're going
to be copying something over which is infected. Anything virulent
will remain that way (like copying an infected EXE file). The
version of this I like best is 5.3.1, but it is a large
download of over 2GB. It can mount NTFS or FAT32 partitions,
and the disk icons on the desktop are read-only, until
you do "Properties" on them, and change the tick box to
"read/write". Then you can move files around graphically,
from the file manager. Or, use the command prompt, and
the regular "cp" type commands.

http://en.wikipedia.org/wiki/Knoppix

There is a remastered version of 5.3.1, that some people in
Japan did, and it fits onto a CD, and is about a 700MB download.
So that comes closest to a good compromise between size and function.
I don't use that one regularly, since I got the DVD sized one
first, and continue to use it.

HTH
Paul

Ron Badour

Oct 31, 2009, 4:30:08 PM
Assuming it is a desktop PC, pull the hard drive from her machine and set it
up as a slave on another (your?) PC. Since the other PC will continue to
start from its own system, the baddies on her drive will not be started at
boot. The first thing to do is copy all the needed files to a folder on
your (?) drive. Then use your anti-virus programs and MBAM to clean off her
drive. The registry entries will not be cleaned out because your registry
is the one being used by the system. When you get rid of the bad files,
then put the drive back in her PC and run AVG, MBAM and S&D to get rid of
the rest of the problems and clean the registry. You can also do some
on-line scans with other free on-line AV scan programs. I used these
procedures dozens of times to clean badly (400+) infected hard drives. Only
once (a laptop) out of maybe 50 times did I have to format the drive and
start over. MBAM = Malwarebytes' Anti-Malware, which is a very good free
program, that can be downloaded from here:

http://www.download.com/Malwarebytes-Anti-Malware/3000-18510_4-10804572.html?part=dl-10804572&subj=dl&tag=button&cdlPid=10997763


--
Regards

Ron Badour

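The file-copy step that Sage asks about at the top of the thread, that Paul describes from a Linux LiveCD and that Ron describes with the drive slaved into another PC, can be scripted so that only documents cross to the clean side and every copied file is recorded. The Python script below is an added example and is not code from anyone in this thread. It assumes the infected volume is already mounted read-only (on a LiveCD something like `mount -t ntfs-3g -o ro /dev/sda1 /mnt/infected`, where the device name is a placeholder), and it builds a small constructed sample tree so it can be run offline; the extension allowlist and the `MZ` header check are this example's own choices.

```python
"""Copy documents off a drive from a compromised PC, leaving executables
behind and recording a SHA-256 manifest of what was taken.

Added example, not code from this thread. Assumes the infected volume is
already mounted read-only, e.g. on a Linux LiveCD (device name is a
placeholder):  mount -t ntfs-3g -o ro /dev/sda1 /mnt/infected
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Allowlist of what the thread wants recovered: scanner logs, Word
# documents and JPEGs. Everything else stays on the infected drive.
ALLOWED_EXT = {".txt", ".log", ".doc", ".docx", ".jpg", ".jpeg"}

# Windows PE executables start with "MZ"; a ".jpg" that begins this way is
# a renamed program, not a picture, so it is refused regardless of name.
PE_MAGIC = b"MZ"


def classify(path):
    """Return 'copy', 'skip-ext' (not allowlisted) or 'skip-exe' (PE header)."""
    path = Path(path)
    if path.suffix.lower() not in ALLOWED_EXT:
        return "skip-ext"
    with open(path, "rb") as fh:
        head = fh.read(len(PE_MAGIC))
    return "skip-exe" if head == PE_MAGIC else "copy"


def copy_documents(src, dst):
    """Walk src, copy allowlisted files into dst (same relative layout),
    write dst/MANIFEST.sha256 and return what was copied and skipped."""
    src, dst = Path(src), Path(dst)
    copied, skipped, manifest = [], [], []
    for root, _dirs, files in os.walk(src):
        for name in files:
            p = Path(root) / name
            rel = p.relative_to(src).as_posix()
            verdict = classify(p)
            if verdict != "copy":
                skipped.append((rel, verdict))
                continue
            target = dst / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            # copyfile copies data only: no NTFS attributes or alternate streams.
            shutil.copyfile(p, target)
            digest = hashlib.sha256(target.read_bytes()).hexdigest()
            manifest.append(f"{digest}  {rel}")
            copied.append(rel)
    dst.mkdir(parents=True, exist_ok=True)
    (dst / "MANIFEST.sha256").write_text("\n".join(sorted(manifest)) + "\n")
    return {"copied": sorted(copied), "skipped": sorted(skipped)}


def build_sample(base):
    """Constructed stand-in for the infected drive so the script runs offline."""
    base = Path(base)
    (base / "logs").mkdir(parents=True)
    (base / "family").mkdir()
    (base / "logs" / "scan.log").write_text("constructed scanner log line\n")
    (base / "family" / "tree.doc").write_bytes(b"\xd0\xcf\x11\xe0constructed doc")
    (base / "family" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    (base / "family" / "disguised.jpg").write_bytes(PE_MAGIC + b"\x90" * 32)  # renamed exe
    (base / "dropper.exe").write_bytes(PE_MAGIC + b"\x90" * 32)
    return base


def demo():
    """Run the copy against the constructed sample and return the outcome."""
    work = Path(tempfile.mkdtemp(prefix="recovery-"))
    try:
        result = copy_documents(build_sample(work / "infected"), work / "recovered")
        result["manifest"] = (work / "recovered" / "MANIFEST.sha256").read_text().splitlines()
    finally:
        shutil.rmtree(work)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The recovered tree and its MANIFEST.sha256 are what go to the clean machine; the manifest lets each file be scanned and checked there before it is opened, which matters for .doc files because they can carry macros. Plain-text logs are data rather than code, so the allowlist covers the log files Sage is worried about; what the header check refuses is an executable renamed to look like a picture.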

PA Bear [MS MVP]

Nov 1, 2009, 7:43:22 PM
Feel free to post in http://aumha.net/viewforum.php?f=30 or other
appropriate forum (e.g.,
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
http://www.spywarewarrior.com/viewforum.php?f=5,
http://www.dslreports.com/forum/cleanup,
http://www.bluetack.co.uk/forums/index.php) for assistance.

You will not want to access the forum using the computer in question, of
course.

NB: Running MBAM or any other utility alone may not be enough, despite Ron's
experience. I would highly recommend assistance from an expert in such
matters.

On the other hand, a "wipe & reload" may be the fastest way to resolve the
situation. Back-up any personal data prior to formatting and scan the data
before reintroducing it to the cleaned machine.

Tip: I would *not* recommend AVG Free whatsoever.

~Sage

Nov 2, 2009, 1:25:39 AM
Thank You Pa Bear, and thanks to Paul and Ron too! They both had good
ideas but I've yet to play with Linux and haven't done a lot of HD
shifting around. I had already run MBAM, Spybot, SAS, MSRT, AVG
before I posted, but finding that darn weaay.exe in running tasks told
me all is not well, plus the slowness, enough to make you pull your
hair out just knowing *something* is in there and she only has 256MB
RAM in the thing! I will be posting to AumHa as soon as I can get the
logs out. If I can get a printer running I could print the logs and
scan them into my PC... *IF*.

As for AVG, is it missing too many things? Too many false positives?
I began to dislike it with 8.5 and the Network Scanner Service. I'm
not crazy about Ad-aware anymore either! I had a notice last night
that AVG wants to upgrade to 9 now. I'm ready to move on to something
else (freebie of course), What do you think is best and the least
invasive as far as trying to run your PC *for* you?

Thank You!

~Sage


Elmo

Nov 2, 2009, 9:44:49 AM

Burn BitDefender, or another program listed at the link below, to a CD
(using a working machine) and test the infected machine with it.
BitDefender also has a Rootkit checker on the Linux Desktop; run it if
you think that's the problem:

http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/

Download the executable rather than the .iso image, if one is
available; it prompts you to insert a CD and burns the file, no
problem. With an .iso file, you need software that will "Burn the image".

--
Joe =o)
