#32
From: "bryan"

| Good Evening,
| Right-on Cquirke regarding your point #2: reinstalling would have
| resulted in spinning my wheels since I strongly felt that the problem was on
| the computer 'out of the box' - which it was. I followed the help file
| instructions in order to disable DEP for IE. Everything is now working -
| even Access. Before disabling DEP, I created a 3 line wordpad file consisting
| of ABC, testing and 123. DEP even shutdown this file. ONE QUESTION REGARDING
| DAVID's AV arsenal: If I need to run this series of AV programs in the future
| (I hope not!!!!!), should I re-download the files in order to get the latest
| definitions? Thanks again to all of you. Bryan
|

Bryan:

The scripts will automatically download new AV signature and scanner files as needed. If you want to do another "On Demand" scan, just choose an AV vendor module (McAfee, Trend or Sophos).

Occasionally I do post new versions of the Multi_AV.exe file. Every so often you can download a new version and execute it to update your version.

Version information is kept in; C:\AV-CLS\readme.txt
The present version is; v2.26

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
#33
Hi David,

I just wanted to take a moment to thank you again for your assistance. Take care.

"David H. Lipman" wrote:

> From: "bryan"
>
> | Good Evening,
> | Right-on Cquirke regarding your point #2: reinstalling would have
> | resulted in spinning my wheels since I strongly felt that the problem was on
> | the computer 'out of the box' - which it was. I followed the help file
> | instructions in order to disable DEP for IE. Everything is now working -
> | even Access. Before disabling DEP, I created a 3 line wordpad file consisting
> | of ABC, testing and 123. DEP even shutdown this file. ONE QUESTION REGARDING
> | DAVID's AV arsenal: If I need to run this series of AV programs in the future
> | (I hope not!!!!!), should I re-download the files in order to get the latest
> | definitions? Thanks again to all of you. Bryan
> |
>
> Bryan:
>
> The scripts will automatically download new AV signature and scanner files as needed. If you want to do another "On Demand" scan, just choose an AV vendor module (McAfee, Trend or Sophos).
>
> Occasionally I do post new versions of the Multi_AV.exe file. Every so often you can download a new version and execute it to update your version.
>
> Version information is kept in; C:\AV-CLS\readme.txt
> The present version is; v2.26
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
#34
From: "bryan"

| Hi David,
| I just wanted to take a moment to thank you again for your assistance.
| Take care.

You are most welcome Bryan.

That includes emailing me. Just remove ~nospam~ from either of the below email addresses...

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
#35
Leythos,

I located the article in the Microsoft Knowledgebase;

You receive a "Data Execution Prevention" error message in Windows XP Service Pack 2 or in Windows XP Tablet PC Edition 2005 (875351) - Describes the Data Execution Prevention feature in Windows XP Service Pack 2 and why the feature may generate an error message.
http://support.microsoft.com/default...b;en-us;875351

"Leythos" wrote:

> In article , says...
>> Good Evening, Right-on Cquirke regarding your point #2: reinstalling would have resulted in spinning my wheels since I strongly felt that the problem was on the computer 'out of the box' - which it was. I followed the help file instructions in order to disable DEP for IE. Everything is now working - even Access. Before disabling DEP, I created a 3 line wordpad file consisting of ABC, testing and 123. DEP even shutdown this file. ONE QUESTION REGARDING DAVID's AV arsenal: If I need to run this series of AV programs in the future (I hope not!!!!!), should I re-download the files in order to get the latest definitions? Thanks again to all of you. Bryan
>
> I hate to say this, but if you had to modify DEP to get Wordpad to work, then you still have problems with your computer - something is definitely NOT right with it.
>
> I've never seen a computer yet that required any changes to DEP, and we've got more than 1000 of them running XP with SP2.
>
> Since AV wasn't your issue, and since you still don't know what the actual problem is, I would suggest that in order to prevent additional problems that you do a factory restore on the machine.
>
> We've got tons of Dell systems and, again, nothing with DEP had/has to be changed.
>
> Before you write back and say it's working fine - consider what you actually did and why you had to do it with Wordpad, and remember that no one has reported needing to modify DEP for Wordpad that I've read anywhere.
>
> --
> remove 999 in order to email me
#36
On Fri, 19 Aug 2005 16:49:37 GMT, Leythos wrote:

> says...
>> Right-on Cquirke regarding your point #2: reinstalling would have resulted in spinning my wheels since I strongly felt that the problem was on the computer 'out of the box' - which it was. I followed the help file instructions in order to disable DEP for IE. Everything is now working - even Access. Before disabling DEP, I created a 3 line wordpad file consisting of ABC, testing and 123. DEP even shutdown this file.

> I hate to say this, but if you had to modify DEP to get Wordpad to work, then you still have problems with your computer - something is definitely NOT right with it.

Are you thinking of a hardware issue, then?

I still think this could be av, in that av will be active whenever you "open" anything. If the way the av handles material picks a fight with DEP, you may see problems - or just spontaneously restart, if the duhfault XP "Restart on system errors" setting's still in effect.

> I've never seen a computer yet that required any changes to DEP, and we've got more than 1000 of them running XP with SP2.

It's been one of the themes post-SP2. Not as common as some problems, but common enough to come to mind.

As to 1000 PCs, it's a bit like a comment I heard between two academic professionals discussing a third:

- "He's been in that post for 12 years, so he has the experience..."
- ' Yes, but is that 12 years' experience, or 1 year 12 times? '

IOW, if those 1000 PCs are all in one corporate network with tightly-controlled settings, apps, the same av rolled out throughout the organisation, same hardware vendors, etc. then there may be plenty of configurations you haven't had experience with.

That's certainly my case; none of the kit I use is currently DEP-capable, so understandably I haven't seen the issue first-hand.

> Since AV wasn't your issue,

How do you conclude that? I don't remember really seeing that excluded, though I may have missed something.

> and since you still don't know what the actual problem is, I would suggest that in order to prevent additional problems that you do a factory restore on the machine.

Nah, I still think that's one of the worst ideas I've heard so far.

Earlier on, it sounded as if you suspected an underlying hardware problem - in which case, this is a recipe for disaster; you go from a code base that mainly predates the start of the hardware issues, and replace it with a code base 100% subjected to those issues.

As to malware, falling back to unpatched status is likely to make re-infection a lot easier too.

As to DEP, then falling back to pre-SP2 code is going to "fix the problem" the same way as disabling DEP would do, but with FAR more side-effects and lost protection. Disabling DEP leaves him with an SP2 code base and no DEP, whereas your "solution" drops him back to who knows what exploitable patch level.

> We've got tons of Dell systems and, again, nothing with DEP had/has to be changed.

Dell are Intel, whereas AMD were the initiators of DEP hardware support, with Intel recently catching up. So experience on Dell systems up to a year ago isn't going to expose you to DEP issues.

> Before you write back and say it's working fine - consider what you actually did and why you had to do it with Wordpad, and remember that no one has reported needing to modify DEP for Wordpad that I've read anywhere.

Hint: Background tasks :-)

It's not Wordpad that's likely to be crashing on DEP, as much as the av that scans Wordpad when it starts, and the document file that Wordpad opens and closes - especially if that's a .doc

Really, if using the relevant Boot.ini parameter to suppress DEP support solves the problem, then he's in good company with a familiar issue, and the fix is a lot cleaner than "just" re-install.

Let's Google this stuff...

Google(XP SP2 DEP):

http://www.microsoft.com/technet/pro.../sp2mempr.mspx
http://support.microsoft.com/kb/875352
http://www.tech-recipes.com/windows_tips566.html

Zone Alarm has some issues with DEP:
http://www.zonelabs.com/store/conten...id=ts_xpsp2faq

ProTools has problems with DEP:
http://www.digidesign.com/compato/xp/os.cfm

F-Secure has problems with DEP:
http://support.f-secure.com/enu/corp...al/xpsp2.shtml

Kaspersky av and DEP:
http://gladiator-antivirus.com/forum...howtopic=17753

Dongles screw up on DEP:
http://www.scala.com/miscellaneous-f...faq-index.html

OK... I think we see the trend here; usually new versions from vendors to fix issues with DEP. So what I'd do is:

- build a list of what software's running on the box (especially underfootware)
- test suppressing these in MSConfig
- if offender's identified, check that vendor's FAQs etc. on DEP
- stay off the 'net while firewall and av are disabled

You may need more than MSConfig on this, as that doesn't cover all possible underfootware integration points. You can use HiJackThis, Sysinternals tools, Faber Toys or NirSoft's utilities to get a better handle on what's running in the background, or as a side-effect of (say) listing files in Explorer or even a File Open dialog box.

------------ ----- ---- --- -- - - - -
The most accurate diagnostic instrument in medicine is the Retrospectoscope
------------ ----- ---- --- -- - - - -
#37
> OK... I think we see the trend here; usually new versions from vendors to fix issues with DEP. So what I'd do is:
>
> - build a list of what software's running on the box (especially underfootware)
> - test suppressing these in MSConfig
> - if offender's identified, check that vendor's FAQs etc. on DEP
> - stay off the 'net while firewall and av are disabled

I just need some clarification on your suggestion. DEP was shutting down notepad, wordpad, word and Access. When I disabled DEP for IE, all programs worked fine. Before disabling DEP, I created a notepad file with 2 lines: abc and 123. I saved it and re-opened it. DEP then shut it down.

If DEP is supposed to detect code of malware, what could it have detected between abc and 123?

If you really feel that I could be infected despite the fact that everything is working fine, I am happy to conduct more tests. Please be kind enough to be as non-technical as possible.

And thank you very much for your support.

Bryan

"Leythos" wrote:

> In article , says...
>> IOW, if those 1000 PCs are all in one corporate network with tightly-controlled settings, apps, the same av rolled out throughout the organisation, same hardware vendors, etc. then there may be plenty of configurations you haven't had experience with.
>
> My experience and depth is based on hundreds of different sites/installations over the last X years. It includes about 90 different platform setups (hardware/software/apps/security/av....) at this time and grows every week. Not to mention all of the friends/family I support who are not in controlled environments by their own choice.
>
> --
> remove 999 in order to email me
#38
On Sat, 20 Aug 2005 22:04:02 -0700, "bryan"

>> OK... I think we see the trend here; usually new versions from vendors to fix issues with DEP. So what I'd do is:
>>
>> - build a list of what software's running on the box (especially underfootware)
>> - test suppressing these in MSConfig
>> - if offender's identified, check that vendor's FAQs etc. on DEP
>> - stay off the 'net while firewall and av are disabled

> I just need some clarification on your suggestion. DEP was shutting down notepad, wordpad, word and Access. When I disabled DEP for IE, all programs worked fine. Before disabling DEP, I created a notepad file with 2 lines: abc and 123. I saved it and re-opened it. DEP then shut it down.

OK

> If DEP is supposed to detect code of malware

No, that's the intended application of DEP, but that's not what DEP does - it's what we imply from what it does.

At a hardware level, it's possible to tell whether a processor is reading instructions or data from RAM - or to put it another way, whether a byte that's read from RAM is going into the program register that interprets it as code, or some other register that will treat it as data. It's the difference between being touched by a spider's foot, or the spider's mandibles.

Since the days of DOS, programs were supposed to store data in data segments in RAM, and code in code segments. It was considered bad programming practice to mix data and code in the same memory segment, or write "self-modifying" code, i.e. where a program writes different instructions into memory and then runs into them and runs them.

But you know what it's like; we aren't supposed to drive on pavements but sometimes we take a short cut or two, or park there for a while. This creates opportunities for malware to break the rules, i.e. enter a system ostensibly as "just data", and yet end up being run as raw code, if they happened to be shaped right.

Think of the way we catch fish on baited hooks... if there's a mix of code and data, and my "data" is big enough to run over the next part which is code, then eventually when the processor hits that, it will run me as code. Once I get control, then that exploit code has to enter the body of my code, which is probably held in an area of RAM that's supposed to be for data. It is here that DEP steps in and says "that's not allowed".

At least, that's how I think it works... I'd have preferred it to block whatever wrote that spiky data into code space, but AFAIK that's not what it does.

Anyway, the effect is similar to pavements suddenly being mined, so whenever sloppy programmers take a "short cut", they get caught out by DEP.

The other problem is that certain types of code need to break the rules that DEP enforces, or rather, it used to be SOP for them to do so and now they have to change the way they work. This is where av comes in - because malware code can evade signature recognition in various ways, an av might sample some code into its own data space, break it up into short runs that are safe to run, one piece at a time, and then run it there. If that is seen as "running code in data space" by DEP, then DEP will stomp on that too.

So - we have situations where software can fall foul of DEP without any actual malware being involved at all.

Why notepad, wordpad, word and Access? Either due to some shared code library common to all of them (i.e. DLLs like Riched.dll, MSVCRT.DLL, MFC42.DLL etc. that are built into the programming language support code that they were written in), or antivirus activity that arises in the course of what these apps do.

For example, common to all of these may be MS Office "data" file formats. MS Office is notorious for bringing auto-running macros into "data" files, thus single-handedly creating the space for a whole new generation of malware to play in. Every MS Office data file type can pose this risk, including Access's .mdb "database" files and Word's .doc "document" files. If the av sees a .doc being touched, whether it's by Word, Wordpad or Notepad, it will take an interest.

Macro languages such as used in scripts, HTML and MS Office "data" files are all interpreted, and are simple to write. That means wherever the malware goes, it goes in editable form; it's easy to change it a bit and perhaps cause signature-matching to fail. So it's easy to see that av might "run" these things to look for malicious behavior, rather than just read it as data and compare it to mugshots.

But DEP wouldn't kick in if the av was parsing these things as macros, because macros are interpreted in software, not "eaten" by the processor as raw code. Think of being picked up by a spider's leg (data access) and then dropped into its mandibles :-)

In any event, I'd try these tests:

- DEP on, but testing in Safe Mode
- DEP on, testing with full MS Config suppression
- DEP on, normal Windows, but av disabled (be offline)
- DEP on, normal Windows, av active as usual (should fail)

If all of those fail, I'd suspect an issue within common shared code libraries - and you may find a damaged .DLL (e.g. that was "fixed" by AutoChk) that's involved, with DEP as simply the messenger. If everything works as long as the av's off, then check av vendor for a patch.

When we first saw these issues with SP2, only AMD had processors supporting DEP - that's why experience with Dell may not expose you to this, at first - but now Intel has DEP support as well.

There are broadly three kinds of DEP: AMD's NX (No eXecute), Intel's new equivalent of NX, and "software DEP" that relies on MS's software logic to figure out what's going on. I don't think these can be selectively disabled, but they may fail in different ways - and if so, with Intel being the newest, we may see new failure patterns.

> If you really feel that I could be infected despite the fact that everything is working fine, I am happy to conduct more tests.

I don't think you're infected, so much as in the teeth of an incompatibility. It's also possible that a broken .DLL was causing a wild jump into data space that hit a RET (Return) statement and carried on working before, but now gets caught in data space by DEP.

> Please be kind enough to be as non-technical as possible.

Ooops

> And thank you very much for your support. Bryan

Thanks! That will make Leythos's flameage easier to bear :-)

> "Leythos" wrote:
>> says...
>>> IOW, if those 1000 PCs are all in one corporate network with tightly-controlled settings, apps, the same av rolled out throughout the organisation, same hardware vendors, etc. then there may be plenty of configurations you haven't had experience with.
>>
>> My experience and depth is based on hundreds of different sites/installations over the last X years. It includes about 90 different platform setups (hardware/software/apps/security/av....) at this time and grows every week. Not to mention all of the friends/family I support who are not in controlled environments by their own choice.

I'm working full time with PCs too, but I don't build AMD (I like the CPUs, but most of the motherboard chipsets give me the creeps) and so I've yet to see any DEP issues first hand. I've come across them when other folks have raised them - at which point I could have either said "bah humbug, I've never seen that" or I could say "tell me more".

Intel's doing DEP now, and even the humble Celerons are now doing the 64-bit support thing these days. So soon, I may be personally enlightened... lucky me :-/

-------------------- ----- ---- --- -- - - - -
Tip Of The Day: To disable the 'Tip of the Day' feature...
-------------------- ----- ---- --- -- - - - -
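The split between code pages and data pages described in the post above, as an added example that is not part of the original thread. It is a C program for Linux (an assumption: the thread concerns Windows XP SP2, but the per-page no-execute bit is the same hardware feature) that reads `/proc/self/maps` to show that stack and heap pages carry no execute permission, and that a buffer holding generated code has to be switched from writable to executable before the CPU may fetch instructions from it. All function names are illustrative.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* for MAP_ANONYMOUS */
#endif
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Return the PROT_* bits of the mapping containing addr, or -1 if unmapped. */
int page_prot(uintptr_t addr)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512], perms[5];
    unsigned long lo, hi;
    int prot = -1;

    if (!f)
        return -1;
    while (prot < 0 && fgets(line, sizeof line, f)) {
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) != 3)
            continue;                       /* not a "start-end perms" line */
        if (addr < lo || addr >= hi)
            continue;
        prot = (perms[0] == 'r' ? PROT_READ  : 0) |
               (perms[1] == 'w' ? PROT_WRITE : 0) |
               (perms[2] == 'x' ? PROT_EXEC  : 0);
    }
    fclose(f);
    return prot;
}

int stack_prot(void) { int local = 0; return page_prot((uintptr_t)&local); }
int code_prot(void)  { return page_prot((uintptr_t)&page_prot); }

int heap_prot(void)
{
    void *p = malloc(64);
    int prot = p ? page_prot((uintptr_t)p) : -1;
    free(p);
    return prot;
}

/* Stage bytes in a writable, non-executable page (what a scanner or JIT does
 * with code it builds at run time), optionally flip the page to read+execute,
 * and report the resulting protection. The bytes are never executed here. */
int staged_buffer_prot(int flip_to_exec)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *buf = mmap(NULL, len, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    int prot;

    if (buf == MAP_FAILED)
        return -1;
    memset(buf, 0, len);                    /* placeholder for generated code */
    if (flip_to_exec && mprotect(buf, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(buf, len);
        return -1;
    }
    prot = page_prot((uintptr_t)buf);
    munmap(buf, len);
    return prot;
}

int main(void)
{
    printf("stack executable:  %d\n", (stack_prot() & PROT_EXEC) != 0);
    printf("heap executable:   %d\n", (heap_prot() & PROT_EXEC) != 0);
    printf("code executable:   %d\n", (code_prot() & PROT_EXEC) != 0);
    printf("staged, no flip:   %d\n", (staged_buffer_prot(0) & PROT_EXEC) != 0);
    printf("staged, after flip:%d\n", (staged_buffer_prot(1) & PROT_EXEC) != 0);
    return 0;
}
```

Software that jumps into the staged buffer without the flip takes a fault on the first instruction fetch, with no malware involved, which is the incompatibility the post describes.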
#39
On Sun, 21 Aug 2005 16:13:34 GMT, Leythos wrote:

> says...
> Go to any other computer with Win XP and DEP, do the same test, if it doesn't have the same issue then your machine is screwed - that's as simple and non-technical as it can get.

Einstein said "things should be made as simple as possible, but no simpler" - and then proceeded to stick minute and seemingly-irrelevant factors based on the speed of light into perfectly good Newtonian equations. They only mattered at extremes that were rare on Earth.

> I've got 8 machines I just checked on and we have no problems.

The point is, if his "brand new Dell" is also using a brand new Intel Pentium 4 with hardware DEP support, and he compares mileage with a year-old Dell that lacks hardware DEP support, his mileage will vary alright - but not because his "machine is screwed".

--------------- ------- ----- ---- --- -- - - - -
When your mind goes blank, remember to turn down the sound
--------------- ------- ----- ---- --- -- - - - -
#40
On Mon, 22 Aug 2005 02:07:24 GMT, Leythos wrote:

> says...
>> The point is, if his "brand new Dell" is also using a brand new Intel Pentium 4 with hardware DEP support, and he compares mileage with a year-old Dell that lacks hardware DEP support, his mileage will vary alright - but not because his "machine is screwed".
>
> And if his brand-new Dell can't run Wordpad and IE then there is something wrong, because it didn't ship that way.

I'm with you there.

Did it ship with XP SP2?

Did the original install disable DEP via Boot.ini?

Has some non-DEP-compatible app been installed?

Is there a code file broken in such a way as to fall foul of DEP?

If all of that model did ship this way, we'd have heard about it by now. So it's likely to be something like one of the above, or a subtle hardware issue that's progressively developed since delivery.

-------------------- ----- ---- --- -- - - - -
Tip Of The Day: To disable the 'Tip of the Day' feature...
-------------------- ----- ---- --- -- - - - -
#41
Would someone please comment on Microsoft's KB article which addresses this issue? (http://support.microsoft.com/default...b;en-us;875351 ). This article seems to acknowledge a problem with DEP. Now that I disabled it for IE, it is not displaying any signs of malware (i.e. slow speed or any strange behavior). In fact, the download speed is quite impressive for dialup.

Thanks.

Bryan.

"Leythos" wrote:

> In article , says...
>> Earlier on, it sounded as if you suspected an underlying hardware problem - in which case, this is a recipe for disaster; you go from a code base that mainly predates the start of the hardware issues, and replace it with a code base 100% subjected to those issues.
>
> I've never mentioned hardware in this thread, except to suggest a NAT box as a border device - until it was pointed out the OP is on Dial-Up.
>
> --
> remove 999 in order to email me