Brand new Dell - already infected?

cquirke (MVP Windows shell/user)

On Thu, 18 Aug 2005 15:06:06 -0700, "bryan"
> I MAY HAVE FOUND THE PROBLEM. There is a program called Data Execution
> Prevention (DEP).

Ah! OK - are you on an AMD processor that supports DEP?

DEP isn't a program as such; it's a capability built into some
processors, starting with AMD and now with Intel playing catch-up. XP
understands DEP, starting with SP2 (pre-SP2 had no DEP awareness).

What DEP does, is to bring back an old concept; that data and
instructions should be kept separate, so that data is never executed
as processor instructions. This kills a common exploit pattern,
where code is contained within malformed data that overruns beyond
where it should be, causing the system to run it as code.

The trouble is, some programs fall foul of this - especially some
antivirus apps that may "sample" material as code to assess it for
potentially malicious behavior.

You can disable SP2's DEP awareness via a parameter entered after the
partition OS loader line in C:\Boot.ini, or add a copy of that line
with the parameter added, so you can choose which mode to start up
with. But do research that syntax carefully; a botched C:\BOOT.INI
can prevent XP from booting at all, and that's bad news on NTFS.


--------------- ----- ---- --- -- - - -
Who is General Failure and
why is he reading my disk?

Leythos

> 2) It takes longer to troubleshoot a recurrence
>
> If you "just" wipe and re-install everything, and then promptly get
> re-infected, then what are you going to do - what I did in the first
> place? Or are you going to live "Groundhog Day" forever?
>
> If I have to spend time, and can do so in two different ways, I'll
> choose the way that teaches me something, and that makes it less
> likely for me to have to fight the same battle all over again ;-)

Well, the OP has been given TONS of advice in this thread and now has
about 1000000 AV scanners at his disposal, in addition to having things
explained to him about security.

There is a good chance, if the OP were to follow the instructions in
this thread, that he would not get compromised again - did you miss all
of it and just come in at the end of the thread?

Guest

Good Evening,
Right-on Cquirke regarding your point #2: reinstalling would have
resulted in spinning my wheels since I strongly felt that the problem was on
the computer 'out of the box' - which it was. I followed the help file
instructions in order to disable DEP for IE. Everything is now working -
even Access. Before disabling DEP, I created a 3 line wordpad file consisting
of ABC, testing and 123. DEP even shut down this file. ONE QUESTION REGARDING
DAVID's AV arsenal: If I need to run this series of AV programs in the future
(I hope not!!!!!), should I re-download the files in order to get the latest
definitions? Thanks again to all of you. Bryan

MAP

> There is a good chance, if the OP were to follow the instructions in
> this thread, that he would not get compromised again - did you miss all
> of it and just come in at the end of the thread?

My God man the op never was compromised in the first place!

David H. Lipman

From: "bryan" <[email protected]>

| Good Evening,
| Right-on Cquirke regarding your point #2: reinstalling would have
| resulted in spinning my wheels since I strongly felt that the problem was on
| the computer 'out of the box' - which it was. I followed the help file
| instructions in order to disable DEP for IE. Everything is now working -
| even Access. Before disabling DEP, I created a 3 line wordpad file consisting
| of ABC, testing and 123. DEP even shut down this file. ONE QUESTION REGARDING
| DAVID's AV arsenal: If I need to run this series of AV programs in the future
| (I hope not!!!!!), should I re-download the files in order to get the latest
| definitions? Thanks again to all of you. Bryan
|

Bryan:

The scripts will automatically download new AV signature and scanner files as needed.

If you want to do another "On Demand" scan, just choose an AV vendor module (McAfee, Trend or
Sophos).

Occasionally I do post new versions of the Multi_AV.exe file. Every so often you can
download a new version and execute it to update your version.

Version information is kept in; C:\AV-CLS\readme.txt
The present version is; v2.26

Guest

Hi David,
I just wanted to take a moment to thank you again for your assistance.
Take care.

Leythos

> My God man the op never was compromised in the first place!

Nice of you to not follow the entire post that it was a reply to - the
chap asked about how reinstalling would have kept him from being
compromised again - but you missed that.

Leythos

> Good Evening,
> Right-on Cquirke regarding your point #2: reinstalling would have
> resulted in spinning my wheels since I strongly felt that the problem was on
> the computer 'out of the box' - which it was. I followed the help file
> instructions in order to disable DEP for IE. Everything is now working -
> even Access. Before disabling DEP, I created a 3 line wordpad file consisting
> of ABC, testing and 123. DEP even shut down this file. ONE QUESTION REGARDING
> DAVID's AV arsenal: If I need to run this series of AV programs in the future
> (I hope not!!!!!), should I re-download the files in order to get the latest
> definitions? Thanks again to all of you. Bryan

I hate to say this, but if you had to modify DEP to get Wordpad to work,
then you still have problems with your computer - something is
definitely NOT right with it.

I've never seen a computer yet that required any changes to DEP, and
we've got more than 1000 of them running XP with SP2.

Since AV wasn't your issue, and since you still don't know what the
actual problem is, I would suggest that in order to prevent additional
problems that you do a factory restore on the machine. We've got tons of
Dell systems and, again, nothing with DEP had/has to be changed.

Before you write back and say it's working fine - consider what you
actually did and why you had to do it with Wordpad, and remember that no
one has reported needing to modify DEP for Wordpad that I've read
anywhere.

Leythos

> Leythos,
>
> I located the article in the Microsoft Knowledgebase;
>
> You receive a "Data Execution Prevention" error message in Windows XP
> Service Pack 2 or in Windows XP Tablet PC Edition 2005
> (875351) - Describes the Data Execution Prevention feature in Windows XP
> Service Pack 2 and why the feature may generate an error message.
> http://support.microsoft.com/default.aspx?scid=kb;en-us;875351

In all of this I've not seen the OP post anything about using "Tablet PC
Edition 2005".

cquirke (MVP Windows shell/user)

(e-mail address removed) says...
> I hate to say this, but if you had to modify DEP to get Wordpad to work,
> then you still have problems with your computer - something is
> definitely NOT right with it.

Are you thinking of a hardware issue, then?

I still think this could be av, in that av will be active whenever you
"open" anything. If the way the av handles material picks a fight
with DEP, you may see problems - or just spontaneously restart, if the
duhfault XP "Restart on system errors" setting's still in effect.

> I've never seen a computer yet that required any changes to DEP, and
> we've got more than 1000 of them running XP with SP2.

It's been one of the themes post-SP2. Not as common as some problems,
but common enough to come to mind. As to 1000 PCs, it's a bit like a
comment I heard between two academic professionals discussing a third:
- "He's been in that post for 12 years, so he has the experience..."
- ' Yes, but is that 12 years' experience, or 1 year 12 times? '

IOW, if those 1000 PCs are all in one corporate network with
tightly-controlled settings, apps, the same av rolled out throughout
the organisation, same hardware vendors, etc. then there may be plenty
of configurations you haven't had experience with.

That's certainly my case; none of the kit I use is currently
DEP-capable, so understandably I haven't seen the issue first-hand.

> Since AV wasn't your issue,

How do you conclude that? I don't remember really seeing that
excluded, though I may have missed something.

> and since you still don't know what the actual problem is, I would
> suggest that in order to prevent additional problems that you do a
> factory restore on the machine.

Nah, I still think that's one of the worst ideas I've heard so far.

Earlier on, it sounded as if you suspected an underlying hardware
problem - in which case, this is a recipe for disaster; you go from a
code base that mainly predates the start of the hardware issues, and
replace it with a code base 100% subjected to those issues.

As to malware, falling back to unpatched status is likely to make
re-infection a lot easier too.

As to DEP, then falling back to pre-SP2 code is going to "fix the
problem" the same way as disabling DEP would do, but with FAR more
side-effects and lost protection. Disabling DEP leaves him with an
SP2 code base and no DEP, whereas your "solution" drops him back to
who knows what exploitable patch level.

> We've got tons of Dell systems and, again, nothing with DEP
> had/has to be changed.

Dell are Intel, whereas AMD were the initiators of DEP hardware
support, with Intel recently catching up. So experience on Dell
systems up to a year ago isn't going to expose you to DEP issues.

> Before you write back and say it's working fine - consider what you
> actually did and why you had to do it with Wordpad, and remember that no
> one has reported needing to modify DEP for Wordpad that I've read
> anywhere.

Hint: Background tasks :)

It's not Wordpad that's likely to be crashing on DEP, as much as the
av that scans Wordpad when it starts, and the document file that
Wordpad opens and closes - especially if that's a .doc

Really, if using the relevant Boot.ini parameter to suppress DEP
support solves the problem, then he's in good company with a familiar
issue, and the fix is a lot cleaner than "just" re-install.

Let's Google this stuff... Google(XP SP2 DEP):

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2mempr.mspx

http://support.microsoft.com/kb/875352

http://www.tech-recipes.com/windows_tips566.html

Zone Alarm has some issues with DEP:

http://www.zonelabs.com/store/content/company/products/xpInfoCenter/faq.jsp?lid=ts_xpsp2faq

ProTools has problems with DEP:

http://www.digidesign.com/compato/xp/os.cfm

F-Secure has problems with DEP:

http://support.f-secure.com/enu/corporate/supportissue/general/xpsp2.shtml

Kaspersky av and DEP:

http://gladiator-antivirus.com/forum/index.php?showtopic=17753

Dongles screw up on DEP:

http://www.scala.com/miscellaneous-faq/miscellaneous-faq-index.html

OK... I think we see the trend here; usually new versions from vendors
to fix issues with DEP. So what I'd do is:
- build a list of what software's running on the box
(especially underfootware)
- test suppressing these in MSConfig
- if offender's identified, check that vendor's FAQs etc. on DEP
- stay off the 'net while firewall and av are disabled

You may need more than MSConfig on this, as that doesn't cover all
possible underfootware integration points. You can use HiJackThis,
SystemInternals tools, Faber Toys or NirSoft's utilities to get a
better handle on what's running in the background, or as a side-effect
of (say) listing files in Explorer or even a File Open dialog box.




------------ ----- ---- --- -- - - - -
The most accurate diagnostic instrument
in medicine is the Retrospectoscope

Leythos

> IOW, if those 1000 PCs are all in one corporate network with
> tightly-controlled settings, apps, the same av rolled out throughout
> the organisation, same hardware vendors, etc. then there may be plenty
> of configurations you haven't had experience with.

My experience and depth is based on hundreds of different
sites/installations over the last X years. It includes about 90 different
platform setups (hardware/software/apps/security/av....) at this time
and grows every week.

Not to mention all of the friends/family I support who are not in
controlled environments by their own choice.

Leythos

> Earlier on, it sounded as if you suspected an underlying hardware
> problem - in which case, this is a recipe for disaster; you go from a
> code base that mainly predates the start of the hardware issues, and
> replace it with a code base 100% subjected to those issues.

I've never mentioned hardware in this thread, except to suggest a NAT
box as a border device - until it was pointed out the OP is on Dial-Up.

Guest

RE:
> OK... I think we see the trend here; usually new versions from vendors
> to fix issues with DEP. So what I'd do is:
> - build a list of what software's running on the box
> (especially underfootware)
> - test suppressing these in MSConfig
> - if offender's identified, check that vendor's FAQs etc. on DEP
> - stay off the 'net while firewall and av are disabled

I just need some clarification on your suggestion. DEP was shutting down
notepad, wordpad, word and Access. When I disabled DEP for IE, all programs
worked fine. Before disabling DEP, I created a notepad file with 2 lines: abc
and 123. I saved it and re-opened it. DEP then shut it down. If DEP is
supposed to detect code of malware, what could it have detected between abc
and 123? If you really feel that I could be infected despite the fact that
everything is working fine, I am happy to conduct more tests. Please be kind
enough to be as non-technical as possible. And thank you very much for your
support. Bryan

Leythos

> I just need some clarification on your suggestion. DEP was shutting down
> notepad, wordpad, word and Access. When I disabled DEP for IE, all programs
> worked fine. Before disabling DEP, I created a notepad file with 2 lines: abc
> and 123. I saved it and re-opened it. DEP then shut it down. If DEP is
> supposed to detect code of malware, what could it have detected between abc
> and 123? If you really feel that I could be infected despite the fact that
> everything is working fine, I am happy to conduct more tests. Please be kind
> enough to be as non-technical as possible. And thank you very much for your
> support. Bryan

Go to any other computer with Win XP and DEP, do the same test, if it
doesn't have the same issue then your machine is screwed - that's as
simple and non-technical as it can get.

I've got 8 machines I just checked on and we have no problems.

cquirke (MVP Windows shell/user)

On Sat, 20 Aug 2005 22:04:02 -0700, "bryan"
> RE:
>> OK... I think we see the trend here; usually new versions from vendors
>> to fix issues with DEP. So what I'd do is:
>> - build a list of what software's running on the box
>> (especially underfootware)
>> - test suppressing these in MSConfig
>> - if offender's identified, check that vendor's FAQs etc. on DEP
>> - stay off the 'net while firewall and av are disabled
>
> I just need some clarification on your suggestion. DEP was shutting down
> notepad, wordpad, word and Access. When I disabled DEP for IE, all programs
> worked fine. Before disabling DEP, I created a notepad file with 2 lines: abc
> and 123. I saved it and re-opened it. DEP then shut it down.

OK

> If DEP is supposed to detect code of malware

No, that's the intended application of DEP, but that's not what DEP
does - it's what we imply from what it does.

At a hardware level, it's possible to tell whether a processor is
reading instructions or data from RAM - or to put it another way,
whether a byte that's read from RAM is going into the program register
that interprets it as code, or some other register that will treat it
as data. It's the difference between being touched by a spider's
foot, or the spider's mandibles.

Since the days of DOS, programs were supposed to store data in data
segments in RAM, and code in code segments. It was considered bad
programming practice to mix data and code in the same memory segment,
or write "self-modifying" code, i.e. where a program writes different
instructions into memory and then runs into them and runs them.

But you know what it's like; we aren't supposed to drive on pavements
but sometimes we take a short cut or two, or park there for a while.

This creates opportunities for malware to break the rules, i.e. enter
a system ostensibly as "just data", and yet end up being run as raw
code, if they happened to be shaped right. Think of the way we catch
fish on baited hooks... if there's a mix of code and data, and my
"data" is big enough to run over the next part which is code, then
eventually when the processor hits that, it will run me as code.

Once I get control, then that exploit code has to enter the body of my
code, which is probably held in an area of RAM that's supposed to be
for data. It is here that DEP steps in and says "that's not allowed".

At least, that's how I think it works... I'd have preferred it to
block whatever wrote that spiky data into code space, but AFAIK that's
not what it does. Anyway, the effect is similar to pavements suddenly
being mined, so whenever sloppy programmers take a "short cut", they
get caught out by DEP.

The other problem is that certain types of code need to break the
rules that DEP enforces, or rather, it used to be SOP for them to do
so and now they have to change the way they work. This is where av
comes in - because malware code can evade signature recognition in
various ways, an av might sample some code into its own data space,
break it up into short runs that are safe to run, one piece at a time,
and then run it there. If that is seen as "running code in data
space" by DEP, then DEP will stomp on that too.

So - we have situations where software can fall foul of DEP without
any actual malware being involved at all.

Why notepad, wordpad, word and Access? Either due to some shared code
library common to all of them (i.e. DLLs like Riched.dll, MSVCRT.DLL,
MFC42.DLL etc. that are built into the programming language support
code that they were written in), or antivirus activity that arises in
the course of what these apps do.

For example, common to all of these may be MS Office "data" file
formats. MS Office is notorious for bringing auto-running macros into
"data" files, thus single-handedly creating the space for a whole new
generation of malware to play in. Every MS Office data file type can
pose this risk, including Access's .mdb "database" files and Word's
.doc "document" files. If the av sees a .doc being touched, whether
it's by Word, Wordpad or Notepad, it will take an interest.

Macro languages such as used in scripts, HTML and MS Office "data"
files are all interpreted, and are simple to write. That means
wherever the malware goes, it goes in editable form; it's easy to
change it a bit and perhaps cause signature-matching to fail. So it's
easy to see that av might "run" these things to look for malicious
behavior, rather than just read it as data and compare it to mugshots.

But DEP wouldn't kick in if the av was parsing these things as macros,
because macros are interpreted in software, not "eaten" by the
processor as raw code. Think of being picked up by a spider's leg
(data access) and then dropped into its mandibles :)

In any event, I'd try these tests:
- DEP on, but testing in Safe Mode
- DEP on, testing with full MS Config suppression
- DEP on, normal Windows, but av disabled (be offline)
- DEP on, normal Windows, av active as usual (should fail)

If all of those fail, I'd suspect an issue within common shared code
libraries - and you may find a damaged .DLL (e.g. that was "fixed" by
AutoChk) that's involved, with DEP as simply the messenger.

If everything works as long as the av's off, then check av vendor for
a patch. When we first saw these issues with SP2, only AMD had
processors supporting DEP - that's why experience with Dell may not
expose you to this, at first - but now Intel has DEP support as well.

There are broadly three kinds of DEP: AMD's NX (No eXecute), Intel's
new equivalent of NX, and "software DEP" that relies on MS's software
logic to figure out what's going on. I don't think these can be
selectively disabled, but they may fail in different ways - and if so,
with Intel being the newest, we may see new failure patterns.

> If you really feel that I could be infected despite the fact that
> everything is working fine, I am happy to conduct more tests.

I don't think you're infected, so much as in the teeth of an
incompatibility. It's also possible that a broken .DLL was causing a
wild jump into data space that hit a RET (Return) statement and
carried on working before, but now gets caught in data space by DEP.

> Please be kind enough to be as non-technical as possible.

Ooops

> And thank you very much for your support. Bryan

Thanks! That will make Leythos's flameage easier to bear :)

I'm working full time with PCs too, but I don't build AMD (I like the
CPUs, but most of the motherboard chipsets give me the creeps) and so
I've yet to see any DEP issues first hand. I've come across them when
other folks have raised them - at which point I could have either said
"bah humbug, I've never seen that" or I could say "tell me more".

Intel's doing DEP now, and even the humble Celerons are now doing the
64-bit support thing these days. So soon, I may be personally
enlightened... lucky me :-/


-------------------- ----- ---- --- -- - - - -
Tip Of The Day:
To disable the 'Tip of the Day' feature...
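An added example, not code from the thread, of the page-permission behaviour cquirke describes above: the processor is asked to fetch instructions from memory that was mapped as data, and then from the same bytes after the program has explicitly marked the page as code. It is written for Linux/POSIX on x86 or arm64 rather than XP, and the function name run_from_page and the byte strings are my own.

```c
/* Added example (not from the thread): what DEP / NX enforces at the page
 * level, shown on Linux/POSIX (x86 or arm64) rather than XP. The same harmless
 * bytes go into a page mapped as data (read/write) and then into one re-marked
 * as code (read/execute), and the CPU is asked to run them both times. From the
 * data page the fetch faults no matter what the bytes are: DEP inspects nothing,
 * it only refuses to execute memory that was never marked as code. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Machine code for "return 42" - something innocuous to execute. */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char ret42[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 }; /* mov eax,42; ret */
#elif defined(__aarch64__)
static const unsigned char ret42[] = { 0x40, 0x05, 0x80, 0x52,   /* mov w0,#42 */
                                       0xC0, 0x03, 0x5F, 0xD6 }; /* ret */
#else
#error "demo only encodes x86 and arm64"
#endif

static sigjmp_buf fault_env;

/* SIGSEGV arrives when the CPU tries to fetch instructions from a page without
 * execute permission; jump back out instead of letting the process die. */
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Copy ret42 into a fresh page and call it. Returns 42 if it ran, -1 if the
 * CPU refused (the NX/DEP case), -2 if the page could not be set up. */
int run_from_page(int as_code)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, len, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -2;
    memcpy(page, ret42, sizeof ret42);   /* so far these bytes are "just data" */
    if (as_code) {
        /* A program that legitimately runs generated code (a JIT, or an av
         * sampling a snippet as the thread describes) must say so explicitly:
         * flip the page from writable to executable, W^X style. */
        if (mprotect(page, len, PROT_READ | PROT_EXEC) != 0) { munmap(page, len); return -2; }
        __builtin___clear_cache((char *)page, (char *)page + sizeof ret42);
    }
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    volatile int result;
    if (sigsetjmp(fault_env, 1) == 0) {
        int (*fn)(void) = (int (*)(void))page;
        result = fn();                   /* instruction fetch from the page */
    } else {
        result = -1;                     /* faulted: a data page was executed */
    }
    sigaction(SIGSEGV, &old, NULL);
    munmap(page, len);
    return result;
}

int main(void)
{
    printf("bytes run from a data page: %d (expect -1, blocked)\n", run_from_page(0));
    printf("bytes run from a code page: %d (expect 42)\n", run_from_page(1));
    return 0;
}
```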

cquirke (MVP Windows shell/user)

(e-mail address removed) says...
> Go to any other computer with Win XP and DEP, do the same test, if it
> doesn't have the same issue then your machine is screwed - that's as
> simple and non-technical as it can get.

Einstein said "things should be made as simple as possible, but no
simpler" - and then proceeded to stick minute and seemingly-irrelevant
factors based on the speed of light into perfectly good Newtonian
equations. They only mattered at extremes that were rare on Earth.

> I've got 8 machines I just checked on and we have no problems.

The point is, if his "brand new Dell" is also using a brand new Intel
Pentium 4 with hardware DEP support, and he compares mileage with a
year-old Dell that lacks hardware DEP support, his mileage will vary
alright - but not because his "machine is screwed".


--------------- ------- ----- ---- --- -- - - - -
When your mind goes blank, remember to turn down the sound

Leythos

> The point is, if his "brand new Dell" is also using a brand new Intel
> Pentium 4 with hardware DEP support, and he compares mileage with a
> year-old Dell that lacks hardware DEP support, his mileage will vary
> alright - but not because his "machine is screwed".

And if his brand-new Dell can't run Wordpad and IE then there is
something wrong, because it didn't ship that way.

cquirke (MVP Windows shell/user)

(e-mail address removed) says...

> And if his brand-new Dell can't run Wordpad and IE then there is
> something wrong, because it didn't ship that way.

I'm with you there.

Did it ship with XP SP2?
Did the original install disable DEP via Boot.ini?
Has some non-DEP-compatible app been installed?
Is there a code file broken in such a way as to fall foul of DEP?

If all of that model did ship this way, we'd have heard about it by
now. So it's likely to be something like one of the above, or a
subtle hardware issue that's progressively developed since delivery.


-------------------- ----- ---- --- -- - - - -
Tip Of The Day:
To disable the 'Tip of the Day' feature...