
Brand new Dell - already infected?

August 16, 2005 7:44:01 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

I just purchased a new Dell Dimension 9100 (new line for Dell). I loaded
Mcafee VirusScan, Firewall and Privacy Service and then downloaded updates
for all of the preceding Mcafee programs (there were many). I also
downloaded all critical Windows Security downloads. Everything is working fine
except when I work with wordpad/notepad/word or other Microsoft programs. At
random, when I open these files, I receive IE shutdown errors. I created a new
wordpad and
notepad file, saved both and re-opened them: everything seemed fine. Then I
ran Windows Explorer and when I tried to open the wordpad file with explorer,
I received IE shutdown errors. The error report included:
C:\DOCUME~1\HBT\LOCALS~1\Temp\WERed75.dir00\drwtsn32.exe.mdmp
C:\DOCUME~1\HBT\LOCALS~1\Temp\WERed75.dir00\appcompat.txt. The HBT directory
is one that was created when I first turned on my Dell and went through the
initial installation wizard. The errors do not seem to take place along any
specific pattern which makes this reek of malware. Any advice would be
greatly appreciated. I ran McAfee virusscan and no problems were found. I
also installed and ran Spybot S&D and Adaware, but no problems were found.
Any advice would be GREATLY APPRECIATED! Bryan


August 16, 2005 8:57:29 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

bryan wrote:
> I just purchased a new Dell Dimension 9100 (new line for Dell). I loaded
> Mcafee VirusScan, Firewall and Privacy Service and then downloaded updates
> for all of the preceding Mcafee programs (there were many). I also
> downloaded all critical Windows Security downloads. Everything is working fine
> except when I work with wordpad/notepad/word or other Microsoft programs. At
> random, when I open these files, I receive IE shutdown errors. I created a new
> wordpad and
> notepad file, saved both and re-opened them: everything seemed fine. Then I
> ran Windows Explorer and when I tried to open the wordpad file with explorer,
> I received IE shutdown errors. The error report included:
> C:\DOCUME~1\HBT\LOCALS~1\Temp\WERed75.dir00\drwtsn32.exe.mdmp
> C:\DOCUME~1\HBT\LOCALS~1\Temp\WERed75.dir00\appcompat.txt. The HBT directory
> is one that was created when I first turned on my Dell and went through the
> initial installation wizard. The errors do not seem to take place along any
> specific pattern which makes this reek of malware. Any advice would be
> greatly appreciated. I ran McAfee virusscan and no problems were found. I
> also installed and ran Spybot S&D and Adaware, but no problems were found.
> Any advice would be GREATLY APPRECIATED! Bryan
>
For a brand new Dell you should be calling Dell Tech Support. You
paid for their service in the price of the PC.
August 16, 2005 10:09:21 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Dell tech support does not want to help me despite my support agreement. They
told me that this is a problem with Microsoft programs which is not covered
(which I do not believe). In a prior call, they gave me bad information.
Maybe I spoke to a new person, but for now I guess I will try the above
suggestions. Bryan

"Alan" wrote:

> For a brand new Dell you should be calling Dell Tech Support. You
> paid for their service in the price of the PC.
>
August 16, 2005 10:31:01 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

I am not very technical and am not sure what these instructions mean. When I
run the command it gives me the choices you state. Do I select Mcafee? Will
this run a scan that is external to Mcafee? I'm confused.

"bryan" wrote:

> Dell tech support does not want to help me despite my support agreement. They
> told me that this is a problem with Microsoft programs which is not covered
> (which I do not believe). In a prior call, they gave me bad information.
> Maybe I spoke to a new person, but for now I guess I will try the above
> suggestions. Bryan
Anonymous
August 16, 2005 10:48:27 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

From: "bryan" <bryan@discussions.microsoft.com>

| I just purchased a new Dell Dimension 9100 (new line for Dell). I loaded
| Mcafee VirusScan, Firewall and Privacy Service and then downloaded updates
| for all of the preceding Mcafee programs (there were many). I also
| downloaded all critical Windows Security downloads. Everything is working fine
| except when I work with wordpad/notepad/word or other Microsoft programs. At
| random, when I open these files, I receive IE shutdown errors. I created a new
| wordpad and
| notepad file, saved both and re-opened them: everything seemed fine. Then I
| ran Windows Explorer and when I tried to open the wordpad file with explorer,
| I received IE shutdown errors. The error report included:
| C:\DOCUME~1\HBT\LOCALS~1\Temp\WERed75.dir00\drwtsn32.exe.mdmp
| C:\DOCUME~1\HBT\LOCALS~1\Temp\WERed75.dir00\appcompat.txt. The HBT directory
| is one that was created when I first turned on my Dell and went through the
| initial installation wizard. The errors do not seem to take place along any
| specific pattern which makes this reek of malware. Any advice would be
| greatly appreciated. I ran McAfee virusscan and no problems were found. I
| also installed and ran Spybot S&D and Adaware, but no problems were found.
| Any advice would be GREATLY APPRECIATED! Bryan


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } three batch files, five Kixtart scripts, one Link
(.LNK) file, a PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using; Sophos, Trend and McAfee Anti Virus Command Line Scanners to
remove viruses, Trojans and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site.
The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
August 17, 2005 1:40:10 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

From: "bryan" <bryan@discussions.microsoft.com>

| I am not very technical and am not sure what these instructions mean. When I
| run the command it gives me the choices you state. Do I select Mcafee? Will
| this run a scan that is external to Mcafee? I'm confused.

If you choose; McAfee, Trend or Sophos it will automatically go to the respective AV
vendor's web site and download the needed AV command line scanner and signature files. Upon
the download completion and the file extraction (they are distributed in archive formats),
it will ask if you want to run a scan. If the answer is YES, it will then ask if you want to
scan a particular location (such as F: or d:\program files ) either way it will scan either
the selected location or all hard disks and clean the PC of infectors accordingly.

The Multi AV Scanner front end utility will keep the three vendor's files up-to-date and
is an excellent "On Demand" anti virus scanner utility.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
August 17, 2005 1:40:11 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Dave,
Thank you for your help. I ran the scan for Mcafee in normal mode and
here are the results:

Scanning C: []
Scanning C:\*.*

Summary report on C:\*.*
File(s)
Total files: ........... 137953
Clean: ................. 137808
Possibly Infected: ..... 0
Cleaned: ............... 0
Non-critical Error(s): 2
Master Boot Record(s): ......... 1
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0


Time: 00:24.49

I ran the c:\AV_CLS\startmenu.BAT and then answered Y to run the scan.
Should I repeat the same steps in safe mode?

"David H. Lipman" wrote:

> From: "bryan" <bryan@discussions.microsoft.com>
>
> | I am not very technical and am not sure what these instructions mean. When I
> | run the command it gives me the choices you state. Do I select Mcafee? Will
> | this run a scan that is external to Mcafee? I'm confused.
>
> If you choose; McAfee, Trend or Sophos it will automatically go to the respective AV
> vendor's web site and download the needed AV command line scanner and signature files. Upon
> the download completion and the file extraction (they are distributed in archive formats),
> it will ask if you want to run a scan. If the answer is YES, it will then ask if you want to
> scan a particular location (such as F: or d:\program files ) either way it will scan either
> the selected location or all hard disks and clean the PC of infectors accordingly.
>
> The Multi AV Scanner front end utility will keep the three vendor's files up-to-date and
> is an excellent "On Demand" anti virus scanner utility.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>
Anonymous
August 17, 2005 5:28:26 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

In article <FFB8E749-B11B-4C6D-9A43-F00BAF4D77BC@microsoft.com>,
bryan@discussions.microsoft.com says...
> Dell tech support does not want to help me despite my support agreement. They
> told me that this is a problem with Microsoft programs which is not covered
> (which I do not believe). In a prior call, they gave me bad information.
> Maybe I spoke to a new person, but for now I guess I will try the above
> suggestions. Bryan

What type of internet connection do you have?

If you have DSL or Cable, then get a NAT Router to connect between your
ISP's router and your computer - this will let you reinstall Windows and
everything else without being compromised in the process.

--

spam999free@rrohio.com
remove 999 in order to email me
Anonymous
August 17, 2005 7:01:14 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

In article <#uCxcysoFHA.568@TK2MSFTNGP10.phx.gbl>,
DLipman~nospam~@Verizon.Net says...
> If you choose; McAfee, Trend or Sophos it will automatically go to the respective AV
> vendor's web site and download the needed AV command line scanner and signature files.

NO IT WON'T - Mcrappy requires you to register the product and agree to a
control being installed before you can get automatic updates. I've seen
more McCrappy protected machines infected due to their now doing
automatic updates without registration.


--

spam999free@rrohio.com
remove 999 in order to email me
August 17, 2005 7:01:15 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

I rebooted into safe mode and ran C:\AV_CLS\Startmenu.bat. The results were
similar:

Summary report on C:\*.*
File(s)
Total files: ........... 137950
Clean: ................. 137823
Possibly Infected: ..... 0
Cleaned: ............... 0
Non-critical Error(s): 2
Master Boot Record(s): ......... 1
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0

What should I do next?

"Leythos" wrote:

> In article <#uCxcysoFHA.568@TK2MSFTNGP10.phx.gbl>,
> DLipman~nospam~@Verizon.Net says...
> > If you choose; McAfee, Trend or Sophos it will automatically go to the respective AV
> > vendor's web site and download the needed AV command line scanner and signature files.
>
> NO IT WON'T - Mcrappy requires you to register the product and agree to a
> control being installed before you can get automatic updates. I've seen
> more McCrappy protected machines infected due to their now doing
> automatic updates without registration.
>
>
> --
>
> spam999free@rrohio.com
> remove 999 in order to email me
>
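Added example, not part of the original thread: a small parser for the two scan summaries posted above, which reports detections alongside the number of files that were counted but not reported as clean, possibly infected, or cleaned. The report layout is taken from the posts; the function and variable names are hypothetical.

```python
import re

# Scan summaries as posted in this thread (copied from the posts, not re-run).
NORMAL_MODE = r"""
Summary report on C:\*.*
File(s)
Total files: ........... 137953
Clean: ................. 137808
Possibly Infected: ..... 0
Cleaned: ............... 0
Non-critical Error(s): 2
Master Boot Record(s): ......... 1
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0
"""

SAFE_MODE = r"""
Summary report on C:\*.*
File(s)
Total files: ........... 137950
Clean: ................. 137823
Possibly Infected: ..... 0
Cleaned: ............... 0
Non-critical Error(s): 2
Master Boot Record(s): ......... 1
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0
"""

# Headers that open a section. "File(s)" appears bare; the two boot-area
# headers carry their own count on the same line.
SECTIONS = {
    "File(s)": "files",
    "Master Boot Record(s)": "mbr",
    "Boot Sector(s)": "boot",
}

# "Label: ..... 123" -> ("Label", "123"); the dot leader is optional.
FIELD = re.compile(r"^([^:]+):[\s.]*(\d+)$")


def parse_summary(text):
    """Return {section: {label: int}}; repeated labels such as
    'Possibly Infected' are attributed to the most recent section header."""
    report, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:                      # bare header
            section = SECTIONS[line]
            report.setdefault(section, {})
            continue
        m = FIELD.match(line)
        if not m:                                 # e.g. "Summary report on C:\*.*"
            continue
        label, value = m.group(1).strip(), int(m.group(2))
        if label in SECTIONS:                     # header with a count
            section = SECTIONS[label]
            report.setdefault(section, {})["count"] = value
        elif section is not None:
            report[section][label] = value
    return report


def triage(report):
    """Summarise what the scan did and did not account for."""
    files = report["files"]
    accounted = (files.get("Clean", 0)
                 + files.get("Possibly Infected", 0)
                 + files.get("Cleaned", 0))
    return {
        "detections": sum(s.get("Possibly Infected", 0) for s in report.values()),
        # Files in the total that have no verdict in the summary.
        "unaccounted": files["Total files"] - accounted,
        "errors": files.get("Non-critical Error(s)", 0),
    }


if __name__ == "__main__":
    for name, text in (("normal mode", NORMAL_MODE), ("safe mode", SAFE_MODE)):
        print(name, triage(parse_summary(text)))
```

Both runs show zero detections, but 145 files in normal mode and 127 in Safe Mode have no verdict in the summary; the summary itself does not say why.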
Anonymous
August 17, 2005 7:02:54 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

In article <9BF816F2-AF29-4E66-8874-5EC3A994D70D@microsoft.com>,
bryan@discussions.microsoft.com says...
> I ran the c:\AV_CLS\startmenu.BAT and then answered Y to run the scan.
> Should I repeat the same steps in safe mode?

Did you open McCrappy, and select Update? If you did, did you complete
the registration in order to get the updates?

If you didn't complete the on-line registration then you have little
protection.

And yes, it's always best to run AV scans on suspected machines in Safe
Mode.

--

spam999free@rrohio.com
remove 999 in order to email me
Anonymous
August 17, 2005 2:12:21 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

From: "bryan" <bryan@discussions.microsoft.com>

| Dave,
| Thank you for your help. I ran the scan for Mcafee in normal mode and
| here are the results:
|
| Scanning C: []
| Scanning C:\*.*
|
| Summary report on C:\*.*
| File(s)
| Total files: ........... 137953
| Clean: ................. 137808
| Possibly Infected: ..... 0
| Cleaned: ............... 0
| Non-critical Error(s): 2
| Master Boot Record(s): ......... 1
| Possibly Infected: ..... 0
| Boot Sector(s): ................ 1
| Possibly Infected: ..... 0
|
| Time: 00:24.49
|
| I ran the c:\AV_CLS\startmenu.BAT and then answered Y to run the scan.
| Should I repeat the same steps in safe mode?

No. You could run Sophos and Trend Micro as a verification. The idea of running in Safe
Mode is if there is an infector found and it is easy to remove in Safe Mode. McAfee AV scan
found no viruses or non-viral malware -- that's good !

{ BTW: 138,000 files in 25 mins. nice speed ;-) }

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
August 17, 2005 2:12:22 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

No. You could run Sophos and Trend Micro as a verification. The idea of
running in Safe
Mode is if there is an infector found and it is easy to remove in Safe Mode.
McAfee AV scan
found no viruses or non-viral malware -- that's good !

ok David. I will try Sophos and Trend tonight, although I do not have Sophos
or Trend on my pc. Only Mcafee VirusScan, Privacy and Firewall along with
Spywareblaster for prevention.

"David H. Lipman" wrote:

> No. You could run Sophos and Trend Micro as a verification. The idea of running in Safe
> Mode is if there is an infector found and it is easy to remove in Safe Mode. McAfee AV scan
> found no viruses or non-viral malware -- that's good !
>
> { BTW: 138,000 files in 25 mins. nice speed ;-) }
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>
Anonymous
August 17, 2005 2:14:39 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

From: "Leythos" <void@nowhere.lan>

| In article <#uCxcysoFHA.568@TK2MSFTNGP10.phx.gbl>,
| DLipman~nospam~@Verizon.Net says...
>> If you choose; McAfee, Trend or Sophos it will automatically go to the respective AV
>> vendor's web site and download the needed AV command line scanner and signature files.
|
| NO IT WON'T - Mcrappy requires you to register the product and agree to a
| control being installed before you can get automatic updates. I've seen
| more McCrappy protected machines infected due to their now doing
| automatic updates without registration.
|
| --
|
| spam999free@rrohio.com
| remove 999 in order to email me

They are NOT MS updates. This is my own scripted front end to McAfee and Sophos' Command
Line Scanners and Trend Micro's Sysclean utility. If you run the script it will provide a
menu and if you choose a scanner module it will do as I indicated.

Give it a shot Leythos !

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
August 17, 2005 3:35:45 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

In article <DD90F48F-3F10-481D-8C8F-B96D3BC0A6DF@microsoft.com>,
bryan@discussions.microsoft.com says...
> I rebooted into safe mode and ran C:\AV_CLS\Startmenu.bat. The results were
> similar:

But you didn't say if you registered McAfee or not? If you don't
register it, it won't have the updates to catch the latest bad things.



>
> Summary report on C:\*.*
> File(s)
> Total files: ........... 137950
> Clean: ................. 137823
> Possibly Infected: ..... 0
> Cleaned: ............... 0
> Non-critical Error(s): 2
> Master Boot Record(s): ......... 1
> Possibly Infected: ..... 0
> Boot Sector(s): ................ 1
> Possibly Infected: ..... 0
>
> What should I do next?


--

spam999free@rrohio.com
remove 999 in order to email me
August 17, 2005 3:35:46 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

When I installed Mcafee, I registered the product and downloaded ALL updates.
I am completely up-to-date with Mcafee. Sorry, I thought I had mentioned that
in my original post. Thanks. Now what do I do? Dell says they won't help me
unless I pay them $50 for special support (despite the fact that I have a
support agreement). I should have some support calls free from Microsoft -
right??? I think I'm starting to panic.

"Leythos" wrote:

> In article <DD90F48F-3F10-481D-8C8F-B96D3BC0A6DF@microsoft.com>,
> bryan@discussions.microsoft.com says...
> > I rebooted into safe mode and ran C:\AV_CLS\Startmenu.bat. The results were
> > similar:
>
> But you didn't say if you registered McAfee or not? If you don't
> register it, it won't have the updates to catch the latest bad things.
>
>
>
>
>
> --
>
> spam999free@rrohio.com
> remove 999 in order to email me
>
Anonymous
August 17, 2005 3:35:46 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

From: "Leythos" <void@nowhere.lan>

| In article <DD90F48F-3F10-481D-8C8F-B96D3BC0A6DF@microsoft.com>,
| bryan@discussions.microsoft.com says...
>> I rebooted into safe mode and ran C:\AV_CLS\Startmenu.bat. The results were
>> similar:
|
| But you didn't say if you registered McAfee or not? If you don't
| register it, it won't have the updates to catch the latest bad things.
|

NO Registration is needed !

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
August 17, 2005 3:51:52 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

From: "bryan" <bryan@discussions.microsoft.com>

| No. You could run Sophos and Trend Micro as a verification. The idea of
| running in Safe
| Mode is if there is an infector found and it is easy to remove in Safe Mode.
| McAfee AV scan
| found no viruses or non-viral malware -- that's good !
|
| ok David. I will try Sophos and Trend tonight, although I do not have Sophos
| or Trend on my pc. Only Mcafee VirusScan, Privacy and Firewall along with
| Spywareblaster for prevention.


Both the Trend Micro Sysclean and the Sophos command line scanner are in the Multi AV scanner
utility I posted.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
August 17, 2005 3:53:04 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

From: "bryan" <bryan@discussions.microsoft.com>

REPOST:



Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } three batch files, five Kixtart scripts, one Link
(.LNK) file, a PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using; Sophos, Trend and McAfee Anti Virus Command Line Scanners to
remove viruses, Trojans and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site.
The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
August 17, 2005 4:16:17 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

In article <4F70499B-62C3-43F4-8CDB-C830AB8F5BB8@microsoft.com>,
bryan@discussions.microsoft.com says...
> When I installed Mcafee, I registered the product and downloaded ALL updates.
> I am completely up-to-date with Mcafee. Sorry, I thought I had mentioned that
> in my original post. Thanks. Now what do I do? Dell says they won't help me
> unless I pay them $50 for special support (despite the fact that I have a
> support agreement). I should have some support calls free from Microsoft -
> right??? I think I'm starting to panic.

If your machine is compromised there is only one way to ensure it's
clean - load the system restore CDs and wipe everything. When we have
to certify that a machine is clean, we wipe the drive and reinstall from
scratch, that's the only way to be sure. No matter how many AV scans
you run, no matter how many spyware tools you use, they are all
"reactionary", meaning they don't always have a cure until it's already
been in the wild and exposed.

Since Dell doesn't have an obligation to support software you've
installed, and since you admitted to them that you messed it up, don't
feel bad about Dell wanting money to help you fix a software issue that
you created.

If you want it clean, wipe it and start over - this time get a NAT
device connected before you start, and don't surf anywhere until you get
all of the Windows Updates and your AV software installed - and Use
FireFox as a browser from now on.




--

spam999free@rrohio.com
remove 999 in order to email me
August 17, 2005 4:16:18 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

WAIT! I did NOT install any of the ms applications. My Dell came
pre-installed with xp sp2 and Microsoft Office. I did not mess ANYTHING up.
It came this way! Why do you say that I admitted to messing up?

"Leythos" wrote:

> In article <4F70499B-62C3-43F4-8CDB-C830AB8F5BB8@microsoft.com>,
> bryan@discussions.microsoft.com says...
> > When I installed Mcafee, I registered the product and downloaded ALL updates.
> > I am completely up-to-date with Mcafee. Sorry, I thought I had mentioned that
> > in my original post. Thanks. Now what do I do? Dell says they won't help me
> > unless I pay them $50 for special support (despite the fact that I have a
> > support agreement). I should have some support calls free from Microsoft -
> > right??? I think I'm starting to panic.
>
> If your machine is compromised there is only one way to ensure it's
> clean - load the system restore CDs and wipe everything. When we have
> to certify that a machine is clean, we wipe the drive and reinstall from
> scratch, that's the only way to be sure. No matter how many AV scans
> you run, no matter how many spyware tools you use, they are all
> "reactionary", meaning they don't always have a cure until it's already
> been in the wild and exposed.
>
> Since Dell doesn't have an obligation to support software you've
> installed, and since you admitted to them that you messed it up, don't
> feel bad about Dell wanting money to help you fix a software issue that
> you created.
>
> If you want it clean, wipe it and start over - this time get a NAT
> device connected before you start, and don't surf anywhere until you get
> all of the Windows Updates and your AV software installed - and Use
> FireFox as a browser from now on.
>
>
>
> >
> > "Leythos" wrote:
> >
> > > In article <DD90F48F-3F10-481D-8C8F-B96D3BC0A6DF@microsoft.com>,
> > > bryan@discussions.microsoft.com says...
> > > > I rebooted into safe mode and ran C:\AV_CLS\Startmenu.bat. The results were
> > > > similar:
> > >
> > > But you didn't say if you registered McAfee or not? If you don't
> > > register it, it won't have the updates to catch the latest bad things.
> > >
> > >
> > >
> > > >
> > > > Summary report on C:\*.*
> > > > File(s)
> > > > Total files: ........... 137950
> > > > Clean: ................. 137823
> > > > Possibly Infected: ..... 0
> > > > Cleaned: ............... 0
> > > > Non-critical Error(s): 2
> > > > Master Boot Record(s): ......... 1
> > > > Possibly Infected: ..... 0
> > > > Boot Sector(s): ................ 1
> > > > Possibly Infected: ..... 0
> > > >
> > > > What should I do next?
> > > >
> > > > "Leythos" wrote:
> > > >
> > > > > In article <#uCxcysoFHA.568@TK2MSFTNGP10.phx.gbl>,
> > > > > DLipman~nospam~@Verizon.Net says...
> > > > > > If you choose; McAfee, Trend or Sophos it will automatically go to the respective AV
> > > > > > vendor's web site and download the needed AV command line scanner and signature files.
> > > > >
> > > > > NO IT WONT - Mcrappy requires you to register the product and agree to a
> > > > > control being installed before you can get automatic updates. I've seen
> > > > > more McCrappy protected machines infected due to their now doing
> > > > > automatic updates without registration.
> > >
> > >
> > > --
> > >
> > > spam999free@rrohio.com
> > > remove 999 in order to email me
> > >
> >
>
> --
>
> spam999free@rrohio.com
> remove 999 in order to email me
>
Anonymous
August 17, 2005 4:16:19 PM

From: "bryan" <bryan@discussions.microsoft.com>

| WAIT! I did NOT install any of the ms applications. My Dell came
| pre-installed with xp sp2 and Microsoft Office. I did not mess ANYTHING up.
| It came this way! Why do you say that I admitted to messing up?


There is confusion in this thread...

Your system is clean, and doubtfully compromised.

Run the Sophos and Trend Micro modules in the Multi AV Scanner utility for verification.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
August 17, 2005 4:16:19 PM

In news:77230557-C1BB-44A5-BA74-929C181621D4@microsoft.com,
bryan <bryan@discussions.microsoft.com> typed:
> WAIT! I did NOT install any of the ms applications. My Dell came
> pre-installed with xp sp2 and Microsoft Office. I did not mess
> ANYTHING up. It came this way! Why do you say that I admitted to
> messing up?

I don't think you need to take affront here....what I understood Leythos to
mean is that the machine didn't ship to you with a virus on it. That
happened after you started using it.

The issue seems to be that you connected to the Internet without a firewall
enabled. Is that the case? It takes only nanoseconds for you to get hit by
something - and this is true on dialup, as well.

Given that you haven't used the computer much, it may indeed be faster to
reload everything from the recovery CDs.

Also - if you haven't paid for McAfee, you may want to look into another
antivirus program - McAfee isn't a favorite of many of us. I personally like
Trend's PC-Cillin for standalone workstations, but there are as many
opinions on this topic as there are <insert analogy here>.

>
> "Leythos" wrote:
>
>> In article <4F70499B-62C3-43F4-8CDB-C830AB8F5BB8@microsoft.com>,
>> bryan@discussions.microsoft.com says...
>>> When I installed Mcafee, I registered the product and downloaded
>>> ALL updates. I am completely up-to-date with Mcafee. Sorry, I
>>> thought I had mentioned that in my original post. Thanks. Now what
>>> do I do? Dell says they won't help me unless I pay them $50 for
>>> special support (despite the fact that I have a support agreement).
>>> I should have some support calls free from Microsoft - right??? I
>>> think I'm starting to panic.
>>
>> If your machine is compromised there is only one way to ensure it's
>> clean - load the system restore CD's and wipe everything. When we
>> have to certify that a machine is clean, we wipe the drive and
>> reinstall from scratch, that's the only way to be sure. No matter
>> how many AV scan's you run, no matter how many spyware tools you
>> use, they are all "reactionary", meaning they don't always have a
>> cure until it's already been in the wild and exposed.
>>
>> Since Dell doesn't have an obligation to support software you've
>> installed, and since you admitted to them that you messed it up,
>> don't feel bad about Dell wanting money to help you fix a software
>> issue that you created.
>>
>> If you want it clean, wipe it and start over - this time get a NAT
>> device connected before you start, and don't surf anywhere until you
>> get all of the Windows Updates and your AV software installed - and
>> Use FireFox as a browser from now on.
>>
>>
>>
>>>
>>> "Leythos" wrote:
>>>
>>>> In article <DD90F48F-3F10-481D-8C8F-B96D3BC0A6DF@microsoft.com>,
>>>> bryan@discussions.microsoft.com says...
>>>>> I rebooted into safe mode and ran C:\AV_CLS\Startmenu.bat. The
>>>>> results were similar:
>>>>
>>>> But you didn't say if you registered McAfee or not? If you don't
>>>> register it, it won't have the updates to catch the latest bad
>>>> things.
>>>>
>>>>
>>>>
>>>>>
>>>>> Summary report on C:\*.*
>>>>> File(s)
>>>>> Total files: ........... 137950
>>>>> Clean: ................. 137823
>>>>> Possibly Infected: ..... 0
>>>>> Cleaned: ............... 0
>>>>> Non-critical Error(s): 2
>>>>> Master Boot Record(s): ......... 1
>>>>> Possibly Infected: ..... 0
>>>>> Boot Sector(s): ................ 1
>>>>> Possibly Infected: ..... 0
>>>>>
>>>>> What should I do next?
>>>>>
>>>>> "Leythos" wrote:
>>>>>
>>>>>> In article <#uCxcysoFHA.568@TK2MSFTNGP10.phx.gbl>,
>>>>>> DLipman~nospam~@Verizon.Net says...
>>>>>>> If you choose; McAfee, Trend or Sophos it will automatically
>>>>>>> go to the respective AV vendor's web site and download the
>>>>>>> needed AV command line scanner and signature files.
>>>>>>
>>>>>> NO IT WONT - Mcrappy requires you to register the product and
>>>>>> agree to a control being installed before you can get automatic
>>>>>> updates. I've seen more McCrappy protected machines infected due
>>>>>> to their now doing automatic updates without registration.
>>>>
>>>>
>>>> --
>>>>
>>>> spam999free@rrohio.com
>>>> remove 999 in order to email me
>>>>
>>>
>>
>> --
>>
>> spam999free@rrohio.com
>> remove 999 in order to email me
August 17, 2005 8:09:03 PM

David,
I ran Sophos. Here are my results:

1 master boot record swept
47819 files swept
133 errors encountered
no viruses detected
112 encrypted files not checked.

I will run the last one (Trend) later tonight and post back. What do you
think of the results of Sophos? Thank you VERY VERY much for your help.
Bryan

"David H. Lipman" wrote:

> From: "Leythos" <void@nowhere.lan>
>
> | In article <#uCxcysoFHA.568@TK2MSFTNGP10.phx.gbl>,
> | DLipman~nospam~@Verizon.Net says...
> >> If you choose; McAfee, Trend or Sophos it will automatically go to the respective AV
> >> vendor's web site and download the needed AV command line scanner and signature files.
> |
> | NO IT WONT - Mcrappy requires you to register the product and agree to a
> | control being installed before you can get automatic updates. I've seen
> | more McCrappy protected machines infected due to their now doing
> | automatic updates without registration.
> |
> | --
> |
> | spam999free@rrohio.com
> | remove 999 in order to email me
>
> They are NOT MS updates. This is my own scripted front end to McAfee and Sophos' Command
> Line Scanners and Trend Micro's Sysclean utility. If you run the script it will provide a
> menu and if you choose a scanner module it will do as I indicated.
>
> Give it a shot Leythos !
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>
Anonymous
August 17, 2005 11:23:44 PM

In article <77230557-C1BB-44A5-BA74-929C181621D4@microsoft.com>,
bryan@discussions.microsoft.com says...
> WAIT! I did NOT install any of the ms applications. My Dell came
> pre-installed with xp sp2 and Microsoft Office. I did not mess ANYTHING up.
> It came this way! Why do you say that I admitted to messing up?

I was reading what was posted and it seemed to me that you were trying
to get support for software that was not shipped as installed. In the
case of MS Office, as an OEM installation, Dell must provide support,
that's how the OEM agreement works. Microsoft does not provide support
for ANY OEM software installations - unless you want to pay for it.

In case you missed it - you said "When I installed Mcafee" so I assumed
(incorrectly) you had installed it and not just done the update.


--

spam999free@rrohio.com
remove 999 in order to email me
Anonymous
August 17, 2005 11:26:58 PM

In article <ONrWCYzoFHA.2580@TK2MSFTNGP09.phx.gbl>,
DLipman~nospam~@Verizon.Net says...
> From: "Leythos" <void@nowhere.lan>
>
> | In article <#uCxcysoFHA.568@TK2MSFTNGP10.phx.gbl>,
> | DLipman~nospam~@Verizon.Net says...
> >> If you choose; McAfee, Trend or Sophos it will automatically go to the respective AV
> >> vendor's web site and download the needed AV command line scanner and signature files.
> |
> | NO IT WONT - Mcrappy requires you to register the product and agree to a
> | control being installed before you can get automatic updates. I've seen
> | more McCrappy protected machines infected due to their now doing
> | automatic updates without registration.
> |
>
> They are NOT MS updates. This is my own scripted front end to McAfee and Sophos' Command
> Line Scanners and Trend Micro's Sysclean utility. If you run the script it will provide a
> menu and if you choose a scanner module it will do as I indicated.
>
> Give it a shot Leythos !

Sorry, I misunderstood - I thought you were talking about the products.
As an IT company/owner I can not push scripts that are published on the
net until I have the source code and time to test them. As it stands,
installing McCrappy does not also update the virus definitions and leave
owners/users greatly unprotected without any real notice that they are
unprotected ( at least none that makes it obvious to the masses of non-
technical users ).

--

spam999free@rrohio.com
remove 999 in order to email me
Anonymous
August 17, 2005 11:27:48 PM

In article <Ox3gVYzoFHA.1148@TK2MSFTNGP12.phx.gbl>,
DLipman~nospam~@Verizon.Net says...
> From: "Leythos" <void@nowhere.lan>
>
> | In article <DD90F48F-3F10-481D-8C8F-B96D3BC0A6DF@microsoft.com>,
> | bryan@discussions.microsoft.com says...
> >> I rebooted into safe mode and ran C:\AV_CLS\Startmenu.bat. The results were
> >> similar:
> |
> | But you didn't say if you registered McAfee or not? If you don't
> | register it, it won't have the updates to catch the latest bad things.
> |
>
> NO Registration is needed !

The registration is needed if you want the product to AutoUpdate itself
- the last install we saw was as I said.

--

spam999free@rrohio.com
remove 999 in order to email me
Anonymous
August 18, 2005 12:09:55 AM

From: "bryan" <bryan@discussions.microsoft.com>

| David,
| I ran Sophos. Here are my results:
|
| 1 master boot record swept
| 47819 files swept
| 133 errors encountered
| no viruses detected
| 112 encrypted files not checked.
|
| I will run the last one (Trend) later tonight and post back. What do you
| think of the results of Sophos? Thank you VERY VERY much for your help.
| Bryan


Bryan:

With a McAfee and Sophos scan with nothing found, I think that says much.

The 133 errors are files that can't be opened for read such as password protected files and
files that have their respective File Handles held open. It's 'Normal' operation.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
August 18, 2005 2:38:02 AM

Hi David,
Finished the 3rd scan (Trend) with good results again:
virus count: 0
virus clean count: 0
clean fail count: 0
As with Sophos, many files were 'denied access'. I did some homework and
found something in the Microsoft KB which says that problems which sound
similar to mine occur due to monitor driver failure/incompatibility;

http://support.microsoft.com/default.aspx/kb/q218609/

Any ideas on how I should proceed? I would call Dell regarding the KB
article, but two calls to Dell Tech support yielded poor information. Looking
forward to your reply. It's 1:35am EDT (yawn). ONCE AGAIN, THANK YOU VERY
MUCH FOR YOUR EXPERTISE. Bryan

"David H. Lipman" wrote:

> From: "bryan" <bryan@discussions.microsoft.com>
>
> | David,
> | I ran Sophos. Here are my results:
> |
> | 1 master boot record swept
> | 47819 files swept
> | 133 errors encountered
> | no viruses detected
> | 112 encrypted files not checked.
> |
> | I will run the last one (Trend) later tonight and post back. What do you
> | think of the results of Sophos? Thank you VERY VERY much for your help.
> | Bryan
>
>
> Bryan:
>
> With a McAfee and Sophos scan with nothing found, I think that says much.
>
> The 133 errors are files that can't be opened for read such as password protected files and
> files that have their respective File Handles held open. It's 'Normal' operation.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>
Anonymous
August 18, 2005 5:33:29 PM

Do you realize that for all of the time you've spent, that you could
backup the files you created on your own and have restored the entire
computer in a known good state by wiping it and reinstalling everything.



In article <308FF50D-81AA-4325-AFD4-E7E8F912FBDA@microsoft.com>,
bryan@discussions.microsoft.com says...
> Hi David,
> Finished the 3rd scan (Trend) with good results again:
> virus count: 0
> virus clean count: 0
> clean fail count: 0
> As with Sophos, many files were 'denied access'. I did some homework and
> found something in the Microsoft KB which says that problems which sound
> similar to mine occur due to monitor driver failure/incompatibility;
>
> http://support.microsoft.com/default.aspx/kb/q218609/
>
> Any ideas on how I should proceed? I would call Dell regarding the KB
> article, but two calls to Dell Tech support yielded poor information. Looking
> forward to your reply. It's 1:35am EDT (yawn). ONCE AGAIN, THANK YOU VERY
> MUCH FOR YOUR EXPERTISE. Bryan
>
> "David H. Lipman" wrote:
>
> > From: "bryan" <bryan@discussions.microsoft.com>
> >
> > | David,
> > | I ran Sophos. Here are my results:
> > |
> > | 1 master boot record swept
> > | 47819 files swept
> > | 133 errors encountered
> > | no viruses detected
> > | 112 encrypted files not checked.
> > |
> > | I will run the last one (Trend) later tonight and post back. What do you
> > | think of the results of Sophos? Thank you VERY VERY much for your help.
> > | Bryan
> >
> >
> > Bryan:
> >
> > With a McAfee and Sophos scan with nothing found, I think that says much.
> >
> > The 133 errors are files that can't be opened for read such as password protected files and
> > files that have their respective File Handles held open. It's 'Normal' operation.
> >
> > --
> > Dave
> > http://www.claymania.com/removal-trojan-adware.html
> > http://www.ik-cs.com/got-a-virus.htm
> >
> >
> >
>

--

spam999free@rrohio.com
remove 999 in order to email me
August 18, 2005 5:33:30 PM

Leythos,
When Dell put this pc together, they gave me a version of XP sp2 with NO
security updates. I spent the entire evening loading 23 updates (Dell told
me to do them 1 at a time but could not explain to me why they did this).

"Leythos" wrote:

> Do you realize that for all of the time you've spent, that you could
> backup the files you created on your own and have restored the entire
> computer in a known good state by wiping it and reinstalling everything.
>
>
>
> In article <308FF50D-81AA-4325-AFD4-E7E8F912FBDA@microsoft.com>,
> bryan@discussions.microsoft.com says...
> > Hi David,
> > Finished the 3rd scan (Trend) with good results again:
> > virus count: 0
> > virus clean count: 0
> > clean fail count: 0
> > As with Sophos, many files were 'denied access'. I did some homework and
> > found something in the Microsoft KB which says that problems which sound
> > similar to mine occur due to monitor driver failure/incompatibility;
> >
> > http://support.microsoft.com/default.aspx/kb/q218609/
> >
> > Any ideas on how I should proceed? I would call Dell regarding the KB
> > article, but two calls to Dell Tech support yielded poor information. Looking
> > forward to your reply. It's 1:35am EDT (yawn). ONCE AGAIN, THANK YOU VERY
> > MUCH FOR YOUR EXPERTISE. Bryan
> >
> > "David H. Lipman" wrote:
> >
> > > From: "bryan" <bryan@discussions.microsoft.com>
> > >
> > > | David,
> > > | I ran Sophos. Here are my results:
> > > |
> > > | 1 master boot record swept
> > > | 47819 files swept
> > > | 133 errors encountered
> > > | no viruses detected
> > > | 112 encrypted files not checked.
> > > |
> > > | I will run the last one (Trend) later tonight and post back. What do you
> > > | think of the results of Sophos? Thank you VERY VERY much for your help.
> > > | Bryan
> > >
> > >
> > > Bryan:
> > >
> > > With a McAfee and Sophos scan with nothing found, I think that says much.
> > >
> > > The 133 errors are files that can't be opened for read such as password protected files and
> > > files that have their respective File Handles held open. It's 'Normal' operation.
> > >
> > > --
> > > Dave
> > > http://www.claymania.com/removal-trojan-adware.html
> > > http://www.ik-cs.com/got-a-virus.htm
> > >
> > >
> > >
> >
>
> --
>
> spam999free@rrohio.com
> remove 999 in order to email me
>
Anonymous
August 18, 2005 7:20:27 PM

In article <D7B24C35-FD65-4517-B632-CF159C2F5395@microsoft.com>,
bryan@discussions.microsoft.com says...
> Leythos,
> When Dell put this pc together, they gave me a version of XP sp2 with NO
> security updates. I spent the entire evening loading 23 updates (Dell told
> me to do them 1 at a time but could not explain to me why they did this).

If you had XP + SP2, and you have a NAT router to act as a barrier for
your Internet connection (assuming you don't use Dial-Up), then opening
IE, selecting Tools, Windows Update, and letting it install all the
updates as it wants (meaning as many as it wants each time) is the
proper way to do it.

So, now that you've scanned your system with multiple AV tools, in safe
mode and not in safe mode, and they all show your machine as clean. What
problem remains with your system?

If it's still compromised, or you still have applications that don't work
properly, or you really feel the OS is screwed up, then you would be
better off just wiping it and reinstalling everything.

If you were to install Windows XP + SP2 without doing it as an image
restore, meaning you are restoring it as though you bought XP from
BestBuy, it will take about 1 hour to install, then, you have to use the
Dell Drivers CD to install the drivers - about 30 minutes, then you have
to do the Windows Update process - about 30 minutes, then you can load
all your applications. Here's the kicker, if you are not on a protected
network (behind a NAT based system) and you've not secured the system
before you connect to the internet, you will be compromised all over
again.



--

spam999free@rrohio.com
remove 999 in order to email me
August 18, 2005 7:20:28 PM

Although I am planning to eventually move up to high-speed, I am still using
dial up. I would like to look at the information in the Microsoft KB article
which I alluded to in a previous post (although I would like to wait for
David's reply first). The article cites video card/driver incompatibility and
the symptoms sound somewhat similar to what I am experiencing.

http://support.microsoft.com/default.aspx/kb/q218609/

Thank you for your suggestions.

"Leythos" wrote:

> In article <D7B24C35-FD65-4517-B632-CF159C2F5395@microsoft.com>,
> bryan@discussions.microsoft.com says...
> > Leythos,
> > When Dell put this pc together, they gave me a version of XP sp2 with NO
> > security updates. I spent the entire evening loading 23 updates (Dell told
> > me to do them 1 at a time but could not explain to me why they did this).
>
> If you had XP + SP2, and you have a NAT router to act as a barrier for
> your Internet connection (assuming you don't use Dial-Up), then opening
> IE, selecting Tools, Windows Update, and letting it install all the
> updates as it wants (meaning as many as it wants each time) is the
> proper way to do it.
>
> So, now that you've scanned your system with multiple AV tools, in safe
> mode and not in safe mode, and they all show your machine as clean. What
> problem remains with your system?
>
> If it's still compromised, or you still have applications that don't work
> properly, or you really feel the OS is screwed up, then you would be
> better off just wiping it and reinstalling everything.
>
> If you were to install Windows XP + SP2 without doing it as an image
> restore, meaning you are restoring it as though you bought XP from
> BestBuy, it will take about 1 hour to install, then, you have to use the
> Dell Drivers CD to install the drivers - about 30 minutes, then you have
> to do the Windows Update process - about 30 minutes, then you can load
> all your applications. Here's the kicker, if you are not on a protected
> network (behind a NAT based system) and you've not secured the system
> before you connect to the internet, you will be compromised all over
> again.
>
>
>
> --
>
> spam999free@rrohio.com
> remove 999 in order to email me
>
Anonymous
August 18, 2005 11:10:18 PM

In article <5BC0C3C4-DCED-4EB8-A38C-DB4571519185@microsoft.com>,
bryan@discussions.microsoft.com says...
> Although I am planning to eventually move up to high-speed, I am still using
> dial up. I would like to look at the information in the Microsoft KB article
> which I alluded to in a previous post (although I would like to wait for
> David's reply first). The article cites video card/driver incompatibility and
> the symptoms sound somewhat similar to what I am experiencing.
>
> http://support.microsoft.com/default.aspx/kb/q218609/
>
> Thank you for your suggestions.

So, download the new/updated video driver from the video card vendor's
site and install it in safe mode - or just uninstall the current driver
in safe mode and then it will ask you for the new driver when you reboot
in normal mode.

--

spam999free@rrohio.com
remove 999 in order to email me
August 18, 2005 11:10:19 PM

Leythos,
I am even LESS technical when it comes to this type of thing. I hope the
vendor's site is in the owners manual. Or how do I uninstall the current
driver? And when it asks me for the new driver what do I do? The CD says
documentation so I assume that there are no drivers on the CD? Also, two
types of monitor connectors came with the Dell - a blue and a white. Dell
told me that one is for the older data type (which I am not using). Should I
try to switch lines?


"Leythos" wrote:

> In article <5BC0C3C4-DCED-4EB8-A38C-DB4571519185@microsoft.com>,
> bryan@discussions.microsoft.com says...
> > Although I am planning to eventually move up to high-speed, I am still using
> > dial up. I would like to look at the information in the Microsoft KB article
> > which I alluded to in a previous post (although I would like to wait for
> > David's reply first). The article cites video card/driver incompatibility and
> > the symptoms sound somewhat similar to what I am experiencing.
> >
> > http://support.microsoft.com/default.aspx/kb/q218609/
> >
> > Thank you for your suggestions.
>
> So, download the new/updated video driver from the video card vendor's
> site and install it in safe mode - or just uninstall the current driver
> in safe mode and then it will ask you for the new driver when you reboot
> in normal mode.
>
> --
>
> spam999free@rrohio.com
> remove 999 in order to email me
>
Anonymous
August 19, 2005 12:02:01 AM

In article <81C00143-167B-4982-9F6C-F8F8593C84AD@microsoft.com>,
bryan@discussions.microsoft.com says...
> Leythos,
> I am even LESS technical when it comes to this type of thing. I hope the
> vendor's site is in the owners manual. Or how do I uninstall the current
> driver? And when it asks me for the new driver what do I do? The CD says
> documentation so I assume that there are no drivers on the CD? Also, two
> types of monitor connectors came with the Dell - a blue and a white. Dell
> told me that one is for the older data type (which I am not using). Should I
> try to switch lines?

If you have to ask these questions and don't have a way to determine the
answer in a format that you can use - take the computer to a computer
shop and have them fix it - you will save time and get it back working.

I still don't know what your problem is and have not found far enough
back to see what you said it was:

What specifically is your EXACT problem?


--

spam999free@rrohio.com
remove 999 in order to email me
August 19, 2005 12:02:02 AM

I MAY HAVE FOUND THE PROBLEM. There is a program called Data Execution
Prevention (DEP). As stated (about 200 posts ago), my Microsoft programs were
causing shutdown errors. Before I get the familiar 'Program has encountered a
problem and must close', I get a pop-up menu about DEP. Since I scanned with
about 6 different programs, I feel that my pc is clean, so I disabled DEP for
IE. And now everything works. My only question now is whether I can keep DEP
disabled for IE? Any ideas? Thanks

"Leythos" wrote:

> In article <81C00143-167B-4982-9F6C-F8F8593C84AD@microsoft.com>,
> bryan@discussions.microsoft.com says...
> > Leythos,
> > I am even LESS technical when it comes to this type of thing. I hope the
> > vendor's site is in the owners manual. Or how do I uninstall the current
> > driver? And when it asks me for the new driver what do I do? The CD says
> > documentation so I assume that there are no drivers on the CD? Also, two
> > types of monitor connectors came with the Dell - a blue and a white. Dell
> > told me that one is for the older data type (which I am not using). Should I
> > try to switch lines?
>
> If you have to ask these questions and don't have a way to determine the
> answer in a format that you can use - take the computer to a computer
> shop and have them fix it - you will save time and get it back working.
>
> I still don't know what your problem is and have not found far enough
> back to see what you said it was:
>
> What specifically is your EXACT problem?
>
>
> --
>
> spam999free@rrohio.com
> remove 999 in order to email me
>
Anonymous
August 19, 2005 5:58:12 AM

On Wed, 17 Aug 2005 12:16:17 GMT, Leythos <void@nowhere.lan> wrote:
>bryan@discussions.microsoft.com says...

>> When I installed Mcafee, I registered the product and downloaded ALL updates.
>> I am completely up-to-date with Mcafee. Sorry, I thought I had mentioned that
>> in my original post. Thanks. Now what do I do?

>If your machine is compromised there is only one way to ensure it's
>clean - load the system restore CD's and wipe everything. When we have
>to certify that a machine is clean, we wipe the drive and reinstall from
>scratch, that's the only way to be sure. No matter how many AV scan's
>you run, no matter how many spyware tools you use, they are all
>"reactionary", meaning they don't always have a cure until it's already
>been in the wild and exposed.

Ah, a favorite myth, this.

Not that you know a PC is clean because you scanned it; sure, there's
always some doubt there. The myth is that you can take a PC that has
FAILED to defend itself, wipe and rebuild it to the same level of
exploitability (or considerably more so, thanks to lost patches and
duhfault settings), and assume that won't get infected the same way.

If you never bothered to detect the malware, and thus haven't a clue
how it got in, then what are you doing differently with the rebuild
that's going to make any difference?

>If you want it clean, wipe it and start over - this time get a NAT
>device connected before you start, and don't surf anywhere until you get
>all of the Windows Updates and your AV software installed - and Use
>FireFox as a browser from now on.

Those steps will help, but it's still worth finding out what it is
that you are dealing with, before you wipe away the information that
could have provided that information.

If you're up against a human adversary, then they gain the upper hand;
when your PC vanishes and comes back clean, they know you found out
there was a problem, and they'll be stealthier next time. Whereas
you've learned nothing, and made it impossible to learn anything,
about what your assailant was up to.

Also - that "data" you restored after wiping and starting over; how
sure are you that it is free of malware that can re-spawn?


>-- Risk Management is the clue that asks:
"Why do I keep open buckets of petrol next to all the
ashtrays in the lounge, when I don't even have a car?"
>----------------------- ------ ---- --- -- - - - -
Anonymous
August 19, 2005 7:24:53 AM

On Thu, 18 Aug 2005 13:33:29 GMT, Leythos <void@nowhere.lan> wrote:

>Do you realize that for all of the time you've spent, that you could
>backup the files you created on your own and have restored the entire
>computer in a known good state by wiping it and reinstalling everything.

Two things:

1) It takes longer, the more you do during the install.

Not all of us are content to live with duhfaults, and it can be quite
difficult to find automated ways of doing things that one knows how to
do on an interactive basis. So that makes it longer to rebuild.

2) It takes longer to troubleshoot a recurrence

If you "just" wipe and re-install everything, and then promptly get
re-infected, then what are you going to do - what I did in the first
place? Or are you going to live "Groundhog Day" forever?

If I have to spend time, and can do so in two different ways, I'll
choose the way that teaches me something, and that makes it less
likely for me to have to fight the same battle all over again ;-)



>------------------------ ---- --- -- - - - -
Forget http://cquirke.blogspot.com and check out a
better one at http://topicdrift.blogspot.com instead!
>------------------------ ---- --- -- - - - -
Anonymous
August 19, 2005 7:24:54 AM

In article <p0dag1d3jmf9qb4fju2qgvr2o75ba0uloh@4ax.com>,
cquirkenews@nospam.mvps.org says...
> 2) It takes longer to troubleshoot a recurrence
>
> If you "just" wipe and re-install everything, and then promptly get
> re-infected, then what are you going to do - what I did in the first
> place? Or are you going to live "Groundhog Day" forever?
>
> If I have to spend time, and can do so in two different ways, I'll
> choose the way that teaches me something, and that makes it less
> likely for me to have to fight the same battle all over again ;-)

Well, the OP has been given TONS of advice in this thread and now has
about 1000000 AV scanners at his disposal, in addition to having things
explained to him about security.

There is a good chance, if the OP were to follow the instructions in
this thread, that he would not get compromised again - did you miss all
of it and just come in at the end of the thread?

--

spam999free@rrohio.com
remove 999 in order to email me
Anonymous
August 19, 2005 7:32:32 AM

On Thu, 18 Aug 2005 15:06:06 -0700, "bryan"

>I MAY HAVE FOUND THE PROBLEM. There is a program called Data Execution
>Prevention (DEP).

Ah! OK - are you on an AMD processor that supports DEP?

DEP isn't a program as such; it's a capability built into some
processors, starting with AMD and now with Intel playing catch-up. XP
understands DEP, starting with SP2 (pre-SP2 had no DEP awareness).

What DEP does, is to bring back an old concept; that data and
instructions should be kept separate, so that data is never executed
as processor instructions. This kills a common exploit pattern,
where code is contained within malformed data that overruns beyond
where it should be, causing the system to run it as code.

The trouble is, some programs fall foul of this - especially some
antivirus apps that may "sample" material as code to assess it for
potentially malicious behavior.

You can disable SP2's DEP awareness via a parameter entered after the
partition OS loader line in C:\Boot.ini, or add a copy of that line
with the parameter added, so you can choose which mode to start up
with. But do research that syntax carefully; a botched C:\BOOT.INI
can prevent XP from booting at all, and that's bad news on NTFS.



>--------------- ----- ---- --- -- - - -
Who is General Failure and
why is he reading my disk?
>--------------- ----- ---- --- -- - - -
August 19, 2005 1:16:26 PM

>There is a good chance, if the OP were to follow the instructions in
>this thread, that he would not get compromised again - did you miss all
>of it and just come in at the end of the thread?

My God man the op never was compromised in the first place!

--
Mike Pawlak




Leythos wrote:
> In article <p0dag1d3jmf9qb4fju2qgvr2o75ba0uloh@4ax.com>,
> cquirkenews@nospam.mvps.org says...
>> 2) It takes longer to troubleshoot a recurrence
>>
>> If you "just" wipe and re-install everything, and then promptly get
>> re-infected, then what are you going to do - what I did in the first
>> place? Or are you going to live "Groundhog Day" forever?
>>
>> If I have to spend time, and can do so in two different ways, I'll
>> choose the way that teaches me something, and that makes it less
>> likely for me to have to fight the same battle all over again ;-)
>
> Well, the OP has been given TONS of advice in this thread and now has
> about 1000000 AV scanners at his disposal, in addition to having
> things explained to him about security.
>
> There is a good chance, if the OP were to follow the instructions in
> this thread, that he would not get compromised again - did you miss
> all of it and just come in at the end of the thread?
Anonymous
August 19, 2005 1:45:58 PM

From: "bryan" <bryan@discussions.microsoft.com>

| Good Evening,
| Right-on Cquirke regarding your point #2: reinstalling would have
| resulted in spinning my wheels since I strongly felt that the problem was on
| the computer 'out of the box' - which it was. I followed the help file
| instructions in order to disable DEP for IE. Everything is now working -
| even Access. Before disabling DEP, I created a 3 line wordpad file consisting
| of ABC, testing and 123. DEP even shutdown this file. ONE QUESTION REGARDING
| DAVID's AV arsenal: If I need to run this series of AV programs in the future
| (I hope not!!!!!), should I re-download the files in order to get the latest
| definitions? Thanks again to all of you. Bryan
|

Bryan:

The scripts will automatically download new AV signature and scanner files as needed.

If you want to do another "On Demand" scan, just choose an AV vendor module (McAfee, Trend or
Sophos).

Occasionally I do post new versions of the Multi_AV.exe file. Every so often you can
download a new version and execute it to update your version.

Version information is kept in; C:\AV-CLS\readme.txt
The present version is; v2.26

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
August 19, 2005 1:45:59 PM

Hi David,
I just wanted to take a moment to thank you again for your assistance.
Take care.

"David H. Lipman" wrote:

> From: "bryan" <bryan@discussions.microsoft.com>
>
> | Good Evening,
> | Right-on Cquirke regarding your point #2: reinstalling would have
> | resulted in spinning my wheels since I strongly felt that the problem was on
> | the computer 'out of the box' - which it was. I followed the help file
> | instructions in order to disable DEP for IE. Everything is now working -
> | even Access. Before disabling DEP, I created a 3 line wordpad file consisting
> | of ABC, testing and 123. DEP even shutdown this file. ONE QUESTION REGARDING
> | DAVID's AV arsenal: If I need to run this series of AV programs in the future
> | (I hope not!!!!!), should I re-download the files in order to get the latest
> | definitions? Thanks again to all of you. Bryan
> |
>
> Bryan:
>
> The scripts will automatically download new AV signature and scanner files as needed.
>
> If you want to do another "On Demand" scan, just choose an AV vendor module (McAfee, Trend or
> Sophos).
>
> Occasionally I do post new versions of the Multi_AV.exe file. Every so often you can
> download a new version and execute it to update your version.
>
> Version information is kept in; C:\AV-CLS\readme.txt
> The present version is; v2.26
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>
Anonymous
August 19, 2005 2:18:07 PM

From: "bryan" <bryan@discussions.microsoft.com>

| Hi David,
| I just wanted to take a moment to thank you again for your assistance.
| Take care.

You are most welcome Bryan. That includes emailing me. Just remove ~nospam~ from either of
the below email addresses...

DLipman~nospam~@Verizon.Net
David_H_Lipman~nospam~@Yahoo.Com

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
August 19, 2005 8:45:47 PM

In article <OzlZfBMpFHA.320@TK2MSFTNGP09.phx.gbl>,
mikepawlak2REM@OVEhotmail.com says...
> >There is a good chance, if the OP were to follow the instructions in
> >this thread, that he would not get compromised again - did you miss all
> >of it and just come in at the end of the thread?
>
> My God man the op never was compromised in the first place!

Nice of you to not follow the entire post that it was a reply to - the
chap asked about how reinstalling would have kept him from being
compromised again - but you missed that.

--

spam999free@rrohio.com
remove 999 in order to email me
Anonymous
August 19, 2005 8:49:37 PM

In article <88D63F40-45DB-4230-9261-B98791AF91E1@microsoft.com>,
bryan@discussions.microsoft.com says...
> Good Evening,
> Right-on Cquirke regarding your point #2: reinstalling would have
> resulted in spinning my wheels since I strongly felt that the problem was on
> the computer 'out of the box' - which it was. I followed the help file
> instructions in order to disable DEP for IE. Everything is now working -
> even Access. Before disabling DEP, I created a 3 line wordpad file consisting
> of ABC, testing and 123. DEP even shutdown this file. ONE QUESTION REGARDING
> DAVID's AV arsenal: If I need to run this series of AV programs in the future
> (I hope not!!!!!), should I re-download the files in order to get the latest
> definitions? Thanks again to all of you. Bryan

I hate to say this, but if you had to modify DEP to get Wordpad to work,
then you still have problems with your computer - something is
definitely NOT right with it.

I've never seen a computer yet that required any changes to DEP, and
we've got more than 1000 of them running XP with SPS2.

Since AV wasn't your issue, and since you still don't know what the
actual problem is, I would suggest that in order to prevent additional
problems that you do a factory restore on the machine. We've got tons of
Dell systems and, again, nothing with DEP had/has to be changed.

Before you write back and say it's working fine - consider what you
actually did and why you had to do it with Wordpad, and remember that no
one has reported needing to modify DEP for Wordpad that I've read
anywhere.

--

spam999free@rrohio.com
remove 999 in order to email me
August 19, 2005 8:49:38 PM

Leythos,

I located the article in the Microsoft Knowledgebase;

You receive a "Data Execution Prevention" error message in Windows XP
Service Pack 2 or in Windows XP Tablet PC Edition 2005
(875351) - Describes the Data Execution Prevention feature in Windows XP
Service Pack 2 and why the feature may generate an error message.
http://support.microsoft.com/default.aspx?scid=kb;en-us;875351



"Leythos" wrote:

> In article <88D63F40-45DB-4230-9261-B98791AF91E1@microsoft.com>,
> bryan@discussions.microsoft.com says...
> > Good Evening,
> > Right-on Cquirke regarding your point #2: reinstalling would have
> > resulted in spinning my wheels since I strongly felt that the problem was on
> > the computer 'out of the box' - which it was. I followed the help file
> > instructions in order to disable DEP for IE. Everything is now working -
> > even Access. Before disabling DEP, I created a 3 line wordpad file consisting
> > of ABC, testing and 123. DEP even shutdown this file. ONE QUESTION REGARDING
> > DAVID's AV arsenal: If I need to run this series of AV programs in the future
> > (I hope not!!!!!), should I re-download the files in order to get the latest
> > definitions? Thanks again to all of you. Bryan
>
> I hate to say this, but if you had to modify DEP to get Wordpad to work,
> then you still have problems with your computer - something is
> definitely NOT right with it.
>
> I've never seen a computer yet that required any changes to DEP, and
> we've got more than 1000 of them running XP with SPS2.
>
> Since AV wasn't your issue, and since you still don't know what the
> actual problem is, I would suggest that in order to prevent additional
> problems that you do a factory restore on the machine. We've got tons of
> Dell systems and, again, nothing with DEP had/has to be changed.
>
> Before you write back and say it's working fine - consider what you
> actually did and why you had to do it with Wordpad, and remember that no
> one has reported needing to modify DEP for Wordpad that I've read
> anywhere.
>
> --
>
> spam999free@rrohio.com
> remove 999 in order to email me
>
Anonymous
August 20, 2005 3:11:18 AM

In article <7683C116-A6AD-4FC0-9DF8-F0709738B5D5@microsoft.com>,
bryan@discussions.microsoft.com says...
> Leythos,
>
> I located the article in the Microsoft Knowledgebase;
>
> You receive a "Data Execution Prevention" error message in Windows XP
> Service Pack 2 or in Windows XP Tablet PC Edition 2005
> (875351) - Describes the Data Execution Prevention feature in Windows XP
> Service Pack 2 and why the feature may generate an error message.
> http://support.microsoft.com/default.aspx?scid=kb;en-us;875351

In all of this I've not seen the OP post anything about using "Tablet PC
Edition 2005".


--

spam999free@rrohio.com
remove 999 in order to email me
Anonymous
August 21, 2005 3:24:31 AM

On Fri, 19 Aug 2005 16:49:37 GMT, Leythos <void@nowhere.lan> wrote:
>bryan@discussions.microsoft.com says...

>> Right-on Cquirke regarding your point #2: reinstalling would have
>> resulted in spinning my wheels since I strongly felt that the problem was on
>> the computer 'out of the box' - which it was. I followed the help file
>> instructions in order to disable DEP for IE. Everything is now working -
>> even Access. Before disabling DEP, I created a 3 line wordpad file consisting
>> of ABC, testing and 123. DEP even shutdown this file.

>I hate to say this, but if you had to modify DEP to get Wordpad to work,
>then you still have problems with your computer - something is
>definitely NOT right with it.

Are you thinking of a hardware issue, then?

I still think this could be av, in that av will be active whenever you
"open" anything. If the way the av handles material picks a fight
with DEP, you may see problems - or just spontaneously restart, if the
duhfault XP "Restart on system errors" setting's still in effect.

>I've never seen a computer yet that required any changes to DEP, and
>we've got more than 1000 of them running XP with SPS2.

It's been one of the themes post-SP2. Not as common as some problems,
but common enough to come to mind. As to 1000 PCs, it's a bit like a
comment I heard between two academic professionals discussing a third:
- "He's been in that post for 12 years, so he has the experience..."
- ' Yes, but is that 12 years' experience, or 1 year 12 times? '

IOW, if those 1000 PCs are all in one corporate network with
tightly-controlled settings, apps, the same av rolled out throughout
the organisation, same hardware vendors, etc. then there may be plenty
of configurations you haven't had experience with.

That's certainly my case; none of the kit I use is currently
DEP-capable, so understandably I haven't seen the issue first-hand.

>Since AV wasn't your issue,

How do you conclude that? I don't remember really seeing that
excluded, though I may have missed something.

> and since you still don't know what the actual problem is, I would
> suggest that in order to prevent additional problems that you do a
> factory restore on the machine.

Nah, I still think that's one of the worst ideas I've heard so far.

Earlier on, it sounded as if you suspected an underlying hardware
problem - in which case, this is a recipe for disaster; you go from a
code base that mainly predates the start of the hardware issues, and
replace it with a code base 100% subjected to those issues.

As to malware, falling back to unpatched status is likely to make
re-infection a lot easier too.

As to DEP, then falling back to pre-SP2 code is going to "fix the
problem" the same way as disabling DEP would do, but with FAR more
side-effects and lost protection. Disabling DEP leaves him with an
SP2 code base and no DEP, whereas your "solution" drops him back to
who knows what exploitable patch level.

>We've got tons of Dell systems and, again, nothing with DEP
>had/has to be changed.

Dell are Intel, whereas AMD were the initiators of DEP hardware
support, with Intel recently catching up. So experience on Dell
systems up to a year ago isn't going to expose you to DEP issues.

>Before you write back and say it's working fine - consider what you
>actually did and why you had to do it with Wordpad, and remember that no
>one has reported needing to modify DEP for Wordpad that I've read
>anywhere.

Hint: Background tasks :-)

It's not Wordpad that's likely to be crashing on DEP, as much as the
av that scans Wordpad when it starts, and the document file that
Wordpad opens and closes - especially if that's a .doc

Really, if using the relevant Boot.ini parameter to suppress DEP
support solves the problem, then he's in good company with a familiar
issue, and the fix is a lot cleaner than "just" re-install.

Let's Google this stuff... Google(XP SP2 DEP):

http://www.microsoft.com/technet/prodtechnol/winxppro/m...

http://support.microsoft.com/kb/875352

http://www.tech-recipes.com/windows_tips566.html

Zone Alarm has some issues with DEP:

http://www.zonelabs.com/store/content/company/products/...

ProTools has problems with DEP:

http://www.digidesign.com/compato/xp/os.cfm

F-Secure has problems with DEP:

http://support.f-secure.com/enu/corporate/supportissue/...

Kaspersky av and DEP:

http://gladiator-antivirus.com/forum/index.php?showtopi...

Dongles screw up on DEP:

http://www.scala.com/miscellaneous-faq/miscellaneous-fa...

OK... I think we see the trend here; usually new versions from vendors
to fix issues with DEP. So what I'd do is:
- build a list of what software's running on the box
(especially underfootware)
- test suppressing these in MSConfig
- if offender's identified, check that vendor's FAQs etc. on DEP
- stay off the 'net while firewall and av are disabled

You may need more than MSConfig on this, as that doesn't cover all
possible underfootware integration points. You can use HiJackThis,
Sysinternals tools, Faber Toys or NirSoft's utilities to get a
better handle on what's running in the background, or as a side-effect
of (say) listing files in Explorer or even a File Open dialog box.





>------------ ----- ---- --- -- - - - -
The most accurate diagnostic instrument
in medicine is the Retrospectoscope
>------------ ----- ---- --- -- - - - -
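
The Boot.ini DEP parameter mentioned in the posts above (the "parameter entered after the partition OS loader line" and "the relevant Boot.ini parameter"), as an added example that is not from any poster in the thread: a Python check that reads a Boot.ini and reports the DEP policy of each boot entry, so a troubleshooting entry with DEP switched off is not left in place unnoticed. The switch name /noexecute and its four values are the documented XP SP2 ones, which the thread does not spell out; the sample Boot.ini and the function names are constructed for illustration.

```python
import re

# Constructed sample Boot.ini: a normal entry, a troubleshooting copy with DEP
# off, an entry with a mistyped value, and one with no DEP switch at all.
SAMPLE_BOOT_INI = r'''[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="XP Pro (DEP off, troubleshooting only)" /fastdetect /NoExecute=AlwaysOff
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="XP Pro (typo)" /fastdetect /noexecute=off
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
'''

# The four values XP SP2 accepts for /noexecute.
DEP_POLICIES = {
    "optin": "DEP covers Windows system binaries and programs that opt in",
    "optout": "DEP covers every process except those on the exception list",
    "alwayson": "DEP covers every process, exception list ignored",
    "alwaysoff": "DEP disabled for the whole system",
}

# One [operating systems] line: <ARC path>="<menu label>" <switches>
ENTRY_RE = re.compile(r'^(?P<path>[^=]+)="(?P<label>[^"]*)"(?P<switches>.*)$')


def classify(switches):
    """Return (status, detail) for the switch string of one boot entry."""
    for token in switches.split():
        name, _, value = token.partition("=")
        if name.lower() != "/noexecute":
            continue
        value = value.lower()
        if value not in DEP_POLICIES:
            return "invalid", f"unrecognised /noexecute value {value!r}"
        status = "dep-disabled" if value == "alwaysoff" else "ok"
        return status, DEP_POLICIES[value]
    return "unspecified", "no /noexecute switch on this entry"


def audit_boot_ini(text):
    """Return a list of (menu label, status, detail), one per boot entry."""
    findings, in_os_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_os_section = line.lower() == "[operating systems]"
            continue
        if not in_os_section or not line:
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            findings.append((line, "invalid", "not in path=\"label\" form"))
            continue
        findings.append((m.group("label"), *classify(m.group("switches"))))
    return findings


if __name__ == "__main__":
    for label, status, detail in audit_boot_ini(SAMPLE_BOOT_INI):
        print(f"{status:13} {label}: {detail}")
```
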