Topic: Feb 9, 2010: Windows Patch Leaves Many XP Users With Blue Screens?
mouser
First Author
Administrator
Posts: 33,682
« on: February 11, 2010, 06:08:27 PM »

Via Slashdot comes this report that people are experiencing blue screen crashes after applying Windows XP updates on Tuesday:

Quote
"Tuesday's security updates from Microsoft have crippled Windows XP PCs with the notorious Blue Screen of Death (BSOD), users have reported on the company's support forum. Complaints began early yesterday, and gained momentum throughout the day."


from http://tech.slashdot.org/...P-Users-With-Blue-Screens

cyberdiva
Supporting Member
Posts: 908
« Reply #1 on: February 11, 2010, 06:41:51 PM »

I'm both puzzled and nervous after reading this article.  Both my husband and I have computers running WinXP Pro with SP2, and we both installed all the patches Microsoft issued this Tuesday.  Neither of us has experienced the problem described in the article, and yes, we both have rebooted more than once since installing them.  It wasn't clear from my hurried reading what percentage of people who installed the patches (esp. the one that has been identified as the probable culprit, KB977165) are encountering this problem.  Does anyone have any additional knowledge about this?   Sad

Bamse
Supporting Member
Posts: 410
« Reply #2 on: February 11, 2010, 08:03:00 PM »

I know some people advise to disable auto-update for reasons like this. Usually I think they are paranoid tossers who should know better and rather promote other OS if not even trusting updates. Then again... Hopefully it is a if and if and if limited problem no one could have foreseen.

wraith808
Supporting Member
Posts: 6,480
"In my dreams, I always do it right."
« Reply #3 on: February 11, 2010, 08:55:13 PM »

I have mine set to notify--  I apply them the next Monday if I don't hear anything smiley

Bamse
Supporting Member
Posts: 410
« Reply #4 on: February 11, 2010, 09:09:55 PM »

Well more like healthy skepticism but you can say SEE???  Cool I was more thinking of little people who will follow such advice, and then not care about updates from that day. Not so many care to research. Pros outweigh cons but probably not easy to tell those in problems right now. Let's hope it is not a major worldwide problem and that details will be revealed.

New Flash version out today btw. Look out for toolbars and what else they pre-tick for you Wink

cyberdiva
Supporting Member
Posts: 908
« Reply #5 on: February 11, 2010, 10:24:03 PM »

I have my updates set to Notify.  It was only after waiting a day, having my husband assure me he had encountered no problem, and going to one or two web sites to see whether anyone was reporting problems (and finding none) that I downloaded and installed the updates.  So I was taken aback by mouser's message at the start of this thread.  At this point, I'm perplexed and am wondering what triggered the widespread problems and yet didn't affect my husband's system or mine (knock on wood  smiley  ).

CleverCat
Supporting Member
Posts: 1,129
Cat's Are Fun!
« Reply #6 on: February 12, 2010, 12:49:23 AM »

No BSOD here!  smiley

If you need help - JUST ASK!

f0dder
Charter Honorary Member
Posts: 8,774
[Well, THAT escalated quickly!]
« Reply #7 on: February 12, 2010, 01:42:42 AM »

Perhaps the people affected by the BSODs already have the malware the patch is trying to prevent, or some problematic antivirus package? Last time security firms went shouting about updates BSODing, it turned out not to be MS's fault...

- carpe noctem

Bamse
Supporting Member
Posts: 410
« Reply #8 on: February 12, 2010, 04:37:54 AM »

May be https://patrickwbarnes.co...iggering-widespread-bsod/ Wink

I tried out some of those atapi.sys infections. Have been "popular" last few months. Can only recommend TDSSKiller from Kaspersky http://support.kaspersky....s/solutions?qid=208280684 Microsoft should bundle it with their removal tool. Does a safe replacement of whatever it finds. Breed like rats, now "third" generation of this rootkit so there could be more new stuff. Also check Hitman Pro's changelog http://www.surfright.nl/en/whatsnew "TDL3".

Quote
This rootkit infects the hard disk driver (usually atapi.sys or iaStor.sys) and redirects Google search results.

Think that is what he refers to but there could be more to check than just atapi.sys. I see jraid.sys from Kaspersky page as well. Who knows what happens until they try, heh. Not that many tools can remove this, not when I tried a month ago. Catching up...
« Last Edit: February 12, 2010, 04:55:59 AM by Bamse »

cyberdiva
Supporting Member
Posts: 908
« Reply #9 on: February 12, 2010, 07:49:49 AM »

Many thanks, CleverCat, f0dder, and Bamse, for your helpful and reassuring replies.  The explanation about the patch causing havoc only on systems already infected makes some sense and would also explain why not everyone is affected.  I hope it turns out to be true.

f0dder
Charter Honorary Member
Posts: 8,774
[Well, THAT escalated quickly!]
« Reply #10 on: February 12, 2010, 07:51:51 AM »

Quote
Many thanks, CleverCat, f0dder, and Bamse, for your helpful and reassuring replies.  The explanation about the patch causing havoc only on systems already infected makes some sense and would also explain why not everyone is affected.  I hope it turns out to be true.

Do note that a poster on a blog from one of Bamse's links says he got the BSOD even though atapi.sys wasn't infected... so there might be problems on clean systems as well. Or that poster could have some other driver infected, or have pesky antivirus smiley

- carpe noctem

Bamse
Supporting Member
Posts: 410
« Reply #11 on: February 12, 2010, 08:11:32 AM »

True but for what it is worth I can reproduce problem in a VM smiley Evil loop of rebooting. I first installed rootkit, then all updates except 977165. Reboot, everything worked. After 977165 it is game over.



* 2010-02-12_150356.png (2.61 KB, 526x113 - viewed 238 times.)
« Last Edit: February 12, 2010, 08:14:49 AM by Bamse »

f0dder
Charter Honorary Member
Posts: 8,774
[Well, THAT escalated quickly!]
« Reply #12 on: February 12, 2010, 08:12:58 AM »

Quote
True but for what it is worth I can reproduce problem in a VM smiley Evil loop of rebooting.

Hm? What does that screenshot tell? What's the app, and does "suspicious modification" mean rootkit? etc.

- carpe noctem

Bamse
Supporting Member
Posts: 410
« Reply #13 on: February 12, 2010, 08:15:33 AM »

It is GMER, one of the best rootkit scanners. Atapi.sys is modified, shows no sign of being from MS etc. when looking at properties. All tabs are gone. Generic file now. Startpage in IE was changed as well btw. Porn... I can pm you the link I used for rootkit if you like. There are tons of them but this works on atapi.sys like the blogger hinted was a problem - or one of them. There could be more to this.
« Last Edit: February 12, 2010, 08:20:30 AM by Bamse »

f0dder
Charter Honorary Member
Posts: 8,774
[Well, THAT escalated quickly!]
« Reply #14 on: February 12, 2010, 08:19:22 AM »

Quote
It is GMER, one of the best rootkit scanners. Atapi.sys is modified, shows no sign of being from MS etc. when looking at properties. Startpage in IE was changed as well btw. Porn...

Ah, I thought you could reproduce BSODs without infected driver smiley

- carpe noctem

Bamse
Supporting Member
Posts: 410
« Reply #15 on: February 12, 2010, 08:21:30 AM »

No and it would not count anyways since in a VM but for now I think he has a point Wink Don't feel like testing for real. I am listening to a Linux podcast so let's say it is evil MS scheme to promote Microsoft Security Essentials if not Windows 7 64bit, heh.
« Last Edit: February 12, 2010, 08:24:15 AM by Bamse »

Bamse
Supporting Member
Posts: 410
« Reply #16 on: February 12, 2010, 08:28:35 AM »

Forgot to say I failed at first infection. Ran Dr. Web Cureit and it removed or rather cured problem. Did not select report only. Dr. Web is pretty good with the latest and greatest but perhaps most tools can remove by now.

techidave
Supporting Member
Posts: 965
« Reply #17 on: February 12, 2010, 02:03:45 PM »

I just ran Windows Update on a new install of xpsp3 and didn't see the KB977165 listed.  Perhaps MS has pulled it.

cmpm
Charter Member
Posts: 2,025
« Reply #18 on: February 12, 2010, 03:55:41 PM »

Yes they did pull it according to this article-

http://www.ghacks.net/201...s-windows-restart-issues/

Bamse
Supporting Member
Posts: 410
« Reply #19 on: February 12, 2010, 06:01:36 PM »

They have not really said much yet though http://blogs.technet.com/...-installing-ms10-015.aspx

Quote
However, we have not confirmed that the issue is specific to MS10-015 or if it is an interoperability problem with another component or third-party software.

3rd. party software includes rootkits but he did not say that  Cool Would be useful if those with reboot problem would scan with a bootable Dr. Web or whatever.

CleverCat
Supporting Member
Posts: 1,129
Cat's Are Fun!
« Reply #20 on: February 13, 2010, 12:43:46 AM »

Never had a virus! Thanks Kaspersky....  Thmbsup

If you need help - JUST ASK!

Bamse
Supporting Member
Posts: 410
« Reply #21 on: February 13, 2010, 01:00:17 AM »

Well good luck with Kaspersky http://www.virustotal.com...2cd20cad77628d-1266031238  Cool

Possible failing AVs work much better when exe is fired off. Possible... Expect hit rate to be random regardless of brand.

The file I used was 1-2 weeks old so result is far from impressive. Massive amount of logic in update causing problems or "conflicts" with this type of rootkit.
« Last Edit: February 13, 2010, 01:02:55 AM by Bamse »

CleverCat
Supporting Member
Posts: 1,129
Cat's Are Fun!
« Reply #22 on: February 13, 2010, 01:13:05 AM »

It might help if they used the latest version i.e. 9 - 7 is old... Wink

If you need help - JUST ASK!

Bamse
Supporting Member
Posts: 410
« Reply #23 on: February 13, 2010, 01:16:28 AM »

Not necessarily since this is only a dumb filescan. Still a pretty poor result but of course not a problem if resident shields catch everything, heh. Kaspersky is on top of things with their TDSSKiller tool so at least they can remove/fix problem.

I wonder how many AVG users still use version 8.x which did not have any resident protection against rootkits.
« Last Edit: February 13, 2010, 01:23:48 AM by Bamse »

CleverCat
Supporting Member
Posts: 1,129
Cat's Are Fun!
« Reply #24 on: February 13, 2010, 01:28:09 AM »

Shields up No.1....  Grin

If you need help - JUST ASK!