Avast WEBforum

Avast Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: waking on February 11, 2010, 09:50:39 PM

Title: XP users alert re BSODs
Post by: waking on February 11, 2010, 09:50:39 PM
If any XP users have just started to experience BSODs,
read this as avast! may not be responsible for all of them.

Windows Patch Leaves XP Users With Blue Screen of Death
http://www.pcworld.com/article/189110/windows_patch_leaves_xp_users_with_blue_screen_of_death.html?tk=nl_dnx_h_crawl
Title: Re: XP users alert re BSODs
Post by: news on February 11, 2010, 10:18:44 PM
Interestingly enough, I guess I've been lucky and none of the pc's I worked with have experienced this problem with regard to the monthly updates.  I'm sure it's more people than have posted in the forum at Microsoft that are having this issue.

They just aren't sure yet if the patches themselves are the real problem, or maybe something they've possibly installed, hardware issues..etc. It's great that it's being brought to the surface so quickly. Not so great, however for those experiencing the problems. Thanks so very much for the link. I have a netbook, haven't checked into it yet with Windows XP on it.  :o ;)
Title: Re: XP users alert re BSODs
Post by: kakapo on February 11, 2010, 10:29:06 PM
Thank you SO much for posting this info. I've been wracking my brain trying to work it out because my XP Pro 64 bit PC is continually BSOD ing and I'm still on Avast 4.8. My notebook's fine (XP Pro 32 bit) but after uninstalling printer, other peripherals and heaps of software on the PC, I'm still getting BSODs which did indeed start after MS Updates. Now I may have a clue as to a fix. Sounds spooky though the fix....the one suggested by maxyimus. Do you think this is necessary or will MS put out a fix please? Do you have any other links to this problem please? Thank you for posting this waking. Much appreciated.
Title: Re: XP users alert re BSODs
Post by: Rednose on February 11, 2010, 10:48:15 PM
Hi kakapo :)

There is nothing spooky about the fix from maxyimus. All he does is use Recovery Console to remove the updates.

Greetz, Red.
Title: Re: XP users alert re BSODs
Post by: PhilR on February 12, 2010, 12:08:55 AM
You should see this thread as well:

http://social.answers.microsoft.com/Forums/en-US/vistawu/thread/73cea559-ebbd-4274-96bc-e292b69f2fd1

MS is more likely to fix it quickly if they get help from end-users experiencing the problem.

Phil

P.S. Comments to this story on the SANS Institute's Internet Storm Center suggest it might be a rootkit crashing the newly updated kernel:

http://isc.sans.org/diary.html?storyid=8209#comment
Title: Re: XP users alert re BSODs
Post by: news on February 12, 2010, 12:40:53 AM
Thanks so very much PhilR for the links. Well, my netbook gave me no problems with the updates.  ;)

Rootkits, a true menace. They hide in your system and are sometimes extremely hard to eliminate. Infected systems will always create problems for security updates. The security forums are having a time of it right now, I'm sure of that.
Title: Re: XP users alert re BSODs
Post by: polonus on February 12, 2010, 12:56:28 AM
Hi folks,

Also read here: http://forum.avast.com/index.php?topic=55404.msg468934#msg468934

polonus
Title: Re: XP users alert re BSODs
Post by: news on February 12, 2010, 02:00:01 AM
Thanks so very much for the link Polonus. Looks like possible driver issues on some of the other boards I've finally been able to read on as well where the BSOD's were concerned with Windows Updates. Very glad your problem was fixed. 
Title: Re: XP users alert re BSODs
Post by: waking on February 12, 2010, 09:14:45 PM
Microsoft Pulls Patch that Causes Blue Screen of Death

http://www.pcworld.com/article/189210/microsoft_pulls_patch_that_causes_blue_screen_of_death.html?tk=nl_dnx_h_crawl
Title: Re: XP users alert re BSODs
Post by: sunrisecc on February 12, 2010, 09:48:42 PM
Possible reason?

http://blogs.zdnet.com/Bott/?p=1764&tag=col1;post-1764
Title: Re: XP users alert re BSODs
Post by: news on February 12, 2010, 10:11:03 PM
Thanks so very much waking and sunrisecc for the links. This is quite interesting, and intriguing. To patch or not to patch, that is the question?  ;D I'm doing a bit of research on my own with this one. As long as you're not experiencing any problems, I wouldn't worry about it just yet.

They (Microsoft) may or may not let you know where the problem lies. Sometimes, it's better they don't let "the cat out of the bag" as it were. Even after they find out what they need to know. Keeps the hounds (hackers) at bay for a while longer. ;)
Title: Re: XP users alert re BSODs
Post by: sunrisecc on February 12, 2010, 10:18:45 PM
Since the patch is unavailable temporarily, I would definitely patch the others.

I have updated 3 XP Pro computers and have no problem.
But then I use Avast on the XP computers.  :D
Title: Re: XP users alert re BSODs
Post by: olddog on February 13, 2010, 01:43:53 AM
Regardless of what turns out to be the root cause of the problems that update KB977165 seems to have triggered, the recovery problems being faced by those who have been affected once again highlight the value of having frequent partition imaging as a primary part of any backup system.

I manually downloaded and installed the latest batch of MS updates early on the 11th Feb when they still included KB977165. So far I have experienced no problems at all - hope it stays that way.

Title: Re: XP users alert re BSODs
Post by: DavidR on February 13, 2010, 02:11:21 AM
Yes, I too have that KB installed and so far no issues in XP Pro SP3.
Title: Re: XP users alert re BSODs
Post by: Gopher John on February 13, 2010, 02:32:18 AM
>Yes, I too have that KB installed and so far no issues in XP Pro SP3.

No problem here.  Applied all patches on Patch Tuesday.  I have a Dell XPS system purchased in 2005.  The link above indicated that the affected systems may have been infected with malware already.  Maybe that's just Microsoft's story, but some of the malware doesn't like being neutered.
Title: Re: XP users alert re BSODs
Post by: YoKenny on February 13, 2010, 02:35:53 AM
No problem on my XP Pro system.  8)

Just a short while for the 2010 Winter Games to start.
Title: Re: XP users alert re BSODs
Post by: jeffj4873 on February 13, 2010, 02:58:50 AM
I get an occasional BSOD but nothing like described. Apparently do have that patch installed.
Title: Re: XP users alert re BSODs
Post by: MikeBCda on February 13, 2010, 07:58:22 PM
I updated last night, and 977165 was included.  But so far, no problems.

I think I saw somewhere that there's some evidence that the BSOD associated with this patch may only affect systems infected with a particular trojan, I forget which one.
Title: Re: XP users alert re BSODs
Post by: waking on February 13, 2010, 08:55:41 PM
Microsoft Says Malware Causing Blue Screen Crashes

http://www.pcworld.com/businesscenter/article/189233/microsoft_says_malware_causing_blue_screen_crashes.html?tk=nl_dnx_h_crawl
Title: Re: XP users alert re BSODs
Post by: waking on February 13, 2010, 09:14:32 PM
I notice that the VirusTotal report:

http://www.virustotal.com/analisis/85aa49f587f69f30560f02151af2900f3dc71d39d1357727ab41b11ef828a7ff-1265925529

referenced in the last PC World article I posted indicates that avast! 4.8 (1351? - not the latest!)
with VPS 100211 does NOT detect the bad atapi.sys file. Does anyone know whether or not
avast! 5.0.418 will catch it?
Title: Re: XP users alert re BSODs
Post by: news on February 13, 2010, 09:26:27 PM
Loving all of these *great* links you're posting waking. Thanks so very much. I would guess Vlk and his crew would have to answer the latest problem with the atapi system file issue. I haven't had a problem in that area..yet. 

I do know however, avast! alerted me to a sign of the aurora exploit on one of my test systems. I was VERY happy to see avast! let me know of that during my travels and testing on the internet.  :o ;)
Title: Re: XP users alert re BSODs
Post by: Rick F on February 13, 2010, 10:17:43 PM
I just checked my version of atapi.sys (dated 8/10/2004) at VirusTotal and it's clean. I wonder if it would be safe for me to run the 'workaround' M$ recommends to stop the vulnerability -- which the patch MS10-015 (KB977165) was designed to plug?  I mean to run the "Fix It" they talk about here:

Vulnerability in Windows Kernel could allow elevation of privilege
http://support.microsoft.com/kb/979682

Thanks.
Title: Re: XP users alert re BSODs
Post by: DavidR on February 13, 2010, 10:30:55 PM
Recently there was a whole slew of atapi.sys infection reports in the viruses and worms forum.
Title: Re: XP users alert re BSODs
Post by: news on February 13, 2010, 10:55:01 PM
>I just checked my version of atapi.sys (dated 8/10/2004) at VirusTotal and it's clean. I wonder if it would be safe for me to run the 'workaround' M$ recommends to stop the vulnerability -- which the patch MS10-015 (KB977165) was designed to plug?  I mean to run the "Fix It" they talk about here:

>Vulnerability in Windows Kernel could allow elevation of privilege
>http://support.microsoft.com/kb/979682

>Thanks.

Hi Rick..

I would say yes. Run the fix until Microsoft decides what they plan to do about the patch. It's better to have something in place, for now. You can always remove the fix when Microsoft decides to move on this issue. Be sure to bookmark the page where the fix comes from so that you will have the fix removal as well.  Hope this helps you.
Title: Re: XP users alert re BSODs
Post by: Rick F on February 14, 2010, 08:24:10 PM

>Hi Rick..

>I would say yes. Run the fix until Microsoft decides what they plan to do about the patch. It's better to have something in place, for now. You can always remove the fix when Microsoft decides to move on this issue. Be sure to bookmark the page where the fix comes from so that you will have the fix removal as well.  Hope this helps you.

Thanks news,

I went ahead and downloaded the 'fixit' and the 'unfixit' (just in case) so I won't have to go hunting for it later if I need it.  Ran the enable fix and it seems like it's fine.

Rick

Title: Re: XP users alert re BSODs
Post by: YoKenny on February 15, 2010, 01:18:02 AM
@ Rick F

Are you still running WinXP Media Ctr SP-2?

Windows XP Service Pack 3 has been available for over a year and a half that contains several Critical Security updates plus performance improvements.

You need to start Internet Explorer then go to Tools then Windows Update and download all of the available updates.

Go to Control Panel then Automatic Updates then select Automatic (recommended) or at least Notify me but don't automatically download or install them.

Go to Secunia Online Software Inspector then run it to see what other applications are vulnerable:
http://secunia.com/vulnerability_scanning/online
Title: Re: XP users alert re BSODs
Post by: news on February 15, 2010, 01:34:31 AM
You're welcome Rick. YoKenny..If memory serves me correctly, I believe Rick is pretty savvy with computers, to some capacity.  He'll correct me if I'm wrong though.  ;)
Title: Re: XP users alert re BSODs
Post by: YoKenny on February 15, 2010, 01:55:34 AM
@ news

Maybe Rick F hasn't updated his signature with SP3 installed?
Title: Re: XP users alert re BSODs
Post by: waking on February 15, 2010, 04:35:10 AM
All of the critical patches rolled up in SP3 were released individually as well.
Some of us chose (and choose) to apply patches selectively, as it facilitates
identifying problematic changes and simplifies the roll-back process if needed.
It provides micro-management opportunities which installing a large package
doesn't. The fact that someone is still running under SP2 does not mean that
they don't have all critical patches applied.

SP3 simplified the patching by giving one-stop shopping, but that comes with the
drawback of complicating recovery if something goes wrong with one or more of the
patches included - and that did in fact happen with SP3 on some systems.

That being said, it needs to be noted that MS has announced the discontinuation
of support for XP with SP2 in the near future. Presumably XP with SP3 applied
will continue to be supported for awhile longer. So if an XP user wants to
continue to get security patches from MS, they need to apply SP3 as of July 2010.

http://www.informationweek.com/news/windows/operatingsystems/showArticle.jhtml?articleID=222000858

http://arstechnica.com/microsoft/news/2009/12/support-for-windows-xp-sp2-windows-2000-ends-july-13-2010.ars

http://www.ubergizmo.com/15/archives/2009/12/microsoft_to_drop_windows_xp_sp2_support.html
Title: Re: XP users alert re BSODs
Post by: Rick F on February 15, 2010, 04:45:59 AM
I try to keep up-to-date on critical updates, but SP-3 scares me.  There was one update a couple of years ago (KB916595) that killed my computer within the first month I got it from Dell.  It took a week to get everything working again. Dell couldn't figure out why that patch killed my computer, so I have a post-it note below my monitor to NEVER install that patch.  I'm concerned that patch will be included in SP-3.

I do periodic backups using 'Symantec Live State Recovery' (not Symantec AV... will never have that) which creates a 'ghost' image of my 'C' drive.  Hopefully that will work when I eventually need it.

Thanks again.
Title: Re: XP users alert re BSODs
Post by: waking on February 15, 2010, 05:06:37 AM
>There was one update a couple of years ago (KB916595) that killed my computer ...
>I'm concerned that patch will be included in SP-3.

It is included, according to this:

List of fixes that are included in Windows XP Service Pack 3
http://support.microsoft.com/kb/946480
Title: Re: XP users alert re BSODs
Post by: Marc57 on February 15, 2010, 06:21:08 AM
Windows XP with Service Pack 2. This XP version is no longer supported as of July 13, 2010. Microsoft recommends that users upgrade to Service Pack 3 (SP3) or to Windows 7


http://windowsitpro.com/windowspaulthurrott/article/articleid/103556/microsoft-warns-of-windows-version-expirations.html
Title: Re: XP users alert re BSODs
Post by: YoKenny on February 15, 2010, 11:56:21 AM
The KB916595 item refers to Stop error message on a Windows XP-based computer: "STOP 0x000000D1" from  June 6, 2006
Quote
STOP 0x000000D1(parameter1, parameter2, parameter3, parameter4)
DRIVER_IRQL_NOT_LESS_OR_EQUAL

HTTP.SYS
http://support.microsoft.com/kb/916595

Means that you have not kept your device drivers up to date.

Windows XP Stop Messages
http://www.updatexp.com/stop-messages.html

That was one of the first problems I had with XP that caused BSOD's for me so I learned to make sure I install the latest device drivers from my system manufacturer.
Title: Re: XP users alert re BSODs
Post by: sunrisecc on February 15, 2010, 01:52:11 PM
Additional info?

Rootkit blamed for Blue Screen patch update snafu

http://www.theregister.co.uk/2010/02/15/rootkit_blue_screen_culprit_probably/
Title: Re: XP users alert re BSODs
Post by: Rick F on February 15, 2010, 05:00:57 PM
Quote
YoKenny wrote: That was one of the first problems I had with XP that caused BSOD's for me so I learned to make sure I install the latest device drivers from my system manufacturer.

Interesting. I spent months trying to figure out why my PC would sometimes give me a BSOD.  It was always my modem (Conexant D850 - 56K).  I'd go looking for the latest driver... even with DELL's help, and no matter what version driver was installed, it always showed up as driver 7.6.0.50 dated 1/7/2004.  Finally, I just disabled the modem driver so I no longer get BSODs. (I'm not on dial-up).  When I need to send a fax, I re-enable the modem, send the fax, then disable again.

Thanks guys.  Boy, this is really getting off topic though.
Title: Re: XP users alert re BSODs
Post by: Rick F on February 15, 2010, 05:51:48 PM
Quote
YoKenny wrote: That was one of the first problems I had with XP that caused BSOD's for me so I learned to make sure I install the latest device drivers from my system manufacturer.

Interesting. I spent months trying to figure out why my PC would sometimes give me a BSOD.  It was always my modem (Conexant D850 - 56K).  I'd go looking for the latest driver... even with DELL's help, and no matter what version driver was installed, it always showed up as driver 7.6.0.50 dated 1/7/2004 installed.  Finally, I just disabled the modem driver so I no longer get BSODs. (I'm not on dial-up).  When I need to send a fax, I re-enable the modem, send the fax, then disable again.

Thanks guys.  Boy, this is really getting off topic though.
Title: Re: XP users alert re BSODs
Post by: YoKenny on February 15, 2010, 07:44:24 PM
@ Rick F

Old dial-up modems were the bane of my existence back then as the makers never kept the drivers updated so I removed the adapter if the system did not need it or purchased a new one if really needed.

The Zoom Model 3035 - PCI Express V.92 can be purchased for as low as $25.00:
http://www.zoom.com/products/dial_up_internal.html

I use my Brother MFC-240C All-In-One to send and receive FAXes.

It's not off topic if the Conexant D850 - 56K modem is causing BSODs though.
Title: Re: XP users alert re BSODs
Post by: Marc57 on February 17, 2010, 09:43:09 PM
Hackers "fix" XP BSoD rootkit


Good news is that TDL3 authors care about us and they released in a couple hours a new updated version of the rootkit compatible with the Microsoft patch

http://blogs.zdnet.com/hardware/?p=7349&tag=nl.e550


Isn't it nice these Hackers "care" about us?   ::)
Title: Re: XP users alert re BSODs
Post by: YoKenny on February 18, 2010, 09:33:41 AM
Quote
Update - Restart Issues After Installing MS10-015 and the Alureon Rootkit
Hi,
We wanted to provide you with an update on our ongoing investigation into the “blue screen” issues affecting a limited number of customers who installed MS10-015.  We have been working around the clock with our customers, partners and several teams at Microsoft to determine the cause of these issues.  Our investigation has concluded that the reboot occurs because the system is infected with malware, specifically the Alureon rootkit.  We were able to reach this conclusion after the comprehensive analysis of memory dumps obtained from multiple customer machines and extensive testing against third party applications and software.  The restarts are the result of modifications the Alureon rootkit makes to Windows Kernel binaries, which places these systems in an unstable state.  In every investigated incident, we have not found quality issues with security update MS10-015.  Our guidance remains the same: customers should continue to deploy this month’s security updates and make sure their systems are up-to-date with the latest anti-virus software.
 
http://blogs.technet.com/msrc/archive/2010/02/17/update-restart-issues-after-installing-ms10-015-and-the-alureon-rootkit.aspx
Title: Re: XP users alert re BSODs
Post by: sunrisecc on February 18, 2010, 11:51:03 AM
Now the question is - does Avast 5 find the Alureon rootkit?