Free Republic
News/Activism

Windows Patch Leaves Many XP Users With Blue Screens
slashdot | 02/11/2010 | Slashdot

Posted on 02/12/2010 10:34:08 AM PST by zeugma

"Tuesday's security updates from Microsoft have crippled Windows XP PCs with the notorious Blue Screen of Death, users have reported on the company's support forum. Complaints began early yesterday, and gained momentum throughout the day. 'I updated 11 Windows XP updates today and restarted my PC like it asked me to,' said a user identified as 'tansenroy' who kicked off a growing support thread: 'From then on, Windows cannot restart again! It is stopping at the blue screen with the following message: 'A problem has been detected and Windows has been shutdown to prevent damage to your computer.' Others joined in with similar reports. Several users posted solutions, but the one laid out by 'maxyimus' was marked by a Microsoft support engineer as the way out of the perpetual blue screens."

Update: 2/12/2010:

Rootkit May Be Behind Windows Blue Screen

"A rootkit infection may be the cause of a Windows Blue Screen of Death issue experienced by Windows XP users who applied the latest round of Microsoft patches. It appears that the affected Windows PCs had the rootkit infection prior to deploying the Microsoft patches. Researcher Patrick W. Barnes, investigating the issue, has isolated the infection to the Windows atapi.sys file, a driver used by Windows to connect hard drives and other components. Barnes identified the infection as the Tdss-rootkit, which surfaced last November and has been spreading quickly, creating zombie machines for botnet activity."


TOPICS: News/Current Events; Technical
KEYWORDS: bluescreen; bsod; lowqualitycrap; microsofttax; rootkits; windowsupdate
To: zeugma
So, for XP users, before you install any new updates, check for the rootkit with any AV scanners you may have. Since the rootkit has been identified and known to modify a specific file, "atapi.sys", I'd probably try to find out what the correct md5sum of the file should be as a quick way of determining if you have an issue with this update.

That's probably excellent advice. How many people here, including me, don't have a clue as to what you are talking about?

41 posted on 02/12/2010 11:48:47 AM PST by Graybeard58 ("0bama's not just stupid; He’s Jimmy Carter stupid”. - Don Imus)
[ Post Reply | Private Reply | To 1 | View Replies]

To: zeugma

WiFi went out for me


42 posted on 02/12/2010 11:59:06 AM PST by NonValueAdded ("Roll back Pelosi" Rush Limbaugh, 2/12/10)
[ Post Reply | Private Reply | To 1 | View Replies]

To: TChris

According to the websites you provided, even when rootkits are detected, unless you know what you’re doing, wiping out the hard drive and reinstalling Windows may be the only way to eliminate them. That sounds pretty radical.


43 posted on 02/12/2010 12:05:19 PM PST by mentor2k
[ Post Reply | Private Reply | To 28 | View Replies]

To: Andrewksu

Since you probably can’t read this, you won’t know that your problem was not an isolated one. Many others had the same issue. By the time you’ve reinstalled a clean version of Windows and reinstalled all of your apps, you probably won’t care either.


44 posted on 02/12/2010 12:10:40 PM PST by centurion316
[ Post Reply | Private Reply | To 1 | View Replies]

To: zeugma
What is a Rootkit?

The term rootkit is used to describe the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempt to hide their presence from spyware blockers, antivirus, and system management utilities. There are several rootkit classifications depending on whether the malware survives reboot and whether it executes in user mode or kernel mode.

Persistent Rootkits

A persistent rootkit is one associated with malware that activates each time the system boots. Because such malware contain code that must be executed automatically each system start or when a user logs in, they must store code in a persistent store, such as the Registry or file system, and configure a method by which the code executes without user intervention.

Memory-Based Rootkits

Memory-based rootkits are malware that has no persistent code and therefore does not survive a reboot.

User-mode Rootkits

There are many methods by which rootkits attempt to evade detection. For example, a user-mode rootkit might intercept all calls to the Windows FindFirstFile/FindNextFile APIs, which are used by file system exploration utilities, including Explorer and the command prompt, to enumerate the contents of file system directories. When an application performs a directory listing that would otherwise return results that contain entries identifying the files associated with the rootkit, the rootkit intercepts and modifies the output to remove the entries.

The Windows native API serves as the interface between user-mode clients and kernel-mode services, and more sophisticated user-mode rootkits intercept file system, Registry, and process enumeration functions of the Native API. This prevents their detection by scanners that compare the results of a Windows API enumeration with that returned by a native API enumeration.

Kernel-mode Rootkits

Kernel-mode rootkits can be even more powerful since, not only can they intercept the native API in kernel-mode, but they can also directly manipulate kernel-mode data structures. A common technique for hiding the presence of a malware process is to remove the process from the kernel's list of active processes. Since process management APIs rely on the contents of the list, the malware process will not display in process management tools like Task Manager or Process Explorer.

RootKitRevealer
45 posted on 02/12/2010 12:12:17 PM PST by mentor2k
[ Post Reply | Private Reply | To 1 | View Replies]

To: Forgiven_Sinner

As an aside to rootkits, Microsoft will be tagging computers starting Feb 16th against pirated copies of Windows 7 through your AUTOMATIC UPDATES. Turn off Automatic Updates and install manually; the number of the deadly update is KB971033. See http://lauren.vortex.com


46 posted on 02/12/2010 12:17:39 PM PST by MissDairyGoodnessVT (Free Nobel Peace Prize with oil change =^..^=)
[ Post Reply | Private Reply | To 36 | View Replies]

To: Graybeard58
That's probably excellent advice. How many people here, including me, don't have a clue as to what you are talking about?

Sorry, my geek was showing.

There are programs used to validate the content of a given file, so you can be reasonably sure that the file hasn't been tampered with. md5sum is one such program. 'checksum' and 'sha1sum' are others. Here's a quick example of how they might be used...

I don't have a copy of Windows presently, so this is an example of what it looks like in Unix, but you should be able to get similar results from a DOS prompt if you have a copy of md5sum or a similar program...

$ echo "aaaaaaaaaaa" > aaa.txt
$ echo "aaaaaaaaaab" > bbb.txt
$ echo "aaaaaaaaaaa" > ccc.txt
$ md5sum *txt
d8ce56398c88e1b4d9e5f83e64c79098  aaa.txt
5f2e08f7acea184ff78f8053ca712be0  bbb.txt
d8ce56398c88e1b4d9e5f83e64c79098  ccc.txt
$

Notice that in the above the only difference between the first two text files I created was that I changed the final "a" to a "b", yet you get vastly different results from md5sum when you check them. The "ccc.txt" file reports the same sum as the "aaa.txt" file because they are identical except for their name. Checksums like this are used to validate the integrity of ISO images that you use to burn CD/DVDs with. When I want to download a copy of the latest Fedora Linux, rather than going to a website and just downloading the ISO file, I download it from a bittorrent site. Once the download is complete, I can validate that no one did anything malicious to any of the data by going to Fedora's website and making note of what the checksum of the file should be, and verifying it against what I have from my downloaded file.

Hope that clears things up.

Google should be able to locate a copy of md5sum for windows that you can use for this purpose, if you don't already have it or something like it.

47 posted on 02/12/2010 12:20:48 PM PST by zeugma (Proofread a page a day: http://www.pgdp.net/)
[ Post Reply | Private Reply | To 41 | View Replies]
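As an added example (not from this thread or from the md5sum tool itself), a small Python script that does what post 47 describes: it hashes files in chunks, parses md5sum-style "digest  filename" lines, and reports OK / FAILED / MISSING per file the way `md5sum -c` does, rebuilding the three-file demonstration above and then altering bbb.txt to show that the digest no longer matches. The file names and contents come from the post; the function names and the appended byte are my own assumptions.

```python
import hashlib
import os
import tempfile


def hash_file(path, algo="md5"):
    """Hex digest of a file's bytes, like `md5sum FILE` (or sha1sum/sha256sum)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        # read 1 MiB at a time so multi-GB ISO images do not fill memory
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse md5sum-style lines ('<hex>  <name>' or '<hex> *<name>') into {name: hex}."""
    expected = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue  # blank line or comment
        expected[parts[1].lstrip("*")] = parts[0].lower()  # '*' marks binary mode
    return expected


def verify_manifest(manifest_text, directory, algo="md5"):
    """Check each listed file; returns {name: 'OK' | 'FAILED' | 'MISSING'} as `md5sum -c` would."""
    results = {}
    for name, want in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        else:
            results[name] = "OK" if hash_file(path, algo) == want else "FAILED"
    return results


def demo():
    """Constructed sample: the post's three files, a good manifest, then bbb.txt altered."""
    d = tempfile.mkdtemp()
    files = {"aaa.txt": b"aaaaaaaaaaa\n", "bbb.txt": b"aaaaaaaaaab\n", "ccc.txt": b"aaaaaaaaaaa\n"}
    for name, body in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(body)
    manifest = "\n".join(f"{hash_file(os.path.join(d, n))}  {n}" for n in files)
    before = verify_manifest(manifest, d)
    with open(os.path.join(d, "bbb.txt"), "ab") as f:
        f.write(b"!")  # a single appended byte is enough to change the digest
    return before, verify_manifest(manifest, d)
```

The same `verify_manifest` works for a vendor-published checksum list, e.g. the Fedora ISO case in the post, as long as you take the expected digest from the vendor's site and not from the same place you got the file.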

To: Jonah Johansen

Looking for a free antivirus program. How about the free Avira?


48 posted on 02/12/2010 12:21:17 PM PST by Irish Eyes
[ Post Reply | Private Reply | To 16 | View Replies]

To: mentor2k

Excellent post about different types of rootkits! Thanks for sharing.


49 posted on 02/12/2010 12:22:18 PM PST by zeugma (Proofread a page a day: http://www.pgdp.net/)
[ Post Reply | Private Reply | To 45 | View Replies]

To: zeugma

When I got back to the office at 7:00 p.m. yesterday, there were two computers from customers that had blue screened from these updates. In both cases, it was a driver issue. Sometimes Microsoft overwrites drivers and it's not a good thing. Booting from the recovery disk and reinstalling the drivers fixed both.

On the subject of rootkits: I would NEVER assume a rootkit was cleaned by any software package available, free or otherwise. I would always reformat. I’ve seen the result of that assumption and it's just not worth it.

It was a big batch of updates and the larger the number of updates the more likely there will be an uh-oh.

Given the diversity of installed hardware and software base in the real world, it is not surprising that bad things happen.

Even though I sound all sweet and reasonable, that’s not how I feel. I’ve been fighting some kind of obscure issue for two days and am thoroughly sick and tired of technology.


50 posted on 02/12/2010 12:26:40 PM PST by Roses0508
[ Post Reply | Private Reply | To 1 | View Replies]

To: Graybeard58; zeugma
"That's probably excellent advice. How many people here, including me, don't have a clue as to what you are talking about?"

After I got up off the floor I decided I didn't have a clue either! LOLOLO!!!!! Oh my that was funny! LOLOLOL!!!

51 posted on 02/12/2010 12:33:29 PM PST by LadyPilgrim ((Lifted up was He to die; It is finished was His cry; Hallelujah what a Savior!!!!!! ))
[ Post Reply | Private Reply | To 41 | View Replies]

To: Graybeard58

You can write your current md5sum on the inside of your left palm for convenient future reference.


52 posted on 02/12/2010 12:37:47 PM PST by steve86 (Acerbic by nature, not nurture)
[ Post Reply | Private Reply | To 41 | View Replies]

To: mentor2k
That sounds pretty radical.

In many cases, that's the only choice you have.

Rootkits are bad juju.

53 posted on 02/12/2010 12:38:13 PM PST by TChris ("Hello", the politician lied.)
[ Post Reply | Private Reply | To 43 | View Replies]

To: TChris
That sounds pretty radical.
In many cases, that's the only choice you have.

Rootkits are bad juju.

I'd go further and say that it's always the only choice you have. How the heck could you ever trust a computer that had been rooted? I sure as heck wouldn't.



54 posted on 02/12/2010 12:50:31 PM PST by zeugma (Proofread a page a day: http://www.pgdp.net/)
[ Post Reply | Private Reply | To 53 | View Replies]

To: zeugma
I'd go further and say that it's always the only choice you have. How the heck could you ever trust a computer that had been rooted? I sure as heck wouldn't.

From what I can gather, IceSword is one tool that can kill rootkits dead. The creator of one of the strongest rootkits out there even said that IceSword is the one tool that he can't beat. (yet).

But, in the great majority of cases, Windows users will be best served by doing a reinstall.

55 posted on 02/12/2010 1:00:03 PM PST by TChris ("Hello", the politician lied.)
[ Post Reply | Private Reply | To 54 | View Replies]

To: Mr. Jeeves
I know - my OS/X upgrade cured all of this stuff a couple of years ago. :)

Me too; I've used nothing but Mac OS X since 2002 and have never once had a virus, worm or other malware problem, in spite of never running antivirus software. (Of course, this is typical for virtually all Mac users)

It just mystifies me that people who know better continue to put up with such abuse by MS Windows.

56 posted on 02/12/2010 1:00:44 PM PST by doc11355
[ Post Reply | Private Reply | To 27 | View Replies]

To: zeugma

I update every time Windows has an update available and have no problems. How come some do and some don’t?

I have Windows XP.


57 posted on 02/12/2010 1:06:49 PM PST by Graybeard58 ("0bama's not just stupid; He’s Jimmy Carter stupid”. - Don Imus)
[ Post Reply | Private Reply | To 1 | View Replies]

To: SevenofNine

58 posted on 02/12/2010 1:16:31 PM PST by monkapotamus
[ Post Reply | Private Reply | To 1 | View Replies]

To: NY.SS-Bar9

ZoneAlarm security suite does rootkits - PC Tools' Registry Mechanic might be better...


59 posted on 02/12/2010 1:18:38 PM PST by GOPJ (Nobody likes to be lectured by those claiming superior wisdom but lacking common sense - - Hanson)
[ Post Reply | Private Reply | To 8 | View Replies]

To: MikeWUSAF

If you’d been running in a virtual machine, that exploit might have been a non-problem, just a suggestion......


60 posted on 02/12/2010 1:25:13 PM PST by Notary Sojac ("Goldman Sachs" is to "US economy" as "lamprey" is to "lake trout")
[ Post Reply | Private Reply | To 15 | View Replies]

