AutoPatcher Forum: AutoPatcher for Windows XP SP3 (x86)

Heads Up on KB977165 (Feb. Patch Tuesday)

click-click, 11 Feb 2010

Possible problem encountered by some XP users after installing a Patch Tuesday fix:

http://www.krebsonse...ndows-xp-users/

ciao ...

Cristiano, 11 Feb 2010

Funny. No issue at all with XP on the machines I have tested so far (just 3, but...).

[]s

click-click, 12 Feb 2010

Might also only be happening on systems that have been infected by a rootkit or malware. Hard to tell at the moment.

Cristiano, 12 Feb 2010

Yep. Just in case, I'm holding the main XP script, despite it already being online. At least this gives time to test properly.

[]s

Cristiano, 12 Feb 2010

Great. Now they have removed it from WU, but you can still download it through this. The ENU script is already done, with this one and the removal of the obsolete update. So far I've noticed that the third-party software that scans for vulnerabilities reports this one as missing if you don't install it. Also, certain third-party vulnerability-checking software asks for ms08-066.mspx, which was made obsolete some time ago (I'm unsure about the number; I have the right one at home).

So, at this point, I really don't know what to do.

Any thoughts?

[]s

click-click, 12 Feb 2010

Why don't you just add a warning in the title of the .apm file? Leave it up to the user whether he wants to install it.

Cristiano, 12 Feb 2010

Yep. But this one is a critical update that is selected by default. That's the problem...

[]s

Cristiano, 12 Feb 2010

At this point I wasn't sure what to do. But after thinking a little: MS didn't remove that file from their servers. In the recent past, KB976126 v1 was creating a minor issue and was removed from MS servers. This one wasn't. Why, I don't know. But I'm sure about one thing: even MS is unsure about how this issue is created; otherwise they would have removed that file from their servers, and they didn't.

Given that, the XP ENU script was made public, with this update included.

[]s

Cristiano, 17 Feb 2010

OK, just take a look in here. According to Symantec, the reason for the BSOD is a rootkit.

[]s

_def_x_, 17 Feb 2010

I would go ahead and add the update to the script; the user should be reading up on the updates they install anyway.

humble3d, 18 Feb 2010

Translation from babelfish:
http://babelfish.yahoo.com/translate_url?doit=done&tt=url&intl=1&fr=bf-home&trurl=http%3A%2F%2Finfo.abril.com.br%2Fnoticias%2Fseguranca%2Frootkit-e-causa-de-tela-azul-diz-symantec-17022010-9.shl&lp=pt_en&btnTrUrl=Translate

Security
Rootkit is cause of blue screen, says Symantec
James Della Valle, INFO Online, Wednesday, 17 February 2010 - 10:39

São Paulo - Symantec has reported that a rootkit is responsible for the surge of blue-screen errors appearing on versions of Windows XP.

The company pointed to [Tidserv](http://www.google.com/search?hl=en&source=hp&q=Tidserv&btnG=Google+Search&aq=f&aqi=&oq=) as the culprit, which infiltrates kernel drivers such as atapi.sys.

Once inside the file, it begins to spread through the system with worm-like behaviour. Security software such as antivirus can fail to detect the threat, hiding the real nature of the problem.

Microsoft admitted that problems with the famous "blue screen of death" increased after the release of update MS10-015. To prevent further problems, the company's Security Response Center says it will freeze distribution of the update until the problem is resolved.

Symantec states that the problem occurs because of a change made to virtual addresses. The update changes the data used by the rootkit, which makes the infected kernel module call invalid addresses.

The security company says the best way to resolve the problem is to use a backup of the infected drivers. In some cases, users may even have to consider reinstalling Windows XP. Symantec says its antivirus products can identify the affected files.

Personal note from humble3d: The new atapi.sys file was 95 KB and tested positive for rootkit; my old atapi.sys was 94 KB and tested clean; so, in an abundance of caution, I replaced the new atapi.sys with the old one... so far so good...

MORE, FROM:
http://www.symantec....rv-and-ms10-015

2. Locate the infected partition, which is normally the boot partition

3. Replace atapi.sys in \%Windir%\system32\drivers with the clean backup copy

4. Reboot

Here's a list of the most common driver names infected by the rootkit, which can be used in the above process:

atapi.sys
iastor.sys
idechndr.sys
ndis.sys
nvata.sys
vmscsi.sys

We are aware that the blue screens may be caused by other good or bad kernel mode applications that were relying on hard coded addresses, but Tidserv is one of the most prevalent threats that may cause this problem. Symantec detects these infected drivers on disk as Backdoor.Tidserv!inf, but recommends that the files are replaced manually, since attempting to remove the file automatically may render the system unbootable.

Edited by humble3d, 18 February 2010 - 03:53 AM.
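Added example (not code from the thread, from AutoPatcher, or from Symantec's writeup): a PowerShell script that does the size/hash comparison humble3d did by hand on atapi.sys, for all six driver names in Symantec's list. It assumes the system's Windows directory is reachable at `-Root` and, optionally, a folder of known-good copies at `-CleanBackup`; the two reference locations it falls back to (`system32\dllcache` and `ServicePackFiles\i386`) are assumed to exist on a normal XP SP3 install and are not guaranteed to be untampered. Run it from a clean machine against the infected disk mounted offline (slaved drive or WinPE boot): a live Tidserv/TDL3 infection filters reads of the sectors it infected, so the same comparison run on the infected system itself can return a clean-looking file.

```powershell
# Check the driver files Tidserv commonly infects against reference copies.
# Added example, not from the thread or Symantec. Assumptions (hypothetical):
#   -Root        Windows directory of the disk under test, e.g. E:\WINDOWS for an
#                offline slaved disk (default: the running system, which is only
#                trustworthy if the box is not currently infected).
#   -CleanBackup optional folder holding known-good copies of the drivers.
param(
    [string]$Root = "$env:WINDIR",
    [string]$CleanBackup = ""
)

# Driver names from Symantec's list in the post above.
$drivers = 'atapi.sys', 'iastor.sys', 'idechndr.sys', 'ndis.sys', 'nvata.sys', 'vmscsi.sys'

# Reference locations, checked in order. dllcache and ServicePackFiles are the
# assumed XP SP3 locations; either may be missing or may also have been tampered with.
$refDirs = @()
if ($CleanBackup) { $refDirs += $CleanBackup }
$refDirs += (Join-Path $Root 'system32\dllcache')
$refDirs += (Join-Path $Root 'ServicePackFiles\i386')

function Get-Sha256Hex([string]$Path) {
    # Get-FileHash is not available on PowerShell 2.0 (the version that runs on XP),
    # so hash through the .NET class directly.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

foreach ($name in $drivers) {
    $live = Join-Path $Root "system32\drivers\$name"
    if (-not (Test-Path $live)) { continue }    # driver not present on this system
    $liveItem = Get-Item $live
    $liveHash = Get-Sha256Hex $live
    $verdict  = 'NO REFERENCE COPY FOUND'

    foreach ($dir in $refDirs) {
        $ref = Join-Path $dir $name
        if (-not (Test-Path $ref)) { continue }
        if ((Get-Sha256Hex $ref) -eq $liveHash) {
            $verdict = "MATCH ($dir)"
            break
        }
        $verdict = 'MISMATCH: {0} bytes on disk vs {1} bytes in {2}' -f `
                   $liveItem.Length, (Get-Item $ref).Length, $dir
    }

    '{0,-13} {1,7} bytes  sha256:{2}...  {3}' -f $name, $liveItem.Length, $liveHash.Substring(0, 16), $verdict
}
```

A MISMATCH of roughly a kilobyte in size is consistent with what humble3d reports (95 KB infected vs 94 KB clean), but a mismatch on its own is not proof of infection: a hotfix can legitimately update a driver while dllcache lags behind. Treat a mismatch as the cue to scan the offline file (Symantec detects the infected driver as Backdoor.Tidserv!inf) and, if confirmed, follow steps 2-4 above and replace the file by hand rather than deleting it, since Symantec warns that automatic removal can leave the system unbootable.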