KB977165 should be removed!
Posted 14 February 2010 - 07:19 AM
Many users faced BSOD after that ... see various reports in the Internet.
For example http://www.neowin.ne...to-recent-patch
and latest reports from Microsoft itself.
This "update" should be removed from Autopatcher XP SP3!
Posted 14 February 2010 - 09:19 AM
Isn't that so?
For the meantime - until MS finally manages to solve this problem... - there is a temporary Fix-It solution:
Posted 14 February 2010 - 09:26 AM
Edited by click-click, 14 February 2010 - 09:31 AM.
Posted 14 February 2010 - 10:39 AM
fix isn't always simple - a flag in AutoPatcher might help "Caution!". I don't use AutoPatcher much anymore, I mostly keep updated for
the people I have turned on to it so what you decide is not an issue for me.
Posted 15 February 2010 - 12:49 AM
Posted 17 February 2010 - 05:27 PM
symantec says that the problem happens due an change done in the virtual addresses. the update changes the data that the rootkit is running, making the infected module of the kernel call for invalid addresses
of course, the problem has increased after KB977165, but the reason is an rootkit, not the update.
yours still think that this one should be removed after this?
i'm sure that someone will find an english source for that info
Posted 17 February 2010 - 05:49 PM
Posted 18 February 2010 - 03:31 AM
Translation from babelfish:
Rootkit is cause of blue screen, says Symantec
Rootkit is cause of blue screen, says Symantec
James Della Valle, de INFO Online Wednesday, 17 of February of 2010 - 10h39
São Paulo - the Symantec informed that one rootkit is the responsible one for the excess of blue screens of error that are appearing in versions of Windows XP.
The company pointed the [Tidserv]
as responsible for if infiltrating in drivers of kernel, as atapi.sys.
o MS will make blitz against Windows 7 ´não oficial´ (11/02/2010)
A on time to the archive, it starts if to spread for the system with a behavior similar to the one of a worm. Softwares of security, as antivirus, can fail in the detention of the threat, hiding the real nature of the problem.
Microsoft admitted that the problems with the famous “blue screen of the death” had after increased the launching of update MS010-15. To prevent more problems, the Security Response Center of the company informs that it goes to congeal the distribution of update until the problem is decided.
The Symantec affirms that the problem occurs because of an alteration made in the virtual addresses. The dumb update the data used for rootkit, what it makes the infectado module of kernel to call invalid addresses.
The security company points that the best form to decide the problem is to use one backup of drivers infectados. In some cases, the users must even though consider the reinstallation of Windows XP. The Symantec says that its antiviruses can identify the threatened archives.
Personal note from humble3d: The new atapi.sys file was 95kb and tested positive for rootkit;
My old atapi.sys was 94kb and tested clean; so, in an abundance of caution, I replaced the new atapi.sys
with the old one...
so far so good...
2. Locate the infected partition, which is normally the boot partition
3. Replace atapi.sys in \%Windir%\system32\drivers with the clean backup copy
Here's a list with the most common driver names infected by the rootkit, which can be used
in the above process:
We are aware that the blue screens may be caused by other good or bad kernel mode
applications that were relying on hard coded addresses, but Tidserv is one of the most prevalent threats that may cause this problem. Symantec detects these infected drivers on disk as Backdoor.Tidserv!inf, but recommends that the files are replaced manually, since attempting to remove the file automatically may render the system unbootable.
Edited by humble3d, 18 February 2010 - 03:41 AM.
Posted 21 February 2010 - 08:14 AM
I am sorry if it was a double post...I'm not well...
Anyway, I lost the data from a text file, but, long story
short, the msft update is ok; it's the computer owners
infected system that's the fault;
Kaspersky has a small, free download to test for the trojan but,
I've misplaced the info in the lost text file...
I will still try to find it for you...
Update: I think i found it:
Hackers fix XP BSoD rootkit
An update released by Microsoft this month (MS10-015)
broke XP machines that were infected with the TDL3 rootkit (also known as TDSS and Tidserv and many other
names - more info here
Well, a rootkit that causes crashes is bad for business, so the hackers had an update out in the matter of hours.
On last Tuesday Microsoft released a number of Windows updates, some of them critical because they fixed a 17
years old bug. After some users updated their Windows operating systems, they got a scaring and really annoying
blue screen of death.
Most of those users were angry with Microsoft, but the problem this time is not related to Microsoft. Indeed a
number of the users affected by this BSOD was infected by TDL3/TDSS rootkit.
More exactly, TDL3 rootkit looks incompatible with MS10-015 update. This is the cause of the BSOD. Problem
resides in the lazyness of rootkit writers when writing the driver infection routine.
Good news is that TDL3 authors care about us and they released in a couple hours a new updated version of the
rootkit compatible with the Microsoft patch.
It’s one big cat and mouse game between the good guys and the bad guys.
One vender, who spoke on conditions of anonymity, admitted his truth:
All software is impregnated with rootkits from the factory bench, he said.
This is how we track users' experiences, needs, wants and habits.
This so called spying on customers is necessary and proper for maintaining
market share in a very competitive market.
Unavoidably determined by prior circumstances, The customer is the big
winner at the end of the day.
It's a win, win situation for all of us.
KAV has a free rootkit killer here which believes it can stop the TDL3::
I Ran the kav tool and the rootkit was not found.
I then installed WindowsXP-KB977165-x86-ENU.exe and,
everything is fine...
Edited by humble3d, 21 February 2010 - 08:40 AM.
1 user(s) are reading this topic
0 members, 1 guests, 0 anonymous users