I don't want to keep pestering people with what may turn out to be silly questions, but this dust up with the Microsoft update rendering some computers unbootable has me a little freaked out.

http://forums.malwarebytes.org/index.php?showtopic=39655

I haven't installed the update in question, just in case, but they are still being offered to me at the Windows Update site. I have all other critical updates installed, I've just left out that one.

As I said in the other thread, I've scanned the atapi.sys file at VirusTotal and come up with one positive. From what I have seen on other sites, this is what other people are getting as well. Jotti turns up nothing. I submitted the file to Microsoft (I use Microsoft Security Essentials) and they say it's clean, but then one reads information indicating that the rootkit in question is clever enough to evade security software and so forth.

See the comments section here:

https://patrickwbarnes.com/blog/2010/02/microsoft-update-kb977165-triggering-widespread-bsod/

Patrick gets the same result at VirusTotal as I do, and his file has the same SHA1 value as mine.

So I wondered if I could run GMER, and if it DOES kick out a false positive, at least no harm done. And if there is a problem, then obviously I need to know. I've never used GMER. I don't have a reason to think my computers are infected, I would just like to be sure. I am also waiting for Microsoft to do more research on this before I go ahead and install anything.

http://blogs.technet.com/msrc/

Link to post

OK, I ran GMER on both the desktop and the laptop, and I didn't see anything. The laptop had this:

---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueryDirectoryFile [0xA1A198A0]

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

Device \Driver\Tcpip \Device\Tcp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

Device \Driver\Tcpip \Device\Udp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

Device \Driver\Tcpip \Device\RawIp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

---- EOF - GMER 1.0.15

I'll post the desktop's in an edit. ;)

OK, I'm back, and here's the desktop:

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)

AttachedDevice \FileSystem\Fastfat \Fat bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)

I think if there was a "rootkit", it would have said so, right? I mean, it would have actually used the word "rootkit"? Nothing came up. The SSDT thing on the laptop can be explained, it's my firewall's self protection.

Link to post

Maurice,

The desktop is Windows Media Center Edition SP3, laptop is Windows XP Pro SP3. The update in question is KB977165. Complaints here:

http://social.answers.microsoft.com/Forums/en-US/vistawu/thread/73cea559-ebbd-4274-96bc-e292b69f2fd1/#e9b28c45-635c-4adf-8d24-817bf39c207b

That's a long thread, now locked.

Microsoft is investigating, posts here:

http://blogs.technet.com/msrc/archive/2010/02/11/restart-issues-after-installing-ms10-015.aspx

And yesterday's update:

http://blogs.technet.com/msrc/archive/2010/02/12/update-restart-issues-after-installing-ms10-015.aspx

Checking around various places on the 'net, there's been some back and forth as to whether or not the computers which experienced the problem were infected and that's why they became unbootable. Someone researching it is at this link, which is currently inaccessible. I was able to access it earlier today. I wonder if the site has been overwhelmed and crashed.

https://patrickwbarnes.com/blog/2010/02/microsoft-update-kb977165-triggering-widespread-bsod/

It looks like my system is clean, I just wanted to check. I think I will still wait until Microsoft does some further research on the update.

Link to post

I did end up having to hard boot both the systems I ran GMER on just now. The desktop froze when I was using the Opera browser. The laptop experienced difficulty running a scan with Superantispyware. Actually SAS sort of got snarled up and wouldn't scan and wouldn't close. (MWB behaved itself earlier, however.) I don't know if that was a coincidence or not. Maybe GMER tickled stuff that my computers didn't like much.

Anyway, things look fine now.

Link to post

Preface: I'm running an XP system with update 977165 installed on the evening of the 10th, without issue.

(A side note as well: nearly a dozen PCs in our office were also updated this past week without any BSOD issue.)

The thing is your system needs this update to cover a potential risk.

I do not believe that most systems have had an issue with this. Just the ones you have read about, and that starts all the buzz.

You need to have courage and not fear to take this update.

Be advised that I used to 'make many replies' on the MS windows update group (forum now) and have some background in this area.

This update does NOT 'bsod' on all systems. Just some, for whatever reasons. And as my colleague Susan stated, there are a zillion mixes of configurations out there. Some will have issues, but for conditions related to their mix and circumstance. And those people with issues need to report all to MS. As my other colleague noted, they can start a free support incident with MS.

Have your Windows CD/DVD handy so when AND IF the BSOD happens, you can back out the update as listed in the social answers forum you noted above.

The only precaution I take on major updates is to disable antivirus & anti-malware real-time monitors beforehand and then apply the updates. Especially in cases where a significant change is made or whenever a major IE fix is in the mix.

Link to post

@Amethyst

Please stop posting any further GMER logs. Also, you should not be running it on your own. It's one of the tools that you must have expert guidance with, from someone who has been trained.

Also, GMER logs do not belong here, in the PC Help forum!

If you suspect malware to be present on your system, use the Malware Removal sub-forum.

See this topic http://forums.malwarebytes.org/index.php?showtopic=9573

Link to post
This topic is now closed to further replies.