WARNING about hotfix for KB925902 patch

Alan D said:
To the two uncharitable people who marked this post of mine as unhelpful -

Those must be among the 48 posts I can't download.<g>
I must say that I've seen few uncharitable answers in these newsgroups. I'm
sorry you were on the receiving end of that.

Bob Vanderveen
 
Well of course I didn't get a crash... but it might blue screen on you,
you'd just have to power off and power back up in the worst case, and
depending on how it crashed the OS might have to run a disk error check
which could take a while, but that's all automatically done, and assumes
that AVG doesn't protect you. Here's what I get back from that hyperlink:

you do not appear to be vulnerable to the ie ani cursor exploit
for more information about the exploit and the patch visit: zert

note: this test may not be effective against all known and vulnerable
versions of user32.dll.
if the test does not crash your browser, you may still be vulnerable.
please check the microsoft advisory for a list of known affected software.

and then from Norton I get:

A computer with the IP address 109.151.108.133 sent information that is
Characteristic of the HTTP ANI FILE Anih Hdr Size 80 attack.

Which in turn disables any communication with that site for an hour. Note
that the patch from Zert referenced above is not the Microsoft patch but a
temporary patch to fix the same problem released before the Ms one... I
don't want to imply that you should try to install that unofficial patch
from Zert
 
Alan D said:
Thanks for this Bob - replying in sequence.

I can't do that, because in order to be able to reboot my computer after the
hotfix smashed it up, I used System Restore to get back to the point just
before the hotfix was installed. But I presume that the hotfix is now
effectively eliminated by the restore operation? It certainly isn't there in
Add/Remove programs now.


I think I will probably do this - I'm just waiting, first, to get AVG's
reply to my email to see what they suggest.


I think I probably won't do any of this. Instead, I shall rely on the fact
that AVG seem to have the .ani exploit covered (judging from their comments
on their website), leave this particular patch off my system, and rely on AVG
to protect me. As I said elsewhere, this patch is the most damaging piece of
(effective) malware I've ever encountered, and no way do I trust it.

If you read this:
http://support.microsoft.com/?kbid=925902
you will see in *bold red letters* the following:

[...] The relocation occurred because the DLL C:\Windows\System32\Hhctrl.ocx
occupied an address range reserved for Windows system DLLs. The vendor
supplying the DLL should be contacted for a new DLL.

That update is dated 30 March 2007 and is available here:
http://www.realtek.com.tw/downloads...peID=3&GetDown=false#High Definition Audio Codecs

So that you need not concern yourself with choosing the correct file, this
is a direct download link for the file you need:
ftp://202.65.194.211/pc/audio/WDM_R164.exe

This will fix the problem described above.

As to uninstalling KB925902:
1. This update fixed 7 problems and is a critical update labeled by some as
a critical-INSTALL NOW-update.

2. Relying on any antivirus program is a bit iffy. By their nature av
programs are reactive. The company must detect the virus and design a
signature to block it. The bad guys are aware of this and continually revise
their code to bypass the most recent signatures.

3. Do you really want to continue running your system with a third party dll
(the old driver) erroneously loaded into the reserved system area of memory
when it can so easily be fixed?

Just some thoughts,
Bob Vanderveen
 
You bet. It acted just like a virus. I was unable to run Outlook Express. It
froze.

I first reinstalled windows xp sp2 but that didn't make it go away. Then I
used Acronis for the first time and that finally got me back a few days by
reinstalling my entire "C" drive. Now everything works again.

Regards,
 
Bullwinkle said:
You bet. It acted just like a virus.

Thanks for the feedback. This is my point exactly. The question is not so
much whether the patient survives the infection, but whether the patient
survives the cure.
 
Anonymous Bob said:
So that you need not concern yourself with choosing the correct file, this
is a direct download link for the file you need:
ftp://202.65.194.211/pc/audio/WDM_R164.exe
This will fix the problem described above.

That's very kind, Bob. Thank you. I'm downloading it now but I think their
servers must be very busy (not surprisingly). It's down to just a trickle of
data. I'm still not sure whether I'll risk installing it though. The old
driver has worked perfectly well for 18 months, until this update. My
instinct makes me as suspicious of this new Windows update as you are of the
old driver.
As to uninstalling KB925902:
1. This update fixed 7 problems and is a critical update labeled by some as
a critical-INSTALL NOW-update.

I get that. But for me it created at least three other problems in the
process, and the subsequent hotfix came close to reducing my system to
rubble. So the price is too high.
2. Relying on any antivirus program is a bit iffy. By their nature av
programs are reactive. The company must detect the virus and design a
signature to block it. The bad guys are aware of this and continually revise
their code to bypass the most recent signatures.

I see that it's a risk.
3. Do you really want to continue running your system with a third party dll
(the old driver) erroneously loaded into the reserved system area of memory
when it can so easily be fixed?

If I believed that this patch was free of flaws, then no. But I now mistrust
the patch; I've read some reports that actually there's some conflict between
it and an earlier security patch - and I'm not knowledgeable enough to be
able to decide for myself whether that's the case or not. But I can see that
this patch does seem to be in conflict with a growing number of programs, and
that Microsoft failed to provide adequate, clear warning of those conflicts
even though they knew about at least one of them (the RealTek one).

With regard to the ease of fixing the driver: I do know that my old audio
driver has been completely trouble free until last week. I know nothing about
the new one, except that Microsoft's equivalent fix came close to wiping out
my system.

The point is, Bob - I trust YOU, but I simply don't trust the patch.
 
Dave M said:
Well of course I didn't get a crash... but it might blue screen on you,
you'd just have to power off and power back up in the worst case,

OK ... thanks for this Dave. I'll have to see if I can summon up the courage
to try it!
 
Dave M said:
I used this link to test my successful install of the Ms patch, and was actually surprised that Norton intercepted it before anything else happened. You might run a test for AVG once you're back to semi-normal to make sure you're covered by AVG in the event you don't go the patch re-install route. An unpatched/exposed system will simply crash with this test with no further harm to your system.

Warning: don't run this test unless you're prepared for a system crash:
http://zert.isotf.org/tests/testani.htm

I thought I'd try this with my system while the patch is still in place. I
immediately got the message saying that I don't appear to be vulnerable (so
the patch worked); then a moment later AVG popped up with a threat detection,
offering to put the test file into the virus vault (which it successfully
did).

So AVG has indeed got this covered as far as it goes at present. That info
might be useful to someone reading this. You can try this test with AVG
running and it will intercept the test file.

Thanks again Dave - this has been really helpful.
 
I have been reading the posts here about the patch from last tuesday and see
a lot of folks with problems. Is this due to having RealTek? I have AVG free
version, and so far I haven't had a problem. Have no idea if I have Realtek
or not, computer savvy I am not, but don't think I do have it. My complete
test runs each morning from AVG, and so far I see nothing, hopefully it stays
that way!!

Just seems a shame we download things that are supposed to protect us and
some wind up with more problems than before..SAD....:-(

I hope to goodness the next so called fix doesn't cause more problems. Hope
all the folks that are affected from this are able to get things back to
normal, as I know what it is like to have a computer that just doesn't act
right, NOT a good feeling.

Take care all, and have a lovely holiday weekend...:-)
 
:

Have no idea if I have Realtek
or not, computer savvy I am not, but don't think I do have it.

JJ, open Device Manager (to open Device Manager, click Start, and then click
Control Panel. Click Performance and Maintenance, and then click System. On
the Hardware tab, click Device Manager) and then click on 'Sound, video and
game controllers'. Look for 'RealTek High Definition Audio'.

You'd know about it by now, if you had it (!) so my guess is you won't find
it in the list.
 
Alan,

In regards to the post having been marked as "unhelpful", please
remember the wording of the question:

"Was this post helpful to you?"

In clicking the [No] button all someone is saying is that the post was not
helpful to them, nothing more, nothing less. It should not be seen as a
judgement on or evaluation of your situation or your post. The post was not
helpful to them. That is all.

There are many things you have said in this thread [and the other] that I
have to say I agree with. With my arsenal intact, and my safe browsing
habits, I never get "hit" with anything, but I keep everything updated to be
safe. Still, with all the updating I do EveryDay [various Antivirus and
AntiMalware tools] nothing causes my heart to skip a beat EXCEPT for Patch
Tuesday [and in this case Patch Tuesday Part 1].

The worst thing that can happen with my other tools is a False Positive,
which I would usually catch. The worst thing that can happen with a Bad MS
Patch is ...
Well, you know the answer to that question.

In their defense this was an emergency patch that they were not ready to
release but were forced to due to the current attack situation. Hopefully the
situation will be ironed out shortly.

I feel for you, I really do. If you remember my response to your question in
the other thread, when I changed the header to 'NOT YET ...' there were
reports of other problems that were still being investigated. I waited a
full 24 hours before installing the patch. I also installed it at work first
[my work machines are from the same company and are similar to my home
machine] to see if there were any problems. If it had messed up a work
machine I would have continued to wait to see if the fixes, if any, worked.
Most people are not in a situation where they can do this.

I am a little lost in the two threads right now so am a little unsure of
your current status. I believe you have rolled back to a point where you no
longer have the "patch" or the "hotfix" and your system is functioning
properly. If this is the case I am happy for you. If you use IE as your
browser you should not allow this situation to go on for too long. More
Exploits are sure to follow after a patch is released, it always happens that
way. Use Extra, Extra caution when browsing till this situation is
rectified. You might want to consider using a different browser in the
meantime.

Good Luck and Best Wishes,
?:-\
Tim
 
Hi Alan, and thank you for the help. I did find Realtek AC97 in the list. My
computer is about 2 1/2 years old. It is a Compaq, and I run IE6, have SP2.
Right now I also have Spywareblaster, AVG free edition, and a firewall. As I
said, AVG runs a complete test each morning, so far I see nothing.

Thanx again for your help, much appreciated.
 
JJ said:
I did find Realtek AC97 in the list.

I think (someone will correct me if I'm wrong) that it is specifically the
RealTek High Definition Audio panel that is the problem - looks like you're
ok, JJ.

Incidentally, the only reasons I have for supposing AVG is affected are: (1)
the 100% CPU usage by AVG that now blitzes my image scanner when I try to use
it; (2) the dozens of AVG error reports in Event Viewer when my big hotfix
crash occurred. No other AVG problems have emerged (so far).

Have a good holiday yourself.
 
JJ said:
Hi Alan, and thank you for the help. I did find Realtek AC97 in the list. My
computer is about 2 1/2 years old. It is a Compaq, and I run IE6, have SP2.
Right now I also have Spywareblaster, AVG free edition, and a firewall. As I
said, AVG runs a complete test each morning, so far I see nothing.

Thanx again for your help, much appreciated.

To my knowledge there are no problems with the AC97 version.

Bob Vanderveen
 
I looked for anything that said HD, but nothing, so maybe I am ok. Good Lord,
last thing I need is problems, had way too many with last computer.

I did click on properties of Realtek and it said everything was running
normally. Like I said, computer savvy I am not, so I really do appreciate the
help I receive from folks on this site. Hubby runs same computer but has XP
Pro, with the AVG and Spywareblaster, so far he is ok too. He had downloaded
IE7 and it drove him bats, so he took it out, yet other friends have it and
love it. Oh well, I guess I had best leave well enough alone, as they say, if
it isn't broke, don't fix it.

Again my thanks to you, hope things get back to normal for you soon, and
enjoy your holiday!!!!
 
Tim Clark said:
In clicking the [No] button all someone is saying is that the post was not
helpful to them, nothing more, nothing less. It should not be seen as a
judgement on or evaluation of your situation or your post. The post was not
helpful to them. That is all.

Point taken Tim. I suppose I'm being oversensitive in my present raw state!
I believe you have rolled back to a point where you no
longer have the "patch" or the "hotfix" and your system is functioning
properly.

No. I rolled back to before the hotfix but after the patch. So at the moment
I have the patch, a disabled audio panel, and a messed-up scanner, and the
jury is still out about the next step to take (if any). I've used the Zert
test, which satisfies me that I'm not vulnerable to the .ani exploit.
Good Luck and Best Wishes,

Sentiments much appreciated!
Cheers,
Alan
 
Hi Alan

Sorry to hear of your demise and that there are some unsympathetic souls on
here. I'm using a web based viewer and have not seen the threads you are
referring to. FWIW. I've always felt a system restore never quite returns
your system to its original state and have always taken the view that any
problematic software (post system restore) should be reinstalled. Have you
tried this with your scanner software and AVG? At least (in theory) you will
have a clean install of these applications. I would reboot between each
change to your system and clean my registry of any redundant entries before
reinstalling. I can well understand why there is a reluctance among the
professionals to recommend this approach as the consequences could be
catastrophic. But, drastic situations sometimes call for drastic measures. I
have done this thru the medium of a reliable registry cleaner which I have
been using and become very confident with for over two years now without
problems. Before attempting anything like this, a backup is, of course,
essential and I have achieved this by imaging my hard drive at periodic
points when I know my system is 99.9% stable and clean - mainly to reflect
software additions. That way I know, at least, if all else fails, I can
return my system to a workable state with minimum effort. Personal data is
backed up to a flash drive on a weekly basis and so I can be up and running
with relative ease in the event of a disaster. What about the 0.1% you may
ask yourself? No more dangerous than the risks we take when going online!

Stu
 
Bob, seeing I am not affected by this last update, should I download the next
patch that is coming out Tuesday? Sorry for so many questions, but as I said,
computer savvy I am not.
 
JJ said:
Bob, seeing I am not affected by this last update, should I download the next
patch that is coming out Tuesday? Sorry for so many questions, but as I said,
computer savvy I am not.

JJ,

I'm a firm believer in keeping my systems fully updated. This last update
caused me no problems on my Windows 2000 system and only minor (and self
correcting) problems on XP. Having said that, I fully understand Alan's
frame of mind.<g>

Bob Vanderveen
 
Ok, I see there are more than one patch, I guess there are a few security
things as well. So far I am totally up to date, and the only thing I did not
download was the IE7. As far as Alan, I understand his being upset, as I had
issues with my other computer that drove me crazy. Luckily they did get
resolved, but it took a lot of hard work and many downloads of things to
square it away. To say the least, it was VERY frustrating. Thanks
again....:-)
 