Microsoft Update KB2859537 prevents PC from booting if Rootkit is present

I spent my Saturday evening working on probably the most convoluted computer problem I’ve ever seen.

This computer was infected with a rootkit that went undetected for who knows how long, no thanks to Symantec Endpoint Protection. I didn’t realize that at first, though, because there weren’t any obvious signs of infection and, as I just mentioned, Symantec wasn’t throwing any alerts.

Microsoft released a security update on Tuesday, KB2859537, that prevents a rogue application from hijacking the kernel via a particular exploit. Automatic updates installed it among 11 other updates Wednesday night. When staff came in Thursday, the computer was stuck at the “Starting Windows” screen.

I started by attempting to fix the issue as if it were a problem with Microsoft Windows Update. I used every utility imaginable to clear/reset/fix Windows Update. I also reset the BIOS, screwed with the IRQs, and sat through a system file check and a hard drive check (which takes over an hour). I even ran a full hardware diagnostic to make sure the memory, CPU, etc. weren’t failing, and removed unnecessary applications as well as Symantec to make sure nothing was interfering.

I eventually narrowed the problem to a specific update by bisecting: install one update, reboot, install the next update, repeat, until the machine stopped booting.
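The bisection above can be scripted for the uninstall half. The following is an added example of mine, not a script from the post: it lists the updates that Get-HotFix records for a given day and, with -Uninstall, removes each of them with wusa.exe so they can be reinstalled one at a time from Windows Update, rebooting after each. Assumptions: an elevated PowerShell prompt on Windows 7 or later, and the log file location under $env:TEMP, which is my choice.

```powershell
# Added example (not from the post): list the updates installed on a given day and,
# on request, uninstall them so they can be put back one at a time to find the culprit.
# Usage (dry run):  .\Bisect-Updates.ps1 -InstalledOn '2013-08-14'
#        (remove):  .\Bisect-Updates.ps1 -InstalledOn '2013-08-14' -Uninstall
# Assumes an elevated prompt; wusa.exe ships with Windows. The date is a constructed example.
param(
    [Parameter(Mandatory=$true)][datetime]$InstalledOn,
    [switch]$Uninstall
)

# Get-HotFix reads the same data as "View installed updates". InstalledOn is empty
# for a few entries, so filter those out before comparing dates.
$candidates = Get-HotFix | Where-Object {
    $_.InstalledOn -and $_.InstalledOn.Date -eq $InstalledOn.Date
} | Sort-Object HotFixID

if (-not $candidates) {
    Write-Host "No updates recorded for $($InstalledOn.ToShortDateString())"
    return
}

# Keep a record of the batch so the bisect can be replayed later.
$log = Join-Path $env:TEMP ("update-bisect-{0:yyyyMMdd}.txt" -f $InstalledOn)
$candidates | Format-Table HotFixID, Description, InstalledOn -AutoSize |
    Out-String | Tee-Object -FilePath $log

foreach ($fix in $candidates) {
    $kb = $fix.HotFixID -replace '^KB', ''      # HotFixID looks like "KB2859537"
    if (-not $Uninstall) { continue }
    Write-Host "Uninstalling KB$kb ..."
    # /quiet suppresses the wizard; /norestart lets us reboot once at the end.
    $p = Start-Process -FilePath wusa.exe `
        -ArgumentList "/uninstall /kb:$kb /quiet /norestart" -Wait -PassThru
    # Exit code 0 = removed, 3010 = removed and a reboot is required.
    Add-Content $log ("KB{0}: exit code {1}" -f $kb, $p.ExitCode)
}

if ($Uninstall) {
    Write-Host "Done. Reboot, then reinstall the listed updates one at a time, rebooting after each."
}
```

Run it once without -Uninstall to see what the batch contains; the log it writes is the list you walk back through when reinstalling.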

After identifying which update caused the computer to not load, I searched the web to see if others had the same problem. That’s when it happened: there was a dialog popping up in the bottom left of IE to install the latest Media Player. I had seen this dialog once before when I was on a Microsoft site today, and it looked official, so I didn’t think much of it. But now it was popping up on a non-Microsoft forum.

I immediately downloaded TDSSKiller and removed two rootkits that it found (Rootkit.Win32.BackBoot.gen and Rootkit.Boot.Cidox.b). Rebooted, then installed and updated Malwarebytes Anti-Malware (mbam). Rebooted into safe mode and ran a full mbam scan. It found 2 results (both Trojan.Vundo variants). Rebooted, and the IE popup was gone, but I ran ComboFix just to be safe. It found a few malicious files and folders (FunWebProducts and DownloadHelper, to name a couple). Then I reset IE to make sure there weren’t any lingering add-ons.

Next, I installed the August malicious software removal tool. After a reboot, I re-attempted to install security update KB2859537. This time, instead of locking up, the computer booted normally. Yay! Praise be to the computer gods.

What was happening: KB2859537 closed an exploit that the rootkit was using to hijack the kernel. Once the update was installed, the rootkit was blocked from functioning on the next reboot, which hung the entire computer at the “Starting Windows” screen and, in some cases, caused a BSOD. After removing the rootkit, I was able to install the security update without the computer locking up.

I wish I could say that was fun. Hope this saves someone else some time.

Update: If your computer is already locked up from the update, use your Windows disc to launch Startup Repair. During the repair, it will ask if it can use System Restore. Proceed through the menus and it will restore the computer to before the update was installed. I had a better success rate doing this from the Windows disc than from F8, as the rootkit corrupted the System Restore utility.

Source/proof: By request, I’ve gathered all of the logs from the computer and made them available to the public here.

Comments

  1. Just another example of problems associated with Windows. I wish I could say I never struggled through something similar, but I know things like this have helped me to have the knowledge I have, and I would not sacrifice this knowledge after earning it. But I bought a Mac anyway – still keeping Windows machines around though. Some habits die hard.

    • My condolences.

    • Thanks – but I am far from a tech head and just learned things through necessity. So far I have no real complaints on the iMac, probably because I don’t know enough to notice. Ignorance is bliss there, I suppose. The Windows machines I bought and (mostly) built always end up suffering from OS problems despite my best efforts.
      As far as the other OS’s out there – too much of a neophyte to even consider jumping over the various installation hurdles.

      • I’ve installed several versions of Mac OS X (10.3 and 10.4 on my old eMac, and iAtkos Mountain Lion on my desktop) and every version of Ubuntu since 2007. Ubuntu is, and has always been, easier to install. The issues that come afterwards, however, were a different story. I used to have to worry about drivers. …Now I don’t. That said, Ubuntu on a Mac is …kind of a bad idea. As you can imagine, Apple doesn’t help us out a whole lot with that.

  2. Haig Revitch says:

    Thank you for posting this. My main OS (I use it about 90% of the time) is Kubuntu Linux, which never has problems like this. But I do use Windows about 10% of the time, and I don’t like spending hours fixing ‘infection’ problems like this. One of the reasons I use Linux is because of problems like this.

    • As Microsoft is now phasing out TechNet, my staff and I are currently taking a serious look at linux/opensource based replacements for Microsoft Active Directory and Server environments. We’d still be using Microsoft Windows as the desktop operating system, but I intend to change the back end server infrastructure of our solutions drastically over the next year. If we can’t easily and cheaply test Microsoft software in our own environment here, I don’t think they are going to be the best “partner” to move forward with as we continue to enhance and refine our solution.

      To put this in perspective, we manage about 50 small business networks in the Pittsburgh region. Our AVERAGE business spends $8k/every 3 years on software licenses between CALs, Servers, Exchange, etc. Another $10k if you count Office.

      • Speaking of this, I will be testing the SOGo Exchange server under Ubuntu for my company’s groupware server. Will report back later if you’re interested.

  3. I am lucky I don’t have to face that issue. I installed Ubuntu Linux after putting up with errors that messed up my sound in winblows. I also installed Wine to run the windows programs that I may want to run or games I may want to play. I’m still tweaking my system to my preferences. I may have to face similar issues though, with Linux. Though, I hope not.

  4. Thank you James. You’ve done a pile of work here and saved us all similar grief in your beautifully documented write-up. Still makes me wonder why a Windows licensee has to single-handedly jump these hurdles, potentially every few weeks as ‘updates’ come along, without documentation or support from Microsoft. Your efforts mirror the type of assistance frequently seen in the Linux community and should be Microsoft’s obligation under their license fee. As a 25+ year veteran of Microsoft products, I invite you to join the Linux community (Ubuntu) where you can concentrate on your technical writing for enhanced software performance, without the hassle of root-kits, viruses, Windows updates, upgrades and license fees.

    • To be fair, I usually don’t have any problems with Windows Updates on Windows 7.

      We manage a few CentOS headless servers. They are great for most things, but I really need a GUI on an “Active Directory” server. Another option would be a headless server that has a web GUI / remote MMC I can use from another computer. Do you know of anything like that reliable enough for a business network?

  5. John Weiss says:

    You have been an absolute lifesaver. I googled this error today after 2 of our computers wouldn’t start. Sure enough, TDSSKiller found the same rootkits. Thank you for posting this!

  6. Steve Holt says:

    You seriously continue using your operating system after it has been compromised with a rootkit? You should do a clean wipe.

    • It’s not practical from an IT standpoint to simply format a customer’s computer every time they pickup a virus. Customers frequently get viruses and they need things working ASAP, there’s no time for a days worth of downtime while all software is reloaded. I understand your security concerns, but most customers do not have the financial resources to spend 4-8 hours on a reload every time they happen to get adware.

  7. I ran TDSSKiller with default parameters and it did not find any rootkits. Still, my computer kind of locks up after KB2859537 is installed. I get a 0xC0000005 error with all programs. When I remove KB2859537 the computer works normally. So what is the problem here? I’m out of ideas. Windows 7 Ultimate 64-bit. I need help and ideas.

  8. You mean default parameters + the two bottom boxes? I did do it, and all I see is 8 unsigned drivers, medium risk, then “skip” is automatically chosen.

  9. Oops unsigned files 8 not drivers.

  10. James, thanks for helping me. I read that many others have exactly the same problem as me. I mean, many people with no rootkits found but the same problem I have. Any ideas or help? I have spent 3 days trying to figure this out. It always ends the same: everything works normally, but after KB2859537 is installed I get a 0xC0000005 error with all programs. System restoration from a restore point also gives errors at any point.

    • Did you run through the same steps I did above? Bios update, all drivers update (check Intel’s site there’s a utility.) Also system file checks, disk checks and memory tests?

  11. I can remove those 2 what u might suspect say what they are. I guess ICCS, oem-drv64 or ctaudsvcservice?

  12. I have done all the tests you did. But this problem happens only after KB2859537 is installed. It is also weird that all system restore points give an error. Everything works normally, no problems, but after KB2859537, problems.

    • I understand, it’s just that this update may not be the cause, simply the catalyst. For instance, if I install it on a desktop that was just formatted, I don’t have any issues. This means it’s most likely an outdated driver, etc. that is now unable to function because the security update changed the way certain interactions with the kernel take place. Can you post your minidump file so we can see what is causing the BSOD?

  13. I run mbam, security essentials and August malicious software removal tool with fast settings. Nothing suspicious was found 0 files was found. Now I am running August malicious software removal tool with complete setting.

  14. Checked all those 8 unsigned files with google. All fine.

  15. Minidump file? What is that and how do I get it? The only way I could get my computer to work was to use a system restore point, and even though it gave an error it sometimes works. I’m using DriverGenius to keep all my drivers updated. I think all my drivers are up to date.

    • You may want to ask someone with a bit more experience to look at it. At this time I’m not able to explain minidump files, how to read them, etc. Also, I doubt that driver program actually keeps everything up to date; the manufacturer’s website for each component is your best bet.

  16. After KB2859537 installed I get 0XC000005 errors with all programs, browsers chrome,explorer,firefox and all other programs and games. When I try start those programs. KB2859537 will make all those problems. I have done all what you have advised and told in this article but nothing help :(

  17. C:\Windows\Minidump\ is empty even I changed in settings to show all hidden files, etc.

  18. DriverGenius does the same as checking all drivers manually; the only difference is it checks automatically from the manufacturer. I can google how to get minidump files and how to read them. But now that folder seems to be empty :S

    • I’m leaning toward you having a program or custom setting that’s incompatible with the update. Maybe something that starts automatically. Disable as much as possible with msconfig.

  19. http://www.resplendence.com/whocrashed

    Crash Dump Analysis
    ——————————————————————————–

    Crash dump directory: C:\Windows\Minidump

    Crash dumps are enabled on your computer.

    No valid crash dumps have been found on your computer

  20. Ok Im testing disable all not needed programs and try install update. I report if it will help. Also I use google to find answers and info more about this problem.

  21. I find much information about this problem and what causes it and how to remove it here read. Hope it help all others there are many many peoples with this problem millions.

    translate.google.com/translate?sl=auto&tl=en&prev=_t&hl=fi&ie=UTF-8&u=http://www.outsidethebox.ms/15229/%23_Toc364370256&act=url

  22. If no rootkit viruses are found and you have any problems with KB2859537, the solution is to remove KB2859537 and make sure it doesn’t install automatically, until Microsoft makes a fix for this problem.

    How to hide KB2859537 and not let that install from your computer
    Make sure you hide the update once you uninstall it because it will re appear in windows update again.
    If you do not know how to do this
    Bring Up Windows Updates
    put a check mark in that update and right click
    Left click “Hide”
    It will grey out- that is how you will know it did it

    now you will not see it again until you click on: Restore Hidden Updates

    How to remove KB2859537
    Go to control panel
    Click on program and features
    On the left side of the list you will see View Installed Updates
    Click it
    Once it loads look through the list of Microsoft security updates and find the KB
    Double click it and it will begin to uninstall
    A reboot is required
    Then follow the instructions I gave Rose to hide it so it does not try to reinstall

    Hope this will help all others which have same problems.
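The hide step described above can also be done through the Windows Update Agent COM API, which is what the Windows Update dialog drives under the hood. The script below is an added example of mine, not from the comment: it finds an update by KB number among those currently offered and sets its IsHidden flag, or clears it again with -Unhide (the equivalent of “Restore Hidden Updates”). Assumptions: an elevated PowerShell prompt on Windows 7 or later with Windows Update reachable; the KB number is the one from this page.

```powershell
# Added example (not from the comment): hide or unhide one KB via the Windows Update Agent.
# Usage:   .\Hide-KB.ps1 -KB 2859537          (hide it so Automatic Updates stops offering it)
#          .\Hide-KB.ps1 -KB 2859537 -Unhide  (offer it again)
# Assumes an elevated prompt; Microsoft.Update.Session is the in-box WUA COM object.
param(
    [string]$KB = '2859537',
    [switch]$Unhide
)

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# Hidden updates are excluded from a search unless asked for, so the criteria depend
# on which direction we are going: hide offered-and-visible, unhide offered-and-hidden.
$criteria = if ($Unhide) { 'IsInstalled=0 and IsHidden=1' } else { 'IsInstalled=0 and IsHidden=0' }
$result   = $searcher.Search($criteria)

$matched = @()
foreach ($u in $result.Updates) {
    # KBArticleIDs holds bare numbers ("2859537"); the Title also carries "(KB2859537)".
    $ids = @($u.KBArticleIDs)
    if (($ids -contains $KB) -or ($u.Title -match "KB$KB\b")) {
        $u.IsHidden = -not $Unhide      # writing IsHidden needs administrator rights
        $matched += $u.Title
    }
}

if ($matched) {
    $verb = if ($Unhide) { 'Unhidden' } else { 'Hidden' }
    $matched | ForEach-Object { Write-Host ("{0}: {1}" -f $verb, $_) }
} else {
    Write-Host "KB$KB is not currently offered in that state (already installed, already hidden/visible, or not applicable here)."
}
```

Hiding only stops the update being offered; it does not uninstall it, so run this after the KB has been removed, as the comment says.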

  23. Removing the update KB2859537 from the command line
    At a command prompt running as administrator, run:
    wusa.exe /uninstall /kb:2859537
    The Wusa.exe utility is designed to install and uninstall Windows updates. Run it with the /? switch to find out more.
    Rolling back to a system restore point
    Run System Restore and roll back to a point before the problem occurred. If you cannot boot the system, enter the Windows 7 or Windows 8 recovery environment and do a system restore from there. And yes, a rollback does save this situation.
    Removing the update KB2859537 from the recovery environment using DISM
    The more complex version only makes sense to apply if the first two methods to remove the update failed.
    Boot into the Windows 7 or Windows 8 recovery environment.
    Start a command prompt and identify the drive letter on which Windows is installed.
    At the command prompt, type:
    DISM /Image:D:\ /Get-Packages
    where D is the drive letter of the system that you identified in the previous step.
    In the results of the command, find the package whose name contains KB2859537. The package names shown in the figure are only examples.
    [figure: remove-KB2859537-dism]
    Highlight the package name with the left mouse button and press the right mouse button to copy it to the clipboard.
    At the command prompt, type:
    DISM /Image:D:\ /Remove-Package /PackageName:
    and right-click to paste the package name. You should get something like this command:
    DISM /Image:D:\ /Remove-Package /PackageName:Package_for_KB2859537~31bf3856ad364e35~x86~~6.1.1.3
    Press Enter to execute the command and delete the package.
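The offline DISM procedure above has one error-prone manual step: copying the exact package identity out of the /Get-Packages listing. The following is an added example of mine (not from the comment or from the site it was translated from) that automates it: it runs dism.exe against an offline Windows installation, picks out the package identities that mention the KB, and removes them only when -Remove is given. Assumptions: PowerShell is available, which is the case when the non-booting disk is attached to a working machine as a second drive (an approach suggested further down in the comments) but usually not in a stock WinRE, so use the manual commands there; D:\ is a placeholder drive letter; the prompt is elevated.

```powershell
# Added example (not from the comment): remove one KB from an OFFLINE Windows install with dism.exe.
# Usage (dry run):  .\Remove-OfflineKB.ps1 -ImageRoot 'D:\' -KB 2859537
#        (remove):  .\Remove-OfflineKB.ps1 -ImageRoot 'D:\' -KB 2859537 -Remove
# Assumes an elevated prompt and that D:\ is the root of the offline installation (placeholder).
param(
    [string]$ImageRoot = 'D:\',
    [string]$KB        = '2859537',
    [switch]$Remove
)

# Refuse to touch a drive that is not a Windows installation (the SYSTEM hive is a cheap check).
if (-not (Test-Path (Join-Path $ImageRoot 'Windows\System32\config\SYSTEM'))) {
    throw "$ImageRoot does not look like a Windows installation (no SYSTEM registry hive found)."
}

# Same as typing:  dism /Image:D:\ /Get-Packages
# /English forces English output so the "Package Identity" label matches on any locale.
$listing = & dism.exe /Image:$ImageRoot /Get-Packages /English 2>&1
if ($LASTEXITCODE -ne 0) { throw "dism /Get-Packages failed with exit code $LASTEXITCODE`n$listing" }

# Identities look like: Package_for_KB2859537~31bf3856ad364e35~x86~~6.1.1.3
$packages = $listing | ForEach-Object {
    if ($_ -match '^Package Identity\s*:\s*(\S+)') { $Matches[1] }
} | Where-Object { $_ -like "*KB$KB*" }

if (-not $packages) {
    Write-Host "No package for KB$KB is installed in $ImageRoot"
    return
}

foreach ($pkg in $packages) {
    if (-not $Remove) { Write-Host "Would remove: $pkg"; continue }
    Write-Host "Removing $pkg ..."
    & dism.exe /Image:$ImageRoot /Remove-Package /PackageName:$pkg /English
    if ($LASTEXITCODE -ne 0) { Write-Warning "Remove-Package returned $LASTEXITCODE for $pkg" }
}
```

Always run the dry run first and read the identities it prints; an offline image can carry more than one package for a KB (for example per architecture), and the script removes every match.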

  24. I just wanted to tell everyone that [insert OS name here] is way better than Windows and would never have those problems.

    Just in case, someone forgot to post this.

  25. Excellent website you have here but I was
    wanting to know if you knew of any message boards that cover the same topics talked about in this article?
    I’d really love to be a part of community where I can get comments from other knowledgeable individuals that share the same interest. If you have any suggestions, please let me know. Thanks!

  26. IncompetantIT peoplesuck says:

    Messing with IRQs?

    DUDE… you ever heard of ACPI!?!

    You are an obvious incompetent IT person.

    Find another field to work in…

    • Ya, sure, it’s completely unreasonable for me to ensure the hardware of a system is fully functional when diagnosing a problem as mysterious as this. I’ve noticed that you concealed your username, why do that if you’re so great and respected in the IT field? Go back to help desk support buddy.

  27. Jonathan Giraldo says:

    JAMES, thanks for the great forum, I have a quick question. We are experiencing the boot issues with this update as well. However, I have noticed that most of the operating systems in the network have about 160 unsigned signatures.
    Is it possible that the booting issue could be caused by the unsigned signatures and installing the update?

    Thanks and I will be waiting on your update.

    • Google the unsigned files to identify if any are malicious. 160 is a LOT. I’ve never seen more than 8

      • Jonathan Giraldo says:

        When I run TDSSKiller it detects them, so I think it would be safe to assume some of them are infected.

        What I would like to know is if it is possible that having unsigned signatures can cause the update to detect them as rogue, thus causing the boot loop that this KB has been issuing.

        Thanks once again

        • Yes a malicious unsigned driver showed up when I resolved our issue. Please download and review the log files I posted above
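The exchange above turns on how many unsigned kernel drivers a machine carries. The script below is an added example of mine, not from the thread or from TDSSKiller, that produces a triage list of the same kind: it walks every kernel-mode driver service (Win32_SystemDriver covers boot-start and non-PnP drivers, which is where a rootkit’s driver would sit, not only PnP devices), checks the file for an embedded Authenticode signature, and prints the unsigned ones with their start mode and a SHA-256 for looking up elsewhere. Assumptions: an elevated PowerShell prompt; and a caveat that matters for reading the output: Windows’ own inbox drivers are catalog-signed rather than embedded-signed, so Get-AuthenticodeSignature may list them as NotSigned too. Treat the result as a list to compare against a clean machine of the same build, not as a list of malware.

```powershell
# Added example (not from the thread): list kernel drivers without an embedded Authenticode
# signature, plus drivers whose image file is missing from disk, with SHA-256 for lookup.
# Assumes an elevated prompt. Catalog-signed inbox drivers may appear here as NotSigned.
$sha = [System.Security.Cryptography.SHA256]::Create()

function Resolve-DriverPath([string]$raw) {
    # Service image paths come in kernel notation: \??\C:\..., \SystemRoot\system32\..., system32\...
    $p = $raw -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function New-Row($drv, $path, $status, $signer, $hash) {
    New-Object PSObject -Property @{
        Name = $drv.Name; StartMode = $drv.StartMode; State = $drv.State
        Status = $status; Signer = $signer; Path = $path; SHA256 = $hash
    }
}

$report = foreach ($drv in Get-WmiObject Win32_SystemDriver) {
    $path = Resolve-DriverPath $drv.PathName
    if (-not (Test-Path -LiteralPath $path)) {
        # A registered driver with no file on disk is itself worth a look (hidden or deleted file).
        New-Row $drv $path 'FileMissing' '' ''
        continue
    }
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -eq 'Valid') { continue }     # embedded signature present and verified
    $hash = ($sha.ComputeHash([System.IO.File]::ReadAllBytes($path)) |
             ForEach-Object { $_.ToString('x2') }) -join ''
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    New-Row $drv $path $sig.Status $signer $hash
}

# Boot-start and system-start entries load before most security software, so sort them first.
$report | Sort-Object StartMode, Name |
    Format-Table Name, StartMode, State, Status, Path, SHA256 -AutoSize
```

On a clean machine the same script gives the baseline to diff against; anything unsigned that is boot-start, sits outside the usual driver directories, or has no file on disk is what to look at first, and the hash is what to compare against vendor or scanner records.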

  28. Jonathan Giraldo says:

    OK… THANKS once again. I will do that and check it out

  29. I am having a nightmare. This morning windows did second update. It did another last night. This morning was taking a long time.

    Am now in position I can’t start my computer. It’s windows 7 I can’t get into safe mode. Called Microsoft who were about as useful as calling my nan for computer help. (And she is dead)

    • Restore PC to last known good settings. Press F8 before windows starts to pick this option.

      • I tried to do this, but for some reason the only restore point is this morning’s Microsoft service pack. Nothing else. It’s been running Startup Repair now for 4/5 hours (Windows 7). My CD isn’t working so I can’t do a reinstall, and I have data on the machine that is irreplaceable.

        • Remove the hard drive. Install a new hard drive and load a fresh copy of windows from the CD. Add the old hard drive as a secondary drive (make sure it isn’t set to boot before the new drive in the bios.) You’ll be able to get all the data off. What city/state are you located?

          • CD rom isn’t working. I could have backed up the files and do factory reinstall. I don’t have money for a new hard drive. It was running fine until microsoft update this morning.

            • There’s not going to be a free solution

              • Just wondering how long is normal for Startup Repair. Some people are saying days. I don’t mind as long as it repairs it. But Microsoft told me to shut it down whilst it was in repair mode. Just hope that hasn’t damaged the disk. I would just reinstall, but I have pictures and photos of my daughter who died on there and have no other copies. Yet without the laptop I can’t write posts on my blog…. I wish I could find a definitive answer on how long is too long for the Windows 7 Startup Repair loop.

          • Am in England uk
