<<Repost - other attempt may not get through...>>
Yesterday was (Windows) Patch Tuesday for the month of June. There
are ten items in the queue for my machine (not yet applied). Some
have been sitting there for a while, so don't really count
as new items. Maybe half of them are new for this month.
And sometimes, even though there are multiple of them,
they're caused by the same root exposure.
If you have System Restore turned on, the computer may have
made a restore point just before applying the patches. It's possible,
if you could start WinXP in Safe Mode, you could use rstrui to return
to the state before Patch Tuesday. As I understand it, if you
do System Restore from Safe Mode, you can't revert the
restoration. Whereas, a System Restore done from Normal mode,
you can undo it and return to "today's condition". If you
return the machine to yesterday's condition, you could lose
any files created outside of My Documents. (Documents inside
My Documents are not tracked, so won't appear or disappear
because of a System Restore point application.) If you keep a
Downloads folder outside My Documents, then it would revert
to yesterday's state, and you could lose a couple of downloads.
(That's how I figured this out for myself once - stuff went
missing.)
http://support.microsoft.com/kb/304449
Looking at the first interesting patch KB2707511, it says that
one involves a change to the kernel. And an exposure in BIOS
memory (probably below 640K). I could see a change down there,
perhaps tipping something over. Or, if the WinXP install
was already compromised by malware, sometimes these kinds
of updates actually fail/get snagged, because the
malware causes the condition. So rather than Windows
"tipping over", it's the malware that gets whacked in the
head and causes the machine to crash. The last time this
happened, a Windows update caused machines already suffering
from a TDSS rootkit to crash. So rather than Microsoft
being directly responsible, it was TDSS that did it. And
the authors of the TDSS malware pushed out a change in
a few days, so their infected machines wouldn't be harmed
by the Windows update, and Windows Update would stop crashing
the computers. In that case, Microsoft may have had some idea
that would happen (they were probably aware of the possibility),
but didn't bother to push out a pre-check that the machine
wasn't infected. It sure was a good way to get people's attention,
because it caused a few people who didn't know they had a rootkit
present to "wake up".
You can do an offline scan for malware, using the Kaspersky CD. It
should run fine within a VM, and you'd be able to scan the now
non-bootable WinXP partition and look for malware.
http://support.kaspersky.com/viruses/rescuedisk/main?qid=208286083
"Iso image of Kaspersky Rescue Disk 10 (237 MB)"
That is basically a LiveCD using Gentoo, plus an executable that
starts automatically, and will scan for Windows malware.
If you need it, Kaspersky also makes a "TDSSKiller", but at
this point, we don't know if that has anything to do with
your predicament or not.
http://support.kaspersky.com/viruses/solutions?qid=208280684
It'll probably take a few more days of crash reports before
somebody figures out how the Windows Update is breaking things.
Paul