Damn KB890830!!! Arrrrggggghhh.

I have spent almost as much time troubleshooting a failure to run of the
Malicious Software Removal Tool on two computers, as it would have taken to
"scrape and build".

Case A: HP Pavilion m7590n. Originally shipped with Windows MCE 2005 SP2;
upgraded to SP3. MSRT for August 2008 triggers a system restart, and all
updates failed. I finally ran "Custom", and installed each of 9 updates one
by stinking one. When I hit KB890830, as the installation progress bar was
marching across the screen, there was a very audible "click", as something
tripped the P.S., and system shut down, and restarted. Went into file system
check mode, and came back still wanting to run the MSRT.

Case B: HP Pavilion 6745C. Originally shipped with Windows Me, obtained a
Windows XP Home Edition SP2 upgrade pack from Fry's Electronics, and did a
clean install on NTFS partitions. Added SP3 before setting up the
applications. I let it run with 13 "Critical Updates" to work on, came back
to find it had rebooted spontaneously. Went back to the Windows Update site;
only four of the updates had installed. Went to "Custom" mode, and installed
all but KB890830. Installation was normal. However, as with Case A:,
KB890830 triggers a shutdown before it has begun to run. At this time, MSRT
has not been run on the Pavilion 6745C. I can't force it into Safe Mode the
same way as with the Pavilion m7590n; F8 key. Too tired to continue at this
time; been 12 hours since I began screwing around with this issue. Will
fight with it some other time.

Or, maybe, it is time to pitch Windows and switch to another OS? This really
sucks. Third month in a row that Windows Update has caused problems
requiring manually deleting system files, and manually downloading the
patching .exe files.

--
Norman
~Shine, bright morning light,
~now in the air the spring is coming.
~Sweet, blowing wind,
~singing down the hills and valleys.

N. Miller wrote:

> Or, maybe, it is time to pitch Windows and switch to another OS?

Check out Ubuntu at www.ubuntu.com It's free and comes with access to
over 24,000 free programs.

Alias

Interesting as I've never had that MSRT cause any issues and never
wanted a restart. Can you post the log up here?

N. Miller wrote:
> I have spent almost as much time troubleshooting a failure to run of the
> Malicious Software Removal Tool on two computers, as it would have taken to
> "scrape and build".
>
> Case A: HP Pavilion m7590n. Originally shipped with Windows MCE 2005 SP2;
> upgraded to SP3. MSRT for August 2008 triggers a system restart, and all
> updates failed. I finally ran "Custom", and installed each of 9 updates one
> by stinking one. When I hit KB890830, as the installation progress bar was
> marching across the screen, there was a very audible "click", as something
> tripped the P.S., and system shut down, and restarted. Went into file system
> check mode, and came back still wanting to run the MSRT.
>
> Case B: HP Pavilion 6745C. Originally shipped with Windows Me, obtained a
> Windows XP Home Edition SP2 upgrade pack from Fry's Electronics, and did a
> clean install on NTFS partitions. Added SP3 before setting up the
> applications. I let it run with 13 "Critical Updates" to work on, came back
> to find it had rebooted spontaneously. Went back to the Windows Update site;
> only four of the updates had installed. Went to "Custom" mode, and installed
> all but KB890830. Installation was normal. However, as with Case A:,
> KB890830 triggers a shutdown before it has begun to run. At this time, MSRT
> has not been run on the Pavilion 6745C. I can't force it into Safe Mode the
> same way as with the Pavilion m7590n; F8 key. Too tired to continue at this
> time; been 12 hours since I began screwing around with this issue. Will
> fight with it some other time.
>
> Or, maybe, it is time to pitch Windows and switch to another OS? This really
> sucks. Third month in a row that Windows Update has caused problems
> requiring manually deleting system files, and manually downloading the
> patching .exe files.
>

Unexplained computer behavior may be caused by deceptive software
http://support.microsoft.com/kb/827315

Run a /thorough/ check for hijackware, including posting your hijackthis log
to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_R...:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/...moving_Malware

When all else fails, HijackThis v2.0.2
(http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use (in
conjuction with some other utilities). HijackThis will NOT fix anything on
its own, but it will help you to both identify and remove any
hijackware/spyware with assistance from an expert. **Post your log to
http://aumha.net/viewforum.php?f=30,
http://forums.spybot.info/forumdisplay.php?f=22,
http://castlecops.com/forum67.html, or other appropriate forums for review
by an expert in such matters, not here.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA or Geek Squad) computer repair shop.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/

N. Miller wrote:
> I have spent almost as much time troubleshooting a failure to run of the
> Malicious Software Removal Tool on two computers, as it would have taken
> to
> "scrape and build".
>
> Case A: HP Pavilion m7590n. Originally shipped with Windows MCE 2005 SP2;
> upgraded to SP3. MSRT for August 2008 triggers a system restart, and all
> updates failed. I finally ran "Custom", and installed each of 9 updates
> one
> by stinking one. When I hit KB890830, as the installation progress bar was
> marching across the screen, there was a very audible "click", as something
> tripped the P.S., and system shut down, and restarted. Went into file
> system
> check mode, and came back still wanting to run the MSRT.
>
> Case B: HP Pavilion 6745C. Originally shipped with Windows Me, obtained a
> Windows XP Home Edition SP2 upgrade pack from Fry's Electronics, and did a
> clean install on NTFS partitions. Added SP3 before setting up the
> applications. I let it run with 13 "Critical Updates" to work on, came
> back
> to find it had rebooted spontaneously. Went back to the Windows Update
> site;
> only four of the updates had installed. Went to "Custom" mode, and
> installed
> all but KB890830. Installation was normal. However, as with Case A:,
> KB890830 triggers a shutdown before it has begun to run. At this time,
> MSRT
> has not been run on the Pavilion 6745C. I can't force it into Safe Mode
> the
> same way as with the Pavilion m7590n; F8 key. Too tired to continue at
> this
> time; been 12 hours since I began screwing around with this issue. Will
> fight with it some other time.
>
> Or, maybe, it is time to pitch Windows and switch to another OS? This
> really
> sucks. Third month in a row that Windows Update has caused problems
> requiring manually deleting system files, and manually downloading the
> patching .exe files.

On Wed, 13 Aug 2008 10:44:47 -0400, PA Bear [MS MVP] wrote:

> Unexplained computer behavior may be caused by deceptive software...

This KB890830 is the *only* "unexplained" behavior. First showed up on a
computer on which I had recently installed the "TVeristy" media server, and
upgraded from 2 GB to 4GB of RAM. First thing I did was run Avas scan, then
downloaded, and ran, the MSFT memory diagnostic tool. Avast reports no
malware (dicounting a half dozen false positives; I *know* what those
applications that Avast was alerting on do! Including the iTunes uninstaller
application!). The MSFT memory diagnostic looped four times without error.

--
Norman
~Shine, bright morning light,
~now in the air the spring is coming.
~Sweet, blowing wind,
~singing down the hills and valleys.

On Wed, 13 Aug 2008 07:08:54 -0700, Susan Bradley, CPA aka Ebitz - SBS Rocks
[MVP] wrote:

> Interesting as I've never had that MSRT cause any issues and never
> wanted a restart. Can you post the log up here?

I tried posting the log as an attached .zip file. Client says it went out,
but the file is 61 kBytes.

--
Norman
~Shine, bright morning light,
~now in the air the spring is coming.
~Sweet, blowing wind,
~singing down the hills and valleys.

N. Miller wrote:

> [...] Avast reports no
> malware (dicounting a half dozen false positives;

That sounds unlikely. What applications are these?

> I *know* what those
> applications that Avast was alerting on do! Including the iTunes uninstaller
> application!).

But do you know whether your copy of the application has been modified to
contain malware?

Harry.

--
Boycott Beijing 2008 http://www.rsf.org/rubrique.php3?id_rubrique=174

On Fri, 15 Aug 2008 10:36:00 +1200, Harry Johnston [MVP] wrote:

> N. Miller wrote:

>> [...] Avast reports no
>> malware (dicounting a half dozen false positives;

> That sounds unlikely. What applications are these?

C:\Program Files\iTunes\Plug-ins\amip_uninstall.exe
C:\Program Files\Online
Service\PeoplePC\ISP5900\Branding\ppal3ppc.exe\$IN STDIR\PPCToolbar.dll
C:\Program Files\Passware\ariskkey.dll
C:\System Volume Information\_restore....(I believe this one is one of the
EICAR files; the log line runs on beyond the number of supported
characters). EICAR is *not* malicious, but always detected.
C:\Programs\music_now\inetchk.exe

"AMIP" is a WinAmp plugin for iTunes. The file creation date is consistent
with the file creation dates for the Wimamp install folder. Because of the
fact that I was typing while the scan was running, I managed to blow away
the uninstaller for this plug-in.

"ppal3ppc.exe" is an OEM included installer for the PeoplePC Internet
service.

"Passware" is a password reveler which I installed. AV programs are noted
for alerting on applications which are *potentially* malicious, leaving it
up to the operator to know, for sure, whether they installed such software,
or not.

EICAR is, well, EICAR. http://en.wikipedia.org/wiki/Eicar_test_file

"Inetchk.exe" is in another of the OEM included files, this one pertaining
to AOL's "Music Now".
http://www.timewarner.com/corp/newsr...448986,00.html

> But do you know whether your copy of the application has been modified to
> contain malware?

They are in the proper folders, as originally installed, and have file
creation dates consistent with the other files in those folders.

HJT log shows nothing malicious. AdAware and Spybot S&D show nothing
malicious.

CurrPorts shows no suspicious connections, or applications listening. If
there is anything malicious on this box, it is very well hidden. I have not
run a rootkit scan. Primarily because, aside from the MSRT dumping the power
during its run, nothing unexplained is going on.

Oh, and finding an MVP who posted a suggestion to another user with a
similar problem seems to indicate an MSRT problem. The solution offered was
to download the latest version of KB890830, go to %Windows$\System32, delete
the 'msrt.exe' file, reboot to "Safe Mode", and run the newly downloaded
file. When I did that, MSRT ran normally, *without* dumping the power.

--
Norman
~Shine, bright morning light,
~now in the air the spring is coming.
~Sweet, blowing wind,
~singing down the hills and valleys.

N. Miller wrote:

> "AMIP" is a WinAmp plugin for iTunes. The file creation date is consistent
> with the file creation dates for the Wimamp install folder.

I'm sure most viruses nowadays make sure the file creation/modification date
doesn't change when they infect a file. If this is really a legitimate piece of
code, it seems unlikely that Avast would flag it - though it would be worth
checking with the WinAmp folks.

> "Passware" is a password reveler which I installed.

OK, that one is probably a genuine false positive.

> EICAR is, well, EICAR. http://en.wikipedia.org/wiki/Eicar_test_file

Not *exactly* a false positive, but not a risk either. :-)

> Oh, and finding an MVP who posted a suggestion to another user with a
> similar problem seems to indicate an MSRT problem. The solution offered was
> to download the latest version of KB890830, go to %Windows$\System32, delete
> the 'msrt.exe' file, reboot to "Safe Mode", and run the newly downloaded
> file. When I did that, MSRT ran normally, *without* dumping the power.

OK; thanks for letting us know. It's very odd, though; MSRT is user-mode code,
meaning it shouldn't be able to crash the computer even if it is faulty. Also I
wasn't aware that MSRT put a file in system32 in the first place. Certainly
there's no such file on my system, even when MSRT is actually running.

Harry.

--
Boycott Beijing 2008 http://www.rsf.org/rubrique.php3?id_rubrique=174

http://support.microsoft.com/kb/890830

" How to remove the Malicious Software Removal Tool
The Malicious Software Removal Tool does not use an installer.
Typically, when you run the Malicious Software Removal Tool, it creates
a randomly named temporary directory on the root drive of the computer.
This directory contains several files, and it includes the Mrtstub.exe
file. Most of the time, this folder is automatically deleted after the
tool finishes running or after the next time that you start the
computer. However, this folder may not always be automatically deleted.
In these cases, you can manually delete this folder, and this has no
adverse effect on the computer. "

It's present on my XP Pro system in sys32.
What happens if you run mrt from the Run line ?


MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============



Harry Johnston [MVP] wrote:

> N. Miller wrote:
>
>> "AMIP" is a WinAmp plugin for iTunes. The file creation date is
>> consistent
>> with the file creation dates for the Wimamp install folder.
>
>
> I'm sure most viruses nowadays make sure the file creation/modification
> date doesn't change when they infect a file. If this is really a
> legitimate piece of code, it seems unlikely that Avast would flag it -
> though it would be worth checking with the WinAmp folks.
>
>> "Passware" is a password reveler which I installed.
>
>
> OK, that one is probably a genuine false positive.
>
>> EICAR is, well, EICAR. http://en.wikipedia.org/wiki/Eicar_test_file
>
>
> Not *exactly* a false positive, but not a risk either. :-)
>
>> Oh, and finding an MVP who posted a suggestion to another user with a
>> similar problem seems to indicate an MSRT problem. The solution
>> offered was
>> to download the latest version of KB890830, go to %Windows$\System32,
>> delete
>> the 'msrt.exe' file, reboot to "Safe Mode", and run the newly downloaded
>> file. When I did that, MSRT ran normally, *without* dumping the power.
>
>
> OK; thanks for letting us know. It's very odd, though; MSRT is
> user-mode code, meaning it shouldn't be able to crash the computer even
> if it is faulty. Also I wasn't aware that MSRT put a file in system32
> in the first place. Certainly there's no such file on my system, even
> when MSRT is actually running.
>
> Harry.
>