Can NOD32 still protect me?

Discussion in 'NOD32 version 2 Forum' started by Elwood, Oct 13, 2006.

Thread Status:
Not open for further replies.
  1. Elwood

    Elwood Registered Member

    Joined:
    Sep 12, 2005
    Posts:
    205
    Location:
    Mis'sippi
    Hello,

    I have found that my pc running Windows ME is not stable with the KB918547 update installed (I'm pretty sure this is the update that causes problems, but I have not installed the other (IE) updates that were released at the same time either....yet). I believe this is the graphics engine update that MS issued immediately before "support" was dropped for 98SE/ME OSes.

    KB918547 causes freezes when the pc is idle (whole display freezes, mouse, keyboard, system tray clock etc.) and sometimes when I click on links or run maintenance programs (scan disk etc.). It did not cause freezes when running graphics intensive games or benchmarks, which I found to be odd. It even affected DOS apps like memtest86+, froze after 89% of the sixth pass with no memory errors up to that point.

    I restored an image backup, installed the updates and the problem returned, installed the image a second time and no problems at all in the last three days, whereas my pc was locking up several times a day with the update(s) installed.

    Will NOD32 still protect me from the exploits that may be developed?

    I do not use IE for anything other than Windows Update and since the fiasco with the final update(s), I doubt I'll be using it for that anymore either. Firefox and SeaMonkey (default) are my browsers of choice.

    Thanks for any input.
     
    Last edited: Oct 13, 2006
  2. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    Actually, I believe that memtest86+ is a Linux app, but no matter. The point is that it runs off a boot floppy or CD. As a result, it is totally independent of Windows, so the errors in memtest86+ cannot be caused by the KB918547 update. Now, KB918547 could certainly be causing other problems on your PC, but not with memtest86+.

    Be that as it may, your question is still a valid one (even if KB918547 gave you no problems at all). New exploits can still pop up that affect WinME. Since Microsoft has officially dropped support for WinME, they are under no obligation to fix the exploit. Will NOD32 still protect you? Past track record would tend to say, "yes".
     
  3. Elwood

    Elwood Registered Member

    I would think the same thing, but I'm going to run memtest86+ again and see if it runs ten times to completion, and if it does would you say it's a complete coincidence that it only fails after the updates?

    I know how my pc was acting and how it's acting now. The update(s) causes problems that mimic hardware problems. I took this pc apart as far as I could and put it back together again looking for any physical sign of damage. I don't think it's a hardware problem even though the pc is old.

    My RAM is Mushkin pc133 SDRAM and has a lifetime (of the pc) warranty, I think it's an extremely high quality product. Does RAM just go bad like that and then return to normal function? Because that's how it acts with and without the update(s).
     
  4. DavidCo

    DavidCo Registered Member

    Joined:
    Jul 9, 2005
    Posts:
    503
    Location:
    UK
    KB918547 has caused some problems.
    It runs as a service (.exe) and there are some registry issues possible.
    Also as a service it may conflict with ZoneAlarm etc.
    It seems to be for IE's rendering engine?
     
  5. ASpace

    ASpace Guest

    Yes, NOD32 will not kill the whole vulnerability but will eliminate all kinds of threats that try to exploit it, which is the same. NOD32 will detect them either by signatures/generic detection or heuristics.

    It is recommended that you always keep it updated.

    Use Firefox and make sure it is updated. Make sure you use a good firewall to keep the intruders out and you will be fine ;)
     
  6. Elwood

    Elwood Registered Member

    Memtest86+ results:

    AMD Athlon: (0.18) 1102 MHz
    L1 Cache: 128k 6720MB/s
    L2 Cache 256k 2071 MB/s
    Memory: 512M 328 MB/s
    Chipset: VT82C69/693A/694X

    WallTime: 9:29:53
    Cached: 512MB
    RsvdMem: 80k
    MemMap: e820-Std
    Cache: on
    ECC: off
    Test: Std
    Pass: 11
    Errors: 0
    ECC:

    Thanks for the input and reassurances. I keep NOD32 and my browser versions up to date.

    I think you're right. I think that the most that can happen while using SeaMonkey or Firefox is that I'll be prompted and asked how I want the file type handled and by NOD32 if/when it detects any malicious file that tries to slip through during that time.
    The only other security product I have running during this time and during the problematic period is/was Kerio Personal Firewall 2.1.5 with remote administration disabled. I usually also run BOClean, but I don't think it has any bearing whatsoever on the situation because it happened with or without BOClean installed.

    I think KB918547 might be deliberate sabotage.

    I still have Paolo Monti's patch archived, but uninstalled it when I read that 9x was not affected by that particular WMF vulnerability. I wonder if it would protect against this "newer" WMF vulnerability?

    [added]

    Running processes:

    http://img227.imageshack.us/img227/3537/processesuo6.th.png
     
    Last edited: Oct 14, 2006
  7. ASpace

    ASpace Guest

    I am not sure about that patch, maybe it will work. NOD32 will protect you against this exploit. NOD detected it proactively and later signatures were added.
     
  8. Elwood

    Elwood Registered Member

    Again, thanks for your input.

    I would be very interested to know if indeed Paolo Monti's WMF patch effectively seals this WMF hole because when I had his patch installed, I noticed no odd behaviors and experienced no problems, unlike when this KB918547 "patch" was installed on my system.

    I guess I better go get those other patches, I believe one of them had something to do with a vulnerability in Windows Media Player 9. I'm not going to install KB918547 though.
     
  9. ASpace

    ASpace Guest


    I have never used Paolo's patch. It is my decision not to install any 3rd party patches. Also NOD protected me from the beginning proactively and later by signatures. You are welcome! :thumb:
     
  10. Elwood

    Elwood Registered Member

    Personally, I trust Paolo Monti over MS any day of the week. I installed his patch the first day it was made available (I think) as I had been reading of the zero day exploit and was aware of a third party patch by Ilfak Guilfanov for NT based OSes and when I read that Paolo Monti had created a patch for his own use and had made it available publicly (can't find it now online), I installed it immediately and advised other people running 9x to do the same (of course I also advised that if/when MS made a patch available to uninstall Monti's patch before installing any MS patch covering the same vulnerability).

    This was before it was found that 9x was immune to that particular WMF exploit, but this leaves open the question of whether or not the current WMF vulnerability is covered by this patch.

    I think KB918547 is a ticking time-bomb and if it isn't causing problems for some people now, it probably will in the (near) future. Of course many people won't have an image to fall back on and will probably conclude that their hardware/OS is shot and they'll either reinstall their OS, update it fully and discover that their "hardware problem" still exists, which at that point they'll feel the need to have their computer(s) repaired (which won't help) or buy a new pc with XP installed on it (which I believe is probably the motivation for sabotaging peoples' computers with this "patch").

    This is probably becoming off-topic now, so I'll conclude my observations and only hope that Paolo Monti or another Eset "official" will respond either in the negative or affirmative that his patch is a viable alternative to KB918547 (which is not an option for me).
     
  11. ASpace

    ASpace Guest

    I also trust Paolo Monti and ESET. Paolo has created lots of useful tools and removal utilities which I often use.

    As far as I can remember, you won't be able to find Paolo's patch available at the moment because Microsoft have asked to have all non-MS patches removed and only theirs available. Anyway... let me ask you, why do you care so much about this WMF exploit/patch? This is currently not being exploited and will probably never be again. Moreover, if your ESET NOD32 is updated you are covered and fully protected without any patches.

    ADD: WMF affects only Internet Explorer, not Firefox :D
    :thumb: :thumb: :thumb:
     
    Last edited by a moderator: Oct 15, 2006
  12. Elwood

    Elwood Registered Member

    I don't really know why I care about the WMF vulnerability so much except I like to have my "bases covered", so to speak, and I feel that MS is engaging in sabotage. I guess I'm a bit obsessive/compulsive. I trust NOD32, but if the hole can be completely sealed with a non-MS patch, why not?

    I have Paolo Monti's patch archived, so if anyone wants it, I'll be glad to make it available to them. I'll probably install it myself in a little while, doesn't seem to cause any problems, at least none that I encountered during the months I had it installed.

    Still haven't installed those other updates yet either, but one does have to do with Windows Media Player, something about a vulnerability in the way WMP handles .png images? Not sure why that would really be needed either, but I guess I'll probably install it anyway...
     
  13. ASpace

    ASpace Guest


    OK, as you like it. Thanks for letting us know.

    Anyway, I personally wouldn't care about this at all. NOD32's IMON will detect it and will prevent it from even touching your PC. WMF vulnerability exploits only Internet Explorer and if you are not using it, nothing to worry about ;)

    You are welcome! :thumb: :D
     
  14. Elwood

    Elwood Registered Member

    You're welcome. :thumb:

    Thanks again, to you and all. :cool:

    [added]

    I just installed the update for Windows Media Player 9 and I installed the latest version of Windows Script for my OS.

    Download details: Windows Script 5.6 for Windows 98, Windows Millennium Edition, and Windows NT 4.0

    I guess that's all the updates/patches I'm going to install.

    [second edit]

    I had another freeze while browsing the WalMart site (ran cursor over tabs at the top of page and immediately froze), so either my pc *is* going south (which is very possible) or one of the two MS patches I installed today is causing the problem and not KB918547.

    I think that I installed Windows Script in a vain attempt to fix the problem when it first started occurring more than a month ago, so as unlikely as it seems, it must be the WMP update? I was not using WMP at the time of this freeze nor any others that I recall.

    I just restored an image I made yesterday while my pc was running great.

    I'm going to run like this for a week or two, if I don't post back, I'm running fine (I have access to another pc).

    I'm planning on getting a new pc with XP SP2 before Vista comes out. I don't think I want Vista, at least in its early stages. Not thrilled about using XP, but I don't know anything except Windows, hopefully that will someday change.
     
    Last edited: Oct 15, 2006
  15. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,031
    Location:
    California
    Hello,

    I am wondering if the stability issue you reported may be due to another problem, such as an overheat condition inside the computer.

    It could be that the KB918547 update service causes the CPU to generate more heat when it is running. Normally this type of problem shows up with a concordant decrease in performance, but in this case the service could be making use of a number of instructions which cause the processor to produce more waste heat without a noticeable loss in performance.

    Have you verified all the fans inside the computer (including fans attached to things like video cards) are spinning up properly when power is applied to the computer?


    Regards,

    Aryeh Goretsky
     
  16. Elwood

    Elwood Registered Member

    Hi and thanks for the reply,

    Actually I think I have finally fixed the problem, it seems to have been a loose connection on the motherboard as I have now installed all updates except KB918547 and I haven't experienced any freezes in several days.

    I'll probably make another image before installing that particular update, but I don't think the update was the problem after all. It's been a very frustrating experience tracking this "minor" hardware problem down and I'm sorry if I've sounded abrupt or over-sure of myself, but I thought I had tried just about everything.

    I had already tried tightening the connection (unplugging and plugging back in), but was going back over things and the computer wouldn't even boot (no lights either) after I had touched that connector, so I laid the pc down and pushed it as hard as I felt was safe and it's been acting fine ever since. Not sure where the wires lead, but I think it goes from the power button to the motherboard.
     