I removed MS09-058 security update in Vista

Wish me luck.  I removed the MS09-058 security update (released by Microsoft earlier this month).  I keep getting BSOD 0x1000008e each time I click the "Send/Receive" button in Outlook.  I’ve done memtest, a diagnostic test, re-inserted the memory sticks and clean-booted (also used the Dell diagnostics tool) but nothing is helping or showing that any of my devices, software or drivers is at fault.  I went through removing AV and firewall software but no joy.  I’ll see if MS09-058 is the culprit.  If it is… then I’ve got a friend who will try it too because he’s seeing the same issue – BSOD 0x1000008e.

Anyway, the event log is not much help.  I’m just seeing 1 info and 1 error that I figured are not related. The info in the many Minidump files is not helping either, other than saying it is a kernel error. Keeping my fingers crossed! If there are no more BSODs after removing MS09-058… I’m a happy camper!

[Screenshots: 10-27-2009 11-47-33 AM, 10-30-2009 2-08-38 AM]

So I have MS09-058 now being offered again by MU because I removed it:

[Screenshot: 10-30-2009 3-27-02 AM]

I’ll install that back if I get another BSOD.

Update:  BSOD again even though MS09-058 has been removed 🙁 Back to square 1!

Update 2, Oct. 31:  SBS Diva Susan Bradley is helping me to find the culprit.  Armed only with dump files… keyscrambler.sys seems to be the culprit but another dmp file I have shows ntoskrnl.exe will not load.  The first thing to do is remove KeyScrambler v2.60 to see if the BSODs will stop.  Note though that I installed that new version of KeyScrambler on Oct. 6 or 7.  The crashes started Oct. 19 and continue to the present.  Many thanks Mom Susan for helping all the time!

Update 3, Nov. 1:  I reported the issue to KeyScrambler.  I had another BSOD even after uninstalling KeyScrambler but the BSOD bug check shows ntoskrnl.exe.  Whether it’s related to KeyScrambler (because the driver of KS hooks into the kernel)… I’m tired of this.  I think I’ve spent a lot of days on it already.  The system is OK until I use Outlook to send email.  It’s crazy.  I’d better go back to my ‘image’ backup from prior to Oct. 13.  Yeah, I’d better do that today.  It’s Halloween anyway (not so busy… at least not my inbox full of malware spam to review and add to the collection!) And BTW, the new BSOD even after I removed KeyScrambler v2.60 is this one, which occurred today, Nov. 1, at 4:15PM (GMT+8):

[Screenshot: 11-1-2009 4-15-44 PM]

Another thing for me to analyze? :( 

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Windows\Minidump\Mini110109-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2008/Windows Vista Kernel Version 6002 (Service Pack 2) MP (4 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 6002.18082.x86fre.vistasp2_gdr.090803-2339
Machine Name:
Kernel base = 0x81e4c000 PsLoadedModuleList = 0x81f63c70
Debug session time: Sun Nov  1 16:12:06.310 2009 (GMT+8)
System Uptime: 0 days 2:34:32.596
Loading Kernel Symbols
………………………………………………………
……………………………………………………….
…………………………………
Loading User Symbols
Loading unloaded module list
…….
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {20, 2, 0, 8a491e2f}

Probably caused by : tcpip.sys ( tcpip!TcpPushRequestReceive+86 )

Followup: MachineOwner
———

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000020, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 8a491e2f, address which referenced memory

Debugging Details:
——————

READ_ADDRESS: GetPointerFromAddress: unable to read from 81f83868
Unable to read MiSystemVaType memory at 81f63420
00000020

CURRENT_IRQL:  2

FAULTING_IP:
tcpip!TcpPushRequestReceive+86
8a491e2f 8b4620          mov     eax,dword ptr [esi+20h]

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0xD1

PROCESS_NAME:  System

TRAP_FRAME:  81f41a7c -- (.trap 0xffffffff81f41a7c)
ErrCode = 00000000
eax=00000001 ebx=b6d6dc44 ecx=b6d6dd2c edx=00000000 esi=00000000 edi=b6d6db58
eip=8a491e2f esp=81f41af0 ebp=81f41b0c iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
tcpip!TcpPushRequestReceive+0x86:
8a491e2f 8b4620          mov     eax,dword ptr [esi+20h] ds:0023:00000020=????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from 8a491e2f to 81e99fb9

STACK_TEXT: 
81f41a7c 8a491e2f badb0d00 00000000 00000000 nt!KiTrap0E+0x2e1
81f41b0c 8a47c19c b6d6db58 85663bc0 00000100 tcpip!TcpPushRequestReceive+0x86
81f41b30 8a47bdb1 00632330 81f41b94 81f41c50 tcpip!TcpProcessExpiredTcbTimers+0x165
81f41b68 81ef62eb 85663bc0 00000000 0048ba31 tcpip!TcpPeriodicTimeoutHandler+0x18b
81f41c88 81ef5eab 81f41cd0 868c0802 81f41cd8 nt!KiTimerListExpire+0x367
81f41ce8 81ef6615 00000000 00000000 000911d9 nt!KiTimerExpiration+0x22a
81f41d50 81ef487d 00000000 0000000e 00000000 nt!KiRetireDpcList+0xba
81f41d54 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0x49

STACK_COMMAND:  kb

FOLLOWUP_IP:
tcpip!TcpPushRequestReceive+86
8a491e2f 8b4620          mov     eax,dword ptr [esi+20h]

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  tcpip!TcpPushRequestReceive+86

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: tcpip

IMAGE_NAME:  tcpip.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4a856b4a

FAILURE_BUCKET_ID:  0xD1_tcpip!TcpPushRequestReceive+86

BUCKET_ID:  0xD1_tcpip!TcpPushRequestReceive+86

Followup: MachineOwner
———
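
An added example, not part of the original post: a small Python sketch that reads the `!analyze -v` text above and checks whether the faulting address is simply a register holding zero plus a small offset, meaning a NULL structure pointer was read at IRQL 2 (DISPATCH_LEVEL) rather than a paged-out buffer being touched. The function name `triage` and the trimmed excerpt are choices made for this example; the values in the excerpt are copied from the dump above.

```python
import re

# Lines copied from the !analyze -v output in this post (trimmed for the example).
ANALYZE_TEXT = """\
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
Arg1: 00000020, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 8a491e2f, address which referenced memory
eax=00000001 ebx=b6d6dc44 ecx=b6d6dd2c edx=00000000 esi=00000000 edi=b6d6db58
eip=8a491e2f esp=81f41af0 ebp=81f41b0c iopl=0         nv up ei pl zr na pe nc
tcpip!TcpPushRequestReceive+0x86:
8a491e2f 8b4620          mov     eax,dword ptr [esi+20h] ds:0023:00000020=????????
IMAGE_NAME:  tcpip.sys
"""

def triage(text):
    """Summarise a 0xD1 bugcheck from WinDbg '!analyze -v' text (x86 dumps)."""
    args = {int(n): int(v, 16)
            for n, v in re.findall(r"^Arg(\d): ([0-9a-f]{8})", text, re.M)}
    regs = {r: int(v, 16)
            for r, v in re.findall(r"\b(e[a-z]{2})=([0-9a-f]{8})\b", text)}
    check = re.search(r"^(\w+) \(([0-9a-f]+)\)$", text, re.M)
    image = re.search(r"^IMAGE_NAME:\s+(\S+)", text, re.M)
    # Faulting instruction line: "<address> <opcode bytes> <mnemonic> ... [reg+NNh]"
    insn = re.search(r"^([0-9a-f]{8}) [0-9a-f]+\s+\w+\s+.*\[(e[a-z]{2})\+([0-9a-f]+)h\]",
                     text, re.M)
    result = {
        "bugcheck": int(check.group(2), 16) if check else None,
        "image": image.group(1) if image else None,
        "memory_referenced": args.get(1),
        "irql": args.get(2),
        "operation": "read" if args.get(3) == 0 else "write",
        "base_register": None, "effective_address": None, "null_base_deref": False,
    }
    if insn and insn.group(2) in regs:
        base, disp = insn.group(2), int(insn.group(3), 16)
        effective = (regs[base] + disp) & 0xFFFFFFFF
        result.update(base_register=base, effective_address=effective,
                      # NULL base pointer: the "address" is only the field offset.
                      null_base_deref=(regs[base] == 0 and effective == args.get(1)))
    return result

if __name__ == "__main__":
    for key, value in triage(ANALYZE_TEXT).items():
        print(f"{key:18} {hex(value) if isinstance(value, int) and not isinstance(value, bool) else value}")
```

For this dump the result shows `esi` was zero and the referenced address 0x20 is just the displacement in `mov eax,dword ptr [esi+20h]`, which matches Arg1.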

I’m tired. I have a backup from before Oct. 13 that doesn’t have all these… I need to go back!  ROFL