Microsoft readies new rootkit detection tool in light of Windows XP patching problems

Summary: Microsoft is working on a new tool for detecting and removing the Alureon rootkit from Windows users' systems after the company found that Alureon appears to be behind the blue-screen problems experienced by some XP users who applied a recent Microsoft security fix.


A week ago, Microsoft officials said they were removing one of the company's Windows patches from the Windows Update pipeline because of reports of blue-screening by some XP users after applying that patch.

On February 17, via the Microsoft Security Response Center (MSRC) blog, the Softies shared the fruits of their investigation of this issue. As my ZDNet blogging colleague Ed Bott had predicted, the blue screening was the result of malware already present on users' XP machines. That seems to be the case, Microsoft officials said -- specifically, the Alureon rootkit.

According to the new blog post by MSRC Director Mike Reavey, Microsoft is "working on a simpler solution to detect and remove Alureon from affected systems which should be released in a few weeks." (Other third-party security firms are doing the same, Reavey said.)

There's no update in the new post as to when Microsoft will recommence distributing MS10-015 via automatic update. (I'd think that if and when that happens, it will be after Microsoft releases the Alureon rootkit-detection fix.)

Microsoft pulled MS10-015 (KB977165) from Windows Update in early February after reports from users, including some XP users, of blue-screen-of-death (BSOD) issues that seemingly resulted from applying that patch.

Users still having issues they believe may be the result of MS10-015 can obtain free support from Microsoft by going to or by calling 1-866-PCSafety (1-866-727-2338). International customers can find local support contact numbers here:



Mary Jo has covered the tech industry for 30 years for a variety of publications and Web sites, and is a frequent guest on radio, TV and podcasts, speaking about all things Microsoft-related. She is the author of Microsoft 2.0: How Microsoft plans to stay relevant in the post-Gates era (John Wiley & Sons, 2008).



  • Good deal

    I have to give them kudos for looking into these problems, and going the extra mile to ensure its users are safe. Hopefully, it'll come through WU, and people won't ignore it.
    The one and only, Cylon Centurion
    • Should it not be part of MSE? (nt)

      • Shouldn't Symantec, McAfee, et al also have detection?

        Just wondering...rather than finger pointing.
        • Agreed...

          There are some great rootkit removal tools out there and most of the time the free ones work the best. ComboFix is a great example of this.

          The main problem is that I've yet to find one that works well proactively. Nearly all of them simply remove infections from machines that have already been compromised.

          If anyone can recommend an active rootkit scanner that works well, I would love to hear about it... and just a side note, but both Symantec and McAfee are horrible products compared to other offerings out there. I would personally avoid them like the plague.
          • Sophos Root-kit Scanner Tool?

            The Sophos website usually offers a "free" root-kit scanner tool.

            My Sophos AV is set to do daily scans (in addition to the continuous background checks etc.). These include a scan for root-kits. But on a stand-alone PC which contains masses of files & programs, these daily scans take hours.

            I had been planning to do the root-kit scans less often.
          • Vipre

            Try Vipre Rescue - a command-line scanner that works pretty well. Saved my butt a few times. Vipre AV worked well too.
        • A tad sensitive perhaps?

          The poster hoped it would come through WU and I suggested it perhaps should come through MSE.

          The finger pointing was done by you (at me). Maybe you should try to crawl out of your MS fanboy skin, just for a change.
        • Yes

          But I'm not surprised they don't.

          I don't think either one of these AV programs is very effective. They need to become more proactive, and STOP the infection before it happens instead of reacting AFTER the infection has set in.

          It's for this reason every one of my machines has NOD32 on it. I've been using it for 5 years, and nothing has ever made it to my machine yet.
      • It might

        I think MSE has the ability to detect this previous one.
        The one and only, Cylon Centurion
        • As general comments.....

          I updated 8 XP systems and did not have a single BSOD, which was of course a relief. In addition, I do not blame MS at all for this issue.

          Having said that and using MSE as my anti-malware SW, it is of course always of concern when your line of defense will not catch everything. But malware is a cat and mouse game, so catching everything before the fact is highly unrealistic.

          The reason I suggested MSE as a better avenue than WU, was its very frequent update cycle.
      • I would hope they'd go this route

        I'm using MSE only now on all systems. This would be immensely helpful if I don't need to install a second tool.

        Friends/family that come to me with boxes that need cleaning up that don't already have good/working AV, I have first been running MS Malicious Software Removal Tool. That thing catches tons of junk on their systems that generally Symantec and McAfee have let through. Then I uninstall those and have them go with MSE. Their systems are always performing better after this approach -- every time.
  • Will the.....

    rootkit detection fix be part of the MSE updates or a separate little utility?
    • Just a guess...

      it will probably be released on the Windows Update web site, part of the "Malicious Software Removal Tool" available for download.
  • RE: Microsoft readies new rootkit detection tool in light of Windows XP patching problems

    If Microsoft pulled the update (KB977165) in early February, then why does it still show when I go to and still shows as an active update on our WSUS server?
    • MS pulling the update

      Hi. As I noted on Feb 4, MS was pulling the update only from Win Update and leaving it up on WSUS and SMS ...

      More here:;post-5314

      Thanks. MJ
      Mary Jo Foley
      • Has MS now re-posted it to Windows/Microsoft Update?

        Yesterday I re-imaged a system with my Windows XP SP3 / Office 2003 base image and ran Microsoft Update on the system. KB977165 was one of the 105 (!) updates installed. I specifically double-checked, because I was planning on installing it anyway; it shows up in Add/Remove Programs.
        • 64-bit patch is available again

          The 64-bit patch was going to be available again, but they were going to hold off on making the 32-bit patch available. You're sure it was re-offered?
          • Positive it was re-offered on 32-bit XP Professional.

            I double-checked to see if it was installed via Microsoft Update because I was going to manually install it if it wasn't. I wasn't concerned about the image being infected because the image has never been exposed to the Internet - it was built on an isolated machine.
          • BSOD had nothing on me

            I never got the BSOD. I run my AV and a sub program on a regular basis. So I might have killed the little bugger before the update.
        • What are you worrying about? Unless you are infected with the rootkit?

          Since you re-imaged a system, it should be clean, should it not?

          Whoohoo, what if the image contains the rootkit?

          Well then it's perfect, you want that update to cause a BSOD, so you now definitely know for sure, your image source is also already infected...

          In any case, you win.

          But personally, I wouldn't worry. That is if your systems are healthy prior to the update(s).