If you use Windows XP and haven’t yet updated your system with the applicable security updates that Microsoft issued Tuesday, you might want to hold off for a bit. Turns out, a non-trivial number of XP users are reporting that their systems suffer from the dreaded Blue Screen of Death (BSoD) and fall into an interminable reboot loop after installing the latest batch of patches from Redmond.
The problem seems to be affecting only some XP systems. This thread on a Microsoft.com Answers forum seems to include a fix that works. However, the fix requires users to have their XP install CD handy (in a practice that should be outlawed, many computer makers get away with shipping systems without an install/reinstall disc).
According to the support forum threads I’ve seen on this, affected users noticed the problem on the reboot following the installation of Tuesday’s patch batch. The folks who complained of the bootup problem said the BSOD error page is accompanied by the message “PAGE_FAULT_IN_NONPAGED_AREA”.
If you’re experiencing the above-described problems after installing Tuesday’s bundle of updates, follow these steps, which a number of affected users have said seem to fix the problem:
1. Boot from your Windows XP CD or DVD and start the Recovery Console (see this link on how to use the Recovery Console). Once you are at the Recovery Console prompt, which leaves you in the Windows directory of the installation you selected:
2. Type this command: CHDIR $NtUninstallKB977165$\spuninst
3. Type this command: BATCH spuninst.txt
4. Type this command: systemroot
5. When complete, type this command: exit
These commands assume that the hidden uninstall folder $NtUninstallKB977165$, which the patch installer creates under the Windows directory, is present; the BATCH command runs the removal script stored there, and the systemroot command simply returns you to the Windows directory afterwards.
Unfortunately, there is an entire subset of users who might be in for a whole mess more work to fix this kind of problem: Netbook users. One of the things that makes netbooks so light and small is that they do not have optical (CD/DVD-ROM) drives. If you’re a netbook user who has this problem AND a copy of a Windows XP install CD handy and a computer with a CD drive, you may still be able to rescue your system by building a custom XP install/bootup disc on a USB drive.
If all of that sounds like too much work, home users are eligible for no-charge support by calling 1-866-PCSAFETY (and/or 1-866-234-6020 and/or 1-800-936-5700) in the United States and in Canada. Microsoft says there is no charge for support calls that are associated with security updates.
Update, 8:34 a.m. ET: Based on a review of various help forums discussing this problem, it appears that the problematic update is KB977165 (MS10-015, “Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege”). Note that affected systems may also blue-screen or hang when booting into Safe Mode, typically while loading the system driver mup.sys.
The help instructions above have been modified to specify the removal of just this one patch. A previous version of this blog post included instructions for removing all of the patches Microsoft shipped for XP systems on Tuesday.
Update, Feb. 12, 10:09 a.m. ET: Microsoft has a blog post up acknowledging this problem, saying that it stopped shipping the problematic update via Windows Update as soon as it recognized the issue. Redmond says it is still investigating the cause of the conflict. Microsoft notes that in lieu of applying the patch, XP users can use Microsoft’s click+install “Fix it” tool, which disables the vulnerable Windows component. That workaround is available here.
Tags: bsod, microsoft patches, PAGE_FAULT_IN_NONPAGED_AREA, reboot loop, windows


Based on the thread it appears the KB977165 has been narrowed down as the culprit. So the rest of the patches are probably safe to install.
I have downloaded my patches for the month but have not yet installed them. What advice do you have for me?
From BK’s post above: “you might want to hold off for a bit. “
Well yeah, I got that I shouldn’t install the updates, but what do I do about this bum update that has been downloaded to my machine? Can I delete it? Will I receive the good update on top of this one when MS fixes it, or will Windows Update think I have it already? I think it was a fair question and that you were kind of snotty.
Bunny,
I was trying to be helpful, no snot intended.
Windows 7 Ultimate 32bit – stuck on Loading screen after first restart. Repairing didn’t help so thank God for the restore point before the patched application.
Hope we get some info soon
The recovery console and installation repair options both require a Win XP CD which, unfortunately, is no longer possible to get from OEMs as BK already mentioned. Between cost-cutting by the manufacturers and MS treating everyone like pirates, it’s unethical at best and criminal at worst to leave users with no real recourse to quickly recover from a botched update other than to wipe everything out and start over…all the worse if one hasn’t backed up recently or has dual-boot systems since Windows doesn’t like to share.
(And yes, you’d be surprised at how many people don’t regularly back up.)
Are MicroSD cards the possible replacement for lugging around DVDs & CDs with the reader?
It’s now possible to boot them as USB devices and they have a write protect to protect against being violated (assuming the reader supports it and it’s not a software thing that could be overwritten by a rootkit.)
Any feedback on MicroSD for large 50+ deployments/fixes?
It’s possible to buy OEM CDs on eBay. I bought mine for like $16 and used it along with my prior computer’s reg key to load XP on my new system.
Not to blindly defend Micro$oft, but I’d bet most of the crashing machines have malware on them.
Hmmm…interesting theory, you may be on to something here. I’ve updated all (10) of my office clients as well as all (3) of my home machines without a single problem.
The only machine I have not updated is my SBS 2003 server, that has Automatic Updates switched OFF just for reasons like this, and even though it is probably malware free, I will follow BK’s advice (from the last post) about waiting to update this one until the culprit is found.
All-in-all though, the thing to take away from this would be to WAIT a few days before installing major patches to see if there are issues like these
Apparently there is anecdotal support for the infected computer theory, posted recently on the MS Update support thread by Patrick W. Barnes:
“I had an Eee PC with XP Home brought to me with this same problem. I rolled back KB977165, rebooted and the system worked fine. I reapplied KB977165 and the rest of the updates available at Microsoft Update, and the problem returned. I replaced %System32%\drivers\atapi.sys with a clean version from an XP SP3 distribution folder and rebooted… voila! Problem solved.
For reference, the SHA1SUMs of the atapi.sys files:
Non-working:
bb3e36ad0c8ed6daab38653ea4a942d74b9f4ff6
Working:
a719156e8ad67456556a02c34e762944234e7a44
If anyone wants to look at the non-working atapi.sys:
https://patrickwbarnes.com/pub/atapi.sys
I will be looking at this more in-depth. If I find anything more, it will be posted in a follow-up comment at the ISC:
http://isc.sans.org/diary.html?storyid=8209
UPDATE :
I uploaded the non-working atapi.sys file to VirusTotal, and this is the result:
http://www.virustotal.com/analisis/85aa49f587f69f30560f02151af2900f3dc71d39d1357727ab41b11ef828a7ff-1265925529
Apparently, this update problem is the result of an infection.”
Good work Patrick and good work Brian for scooping everyone on this story.
I hate it when I’m right… ;^)
I think you are on to something, although folks won’t want to hear that it may be partly their own fault …
Yeah right, it’s always someone’s fault, just not Microsoft’s.
About two weeks ago I purchased a laptop from hp. Upon arrival, it had so much crapware on it I normally re-install the system. But in today’s world, hp doesn’t ship computers with actual OS discs. I called and asked if they would send a Windows 7 disc to me, but they said they were all out. OK. In addition, if I wanted one I would have to purchase one for over $100.
Maybe these problems won’t happen in the future with Windows 7, but I’ll never know since I returned the hp and got yet another Mac!
Partly their own fault????
A friend of mine has been hit by this. And it does look like an infection in the atapi.sys is involved.
Not sure you could say it is her fault. She has a full internet security suite installed from Bitdefender. Runs MalwareBytes weekly and SuperAntiSpyware weekly.
She does not visit extra-curricular websites. Has no risky behavior I could identify. Obviously there is something at work that let in the malware. But at this point it seems to me the industry is letting her down more than she is messing up.
To maintain a clean computer at this point is not in the ability of the average and above average computer user.
I’ve been running her through the gauntlet required to even ask a question on majorgeeks.com and it is beyond daunting for the average user.
Something has got to change. People can function like this.
The main problem with most users is they do NOT use a defense in depth strategy to properly secure their systems. Their primary and usually only defense is AV/Security software. The days of relying on just AV/Security software are long gone. In fact, I never thought it was ever a good strategy.
While I use AV software, my biggest defenses, besides a hardware firewall and then a software firewall on each system, are a blocking hosts file from MVPS (see link below) and running as a non-admin (limited user). The blocking hosts file is usually updated monthly and blocks a slew of known malicious websites. Besides the firewalls, I strongly believe the blocking hosts file alone has kept malicious stuff from even getting to my system, even as I’ve been to risky parts of the Internet (using IE nonetheless).
Of course, running as a non-admin will stop most malware in its tracks should it actually get to your system.
One other thing, NEVER use P2P file sharing software (ex. Limewire) as it will almost guarantee malware on your system.
Blocking hosts file:
http://www.mvps.org/winhelp2002/hosts.htm
While the computing industry has its part to play, end users also have theirs. Computers are powerful and complex tools. They are not appliances like a toaster, albeit, it’s still possible to get electrocuted by a toaster or to cause a fire by using it improperly.
The problem is that it’s not just any one AV package. And scan-behind doesn’t help. Java and Adobe product now must also be updated. Perhaps run Secunia also.
My bet would be that there is something the patch fixes that is interfering; ie. AV Protection (ironic, I know).
The Microsoft Security Response Center is reporting that the BSOD is known to occur on computers that already have malware installed on them, but they are not ruling out other possible causes (yet):
http://blogs.technet.com/msrc/archive/2010/02/12/update-restart-issues-after-installing-ms10-015.aspx
Apparently this has been found to be true.
Also, all may have a program called SecureIT.
You sir/ma’am are correct. Alureon.ct is the name of the malware that causes the KB file to spazz out. They say that the MS Live OneCare scanner will detect and fix it but I can’t get it to work.
I have tried this, but after windows setups runs from the cd I get the blue screen of death again so I can’t do the instructions. So frustrating!!
Not sure if it will help, I’m just a troubleshooter. Have you tried disabling the HDD in the boot sequence? That’s how I got mine to boot from CD without the BSOD.
Couldn’t help but notice a small difference in the OP’s command and the one I got from tech support:
CD $NtUninstallKB977165$\spuninst
BATCH spuninst.txt
exit
vs.
CHDIR $NtUninstallKB977165$\spuninst
BATCH spuninst.txt
systemroot
exit
When I tried it using the CHDIR command it didn’t work, but when I just put CD it did.
Thanks a lot for the solution given here. I was also encountering the Blue Screen of Death after installing these patches. I followed the steps and everything is working fine for me now. As of now I have deferred the installation of these patches. Am I not supposed to install these patches ever?
And what could be the reason for these patches not working for some users only?
Brian, thanks as always for your news. I hope things are going well for you and your family since you left the Post.
As for the notebook problem, for less than $50 you can buy an external USB DVD burner. It’s a handy thing to have for loading software, burning rescue disks, or copying files.
Trying to uninstall that one update results in a scary warning that removing that update might cause like 8 others to stop working properly. So much for being modular. So I had to choose — would I rather be damned if I do or damned if I don’t?
Well from my extensive experience very little is modular when Microsoft is concerned (eg. anti-trust for IE+OS and WMP+OS in Europe).
So are you damned doing or damned donting?
It’s possible that uninstalling this update would potentially leave other updates not doing what they were meant to but rest assured it will get fixed when you install your next service pack. right?
Wouldn’t the needed updates just show up in March?
And of course there’s another subset of XP users who can’t get online to even read this after a blue-screen.

Thx MS for keeping my part-time computer repair business mostly busy!
Automatic Updates installed this (and other updates) last night on 150 XP Pro machines – no problems. I wonder if it’s specific to XP Home?
No, I have XP Home/SP2. I installed the 10 updates yesterday and so far, no BSoD.
Some blogs are reporting issues with KB977165 and Windows 7; however my W 7 machine updated OK.
Many WinXP users experienced BSODs after installing the previous Kernel update KB971486 (MS09-058) in October 2009. While removing either update may resolve the BSOD, doing so leaves the computer subject to the security vulnerabilities addressed by the update (which Automatic Updates may reinstall anyway). Best course of action (i.e., resolving the BSOD and getting the WinXP box patched) is to open a free support incident by phone or via email (https://support.microsoft.com/oas/default.aspx?gprid=6527). More at https://consumersecuritysupport.microsoft.com/
We deployed these patches to our pilot group which consists of about 50 of ~1900 computers. At this point we have not seen a single issue. We run Window XP with SP3.
You can try to boot into safe mode. Once in safe mode, you should be able to remove the update that is causing the problem. If you can’t get into safe mode, then try the recovery console, or use WinPE or BartPE. BartPE (http://www.nu2.nu/pebuilder/) is a reverse engineered version of WinPE. Both are liveCD versions of Windows. The only problem I have with BartPE is that sometimes it doesn’t have the proper IDE controller driver and therefore the liveCD does not see the hard drive after booting up, but if it is built on the system you are trying to recover, then you should have no problems. Unfortunately, Winternals ERCD is now a Microsoft Enterprise Product (http://www.microsoft.com/windows/enterprise/products/mdop/dart.aspx). So, the relabeled ERCD is of no help to the average user. Perhaps Brian could have a post on BartPE sometime as a follow on to the Ubuntu LiveCD post he had on SecurityFix.
It should be noted that BartPE requires a full XP installation CD (>= SP1) in order to build the image. This could be a problem for those who obtained their XP boxes with hidden partitions or “recovery” discs.
For those without an XP CD — you can build a Recovery Console CD with this ISO:
http://www.thecomputerparamedic.com/rc.iso
If you have no burning software or you don’t know how to use yours to burn ISO images — this ISO burning software is free & easy to use:
http://www.snapfiles.com/get/burncdcc.html
Download burncdcc.zip, unzip it, run it, point it to the RC.ISO you downloaded and follow the prompts. I have it finalize the CD.
The ISO is simply the Recovery Console — nothing more — but it will get you there to follow the OP’s post.
thanks for the fix, oopsie.
anyone without an xp disc try this!
Mup.sys is a Microsoft system network driver. The driver is performing an illegal action which is causing the kernel to fail to load causing the BSoD. You may be able to boot up in Safe Mode w/o Networking, but previous mup.sys errors have even stopped Safe Mode from working. Until Microsoft gets enough calls and knows which systems are failing and what software and hardware they have on them, then uninstalling the mup.sys update is the only workaround for now. Once Microsoft knows the underlying cause of the problem, then the patch will be fixed. The cause could be a third party device driver causing mup.sys to fail or it might be a bug in the mup.sys update that only causes a failure due to a third party driver being present. It is futile to speculate about the cause of the failure at this point. If people want to know why this happened to them, they need to post details of what computer this happened on (Manufacturer, Make, Model, extra software added) on support forums. However, Microsoft will likely have a support page available within 1-3 days about this particular error along with a fix. If you think you have problems, I guarantee you that many Microsoft Support techs are trying to help some big business customer with many servers and hundreds or thousands of clients that are disabled with this error as I write this.
My four year old desktop with XP Pro SP3 ran the updates early Wednesday morning and has rebooted successfully twice since.
Before doing so I came here and the ISC and found no warnings. I guess we should wait a day or two before the MS update?
You have to assume MS has some kind of benchmark process prior to releasing updates, but this one seems to have been skimpy. I’d be interested to know how many platforms are affected.
Uh, no. BartPE requires the i386 folder from the OEM Install CD. If no OEM Installation CD has been provided by the manufacturer, then there pretty much has to be an i386 folder on the C: drive of the computer. If the OEM did not include an i386 folder on the C: drive, then there is an OS image on a hidden partition somewhere on the drive. If this latter issue is the case, then you should call your OEM and demand an install CD because your system was crippled when you bought it because it had no repair or feature installation capability to begin with. The OEM is supposed to sell you a complete fully functional licensed copy of Windows with your computer. Without the i386 folder, you do not have a complete fully functional operating system because you are missing components you need.
I ran into the problem with no Windows distribution CD when I bought my first complete retail computer (I had always built my own PCs prior to that). It was an HP Pavilion from one of the main retail chains and I didn’t realize it didn’t include software media until I opened the box at home. I called HP customer support requesting the media which I felt I rightly owned by virtue of the Microsoft license sticker on the side of the unit. Their response was that their OEM agreement with Microsoft specifically prevented them from providing said media to customers (so they deftly passed the buck to Microsoft). :-\
I guess it’s back to building my own systems from here on out, because after having to recover my wife’s XP PC from this recent update BSOD event using the XP CD I had, I never want to be in the position of being stuck again (keeping my fingers crossed that the retail HP unit running Vista behaves itself).
I have Vista Home Premium 32 bit and noticed after the update that some of my news sites no longer work correctly. I thought it was the site itself, but now I am wondering if it had to do with the update since I never had this problem on these sites before. I no longer can join in discussions on my news sites because after I post my comments they never show up – they just disappear. And I no longer can update my account on one of the news sites. Has anyone else noticed any web sites not working correctly since updating with Windows Update?
Darn, now I hear about it. I’ve already rebuilt my entire system. I turned off my machine one night (with auto updates enabled) and the next day it wouldn’t boot. Blue screen would appear but not long enough to read, tried to pause it but gave up. After I rebuilt I put the distressed C: drive into my machine as a secondary and it all read perfectly fine and still is. At that point I knew something was foul.
Shouldn’t this link, “building a custom XP install/bootup disc on a USB drive” forward to instructions on just how to accomplish that? There is no mention of bootable USB drives on the page I was forwarded to.
I’ve several low-capacity USB flash drives that are no longer being used; a backup boot drive would be nice.
Chris,
Apologies. I will fix that link momentarily. Thanks.
A poster on the story at ISC ( http://isc.sans.org/diary.html?storyid=8209#comment ) stated that in his case it was due to a rootkit which, among other things, modified the system file atapi.sys . I have confirmed on one system I have where this update caused blue screens was similarly infected.
Hi Folks
Thanks for the great page Brian
For those of you with this issue and without a CD/DVD player to boot from, consider if you can, PXE booting
I use PXE booting at work/home to access tools and utilities. It’s great
Here’s a post to assist in creating a PXE environment for a few decent utilities
http://wiki.contribs.org/PXE_booting_to_BARTPE
Here’s a shameless plug for my own messy page on PXE booting if anyone wants to learn FreeBSD
http://www.isgsp.net/freebsd/pxe.html
I hope this helps
Take care
Steve
More interesting info on this from comments at http://isc.sans.org/diary.html?storyid=8209
“Because antivirus software is likely not to be able to detect malware on a running rootkit-infected system (because the rootkit will ‘cloak’ its existence), this may help people (who’ve not patched yet) to determine if their PC is infected with the malware identified by Patrick W. Barnes. However, I need some help to make sure.
The length of the original XP SP3 atapi.sys file (which lives in c:\windows\system32\drivers\) is 96,512 bytes. The malware version on Patrick W. Barnes’ website has the same length, so this doesn’t help. Furthermore, most people don’t understand “sha1sums” and do not have sha1sum.exe on their PC.
The binaries are mostly identical; the malware version has 4 bytes changed at the beginning of the file, while, interestingly, its version information block has been overwritten with the apparent malware code, probably leaving all original functionality intact.
Therefore, a modified atapi.sys by this particular malware can *probably* easily be identified on a running system by right-clicking c:\windows\system32\drivers\atapi.sys (Explorer must be configured to show system files): a *completely missing* Version tab in the file properties dialog box definitely means you’ve got a problem.
However, a present Version tab doesn’t necessarily mean your system is okay. The malware *may* have saved the version info data to a separate file (or the registry) before overwriting the section in atapi.sys.
Therefore, I’m very interested to know if anyone observes missing version info in atapi.sys on an (unpatched, otherwise it would BSOD) XP PC.
posted by Bitwiper, Fri Feb 12 2010, 00:55″
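The checks that Patrick W. Barnes and Bitwiper describe in their comments above (compare the SHA-1 of atapi.sys against a known copy, look for a missing version-information block, and find where the bytes differ from a clean SP3 driver) can be combined into one triage script. The following is an added example written for this page, not code from the original post or from either commenter. It assumes a Python 3 interpreter; the two SHA-1 values are the ones quoted in the comment and are taken on trust, and the sample images built at the bottom are constructed stand-ins, not real atapi.sys bytes. The version-block test relies on the fact that a PE version resource begins with the key string VS_VERSION_INFO stored as UTF-16LE, so a file whose version block was overwritten no longer contains that string.

```python
import hashlib
import sys
from typing import List, Optional, Tuple

# SHA-1 digests quoted in Patrick W. Barnes' comment above; copied from the page, not re-verified here
SHA1_NONWORKING_ATAPI = "bb3e36ad0c8ed6daab38653ea4a942d74b9f4ff6"
SHA1_WORKING_ATAPI_SP3 = "a719156e8ad67456556a02c34e762944234e7a44"

# A PE version resource starts with the key "VS_VERSION_INFO" as UTF-16LE. If malware overwrote
# the version block, as Bitwiper's comment describes, this string is no longer in the file.
VERSION_MARKER = "VS_VERSION_INFO".encode("utf-16-le")


def sha1_hex(data: bytes) -> str:
    """Hex SHA-1 of a file image, the same value sha1sum would print."""
    return hashlib.sha1(data).hexdigest()


def has_version_info(data: bytes) -> bool:
    """Heuristic for the 'missing Version tab' check: is the VS_VERSION_INFO key present?"""
    return VERSION_MARKER in data


def differing_ranges(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Byte ranges [start, end) where two images differ; a final range covers any length mismatch."""
    ranges = []
    n = min(len(a), len(b))
    i = 0
    while i < n:
        if a[i] == b[i]:
            i += 1
            continue
        j = i
        while j < n and a[j] != b[j]:
            j += 1
        ranges.append((i, j))
        i = j
    if len(a) != len(b):
        ranges.append((n, max(len(a), len(b))))
    return ranges


def triage_driver(data: bytes, reference: Optional[bytes] = None) -> str:
    """Classify a driver image: known hashes first, then structural anomalies."""
    digest = sha1_hex(data)
    if digest == SHA1_NONWORKING_ATAPI:
        return "infected: SHA-1 matches the non-working atapi.sys"
    if digest == SHA1_WORKING_ATAPI_SP3:
        return "clean: SHA-1 matches the XP SP3 atapi.sys"
    findings = []
    if not has_version_info(data):
        findings.append("VS_VERSION_INFO resource missing")
    if reference is not None:
        ranges = differing_ranges(data, reference)
        if ranges:
            findings.append(f"differs from reference at byte ranges {ranges}")
    if findings:
        return "suspicious: " + "; ".join(findings)
    return "unknown hash, no anomalies found"


# Constructed stand-ins for a clean and a tampered driver image (not real atapi.sys bytes):
# an MZ/PE-looking header, some code bytes, then a version block, mirroring the pattern of
# "a few bytes changed at the start, version block overwritten" reported in the comments.
CLEAN_SAMPLE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 32 + VERSION_MARKER + b"\x00" * 32
_tampered = bytearray(CLEAN_SAMPLE)
_tampered[64:68] = b"\xde\xad\xbe\xef"                                   # 4 bytes changed near the start
_m = CLEAN_SAMPLE.index(VERSION_MARKER)
_tampered[_m:_m + len(VERSION_MARKER)] = b"\xcc" * len(VERSION_MARKER)  # version block overwritten
TAMPERED_SAMPLE = bytes(_tampered)


if __name__ == "__main__":
    # Usage: python atapi_triage.py <driver.sys> [reference.sys]; with no arguments, run on the samples
    if len(sys.argv) < 2:
        print(triage_driver(CLEAN_SAMPLE))
        print(triage_driver(TAMPERED_SAMPLE, CLEAN_SAMPLE))
    else:
        with open(sys.argv[1], "rb") as f:
            image = f.read()
        ref = None
        if len(sys.argv) > 2:
            with open(sys.argv[2], "rb") as f:
                ref = f.read()
        print(sha1_hex(image), triage_driver(image, ref))
```

Run it against a copy of atapi.sys read from an offline boot (the Recovery Console, BartPE or a live CD), not from the running system, since a rootkit that is active will hand user-mode readers a clean copy of the file it has patched; pass your own SP3 atapi.sys as the second argument to get the byte ranges. The marker test is a heuristic in both directions: a damaged resource can still contain the key string, and its absence is evidence of tampering, not proof.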
Just checked my ‘old’ atapi.sys – rootkit infected apparently (although AVG found nothing when run under the infected system). So it looks like there is a lot of merit in this theory, as my PC BSOD’ed…
2 weeks ago I had problems completely unsolved by AVG 9.x
Malwarebytes cleaned up the machine in one swipe except for one item which was cleaned up by emailing their SUPERB tech support.
AVG= shaken faith I am afraid.
Each item has its strengths. I have to use AVG, MalwareBytes, SuperAntiSpyware, Spybot Search and Destroy to keep my machines clean. It’s a huge battle. I would love to find one single product that does everything. I would sign up as a reseller in a heartbeat.
Just curious. What do you do on your PC that requires all those products to keep it clean?
Got a Vista Home Premium system here that I’m working on for one of my users (side biz… clean/repair systems) and it’s blue-screening after updating Tuesday night / Wednesday. The error is 0x00000007E and the failing internal that is mentioned is *always* SCFLTR.SYS.
Is this the same problem as the Windows XP machines are having? FWIW, I had one machine I had to rebuild at work today after auto-updates. Would not even start in safe mode, due to Deep Freeze having been installed. Needless to say I did not reinstall DF when I rebuilt the system.
Anyway, if anyone knows how to fix a Vista system that has started blue screening immediately after installing Windows updates, I’d love to hear!
I’m not certain this is a related problem, but since it’s a BSoD issue that appears to have started after installing the update, I’ll report it.
Windows XP boots up OK, but an attempt to shut down or restart results in a BSoD most of the time. Also, my computer no longer connects to my cable modem, either by plugging in the Ethernet cable or through wireless. (A USB Verizon Wireless Broadband internet connection still works.)
If, following some advice on the Lenovo notebooks forum, I go into Device Manager and uninstall the Network Adapter (an Intel 82566MM Gigabit Network Connection), I can then access the Internet via my Ethernet cable connection the next time I boot up (the driver automatically reloads), but the connection is gone after the next shutdown and bootup.
I would recommend everyone install the Recovery Console on the hard drive.
\winnt32.exe /cmdcons
(XP machines)
Very handy and frees you from needing the CD in most cases.
MS removed this tool in Win 7 (sigh)
I think the starting phrase is a bit misleading to general public:
“If you use Windows XP and haven’t yet updated your system with the applicable security updates that Microsoft issued Tuesday, you might want to hold off for a bit.”
Microsoft bashing aside, I would still rather recommend having latest security updates immediately deployed rather than expose the system for attacks due to a risk of 0,0001% chance of getting BSoD. Or is there any statistic on how many systems were affected by this…
This post has been updated several times with many recommendations, including a workaround instead of installing the patch.
Microsoft is looking at this.
http://blogs.technet.com/msrc/archive/2010/02/11/restart-issues-after-installing-ms10-015.aspx
I was unaffected by this M$ update – nice for a change!
21 PCs patched with it so far, no problems.
6 PCs installed it but haven’t rebooted yet.
4 PCs downloaded but not installed it yet.
0 PCs with BSoD so far.
All according to my WSUS.
Hi. I was one of the users to receive the BSOD after installing the latest Microsoft updates. I was able to use the recovery disc to uninstall the updates and get my computer back up and running. However, now AVG is picking up a Trojan named: Trojan Horse Pakes.AW I do not know definitely if this is the malware associated with the update problem, but it is the only malware that I have found with my scanning. This Trojan likes to disable system restore, and creates temp files & folders within the following directory: C:\Windows\temp\ I can delete some of these files, but they reappear after about 5-10min. There are also files that cannot be deleted and are being used by the process/program. In task manager, under the process tree, it is named svchost.exe, and is a SYSTEM file. Obviously not the real executable. I have tried to go into safe mode in order to disable the virus but at the safe mode logon screen it freezes up. Does anyone else have any information that can be helpful?
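The fake svchost.exe the commenter above describes (a process named like the service host, shown as SYSTEM in Task Manager, that keeps recreating files under C:\Windows\temp) is a common masquerade, and three checks separate it from the genuine one: the image must be the copy in the System32 directory, its parent must be services.exe, and it must run under one of the service accounts. Running as SYSTEM on its own proves nothing, so the path and parent checks do the real work. The script below is an added example for this page, not code from the original post or the commenter. It assumes Python 3, a default C:\WINDOWS system root, and a process listing collected from a trusted source; the snapshot embedded in it is constructed, not taken from any real machine.

```python
import ntpath
from typing import List, NamedTuple


class Proc(NamedTuple):
    pid: int
    name: str
    path: str          # full image path of the process
    parent_name: str   # image name of the parent process
    user: str          # account the process runs as, as a tool would report it


# Location of the genuine service host; assumes the default %SystemRoot% of C:\WINDOWS
LEGIT_SVCHOST = r"C:\WINDOWS\system32\svchost.exe"
# Accounts the real svchost.exe runs under (Task Manager on XP shows just the bare name)
SERVICE_ACCOUNTS = {"system", "local service", "network service"}


def _account_name(user: str) -> str:
    """Strip a DOMAIN\\ or NT AUTHORITY\\ prefix and lower-case the account name."""
    return user.rsplit("\\", 1)[-1].lower()


def svchost_findings(procs: List[Proc]) -> List[str]:
    """Flag every svchost.exe whose image path, parent or account does not fit the real service host."""
    findings = []
    for p in procs:
        if p.name.lower() != "svchost.exe":
            continue
        # ntpath.normcase lower-cases and normalises slashes, so case tricks in the path do not slip by
        if ntpath.normcase(p.path) != ntpath.normcase(LEGIT_SVCHOST):
            findings.append(f"pid {p.pid}: svchost.exe loaded from {p.path}")
        if p.parent_name.lower() != "services.exe":
            findings.append(f"pid {p.pid}: parent is {p.parent_name}, expected services.exe")
        if _account_name(p.user) not in SERVICE_ACCOUNTS:
            findings.append(f"pid {p.pid}: running as {p.user}, not a service account")
    return findings


# Constructed process snapshot (not taken from any real machine): two genuine service hosts,
# one impostor under C:\WINDOWS\temp like the one in the comment, and one in a user profile.
SNAPSHOT = [
    Proc(4,    "System",       "",                                            "",             "NT AUTHORITY\\SYSTEM"),
    Proc(620,  "services.exe", r"C:\WINDOWS\system32\services.exe",           "winlogon.exe", "NT AUTHORITY\\SYSTEM"),
    Proc(812,  "svchost.exe",  r"C:\WINDOWS\system32\svchost.exe",            "services.exe", "NT AUTHORITY\\SYSTEM"),
    Proc(964,  "svchost.exe",  r"C:\WINDOWS\system32\svchost.exe",            "services.exe", "NT AUTHORITY\\NETWORK SERVICE"),
    Proc(1480, "svchost.exe",  r"C:\WINDOWS\temp\svchost.exe",                "explorer.exe", "NT AUTHORITY\\SYSTEM"),
    Proc(1600, "SVCHOST.EXE",  r"C:\Documents and Settings\bob\svchost.exe",  "svchost.exe",  "PC\\bob"),
]


if __name__ == "__main__":
    for line in svchost_findings(SNAPSHOT):
        print(line)
```

Feed it a listing produced by a tool that reads process information from the kernel or from an offline memory image rather than the infected system's own Task Manager, since a rootkit can hide its process or forge the image path that user-mode tools see.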
All this withstanding, I think the best solution is to do a Whole System Image BACKUP prior to doing ANY MS updates. I have made this a habit before any software update so that I can put everything back IF there is a problem.
I have used and recommended Acronis True Image in the past, but hesitate to do so now. I have not updated to their latest products as there are many bugs. Their forum is full of major problems. I have stuck with the Echo 9.7 version with good results.
It is not the KB that is the real issue; it has now been determined that PCs that BSOD after this update are infected with the Tdss rootkit.
Stop blaming Microsoft.
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1381423,00.html
And thanks to this KB a great many people are alerted to the presence of a rootkit in their systems.
Even if the problem is caused by a rootkit infection, it is still basically Microsoft’s fault because they are the ones who insisted that computer companies stop shipping the operating system CDs with the computers. They claim that was to prevent piracy, however there are other ways to prevent it.
Proper computing hygiene is always the end user’s requirement.
I think most of us already knew a rootkit or other form of malware could be responsible. Not everyone is blaming Microsoft. Some of us are just trying to repair our machines. Does anyone have any information regarding how to remove the rootkit and Trojan that I mentioned in my previous post?
It is the TDL3 rootkit that is causing this trouble. The rootkit infects the hard disk driver, usually atapi.sys or iaStor.sys or whatever hard disk driver you have.
Due to the very advanced stealthy nature of this rootkit, no major AV is currently able to discover or remove the infection. This infection has been spreading since October 2009.
Hitman Pro 3.5 is the only public AV that is able to detect and properly remove the rootkit, for free. There exists some public tools that remove older variants. Some vendors have a private tool to remove the rootkit. They keep it private as the rootkit’s authors are constantly changing its armor and they don’t want the authors to counter their removal tactics.
Since November 11, Hitman Pro cleaned over 16.000 TDL3 infections. That should say something about the spreading of this rootkit.
Also see this thread about the rootkit:
http://www.google.com/support/forum/p/Web+Search/thread?tid=6df7e15519290612&hl=en
Mike, you can Google for ‘Antivirus Boot Images’
I ran across this one, and use the Kaspersky Disc all the time in my security practice.
http://www.raymond.cc/blog/archives/2008/12/11/13-antivirus-rescue-cds-software-compared-in-search-for-the-best-rescue-disk/
How to remove Malware:Trojan, Virus, Worm, spyware, adware or other Malware
http://www.tips29.com/2009/01/how-to-remove-common-malwaretrojan.html
I just put up a new post after interviewing a security expert who found a bunch of Windows systems having this problem had previously been infected with a rootkit.
http://www.krebsonsecurity.com/2010/02/rootkit-may-be-culprit-in-recent-windows-crashes/
You’re blaming someone else for having a rootkit/Trojan on your PC, hahaha! Good one.
Macs are fine but just remember to turn on your firewall. I think the firewall is turned off by default from the manufacturer. You may also want to turn on private browsing in Safari and/or use Opera or Firefox for the Mac. Also, Intego sells some pretty good antivirus and firewall software for the Mac.
Thank you Brian.
That article proves that the Pakes Trojan is indeed part of this rootkit, and probably the culprit for installing it in the first place. If we replace the driver with the new one that may prevent the rootkit from not working, but other aspects of the malware/trojan will still exist.
This is what I’m talking about:
That Virustotal scan pointed at a stealthy rootkit that goes by several different names, including “TDSS” and “Pakes”. For its part, Microsoft’s Security Essentials anti-virus tool detects the invader as Win32/Alureon.A.
Basically, it's got all different names.
Steps to fix this problem:
1.) Uninstall the update conflicting with the rootkit so that there is no longer the BSOD.
2.) Replace the atapi.sys driver.
3.) Run appropriate anti-malware software to get rid of the rest of the malware.
I've got a feeling most people will not know how to do this, unfortunately. Oh well =/
Please note that to back out the offending patch as suggested one must KNOW the ADMINISTRATOR PASSWORD to get into the Recovery Console as well... FYI
@John: Instead of the recovery console consider using Linux to back out the problematic patch.
http://blogs.computerworld.com/15595/using_linux_to_back_out_a_windows_xp_patch
And, although Microsoft says it pulled MS10-015, it installed for me on two PCs on Feb. 17th.
http://blogs.computerworld.com/15606/has_the_problematic_windows_patch_been_pulled_or_not
Was unable to find or uninstall the KB977165 patch that is being talked about all over the web. I ended up renaming c:\windows\system32\drivers\SCFltr.sys and rebooted, and it worked!!!
Hi Brian
(KB977165) works fine on my XP SP3 PC.
It worked fine yesterday -> my upgrades all worked after upgrading with the new patches. But this morning I uninstalled the patch (KB977165).
Then ran it without the patch and it still worked fine today.
So I'm glad I made a backup of the patch after hearing they were pulling the patch off for a while until they find what happened in the first place to cause all these BLUE SCREENS OF DEATH=BSD.
My thinking is there was a lot of malware found on these machines.
Plus you have to take into account the fact that most "die-hard" WinXP users are still using SP2 <- answer to the problem: XP computers not up to date.
If not up to date or you don't know anything about malware, you're up the creek without a paddle...
2. It's a damn shame when users have to buy a computer that doesn't include a system disk. I think we should "kick" whoever tries to sell a computer without a system disk. This sucks and it needs to stop.
Mark
Brian
I forgot to say I'm an affiliate of Sunbelt.
Also now beta testing Vipre.
Alex had some of your news on his blog or I wouldn't have found out what happened...
Mark
There are several options to maintain data. I ANAPCT (am not a PC tech) but I can think of a few (besides replacing the atapi.sys file which is the consensus baddie):
1. Repair install of Windows
2. Remove the HDD from the PC, install it in another PC as a slave, retrieve data
3. Place HDD in a different PC, set it as boot drive, do a repair install, get your data back
4. Do a parallel install of Windows, get your data back, then delete the old Windows folder
In fact, usually the ONLY way all your data is trashed (Windows is in a separate folder from just about everything else) is if your HDD is dead, and no way could that be MSFT's fault.
I just read this article then clicked on the link to read about installing Windows from a USB drive. My computer briefly locked up then rebooted. I think the site at the link might be infected. Can you check this out? I am not using the computer while I do some research from another computer. This is the link that caused a problem, it is from your article: DO NOT CLICK ON THIS LINK!!!!
http://www.vandomburg.net/installing-windows-xp-from-usb/
Lovely, I just spent all day reinstalling a customer’s system because its hard drive “went bad” for no reason. Thanks Microsoft.
Thanks for the info! The original steps posted at the top work perfectly on a Dell Vostro 200 XP SP3 with the same issue. There was the same stop code but no reference to PAGE_FAULT_IN_NONPAGED_AREA, though. This is probably because detailed errors are off or something. Be sure to disable Automatic Updates as soon as you reboot, because the first thing this one did was re-install the already downloaded update again!! Good thing this is easy to fix! Thanks again for the post.
Why must you use Windows???
Have Linux and FreeBSD disappeared?