If you use Windows XP and haven’t yet updated your system with the applicable security updates that Microsoft issued Tuesday, you might want to hold off for a bit. Turns out, a non-trivial number of XP users are reporting that their systems suffer from the dreaded Blue Screen of Death (BSoD) and fall into an interminable reboot loop after installing the latest batch of patches from Redmond.
The problem seems to be affecting only some XP systems. This thread on a Microsoft.com answers forum seems to include a fix that works. However, the fix requires users to have their XP install CD handy (in a practice that should be outlawed, many computer makers get away with shipping systems without an install/reinstall disc).
According to the support forum threads I’ve seen on this, affected users noticed the problem on the reboot following the installation of Tuesday’s patch batch. The folks who complained of the bootup problem said the BSOD error page is accompanied by the message “PAGE_FAULT_IN_NONPAGED_AREA”.
If you’re experiencing the above-described problems after installing Tuesday’s bundle of updates, follow these steps, which a number of affected users have said seem to fix the problem:
1. Boot from your Windows XP CD or DVD and start the recovery console (see this link on how to use recovery console)
Once you are in the Repair Screen:
2. Type this command: CHDIR $NtUninstallKB977165$\spuninst
3. Type this command: BATCH spuninst.txt
4. Type this command: systemroot
5. When complete, type this command: exit
Unfortunately, there is an entire subset of users who might be in for a whole mess more work to fix this kind of problem: Netbook users. One of the things that makes netbooks so light and small is that they do not have optical (CD/DVD-ROM) drives. If you’re a netbook user who has this problem AND a copy of a Windows XP install CD handy and a computer with a CD drive, you may still be able to rescue your system by building a custom XP install/bootup disc on a USB drive.
If all of that sounds like too much work, home users are eligible for no-charge support by calling 1-866-PCSAFETY (and/or 1-866-234-6020 and/or 1-800-936-5700) in the United States and in Canada. Microsoft says there is no charge for support calls that are associated with security updates.
Update, 8:34 a.m. ET: Based on a review of various help forums discussing this problem, it appears that the problematic update is KB977165 (MS10-015: “Vulnerabilities in Windows kernel could allow elevation of privilege”). Note that systems experiencing a BSoD may do so or hang in Safe Mode when loading the system driver “mups.sys”.
The help instructions above have been modified to specify the removal of just this one patch. A previous version of this blog post included instructions for removing all of the patches Microsoft shipped for XP systems on Tuesday.
Update, Feb. 12, 10:09 a.m. ET: Microsoft has a blog post up acknowledging this problem, saying that it stopped shipping the problematic update via Windows Update as soon as it recognized the issue. Redmond says it is still investigating the cause of the conflict. Microsoft notes that in lieu of applying the patch, XP users can use Microsoft’s click+install “Fix it” tool, which disables the vulnerable Windows component. That workaround is available here.
I think the starting phrase is a bit misleading to the general public:
“If you use Windows XP and haven’t yet updated your system with the applicable security updates that Microsoft issued Tuesday, you might want to hold off for a bit.”
Microsoft bashing aside, I would still rather recommend having the latest security updates immediately deployed rather than expose the system to attacks due to a risk of 0,0001% chance of getting BSoD. Or is there any statistic on how many systems were affected by this…
This post has been updated several times with many recommendations, including a workaround instead of installing the patch.
Microsoft is looking at this.
http://blogs.technet.com/msrc/archive/2010/02/11/restart-issues-after-installing-ms10-015.aspx
I was unaffected by this M$ update – nice for a change!
21 PC’s patched with it so far, no problems.
6 PC’s installed it but haven’t rebooted yet.
4 PC’s downloaded but not installed it yet.
0 PC’s with BSoD so far.
All according to my WSUS.
Hi. I was one of the users to receive the BSOD after installing the latest Microsoft updates. I was able to use the recovery disc to uninstall the updates and get my computer back up and running. However, now AVG is picking up a Trojan named: Trojan Horse Pakes.AW. I do not know definitely if this is the malware associated with the update problem, but it is the only malware that I have found with my scanning. This Trojan likes to disable system restore, and creates temp files & folders within the following directory: C:\Windows\temp\. I can delete some of these files, but they reappear after about 5-10min. There are also files that cannot be deleted and are being used by the process/program. In task manager, under the process tree, it is named svchost.exe, and is a SYSTEM file. Obviously not the real executable. I have tried to go into safe mode in order to disable the virus but at the safe mode logon screen it freezes up. Does anyone else have any information that can be helpful?
All this withstanding, I think the best solution is to do a Whole System Image BACKUP prior to doing ANY MS updates. I have made this a habit before any software update so that I can put everything back IF there is a problem.
I have used and recommended Acronis True Image in the past, but hesitate to do so now. I have not updated to their latest products as there are many bugs. Their forum is full of major problems. I have stuck with the Echo 9.7 version with good results.
It is not the KB that is the real issue, it has now been determined that PCs that BSOD after this update are infected with the Tdss rootkit.
Stop blaming Microsoft.
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1381423,00.html
And thanks to this KB a great many people are alerted to the presence of a rootkit in their systems.
Even if the problem is caused by a rootkit infection, it is still basically Microsoft’s fault because they are the ones who insisted that computer companies stop shipping the operating system CDs with the computers. They claim that was to prevent piracy, however there are other ways to prevent it.
Proper computing hygiene is always the end user’s requirement.
I think most of us already knew a rootkit or other form of malware could be responsible. Not everyone is blaming Microsoft. Some of us are just trying to repair our machines. Does anyone have any information regarding how to remove the rootkit and Trojan that I mentioned in my previous post?
It is the TDL3 rootkit that is causing this trouble. The rootkit infects the hard disk driver, usually atapi.sys or iaStor.sys or whatever hard disk driver you have.
Due to the very advanced stealthy nature of this rootkit, no major AV is currently able to discover or remove the infection. This infection has been spreading since October 2009.
Hitman Pro 3.5 is the only public AV that is able to detect and properly remove the rootkit, for free. There exist some public tools that remove older variants. Some vendors have a private tool to remove the rootkit. They keep it private as the rootkit’s authors are constantly changing its armor and they don’t want the authors to counter their removal tactics.
Since November 11, Hitman Pro cleaned over 16.000 TDL3 infections. That should say something about the spreading of this rootkit.
Also see this thread about the rootkit:
http://www.google.com/support/forum/p/Web+Search/thread?tid=6df7e15519290612&hl=en
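Added example (not part of the original post or of any comment): the comment above says the rootkit modifies the disk driver, usually atapi.sys, and hides from tools on the running system. This script, run from a Linux live CD with the XP volume mounted read-only, compares the driver in system32\drivers with the reference copies XP normally keeps in system32\dllcache and ServicePackFiles\i386. The mount point, the function names and the presence of those reference copies are assumptions.

```shell
#!/bin/sh
# Added example: offline comparison of an XP storage driver with the
# reference copies Windows keeps on the same volume.
# Assumption: the XP volume is mounted read-only at ROOT from a live CD.

# Resolve a path case-insensitively, one component at a time, because a
# Linux mount may expose the directory as WINDOWS, Windows or windows.
resolve_ci() {
    cur=$1; shift
    for part in "$@"; do
        cur=$(find "$cur" -mindepth 1 -maxdepth 1 -iname "$part" 2>/dev/null | head -n 1)
        [ -n "$cur" ] || return 1
    done
    printf '%s\n' "$cur"
}

# check_driver ROOT DRIVER
# Exit status: 0 = identical to every reference copy found
#              1 = differs from at least one reference copy
#              2 = driver missing, or no reference copy on the volume
check_driver() {
    root=$1; drv=$2
    live=$(resolve_ci "$root" windows system32 drivers "$drv") || return 2
    found=0; status=0
    for ref in "system32 dllcache" "ServicePackFiles i386"; do
        # $ref is left unquoted on purpose so it splits into two path components
        copy=$(resolve_ci "$root" windows $ref "$drv") || continue
        found=1
        if cmp -s "$live" "$copy"; then
            echo "MATCH    $copy"
        else
            echo "MISMATCH $copy"
            status=1
        fi
    done
    [ "$found" -eq 1 ] || return 2
    return "$status"
}

# Example call (mount point is hypothetical):
#   check_driver /mnt/xp atapi.sys
```

A MISMATCH is a reason to inspect the driver further, not proof of infection; a driver with no reference copy on the volume returns status 2 and needs a known-good copy from other media.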
Mike, you can Google for ‘Antivirus Boot Images’
I ran across this one, and use the Kaspersky Disc all the time in my security practice.
http://www.raymond.cc/blog/archives/2008/12/11/13-antivirus-rescue-cds-software-compared-in-search-for-the-best-rescue-disk/
How to remove Malware:Trojan, Virus, Worm, spyware, adware or other Malware
http://www.tips29.com/2009/01/how-to-remove-common-malwaretrojan.html
I just put up a new post after interviewing a security expert who found a bunch of Windows systems having this problem had previously been infected with a rootkit.
http://www.krebsonsecurity.com/2010/02/rootkit-may-be-culprit-in-recent-windows-crashes/
You’re blaming someone else for having a rootkit/Trojan on your PC, hahaha! Good one.
Macs are fine but just remember to turn on your firewall. I think the firewall is turned off by default from the manufacturer. You may also want to turn on private browsing in Safari and/or use Opera or Firefox for the mac. Also, Intego sells some pretty good antivirus and firewall software for the mac.
Thank you Brian.
That article proves that the Pakes Trojan is indeed part of this rootkit, and probably the culprit for installing it in the first place. If we replace the driver with the new one that may prevent the rootkit from not working, but other aspects of the malware/trojan will still exist.
This is what I’m talking about:
That Virustotal scan pointed at a stealthy rootkit that goes by several different names, including “TDSS” and “Pakes”. For its part, Microsoft’s Security Essentials anti-virus tool detects the invader as Win32/Alureon.A.
Basically, it’s got all different names.
Steps to fix this problem:
1.) Uninstall the update conflicting with the rootkit so that there is no longer the BSOD.
2.) Replace the atapi.sys driver.
3.) Run appropriate anti-malware software to get rid of the rest of the malware.
I got a feeling most people will not know how to do this unfortunately. Oh well =/
Please note to back out the offending patch as suggested one must KNOW the ADMINISTRATOR PASSWORD to get into the Recovery Console as well….FYI
@John: Instead of the recovery console consider using Linux to back out the problematic patch.
http://blogs.computerworld.com/15595/using_linux_to_back_out_a_windows_xp_patch
And, although Microsoft says it pulled MS10-015, it installed for me on two PCs on Feb. 17th.
http://blogs.computerworld.com/15606/has_the_problematic_windows_patch_been_pulled_or_not
Was unable to find or uninstall the KB977165 patch that is being talked about all over the web. I ended up renaming the c:\windows\system32\drivers\SCFltr.sys and rebooted and it worked!!!
Hi Brian
(KB977165) works fine on my XP SP3 PC.
It worked fine yesterday -> my upgrades all worked after upgrading with the new patches. But this morning I uninstalled the patch (KB977165).
Then I ran it without the patch and it still worked fine today.
So I’m glad I made a backup of the patch after hearing they were pulling the patch for a while until they find what happened in the first place to cause all these BLUE SCREENS OF DEATH = BSD.
My thinking is there was a lot of malware found on these machines.
Plus you have to take in the fact most “Die-Hard” WinXP USERS are still using “SP2” <- answer to the problem: XP computers not UP TO DATE.
If you’re not up to date or don’t know anything about malware, you’re up the creek without a paddle.
2. It’s a damn shame when users have to buy a computer that doesn’t include a system disk. I think we should “kick” whoever tries to sell a computer without a system disk. This sucks and it needs to stop.
Mark
Brian
I forgot to say I’m an affiliate of Sunbelt.
Also now beta testing Vipre.
Alex had some of your news on his blog or I wouldn’t have found out what happened.
Mark
There are several options to maintain data. I ANAPCT (am not a PC tech) but I can think of a few (besides replacing the atapi.sys file which is the consensus baddie):
1. Repair install of Windows
2. Remove the HDD from the PC, install it in another PC as a slave, retrieve data
3. Place HDD in a different PC, set it as boot drive, do a repair install, get your data back
4. Do a parallel install of Windows, get your data back, then delete the old Windows folder
In fact, usually the ONLY way all your data is trashed (Windows is in a separate folder from just about everything else) is if your HDD is dead, and no way could that be MSFT’s fault.
I just read this article then clicked on the link to read about installing Windows from a USB drive. My computer briefly locked up then rebooted. I think the site at the link might be infected. Can you check this out? I am not using the computer while I do some research from another computer. This is the link that caused a problem, it is from your article: DO NOT CLICK ON THIS LINK!!!!
http://www.vandomburg.net/installing-windows-xp-from-usb/
Lovely, I just spent all day reinstalling a customer’s system because its hard drive “went bad” for no reason. Thanks Microsoft.
Thanks for the info! The original steps posted at the top work perfectly on a Dell Vostro 200 XPSP3 with the same issue. There was the same stop code but no reference to a PAGE_FAULT_IN_NONPAGED_AREA though. This is probably because detail errors are off or something. Be sure to disable Automatic Updates as soon as you reboot because the first thing this one did was re-install the already downloaded update again!! Good thing this is easy to fix! Thanks again for the post.
Why do you have to use Windows???
Have Linux and FreeBSD disappeared?