February 11, 2010

If you use Windows XP and haven’t yet updated your system with the applicable security updates that Microsoft issued Tuesday, you might want to hold off for a bit. Turns out, a non-trivial number of XP users are reporting that their systems suffer from the dreaded Blue Screen of Death (BSoD) and fall into an interminable reboot loop after installing the latest batch of patches from Redmond.

The problem seems to be affecting only some XP systems. This thread on a Microsoft.com answers forum seems to include a fix that works. However, the fix requires users to have their XP install CD handy (in a practice that should be outlawed, many computer makers get away with shipping systems without an install/reinstall disc).

According to the support forum threads I’ve seen on this, affected users noticed the problem on the reboot following the installation of Tuesday’s patch batch. The folks who complained of the bootup problem said the BSOD error page is accompanied by the message “PAGE_FAULT_IN_NONPAGED_AREA”.

If you’re experiencing the above-described problems after installing Tuesday’s bundle of updates, follow these steps, which a number of affected users have said seem to fix the problem:

1. Boot from your Windows XP CD or DVD and start the recovery console (see this link on how to use recovery console)

Once you are in the Repair Screen..

2. Type this command: CHDIR $NtUninstallKB977165$\spuninst

3. Type this command: BATCH spuninst.txt

4. Type this command: systemroot

5. When complete, type this command: exit

Unfortunately, there is an entire subset of users who might be in for a whole mess more work to fix this kind of problem: Netbook users. One of the things that makes netbooks so light and small is that they do not have optical (CD/DVD-ROM) drives. If you’re a netbook user who has this problem AND a copy of a Windows XP install CD handy and a computer with a CD drive, you may still be able to rescue your system by building a custom XP install/bootup disc on a USB drive.

If all of that sounds like too much work, home users are eligible for no-charge support by calling 1-866-PCSAFETY (and/or 1-866-234-6020 and/or 1-800-936-5700) in the United States and in Canada. Microsoft says there is no charge for support calls that are associated with security updates.

Update, 8:34 a.m. ET: Based on a review of various help forums discussing this problem, it appears that the problematic update is KB977165 (MS010–15: “Vulnerabilities in Windows kernel could allow elevation of privilege”). Note that systems experiencing a BSoD may do so or hang in Safe Mode when loading the system driver “mups.sys”.

The help instructions above have been modified to specify the removal of just this one patch. A previous version of this blog post included instructions for removing all of the patches Microsoft shipped for XP systems on Tuesday.

Update, Feb. 12, 10:09 a.m. ET: Microsoft has a blog post up acknowledging this problem, saying that it stopped shipping the problematic update via Windows Update as soon as it recognized the issue. Redmond says it is still investigating the cause of the conflict. Microsoft notes that in lieu of applying the patch, XP users can use Microsoft’s click+install “Fix it” tool, which disables the vulnerable Windows component. That workaround is available here.

95 thoughts on “New Patches Cause BSoD for Some Windows XP Users”

  1. ATTak

    I think the starting phrase is a bit misleading to general public:

    “If you use Windows XP and haven’t yet updated your system with the applicable security updates that Microsoft issued Tuesday, you might want to hold off for a bit.”

    Microsoft bashing aside, I would still rather recommend having the latest security updates immediately deployed rather than expose the system to attacks due to a risk of 0,0001% chance of getting BSoD. Or is there any statistic on how many systems were affected by this…

    1. BrianKrebs Post author

      This post has been updated several times with many recommendations, including a workaround instead of installing the patch.

  2. seafsee

    I was unaffected by this M$ update – nice for a change!

  3. Rick

    21 PC’s patched with it so far, no problems.

    6 PC’s installed it but haven’t rebooted yet.

    4 PC’s downloaded but not installed it yet.

    0 PC’s with BSoD so far.

    All according to my WSUS.

  4. Mike

    Hi. I was one of the users to receive the BSOD after installing the latest Microsoft updates. I was able to use the recovery disc to uninstall the updates and get my computer back up and running. However, now AVG is picking up a Trojan named: Trojan Horse Pakes.AW. I do not know definitely if this is the malware associated with the update problem, but it is the only malware that I have found with my scanning. This Trojan likes to disable system restore, and creates temp files & folders within the following directory: C:\Windows\temp\. I can delete some of these files, but they reappear after about 5-10 min. There are also files that cannot be deleted and are being used by the process/program. In task manager, under the process tree, it is named svchost.exe, and is a SYSTEM file. Obviously not the real executable. I have tried to go into safe mode in order to disable the virus but at the safe mode logon screen it freezes up. Does anyone else have any information that can be helpful?

  5. me4833

    All this withstanding, I think the best solution is to do a
    Whole System Image BACKUP prior to doing ANY MS updates.

    I have made this a habit before any software update so
    that I can put everything back IF there is a problem.

    I have used and recommended Acronis True Image in the past, but hesitate to do so now. I have not updated
    to their latest products as there are many bugs. Their
    forum is full of major problems. I have stuck with the
    Echo 9.7 version with good results.

    1. Perspective

      And thanks to this KB a great many people are alerted to the presence of a rootkit in their systems.

    2. Jackie Johnson

      Even if the problem is caused by a rootkit infection, it is still basically Microsoft’s fault because they are the ones who insisted that computer companies stop shipping the operating system CDs with the computers. They claim that was to prevent piracy, however there are other ways to prevent it.

  6. Mike

    I think most of us already knew a rootkit or other form of malware could be responsible. Not everyone is blaming Microsoft. Some of us are just trying to repair our machines. Does anyone have any information regarding how to remove the rootkit and Trojan that I mentioned in my previous post?

    1. Erik Loman

      It is the TDL3 rootkit that is causing this trouble. The rootkit infects the hard disk driver, usually atapi.sys or iaStor.sys or whatever hard disk driver you have.

      Due to the very advanced stealthy nature of this rootkit, no major AV is currently able to discover or remove the infection. This infection has been spreading since October 2009.

      Hitman Pro 3.5 is the only public AV that is able to detect and properly remove the rootkit, for free. There exist some public tools that remove older variants. Some vendors have a private tool to remove the rootkit. They keep it private as the rootkit’s authors are constantly changing its armor and they don’t want the authors to counter their removal tactics.

      Since November 11, Hitman Pro cleaned over 16.000 TDL3 infections. That should say something about the spreading of this rootkit.

      Also see this thread about the rootkit:

  7. Marc

    Today I threw out my PC!! I am sick of Microsoft!! I have important work to do and my PC/ XP will not start.

    From now on I am a Mac user!!

    1. Rick

      You’re blaming someone else for having a rootkit/Trojan on your PC, hahaha! Good one.

    2. Marina

      Macs are fine but just remember to turn on your firewall. I think the firewall is turned off by default from the manufacturer. You may also want to turn on private browsing in Safari and/or use Opera or Firefox for the Mac. Also, Intego sells some pretty good antivirus and firewall software for the Mac.

  8. Mike

    Thank you Brian.
    That article proves that the Pakes Trojan is indeed part of this rootkit, and probably the culprit for installing it in the first place. If we replace the driver with the new one that may prevent the rootkit from not working, but other aspects of the malware/trojan will still exist.

    This is what I’m talking about:

    That Virustotal scan pointed at a stealthy rootkit that goes by several different names, including “TDSS” and “Pakes”. For its part, Microsoft’s Security Essentials anti-virus tool detects the invader as Win32/Alureon.A.

    Basically, it’s got all different names.

    Steps to fix this problem:
    1.) Uninstall the update conflicting with the rootkit so that there is no longer the BSOD.
    2.) Replace the atapi.sys driver.
    3.) Run appropriate anti-malware software to get rid of the rest of the malware.

    I got a feeling most people will not know how to do this unfortunately. Oh well =/
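An added example, not part of the original comments or of any vendor tool: the steps above replace the disk driver named in this thread (atapi.sys or iaStor.sys), so this Python script compares those files on an offline-mounted copy of the disk against known-good copies. The directory layout, function names and sample files are assumptions constructed for illustration; checking the disk offline from another system is also an assumption, made because the thread describes the rootkit as stealthy.

```python
import hashlib
import os
import tempfile

# Driver names taken from the comment thread; everything else here is assumed.
DRIVER_NAMES = ("atapi.sys", "iaStor.sys")


def sha256_of(path):
    """Hash a file in chunks so it never has to fit in memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_case_insensitive(directory, name):
    """Windows file names ignore case, a Linux mount does not: match by hand."""
    if not os.path.isdir(directory):
        return None
    for entry in os.listdir(directory):
        if entry.lower() == name.lower():
            return os.path.join(directory, entry)
    return None


def compare_drivers(offline_drivers_dir, reference_dir, names=DRIVER_NAMES):
    """Return {name: status}; status is 'match', 'mismatch',
    'not-on-disk' (driver absent from the offline disk) or
    'no-reference' (no known-good copy to compare with)."""
    report = {}
    for name in names:
        suspect = find_case_insensitive(offline_drivers_dir, name)
        known_good = find_case_insensitive(reference_dir, name)
        if suspect is None:
            report[name] = "not-on-disk"
        elif known_good is None:
            report[name] = "no-reference"
        elif sha256_of(suspect) == sha256_of(known_good):
            report[name] = "match"
        else:
            report[name] = "mismatch"
    return report


def build_constructed_sample(root):
    """Create constructed stand-in files (not real drivers) for a dry run."""
    offline = os.path.join(root, "offline", "WINDOWS", "system32", "drivers")
    reference = os.path.join(root, "reference")
    os.makedirs(offline)
    os.makedirs(reference)
    with open(os.path.join(reference, "atapi.sys"), "wb") as handle:
        handle.write(b"constructed clean driver bytes")
    # Same name in different case, with modified content.
    with open(os.path.join(offline, "ATAPI.SYS"), "wb") as handle:
        handle.write(b"constructed clean driver bytes" + b"\x90appended")
    return offline, reference


def demo():
    """Run the comparison on the constructed sample and return the report."""
    with tempfile.TemporaryDirectory() as root:
        offline, reference = build_constructed_sample(root)
        return compare_drivers(offline, reference)


if __name__ == "__main__":
    for driver, status in demo().items():
        print(f"{driver}: {status}")
```

A mismatch only says the file differs from the reference. A reference taken from a different service pack or hotfix level will also differ, so the known-good copy has to come from the same build.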

  9. John in Texas

    Please note to back out the offending patch as suggested one must KNOW the ADMINISTRATOR PASSWORD to get into the Recovery Console as well….FYI

  10. Ben

    Was unable to find or uninstall the KB977165 patch that is being talked about all over the web. I ended up renaming the c:\windows\system32\drivers\SCFltr.sys and rebooted and it worked!!!

  11. Mark Toman

    Hi Brian

    (KB977165) works fine on my XP SP3 PC.
    It worked fine yesterday -> my upgrades all worked after upgrading with
    new patches. But this morning I uninstalled the patch (KB977165).
    Then ran it without the patch and it still worked fine today.
    So I’m glad I made a backup of the patch after hearing they were pulling the patch off for a while until they find what happened in the first place to cause all these BLUE SCREENS OF DEATH = BSD.
    My thinking is there was a lot of “malware” found on these machines.
    Plus you have to take in the fact most “Die-Hard” WinXP USERS are still using “SP2” <- Answer to problem: XP computers not UP TO DATE.
    If not up to date or don’t know anything about “malware” you’re up the creek without a paddle……….
    2. It’s a damn shame when users have to buy a computer that doesn’t include a system disk. I think we should “kick” whoever tries to sell a “computer without a system disk”. This sucks and it needs to stop.


  12. Mark Toman

    I forgot to say I’m an Affiliate of Sunbelt.
    Also now beta testing Vipre.
    Alex had some of your news on his blog or I wouldn’t have found out what happened…..


  13. zekeman

    Did it ever occur to anyone that the more we have to use our computer that the more vulnerable we are to attack. That 33 percent of all computers in the world are infected. That one percent of the people own 90 percent of the world and that the poor working stiff just works to pay an interest payment for a place to lay his weary head after a hard day’s work. That when you get mad at Home Depot and tell them that you’re going down the street to Lowe’s that they don’t care because the same guy probably owns it. That it’s like all the wise men said, happiness can’t be bought because it’s a state of mind, an inside job, that all that I’m trying to do now is not give a nervous breakdown to all the people that are defending this problem. That someone in a wheel chair with no limbs can be the happiest person in the world. It’s all a state of mind so where is the sympathy, that’s all I want to know?

  14. shawna

    1- for all those people out there saying “its just in ur head, nothings wrong with mine” youre lucky. alot of people told me i was just making it up, when the update royally screwed my pc..
    2- microsoft says theyll help, but beware, they will tell you its your fault, its a hardware issue, you need to take it to your manufacturer, or to a pc tech, and they will not pay, or theyll tell you the only reason the update messed up your pc, is because it was either infected with a virus, malware, spyware, adware.. (EVEN THOUGH IT WASNT)

    3- if youre one of those people out there, who’s computer has crashed because the update, and it wont let you boot from disk. it wont give you that option, im sorry but you wont be able to save your pictures & files (unless you wanna pay $1200 or more).. but to at least have a running computer, im sorry but you wont get to have xp.. my computer had that problem.. and it wouldnt boot from the xp disk.. and i tried 10 different disks.. microsoft argued that it was hardware, or my fault.. or that the update messed up my pc due to malware & etc.. i argued with them.. the guy was a paki, who decided to tell me to speak english, even though he couldnt speak a lick of english. so he argued, and called me a bitch and then hungup on me.. so microsoft isnt really helpful..

    ANYWHO.. those who cant boot from disk to correct the problem.. the only choice is to either A) throw your pc out in the trash.. or B) load vista or 7 on it.. its the only way youll get it to work.. im sorry but its true.. i couldnt load xp.. at all.. but vista and 7 works.. i wish i could give good news.. but.. im sorry… thats the only option i know of..


    1. wahnula

      There are several options to maintain data. I ANAPCT (am not a PC tech) but I can think of a few (besides replacing the atapi.sys file which is the consensus baddie):

      1. Repair install of Windows
      2. Remove the HDD from the PC, install it in another PC as a slave, retrieve data
      3. Place HDD in a different PC, set it as boot drive, do a repair install, get your data back
      4. Do a parallel install of Windows, get your data back, then delete the old Windows folder

      In fact, usually the ONLY way all your data is trashed (Windows is in a separate folder from just about everything else) is if your HDD is dead, and no way could that be MSFT’s fault.

  15. JohnSolomons

    I just read this article then clicked on the link to read about installing Windows from a USB drive. My computer briefly locked up then rebooted. I think the site at the link might be infected. Can you check this out? I am not using the computer while I do some research from another computer. This is the link that caused a problem, it is from your article: DO NOT CLICK ON THIS LINK!!!!

  16. Greg

    Lovely, I just spent all day reinstalling a customer’s system because its hard drive “went bad” for no reason. Thanks Microsoft.

  17. Anthony

    Thanks for the info! The original steps posted at the top work perfectly on a Dell Vostro 200 XPSP3 with the same issue. There was the same stop code but no reference to a PAGE_FAULT_IN_NONPAGED_AREA though. This is probably because detail errors are off or something. Be sure to disable Automatic Updates as soon as you reboot because the first thing this one did was re-install the already downloaded update again!! Good thing this is easy to fix! Thanks again for the post.




Comments are closed.