Windows Patch Leaves Many XP Users With Blue Screens

CWmike writes "Tuesday's security updates from Microsoft have crippled Windows XP PCs with the notorious Blue Screen of Death, users have reported on the company's support forum. Complaints began early yesterday, and gained momentum throughout the day. 'I updated 11 Windows XP updates today and restarted my PC like it asked me to,' said a user identified as 'tansenroy' who kicked off a growing support thread: 'From then on, Windows cannot restart again! It is stopping at the blue screen with the following message: 'A problem has been detected and Windows has been shutdown to prevent damage to your computer.' Others joined in with similar reports. Several users posted solutions, but the one laid out by 'maxyimus' was marked by a Microsoft support engineer as the way out of the perpetual blue screens."

ha ha suckers!!!

[gandhi_2]

first po

Stop OxOOOOOOFC (OxB5FD7D64, Ox76F3E963, OxB5FD7CDC, OxOOOOOOO1)

A problem has been detected and windows has been shut down to prevent damage to your computer.

Re:ha ha suckers!!!

Please don't joke about this. I have been affected, and at the worst possible time, too. I have to submit my PhD dissertation tomorrow, and I don't know what the fuck I'm supposed to do now.

I can't boot up, and I have one of those HP computers that has everything built into the screen, so I can't even take the hard drive out.

I CAN'T GET MY FUCKING PHD DISSERTATION. I AM SO FUCKED.

Re:ha ha suckers!!!

[biryokumaru]

It's not like the hard drive is bad. Just use knoppix or something. You're pretty dumb for someone getting a PhD. Maybe this is just the gods way of sending you a message.

Re:ha ha suckers!!!

What I don't get is why people don't bother backing up important things like that.

Re:ha ha suckers!!!

[Beardo+the+Bearded]

First, take a deep breath. The most important rule is "Don't Panic".

Next, you download a Linux distro with a LiveCD. Ubuntu's a little bloaty, but it's got a lot of drivers right out of the box. If you've got internet access, you should be able to do that. If not, then you'll have to contact a friend with access or do it from the lab. Grab a beer while you wait -- it'll be a while.

Burn the liveCD and boot with that. You might have to edit your BIOS settings to boot from CD first. Choose the "try Ubuntu without making any changes to your computer" option. Once it boots up, you'll be able to access your hard drive, and most importantly, your dissertation. Print the fucking thing, email it to your gmail account, and while you're at it, email what you've got to your professor. Let him know that you're "having computer problems, so I'm sending what I could recover in the meantime." Remember that computers fail all the time so you have to keep copies of important papers on physically separate systems.

You're apparently a smart enough guy to get a PhD, so you should be able to figure out how to navigate Ubuntu. It's basically the same as Windown, but with the bar on the top instead of the bottom. My daughter's six and she can use Puppy Linux.

Actually, you could probably use Puppy. The whole OS is only 150MB, so it'll download in a much shorter time than Ubuntu. It's not quite as polished, but I've had good luck with it.

Re:ha ha suckers!!!

first po
Stop OxOOOOOOFC (OxB5FD7D64, Ox76F3E963, OxB5FD7CDC, OxOOOOOOO1)

A problem has been detected and windows has been shut down to prevent damage to your computer.

Look, if he was bluescreening he wouldn't bother to type "0x0000FFFF" He'd just say it.

"Oooooooo FFFFFFFF..."

Re:ha ha suckers!!!

[david_thornley]

AC didn't say what his or her major was. I'd expect different computer competencies from a Computer Science major and a French Literature major. Or, given that AC is on Slashdot, perhaps an Anthropology major.

Re:ha ha suckers!!!

[harrkev]

Agreed.

As long as you haven't turned on file encryption (only an option with XP Pro), you can easily recover everything. Do this:

1) Go to a friend's computer. Download and burn a copy of your favorite linux distro (I use Ubuntu).

2) Live-boot from the CD.

3) Mount the hard drive.

4) Insert your favorite USB storage device (make sure it is large enough).

5) Copy ALL important files to the USB drive (probably safest to copy your entire user directory, if your USB drive is big enough.

6) When done, re-format your hard drive and re-install XP.

7) Update your system completely.

8) Re-install all applications you need (office, etc.)

9) Copy your important files off of the USB drive.

Really, it is time-consuming, but I have had to do this exact same process for friends a bunch of times.

As far as the PhD goes, go up to step 5, and then use the friend's computer to print everything. Do steps 6-8 some other day.

Re:ha ha suckers!!!

[interkin3tic]

You're pretty dumb for someone getting a PhD

I'm not sure if I should laugh at how wrong this is, or cry because of how wrong this is.

Re:ha ha suckers!!!

[DJRumpy]

Well that and the fact that the fix is a bit easier that formatting and reinstalling. From TFA:
I had the same problem. Since I didn't have time to identify which one of today's updates caused the problem, I removed them all and now my computer is back to normal.

Follow these steps:

1. Boot from your Windows XP CD or DVD and start the recovery console (see this Microsoft article for help with this step)

Once you are in the Repair Screen..

2. Type this command: CHDIR $NtUninstallKB978262$\spuninst

3. Type this command: BATCH spuninst.txt

4. Type this command: systemroot

5. Repeat steps 2 - 4 for each of the following updates provided by FindMeFollowMe:

        * KB978262
        * KB971468
        * KB978037
        * KB975713
        * KB978251
        * KB978706
        * KB977165
        * KB975560
        * KB977914

6. When complete, type this command: exit

Your computer should restart and everything should be back to normal.

Re:ha ha suckers!!!

[element-o.p.]

I'm sure there's a joke in there regarding LaTeX and safe computing somewhere...

Re:ha ha suckers!!!

[Pentium100]

Microsoft Windows is not a new product. If you don't know that it can't be counted on to work like a normal computer, that doesn't just mean you're not technical. It means you have been living under a rock for 20 years.

Strange, under my rock, Windows XP/2003 work well, I rarely have to restart my computers and when I do it is usually because of a hardware problem, long power outage (long enough to discharge UPS batteries) or because I am installing some software that needs a reboot. I get bluescreens very rarely.

for example:

Current System Uptime: 28 day(s), 3 hour(s), 27 minute(s), 48 second(s)
 
Since 2009.03.27:
 
          System Availability: 99.9270%
                  Total Uptime: 321d 11h:16m:42s
                Total Downtime: 0d 5h:38m:22s
                Total Reboots: 11
    Mean Time Between Reboots: 29.25 days
            Total Bluescreens: 0

Those 5 hours? Most of them were spent when I added more RAM, but had either a bad module or a bad slot, so I took that long to finally give up and disable 4 modules from BIOS, leaving 3GB (instead of 5GB what I wanted and 1GB of what was before). That was ~28 days ago. Then there were a few power outages and this PC was connected to a smaller UPS. IIRC only one of those 11 reboots was because the PC froze for some reason.

OS: 2003

Re:ha ha suckers!!!

[BabyDuckHat]

That's almost as user friendly as Linux right there.

Re:ha ha suckers!!!

[Sanat]

Actually it is * KB977165 only that needs to be un-installed.

 

Re:ha ha suckers!!!

[icannotthinkofaname]

You're pretty dumb for someone getting a PhD.

Because "getting a PhD" == "being an expert in everything"

Except for the part where it doesn't. It's more like "being an impressive expert in one field"

Did you even bother to figure out what the AC's degree is in? How do you the AC should know how to deal with something like that happening?

Re:ha ha suckers!!!

[westyx]

Of course not. Same folder, different name.

Re:ha ha suckers!!!

My grandma is going to do this? Clearly, Windows is not ready for the desktop.

Re:ha ha suckers!!!

[paganizer]

I've been doing that with "XCOPY" on my dos 6.21 box.

Did you see the solution?

[Cryacin]

All I keep hearing in my head is:
They put the update in, you take the update out!
They put the update in, shake your laptop all about!
"You do the hokey pokey and you uninstall the patch! That's what it's all about!"

"ooooh... the windows bluescreen."
"ooooh... the windows bluescreen."
"ooooh... the windows bluescreen."
"That's what it's all about!"

Liars!

[interkin3tic]

You know how I know they are lying? They are posting complaints online. We designed this patch -specifically- to stop online complaints about updates. They clearly haven't actually updated.

-Bill Gates

What?

[dangitman]

'I updated 11 Windows XP updates today...

You updated your updates? You're doing it wrong.

Re:What?

[Arthur+Grumbine]

To be fair, his computer had just been pimped by Xzibit...

Need confirmation

[dave562]

An MVP poster in the thread claims that KB977165 causes the problem, and that the problem only occurs on computers that have been compromised by exploit code. The patch in question patches the NT kernel executable files.

If it is true that only compromised computers blue screen then it's hard to fault Microsoft for their patch code choking when it stumbles across the exploit code.

I wonder if they are going to push out an updated patch that at least performs some sort of sanity checking before attempting to modify the files. I doubt it. They'll just pass the buck and tell users that their computers were already hosed and that the BSOD is a "feature" and that they should have re-installed the OS anyway (because we all know that once your Windows box is pwnt, the only way to deal with it is full format and re-install).

Re:Need confirmation

[Hatta]

If it is true that only compromised computers blue screen then it's hard to fault Microsoft for their patch code choking when it stumbles across the exploit code.

It's pretty easy to fault them for not taking a checksum before they patch to ensure that the file isn't modified. If it is, warn the user.

Re:Need confirmation

[RobDude]

Sort of.....

You can't really blame MS for a crash that happens because the .DLLs/code on someone's machine has been modified by a malicious 3rd party.

But, you can expect an MS (or any other OS) to take appropriate actions to avoid patching a file that isn't exactly what is expected.

What you'd really hope for, is that when a problem is detected during the update process (IE - Crap - this .DLL isn't the .DLL we expect. Something is wrong!' - instead of modifying the .DLL it would present the user with some meaningful information like, 'Hey - this patch failed. You probably have a virus....you should get that fixed'. Or something similar.

It's possible that the patch took some reasonable efforts to ensure the patch would only be applied as expected; but I don't know. I do know that, even if it did, it didn't work.

There is a world of difference between an 'infected' Windows machine that has some annoying pop-ups showing up every 15 minutes, but is otherwise functional, and a Windows machine that won't boot because of a recently installed patch.

Re:Need confirmation

[russotto]

There is a world of difference between an 'infected' Windows machine that has some annoying pop-ups showing up every 15 minutes, but is otherwise functional, and a Windows machine that won't boot because of a recently installed patch.

Yeah. The owner of the machine would rather have the former... while everyone else on the Internet would rather they had the latter, as the former is probably sending out spam and trying to infect every other machine it can find as well.

Re:Need confirmation

[bertok]

If it is true that only compromised computers blue screen then it's hard to fault Microsoft for their patch code choking when it stumbles across the exploit code.

It's pretty easy to fault them for not taking a checksum before they patch to ensure that the file isn't modified. If it is, warn the user.

Microsoft patches are file-level, not delta-patches. They always overwrite complete files, and never try to modify files in-place.

That's why their patches are so huge, if there's a systematic error in many related files, then they all need to be replaced in their entirety.

It's a waste of bandwidth, but it's much more reliable.

I suspect what happened here is that Microsoft replaced one of two related files, but the other file was modified by the root-kit, and the mixed versions don't work together any more.

Re:Need confirmation

[initialE]

It's bad news for Microsoft at so many levels -
1. it's a 17-year-old bug
2. The disclosure and proof-of-concept attack was done by Google, clearly not Microsoft's best friend
3. Microsoft was forced to release a patch that is not fully tested
4. The cure is worse than the illness
5. Lots of windows users find out they have been compromised for how long? Nobody really knows!
6. The only remedy now is to restore your computer to it's previous state, which means you carry on using your computer in it's compromised state

Re:Saw this last month

[Dorkmunder]

From the comments over a DShield on this topic http://isc.sans.org/diary.html?storyid=8209 it looks like this might be the case again

Intentional?

[Jawshie]

Well duh... How is Microsoft supposed to make any more money from you if they don't trash their old OS?

Just close your eyes and chant

[harris+s+newman]

Windows costs less, is more secure, and superior to opensource OS's. And hope your boss hears you before your fired.

Re:Just close your eyes and chant

[Tetsujin]

Windows costs less, is more secure, and superior to opensource OS's.

And hope your boss hears you before your fired.

Before my fired what?

Re:Just close your eyes and chant

[ZarathustraDK]

Before my fired what?

Don't correct me, your fired.

Regards
you're Boss

Re:Remove automatic updates from your slipstream

[Savage-Rabbit]

Here is a list of Microsoft stuff to remove from your XP slipstream:

Automatic Updates (for reasons related to the article)
Windows media player (including 6.4) because it downloads codecs at will.
Accessibility Options (unless you need them)
ClipBook Viewer (useless)
Games
Internet Games ...

Long list, wouldn't it be simpler to just remove Windows XP in it's entirety from your PC and replace it with something else?

I always wait for a while

[reboot246]

I let Windows inform me about updates, and I choose when to download them and install them. If nobody else has any problems after a week or so, then and only then will I download and install the updates. I learned a long time ago not to trust anything from Microsoft.

I'd like to thank all of you who beta tested the updates for me!

A quick fix

[Bloom+Berg]

from ars: Users in the thread have tracked down a fix, though it requires using a copy of the Windows disc (or for netbook users without an optical drive, a bootable USB drive with Windows on it): Boot from your Windows XP CD or DVD and start the recovery console (see KB307654 for help with this step) Type this command: CHDIR $NtUninstallKB977165 $\spuninst Type this command: BATCH spuninst.txt Type this command: systemroot Good luck. When complete, type this command: exit

Lucky Me

[Penguinshit]

Fortunately I didn't get bitten by this. I would be devastated. Here's why:

I am quadriplegic with a tracheostomy to breathe. That means no keyboard or mouse and no auditory input. I control my computer with eye movement (the only muscles I still fully control) tracked via infrared camera. Almost every system built to assist communication for people like me are built on top of WinXP. There is a Mac version I have heard of but AFAIK doesn't do full control like the one I use. There is no Linux availability at all (oh how I wish).

So I am stuck. This system is my voice and my window to the world (travel is a major production requiring a team of assistants). it controls my immediate environment (tv, lights, etc.). It represents the last bit of independence I possess. It is a Tablet so "pop in the CD isn't so easy.

I am very careful to avoid viruses and other malware (always was when i was healthy and Win32 was only a secondary OS for me then). But to be stabbed in the back would be utterly devastating to me. It could be weeks before I could get qualified help (Nerd Herd, etc. need not apply).

Windows cannot start again. So?

[gestalt_n_pepper]

You say this like it's a *bad* thing...

Re:microsoft screws users again. Why is this news?

[Beardo+the+Bearded]

The problem with Linux is that it's inarticulate. Look at Ubuntu, which is arguably the easiest way to get someone to use Linux if they're from a Windows background.

It works great, it's faster, and most configurations work right out of the box. if you have one of the few configurations that have been checked by the developers. (If you've got an ATI card like I do, Fuck You.) If you've got an older machine without one of the specific wireless cards detailed in document XR-122-65_rev_a_kernel26.6.1, you can with ndiswrapper and wpasupplicant. Rolling back the kernel version will also improve compatibilty on older systems. All of thse commands can be found on forums online, so there's lots of support for... ...what the FUCK are you talking about, Beardo? My machine USED to work, and now it doesn't and that's because I listened to you.

Windows is dominant because they write and market to people who aren't technical users. Read that bolded sentence again. Apple is hauling up their maketshare for the same reason -- they are marketing to the vast majority of people that want a computer but didn't spend their childhood in the CS lab. My dad doesn't want to learn how to use a command line to set up the email. My wife, lead tech support for distance education for a College, didn't like Ubuntu because of the Flash problem.

NOBODY GIVES A FUCK ABOUT PROPRIETARY DRIVERS. IF THE SHIT DOESN'T WORK THEN IT IS A LINUX PROBLEM. (Yes, even if it isn't.)

Hell, MS still has their ridiculous search, when you could just drop to a shell and type "dir *foo*.ext /s | more" and be done in 10 seconds. But you see, if you weren't the kind of person who reads /., I just a) bored you and b) acted condescending and c) said something unintelligible.

Linux is a spectacular tool, but like calipers, $30 ESD wirecutters, or my $200 soldering station, just aren't the right tool for the majority of people out there. If the developers get their heads out of their asses and learn how to market the software AND give the public what it wants, then and only then will Linux get its fair share of the market.

Re:The nut behind the wheel

[Sir_Lewk]

Uuuuuuuh..... A home user? Re-read that quotation that you so handily provided one more time.

I updated 11 Windows XP updates today and restarted my PC like it asked me to

See it?

my PC

It's singular. He applied updates to a single computer.

What sort of loon thinks that expecting home users to somehow test patches from their goddamn vendor before applying them is acceptable?

Re:microsoft screws users again. Why is this news?

[cetialphav]

If the developers get their heads out of their asses and learn how to market the software AND give the public what it wants, then and only then will Linux get its fair share of the market.

The question is why would developers want to expand their market share among the non-technical users? Personally, I could care less if my mom uses Linux. You know why? Because she is not a developer and will not contribute one line of code to the OSS world. I want Linux to develop a following among the technical/programmer crowd. This means a larger developer base, which means a greater pace of improvement. This has been happening consistently for the 15 years I've been using Linux and that keeps me happily on this platform. Its all about Developers! Developers! Developers! to me. Microsoft and Apple can have all the rest.

When someone decides that there is money in getting non-techies onto Linux, they will be able to polish Linux into something really slick. Ubuntu is trying, but there really doesn't seem to be enough money in it now so they aren't able to apply a lot of resources to it. Who knows? There may never be any real money in that kind of market (for Linux, anyway).

One copy... on a floppy!

[KingSkippus]

When I was in college, a friend of mine who lived down the hall from me came to my door one day frantically knocking. She had stored the only copy of her PhD dissertation on a floppy disk, and the disk had gotten corrupted, and she didn't know what to do.

I poked around on it for a little while, trying out a disk sector editor I had to see if I could recover anything, and I couldn't. It was just lost, period.

She ended up going dumpster-diving. She had thrown away a printed hard copy the day before, and they hadn't taken the trash away yet. She was literally in the trash dumpster, sifting through two apartment buildings' worth of trash to find it, and spent that entire night retyping it from scratch.

I felt sorry for her, and I remember thinking, "Well, I guess that's one way to learn a lesson that you'll never forget..." I was also really glad that I wasn't her significant other, because you know who would have been sifting through that dumpster.

Potential cause for the blue-screens

[ThePeeWeeMan]

It seems like someone's figured out what was causing the bluescreens... from the MS forum thread:

I had an Eee PC with XP Home brought to me with this same problem. I rolled back KB977165, rebooted and the system worked fine. I reapplied KB977165 and the rest of the updates available at Microsoft Update, and the problem returned. I replaced %System32%\drivers\atapi.sys with a clean version from a XP SP3 distribution folder and rebooted... voila! Problem solved.

For reference, the SHA1SUMs of the atapi.sys files:

Non-working:
bb3e36ad0c8ed6daab38653ea4a942d74b9f4ff6

Working:
a719156e8ad67456556a02c34e762944234e7a44

If anyone wants to look at the non-working atapi.sys:
https://patrickwbarnes.com/pub/atapi.sys

I will be looking at this more in-depth. If I find anything more, it will be posted in a follow-up comment at the ISC:
http://isc.sans.org/diary.html?storyid=8209

UPDATE :
I uploaded the non-working atapi.sys file to VirusTotal, and this is the result:
http://www.virustotal.com/analisis/85aa49f587f69f30560f02151af2900f3dc71d39d1357727ab41b11ef828a7ff-1265925529

Apparently, this update problem is the result of an infection.

Re:One copy... on a floppy!

[steelfood]

Ph.D. on a floppy? Should we get off your lawn?