Windows Patch Leaves Many XP Users With Blue Screens
CWmike writes "Tuesday's security updates from Microsoft have crippled Windows XP PCs with the notorious Blue Screen of Death, users have reported on the company's support forum. Complaints began early yesterday, and gained momentum throughout the day. 'I updated 11 Windows XP updates today and restarted my PC like it asked me to,' said a user identified as 'tansenroy' who kicked off a growing support thread: 'From then on, Windows cannot restart again! It is stopping at the blue screen with the following message: 'A problem has been detected and Windows has been shutdown to prevent damage to your computer.' Others joined in with similar reports. Several users posted solutions, but the one laid out by 'maxyimus' was marked by a Microsoft support engineer as the way out of the perpetual blue screens."
first po
Stop OxOOOOOOFC (OxB5FD7D64, Ox76F3E963, OxB5FD7CDC, OxOOOOOOO1)
A problem has been detected and windows has been shut down to prevent damage to your computer.
THL phish sticks
All I keep hearing in my head is:
They put the update in, you take the update out!
They put the update in, shake your laptop all about!
"You do the hokey pokey and you uninstall the patch! That's what it's all about!"
"ooooh... the windows bluescreen."
"ooooh... the windows bluescreen."
"ooooh... the windows bluescreen."
"That's what it's all about!"
Science advances one funeral at a time- Max Planck
You know how I know they are lying? They are posting complaints online. We designed this patch -specifically- to stop online complaints about updates. They clearly haven't actually updated.
-Bill Gates
'I updated 11 Windows XP updates today...
You updated your updates? You're doing it wrong.
... and then they built the supercollider.
An MVP poster in the thread claims that KB977165 causes the problem, and that the problem only occurs on computers that have been compromised by exploit code. The patch in question patches the NT kernel executable files.
If it is true that only compromised computers blue screen then it's hard to fault Microsoft for their patch code choking when it stumbles across the exploit code.
I wonder if they are going to push out an updated patch that at least performs some sort of sanity checking before attempting to modify the files. I doubt it. They'll just pass the buck and tell users that their computers were already hosed and that the BSOD is a "feature" and that they should have re-installed the OS anyway (because we all know that once your Windows box is pwnt, the only way to deal with it is full format and re-install).
From the comments over at DShield on this topic http://isc.sans.org/diary.html?storyid=8209 it looks like this might be the case again
Here is a list of Microsoft stuff to remove from your XP slipstream:
Automatic Updates (for reasons related to the article) ...
Windows media player (including 6.4) because it downloads codecs at will.
Accessibility Options (unless you need them)
ClipBook Viewer (useless)
Games
Internet Games
Long list, wouldn't it be simpler to just remove Windows XP in its entirety from your PC and replace it with something else?
Only to idiots, are orders laws.
-- Henning von Tresckow
Windows costs less, is more secure, and superior to opensource OS's.
And hope your boss hears you before your fired.
Before my fired what?
Bow-ties are cool.
from ars: Users in the thread have tracked down a fix, though it requires using a copy of the Windows disc (or for netbook users without an optical drive, a bootable USB drive with Windows on it):
Boot from your Windows XP CD or DVD and start the recovery console (see KB307654 for help with this step)
Type this command: CHDIR $NtUninstallKB977165$\spuninst
Type this command: BATCH spuninst.txt
Type this command: systemroot
Good luck.
When complete, type this command: exit
I am quadriplegic with a tracheostomy to breathe. That means no keyboard or mouse and no auditory input. I control my computer with eye movement (the only muscles I still fully control) tracked via infrared camera. Almost every system built to assist communication for people like me is built on top of WinXP. There is a Mac version I have heard of but AFAIK doesn't do full control like the one I use. There is no Linux availability at all (oh how I wish).
So I am stuck. This system is my voice and my window to the world (travel is a major production requiring a team of assistants). It controls my immediate environment (tv, lights, etc.). It represents the last bit of independence I possess. It is a Tablet so "pop in the CD" isn't so easy.
I am very careful to avoid viruses and other malware (always was when I was healthy and Win32 was only a secondary OS for me then). But to be stabbed in the back would be utterly devastating to me. It could be weeks before I could get qualified help (Nerd Herd, etc. need not apply).
I have something in common with Stephen Hawking...
Before my fired what?
Don't correct me, your fired.
Regards
you're Boss
If you quote this signature there'll be 72 copies of Windows ME waiting for you in Heaven.
When I was in college, a friend of mine who lived down the hall from me came to my door one day frantically knocking. She had stored the only copy of her PhD dissertation on a floppy disk, and the disk had gotten corrupted, and she didn't know what to do.
I poked around on it for a little while, trying out a disk sector editor I had to see if I could recover anything, and I couldn't. It was just lost, period.
She ended up going dumpster-diving. She had thrown away a printed hard copy the day before, and they hadn't taken the trash away yet. She was literally in the trash dumpster, sifting through two apartment buildings' worth of trash to find it, and spent that entire night retyping it from scratch.
I felt sorry for her, and I remember thinking, "Well, I guess that's one way to learn a lesson that you'll never forget..." I was also really glad that I wasn't her significant other, because you know who would have been sifting through that dumpster.
It seems like someone's figured out what was causing the bluescreens... from the MS forum thread:
I had an Eee PC with XP Home brought to me with this same problem. I rolled back KB977165, rebooted and the system worked fine. I reapplied KB977165 and the rest of the updates available at Microsoft Update, and the problem returned. I replaced %System32%\drivers\atapi.sys with a clean version from an XP SP3 distribution folder and rebooted... voila! Problem solved.
For reference, the SHA1SUMs of the atapi.sys files:
Non-working:
bb3e36ad0c8ed6daab38653ea4a942d74b9f4ff6
Working:
a719156e8ad67456556a02c34e762944234e7a44
If anyone wants to look at the non-working atapi.sys:
https://patrickwbarnes.com/pub/atapi.sys
I will be looking at this more in-depth. If I find anything more, it will be posted in a follow-up comment at the ISC:
http://isc.sans.org/diary.html?storyid=8209
UPDATE:
I uploaded the non-working atapi.sys file to VirusTotal, and this is the result:
http://www.virustotal.com/analisis/85aa49f587f69f30560f02151af2900f3dc71d39d1357727ab41b11ef828a7ff-1265925529
Apparently, this update problem is the result of an infection.
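The check described in the comment above, as an added example that is not part of the original post: it hashes each copy of atapi.sys under a Windows directory mounted offline from another system and labels it against the two SHA-1 values quoted there. The `audit` and `live_driver_differs` names and the dllcache and ServicePackFiles locations are assumptions of this sketch, and a mismatch only marks a file for closer inspection.

```python
import hashlib
from pathlib import Path

# SHA-1 values quoted in the comment above.
KNOWN = {
    "bb3e36ad0c8ed6daab38653ea4a942d74b9f4ff6": "non-working (per post)",
    "a719156e8ad67456556a02c34e762944234e7a44": "working (per post)",
}

# Assumed XP locations, relative to the Windows directory: the loaded
# driver first, then the file-protection cache and service pack copies.
COPIES = (
    "system32/drivers/atapi.sys",
    "system32/dllcache/atapi.sys",
    "ServicePackFiles/i386/atapi.sys",
)


def sha1_file(path, chunk=1 << 16):
    """Stream the file so large inputs are not read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def audit(windows_dir, known=KNOWN):
    """Return {relative path: (sha1 or None, label)} for every copy."""
    report = {}
    for rel in COPIES:
        p = Path(windows_dir) / rel
        if not p.is_file():
            report[rel] = (None, "missing")
            continue
        digest = sha1_file(p)
        report[rel] = (digest, known.get(digest, "unknown"))
    return report


def live_driver_differs(report):
    """True when the loaded driver's hash differs from a reference copy."""
    live = report[COPIES[0]][0]
    refs = [d for rel, (d, _) in report.items() if rel != COPIES[0] and d]
    return live is not None and any(live != r for r in refs)
```

Run it against the disk from a rescue environment or a second machine rather than from the running XP install, so the files are read without the installed system in the path.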