Windows Patch Leaves Many XP Users With Blue Screens

Posted by timothy
from the could-be-worse-could-be-raining dept.
CWmike writes "Tuesday's security updates from Microsoft have crippled Windows XP PCs with the notorious Blue Screen of Death, users have reported on the company's support forum. Complaints began early yesterday, and gained momentum throughout the day. 'I updated 11 Windows XP updates today and restarted my PC like it asked me to,' said a user identified as 'tansenroy' who kicked off a growing support thread: 'From then on, Windows cannot restart again! It is stopping at the blue screen with the following message: 'A problem has been detected and Windows has been shutdown to prevent damage to your computer.' Others joined in with similar reports. Several users posted solutions, but the one laid out by 'maxyimus' was marked by a Microsoft support engineer as the way out of the perpetual blue screens."
This discussion has been archived. No new comments can be posted.

  • by gandhi_2 (1108023) on Thursday February 11, 2010 @06:40PM (#31106338) Homepage

    first po

    Stop OxOOOOOOFC (OxB5FD7D64, Ox76F3E963, OxB5FD7CDC, OxOOOOOOO1)

    A problem has been detected and windows has been shut down to prevent damage to your computer.

    • Re: (Score:2, Interesting)

      by Anonymous Coward
      Oh God. WHY did you use the letter instead of the number? *shudder*
    • by Anonymous Coward on Thursday February 11, 2010 @06:50PM (#31106484)

      Please don't joke about this. I have been affected, and at the worst possible time, too. I have to submit my PhD dissertation tomorrow, and I don't know what the fuck I'm supposed to do now.

      I can't boot up, and I have one of those HP computers that has everything built into the screen, so I can't even take the hard drive out.

      I CAN'T GET MY FUCKING PHD DISSERTATION. I AM SO FUCKED.

      • Re:ha ha suckers!!! (Score:4, Informative)

        by biryokumaru (822262) * <biryokumaru@gmail.com> on Thursday February 11, 2010 @07:00PM (#31106638)
        It's not like the hard drive is bad. Just use knoppix or something. You're pretty dumb for someone getting a PhD. Maybe this is just the gods' way of sending you a message.
        • by Anonymous Coward on Thursday February 11, 2010 @07:03PM (#31106672)

          What I don't get is why people don't bother backing up important things like that.

          • by KingSkippus (799657) on Thursday February 11, 2010 @08:48PM (#31108022) Homepage Journal

            When I was in college, a friend of mine who lived down the hall from me came to my door one day frantically knocking. She had stored the only copy of her PhD dissertation on a floppy disk, and the disk had gotten corrupted, and she didn't know what to do.

            I poked around on it for a little while, trying out a disk sector editor I had to see if I could recover anything, and I couldn't. It was just lost, period.

            She ended up going dumpster-diving. She had thrown away a printed hard copy the day before, and they hadn't taken the trash away yet. She was literally in the trash dumpster, sifting through two apartment buildings' worth of trash to find it, and spent that entire night retyping it from scratch.

            I felt sorry for her, and I remember thinking, "Well, I guess that's one way to learn a lesson that you'll never forget..." I was also really glad that I wasn't her significant other, because you know who would have been sifting through that dumpster.

        • by david_thornley (598059) on Thursday February 11, 2010 @07:09PM (#31106758)

          AC didn't say what his or her major was. I'd expect different computer competencies from a Computer Science major and a French Literature major. Or, given that AC is on Slashdot, perhaps an Anthropology major.

        • Re:ha ha suckers!!! (Score:5, Informative)

          by harrkev (623093) <kfmsd@@@harrelsonfamily...org> on Thursday February 11, 2010 @07:10PM (#31106770) Homepage

          Agreed.

          As long as you haven't turned on file encryption (only an option with XP Pro), you can easily recover everything. Do this:

          1) Go to a friend's computer. Download and burn a copy of your favorite linux distro (I use Ubuntu).

          2) Live-boot from the CD.

          3) Mount the hard drive.

          4) Insert your favorite USB storage device (make sure it is large enough).

          5) Copy ALL important files to the USB drive (probably safest to copy your entire user directory, if your USB drive is big enough).

          6) When done, re-format your hard drive and re-install XP.

          7) Update your system completely.

          8) Re-install all applications you need (office, etc.)

          9) Copy your important files off of the USB drive.

          Really, it is time-consuming, but I have had to do this exact same process for friends a bunch of times.

          As far as the PhD goes, go up to step 5, and then use the friend's computer to print everything. Do steps 6-8 some other day.

          • Re: (Score:3, Funny)

            by NatasRevol (731260)

            Windows is cheap if your time is worth nothing!

            Depending on your install disc, amount of files & apps to install, this could take up to a whole day!

        • by interkin3tic (1469267) on Thursday February 11, 2010 @07:22PM (#31106962)

          You're pretty dumb for someone getting a PhD

          I'm not sure if I should laugh at how wrong this is, or cry because of how wrong this is.

        • Re: (Score:3, Insightful)

          by trytoguess (875793)

          Intelligence, even extreme intelligence in something, doesn't imply aptitude in all common things. I mean, what, you think every person on slashdot is a well adjusted social individual?

        • by icannotthinkofaname (1480543) on Thursday February 11, 2010 @09:27PM (#31108362) Journal

          You're pretty dumb for someone getting a PhD.

          Because "getting a PhD" == "being an expert in everything"

          Except for the part where it doesn't. It's more like "being an impressive expert in one field"

          Did you even bother to figure out what the AC's degree is in? How do you know the AC should know how to deal with something like that happening?

          • Re: (Score:3, Informative)

            by sillybilly (668960)
            PhD stands for philosophiae doctor - teacher of philosophy.

            The following assumes there is a limited, finite mental capacity for humans:

            "Philosophers are people who know less and less about more and more, until they know nothing about everything. Scientists are people who know more and more about less and less, until they know everything about nothing." (quote from somebody smart)

            Therefore PhD in science is an oxymoron. Actually, no it's not. You can both know everything about nothing, and nothing ab
      • Re:ha ha suckers!!! (Score:5, Informative)

        by Beardo the Bearded (321478) on Thursday February 11, 2010 @07:06PM (#31106712)

        First, take a deep breath. The most important rule is "Don't Panic".

        Next, you download a Linux distro with a LiveCD. Ubuntu's a little bloaty, but it's got a lot of drivers right out of the box. If you've got internet access, you should be able to do that. If not, then you'll have to contact a friend with access or do it from the lab. Grab a beer while you wait -- it'll be a while.

        Burn the liveCD and boot with that. You might have to edit your BIOS settings to boot from CD first. Choose the "try Ubuntu without making any changes to your computer" option. Once it boots up, you'll be able to access your hard drive, and most importantly, your dissertation. Print the fucking thing, email it to your gmail account, and while you're at it, email what you've got to your professor. Let him know that you're "having computer problems, so I'm sending what I could recover in the meantime." Remember that computers fail all the time so you have to keep copies of important papers on physically separate systems.

        You're apparently a smart enough guy to get a PhD, so you should be able to figure out how to navigate Ubuntu. It's basically the same as Windows, but with the bar on the top instead of the bottom. My daughter's six and she can use Puppy Linux.

        Actually, you could probably use Puppy. The whole OS is only 150MB, so it'll download in a much shorter time than Ubuntu. It's not quite as polished, but I've had good luck with it.

        • Re: (Score:3, Insightful)

          by alvieboy (61292)

          "The most important rule is "Don't Panic"."

          The second one: "Install Linux"

          (Douglas would be proud of this one).

      • Re: (Score:3, Informative)

        by S.O.B. (136083)

        Don't bother with a live CD like one of the other posters recommended. Try the System Rescue CD [sysresccd.org]. It's a lot faster to download and has all the tools you'll need to get your dissertation off your computer.

      • Re: (Score:3, Interesting)

        by pz (113803)

        Assuming this isn't a troll --

        1. Sit. Down. Breathe.

        2. Go to the store and fill a shopping bag full of fatty snax, Doritos, Pringles, Kit-Kat bars, Coke, Red Bull, etc.

        3. Bring your computer and the bag to the university IT department and beg for help. Let them know that you don't care about the computer (because compared to N years of effort, one computer is nothing), just the contents of the hard drive.

        4. While the IT department is working on your computer, go to your departmental administrative office

      • Re: (Score:3, Insightful)

        by 1s44c (552956)

        I CAN'T GET MY FUCKING PHD DISSERTATION. I AM SO FUCKED.

        You can still get your data off but it might not be easy. Your local PC shop should be able to do it.

        People like me have been telling people like you not to trust windows for -DECADES-. You thought we were ignorant bigots and ignored us. Now you are suffering from the very problems we warned you about countless times. I don't mean to sound uncaring but you brought this on yourself.

    • by Anonymous Coward on Thursday February 11, 2010 @07:09PM (#31106756)

      first po
      Stop OxOOOOOOFC (OxB5FD7D64, Ox76F3E963, OxB5FD7CDC, OxOOOOOOO1)

      A problem has been detected and windows has been shut down to prevent damage to your computer.

      Look, if he was bluescreening he wouldn't bother to type "0x0000FFFF" He'd just say it.

      "Oooooooo FFFFFFFF..."

  • by Cryacin (657549) on Thursday February 11, 2010 @06:41PM (#31106366)
    All I keep hearing in my head is:
    They put the update in, you take the update out!
    They put the update in, shake your laptop all about!
    "You do the hokey pokey and you uninstall the patch! That's what it's all about!"

    "ooooh... the windows bluescreen."
    "ooooh... the windows bluescreen."
    "ooooh... the windows bluescreen."
    "That's what it's all about!"
  • Saw this last month (Score:2, Informative)

    by Anonymous Coward

    I saw and fixed a similar issue in January. A particular KB had patched a .dll that was in fact rootkit infected, breaking the reference to some function call. Windows BSOD'd, claiming the whole partition was unmountable. Rolled back the KB in Recovery Console, sanitized the OS, and reapplied the KB. Problem solved.

    • by Dorkmunder (950796) on Thursday February 11, 2010 @06:50PM (#31106492)
      From the comments over at DShield on this topic http://isc.sans.org/diary.html?storyid=8209 [sans.org] it looks like this might be the case again
    • Does the Windows update process, in fact, just naively apply patches to files that have the correct name and path, without verifying hashes or signatures, thus running a very high risk of breaking hard any file that had been slightly modified?

      Or was this some subtler and more complex situation, where the modified file itself was fine; but some tampered-with component was depending on the precise behavior of the modified file?
      • by e2d2 (115622)

        But why would that be a problem for them? The files they are updating are in their charge so no one else should be updating them. Do you mean a conflict with their own previous releases?

        That being said signatures are a feature of security updates and any other software released by MS; They always sign their releases. Not sure about hash checking.

      • Re: (Score:3, Interesting)

        by Johnno74 (252399)

        Does the Windows update process, in fact, just naively apply patches to files that have the correct name and path, without verifying hashes or signatures, thus running a very high risk of breaking hard any file that had been slightly modified?

        Or was this some subtler and more complex situation, where the modified file itself was fine; but some tampered-with component was depending on the precise behavior of the modified file?

        Sounds like that is exactly what this is. The file being patched isn't infected, but the rootkit has some dependency on the exact layout of this file, and when the file is updated by the patch the rootkit (accidentally) causes a bluescreen. Possibly the rootkit tries to patch the in-memory image of this file, which messes things up.

        What I find really frightening about this situation is how widespread the rootkit that is causing this problem is. Most people have no idea they were infected. (and still do, t

  • by PolygamousRanchKid (1290638) on Thursday February 11, 2010 @06:45PM (#31106436)

    . . . my Windows XP updates get pushed, pulled or shoved down my throat . . . this sounds like an excellent reason to clone my hard disk before rebooting, and logging on to my company's network . . .

    • Good idea. I have my updates set to ask to download and ask to install. On download I'm reminded I need a backup, so I shut down the system without installing the updates, do the backup, boot to install, reboot, cross fingers.

      Is anyone doing rsync backups (ooh, maybe even snapshots) of XP? Can rsync handle all the fs info needed to get a good backup? Right now I am indeed imaging the whole drive.

    • by denobug (753200)
      Running a patch server so I can personally release patches as I please.
  • Liars! (Score:5, Funny)

    by interkin3tic (1469267) on Thursday February 11, 2010 @06:50PM (#31106482)

    You know how I know they are lying? They are posting complaints online. We designed this patch -specifically- to stop online complaints about updates. They clearly haven't actually updated.

    -Bill Gates

  • What? (Score:5, Funny)

    by dangitman (862676) on Thursday February 11, 2010 @06:50PM (#31106486)

    'I updated 11 Windows XP updates today...

    You updated your updates? You're doing it wrong.

  • Need confirmation (Score:5, Interesting)

    by dave562 (969951) on Thursday February 11, 2010 @06:50PM (#31106490) Journal

    An MVP poster in the thread claims that KB977165 causes the problem, and that the problem only occurs on computers that have been compromised by exploit code. The patch in question patches the NT kernel executable files.

    If it is true that only compromised computers blue screen then it's hard to fault Microsoft for their patch code choking when it stumbles across the exploit code.

    I wonder if they are going to push out an updated patch that at least performs some sort of sanity checking before attempting to modify the files. I doubt it. They'll just pass the buck and tell users that their computers were already hosed and that the BSOD is a "feature" and that they should have re-installed the OS anyway (because we all know that once your Windows box is pwnt, the only way to deal with it is full format and re-install).

    • by Hatta (162192) on Thursday February 11, 2010 @07:05PM (#31106710) Journal

      If it is true that only compromised computers blue screen then it's hard to fault Microsoft for their patch code choking when it stumbles across the exploit code.

      It's pretty easy to fault them for not taking a checksum before they patch to ensure that the file isn't modified. If it is, warn the user.

      • by jedidiah (1196) on Thursday February 11, 2010 @07:13PM (#31106824) Homepage

        I was thinking that perhaps mebbe they should have a backup copy of that pre-patched kernel somewhere and give you the option to boot from it as a failsafe.

      • Re:Need confirmation (Score:5, Informative)

        by bertok (226922) on Thursday February 11, 2010 @07:46PM (#31107314)

        If it is true that only compromised computers blue screen then it's hard to fault Microsoft for their patch code choking when it stumbles across the exploit code.

        It's pretty easy to fault them for not taking a checksum before they patch to ensure that the file isn't modified. If it is, warn the user.

        Microsoft patches are file-level, not delta-patches. They always overwrite complete files, and never try to modify files in-place.

        That's why their patches are so huge, if there's a systematic error in many related files, then they all need to be replaced in their entirety.

        It's a waste of bandwidth, but it's much more reliable.

        I suspect what happened here is that Microsoft replaced one of two related files, but the other file was modified by the root-kit, and the mixed versions don't work together any more.

      • Re: (Score:3, Insightful)

        by Rockoon (1252108)
        This doesn't make sense.

        Even if the file was modified, over-writing it with a valid one will not cause a problem under normal operation.

        When the file is over-written, those modifications that you are thinking of are gone. The modifications can't come back from the grave as ghosts and cause a problem.

        The only way there can be a problem is if 'something else' is making an assumption about that file incorrectly, and that does not mean that the assumption is that the file has been modified. More likely the
      • Re: (Score:3, Interesting)

        It's pretty easy to fault them for not taking a checksum before they patch to ensure that the file isn't modified. If it is, warn the user.

        You're both missing what's actually happening here.

        1} The "patch code" doesn't choke. The patched kernel does next reboot.
        2} The patch doesn't touch the infected file.

        The problem appears to be a compromised atapi.sys driver. Is it really reasonable for Microsoft's patch to the kernel to react gracefully to whatever corruption is present in that driver? I know the obvious is that Windows should fail gracefully on any fault, but really... we don't have any clue what's present in that file.

        Summary: patch pa

    • One extreme measure is to use software like Deep Freeze, coupled with an antivirus program. Maybe a good ad blocker firewall to prevent malicious ads from infecting one's machine.

    • by RobDude (1123541) on Thursday February 11, 2010 @07:07PM (#31106726) Homepage

      Sort of.....

      You can't really blame MS for a crash that happens because the .DLLs/code on someone's machine has been modified by a malicious 3rd party.

      But, you can expect an MS (or any other OS) to take appropriate actions to avoid patching a file that isn't exactly what is expected.

      What you'd really hope for, is that when a problem is detected during the update process (IE - 'Crap - this .DLL isn't the .DLL we expect. Something is wrong!') - instead of modifying the .DLL it would present the user with some meaningful information like, 'Hey - this patch failed. You probably have a virus....you should get that fixed'. Or something similar.

      It's possible that the patch took some reasonable efforts to ensure the patch would only be applied as expected; but I don't know. I do know that, even if it did, it didn't work.

      There is a world of difference between an 'infected' Windows machine that has some annoying pop-ups showing up every 15 minutes, but is otherwise functional, and a Windows machine that won't boot because of a recently installed patch.

      • by russotto (537200) on Thursday February 11, 2010 @07:11PM (#31106792) Journal

        There is a world of difference between an 'infected' Windows machine that has some annoying pop-ups showing up every 15 minutes, but is otherwise functional, and a Windows machine that won't boot because of a recently installed patch.

        Yeah. The owner of the machine would rather have the former... while everyone else on the Internet would rather they had the latter, as the former is probably sending out spam and trying to infect every other machine it can find as well.

      • As you may have read elsewhere, MS doesn't use context or offset diffs. They just replace files. So the case you speak of is unlikely.

        The most likely case is that people who are having the problem have a foreign DLL in their system that calls directly into an offset into this DLL without version checking it. This DLL does so because it's a rootkit, and it wants to fly under the radar. When you change this DLL that other DLL is now calling into invalid code.

        But the problem here is this other DLL is bad. It i

    • Re:Need confirmation (Score:5, Interesting)

      by initialE (758110) on Thursday February 11, 2010 @07:58PM (#31107458)

      It's bad news for Microsoft at so many levels -
      1. it's a 17-year-old bug
      2. The disclosure and proof-of-concept attack was done by Google, clearly not Microsoft's best friend
      3. Microsoft was forced to release a patch that is not fully tested
      4. The cure is worse than the illness
      5. Lots of windows users find out they have been compromised for how long? Nobody really knows!
      6. The only remedy now is to restore your computer to its previous state, which means you carry on using your computer in its compromised state

  • Intentional? (Score:4, Insightful)

    by Jawshie (919956) on Thursday February 11, 2010 @06:53PM (#31106528)
    Well duh... How is Microsoft supposed to make any more money from you if they don't trash their old OS?
  • by harris s newman (714436) on Thursday February 11, 2010 @06:54PM (#31106536)
    Windows costs less, is more secure, and superior to opensource OS's. And hope your boss hears you before you're fired.
  • My machine has a hard drive partition with the "recovery" disk.

    I think I have automatic patches turned off on the XP box but I have automatic patching on the windows 7 box.

    I think I'm going to figure out how to turn it off when I get home.

  • Several users posted solutions, but the one laid out by 'maxyimus' was marked by a Microsoft support engineer as the way out of the perpetual blue screens.

    I don't think this is the solution you were thinking of. The linked solution [microsoft.com] has these notes:

    # Proposed As Answer by Fred_H 21 hours 11 minutes ago

    # Marked As Answer by Cody - Support Engineer Microsoft Support, Moderator 20 hours 13 minutes ago

    # Unmarked As Answer by Cody - Support Engineer Microsoft Support, Moderator 20 hours 12 minutes ago

    So it seems "Cody - Support Engineer Microsoft Support, Moderator" had second thoughts about a minute after marking this as the solution.

    [Disclaimer: I run Linux, not

  • by reboot246 (623534) on Thursday February 11, 2010 @07:18PM (#31106898) Homepage
    I let Windows inform me about updates, and I choose when to download them and install them. If nobody else has any problems after a week or so, then and only then will I download and install the updates. I learned a long time ago not to trust anything from Microsoft.

    I'd like to thank all of you who beta tested the updates for me!
  • A quick fix (Score:5, Informative)

    by Bloom Berg (1743432) on Thursday February 11, 2010 @07:25PM (#31107012)
    from ars [arstechnica.com]: Users in the thread have tracked down a fix, though it requires using a copy of the Windows disc (or for netbook users without an optical drive, a bootable USB drive with Windows on it):

    Boot from your Windows XP CD or DVD and start the recovery console (see KB307654 for help with this step)

    Type this command: CHDIR $NtUninstallKB977165$\spuninst

    Type this command: BATCH spuninst.txt

    Type this command: systemroot

    Good luck. When complete, type this command: exit
  • by Animats (122034) on Thursday February 11, 2010 @07:30PM (#31107104) Homepage

    Resistance is futile. You WILL upgrade to Windows 7 as instructed. We are in full control of your computer. Your computer will remain deactivated until you comply with our instructions. You have no alternative but to obey.

  • Lucky Me (Score:5, Interesting)

    by Penguinshit (591885) on Thursday February 11, 2010 @07:37PM (#31107188) Homepage Journal
    Fortunately I didn't get bitten by this. I would be devastated. Here's why:

    I am quadriplegic with a tracheostomy to breathe. That means no keyboard or mouse and no auditory input. I control my computer with eye movement (the only muscles I still fully control) tracked via infrared camera. Almost every system built to assist communication for people like me are built on top of WinXP. There is a Mac version I have heard of but AFAIK doesn't do full control like the one I use. There is no Linux availability at all (oh how I wish).

    So I am stuck. This system is my voice and my window to the world (travel is a major production requiring a team of assistants). It controls my immediate environment (tv, lights, etc.). It represents the last bit of independence I possess. It is a Tablet so "pop in the CD" isn't so easy.

    I am very careful to avoid viruses and other malware (always was when I was healthy and Win32 was only a secondary OS for me then). But to be stabbed in the back would be utterly devastating to me. It could be weeks before I could get qualified help (Nerd Herd, etc. need not apply).

    • Re: (Score:3, Interesting)

      by Arccot (1115809)

      Almost every system built to assist communication for people like me are built on top of WinXP. There is a Mac version I have heard of but AFAIK doesn't do full control like the one I use. There is no Linux availability at all (oh how I wish).

      Hmmm... that's pretty interesting. What's the software you normally use, and what's the device? There's tons of OSS developers out there just looking for a worthy cause.

  • by gestalt_n_pepper (991155) on Thursday February 11, 2010 @07:53PM (#31107404)

    You say this like it's a *bad* thing...

  • by Erikderzweite (1146485) on Thursday February 11, 2010 @08:08PM (#31107564)

    From TFA: "To regain control of their PCs, users were told to boot from their Windows XP installation disc, launch the Recovery Console and enter a series of commands."

    STOP COPYING LINUX ALREADY!

  • by ThePeeWeeMan (77957) on Thursday February 11, 2010 @09:50PM (#31108534) Journal

    It seems like someone's figured out what was causing the bluescreens... from the MS forum thread:

    I had an Eee PC with XP Home brought to me with this same problem. I rolled back KB977165, rebooted and the system worked fine. I reapplied KB977165 and the rest of the updates available at Microsoft Update, and the problem returned. I replaced %System32%\drivers\atapi.sys with a clean version from a XP SP3 distribution folder and rebooted... voila! Problem solved.

    For reference, the SHA1SUMs of the atapi.sys files:

    Non-working:
    bb3e36ad0c8ed6daab38653ea4a942d74b9f4ff6

    Working:
    a719156e8ad67456556a02c34e762944234e7a44

    If anyone wants to look at the non-working atapi.sys:
    https://patrickwbarnes.com/pub/atapi.sys [patrickwbarnes.com]

    I will be looking at this more in-depth. If I find anything more, it will be posted in a follow-up comment at the ISC:
    http://isc.sans.org/diary.html?storyid=8209 [sans.org]

    UPDATE :
    I uploaded the non-working atapi.sys file to VirusTotal, and this is the result:
    http://www.virustotal.com/analisis/85aa49f587f69f30560f02151af2900f3dc71d39d1357727ab41b11ef828a7ff-1265925529 [virustotal.com]

    Apparently, this update problem is the result of an infection.
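
An added example (not from the thread, the poster or Microsoft) of the pre-patch check argued for in the "Need confirmation" comments and made concrete by the hashes in the comment above: hash every copy of atapi.sys on an offline-mounted XP system root and compare it with the two SHA-1 values quoted there. The dllcache and ServicePackFiles locations, the function names and the constructed demo tree are assumptions for illustration.

```python
import hashlib
import os
import tempfile

# SHA-1 values for atapi.sys exactly as quoted in the comment above.
KNOWN_GOOD = {"a719156e8ad67456556a02c34e762944234e7a44"}
KNOWN_BAD = {"bb3e36ad0c8ed6daab38653ea4a942d74b9f4ff6"}

# Assumed locations (relative to the XP system root) that can hold a copy.
CANDIDATES = [
    ("system32", "drivers", "atapi.sys"),       # copy loaded at boot
    ("system32", "dllcache", "atapi.sys"),      # Windows File Protection cache
    ("ServicePackFiles", "i386", "atapi.sys"),  # service pack source files
]


def sha1_of(path, chunk=1 << 16):
    """Stream the file through SHA-1 instead of reading it in one go."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def resolve_nocase(root, parts):
    """Resolve parts under root ignoring case (NTFS names keep mixed case)."""
    current = root
    for part in parts:
        if not os.path.isdir(current):
            return None
        match = [n for n in os.listdir(current) if n.lower() == part.lower()]
        if not match:
            return None
        current = os.path.join(current, match[0])
    return current if os.path.isfile(current) else None


def audit_driver(system_root, good=KNOWN_GOOD, bad=KNOWN_BAD):
    """Hash every copy found and return (decision, rows).

    decision: "block"  - the boot copy matches a known-bad hash
              "review" - boot copy missing or unknown, or the copies disagree
              "ok"     - boot copy is known-good and every copy agrees
    """
    rows = []
    for parts in CANDIDATES:
        path = resolve_nocase(system_root, parts)
        if path is None:
            continue
        digest = sha1_of(path)
        label = "bad" if digest in bad else "good" if digest in good else "unknown"
        rows.append(("/".join(parts), digest, label))
    boot = next((r for r in rows if r[0] == "/".join(CANDIDATES[0])), None)
    if boot is not None and boot[2] == "bad":
        return "block", rows
    if boot is None or boot[2] != "good" or len({r[1] for r in rows}) > 1:
        return "review", rows
    return "ok", rows


def build_demo_tree(boot_bytes, cache_bytes):
    """Constructed sample: a fake, mixed-case XP system root in a temp dir."""
    root = tempfile.mkdtemp(prefix="xp_root_")
    for sub, name, data in (("DRIVERS", "ATAPI.SYS", boot_bytes),
                            ("DllCache", "atapi.sys", cache_bytes)):
        folder = os.path.join(root, "System32", sub)
        os.makedirs(folder, exist_ok=True)
        with open(os.path.join(folder, name), "wb") as handle:
            handle.write(data)
    return root


if __name__ == "__main__":
    # Constructed stand-ins: the real hashes cannot be reproduced by test data.
    clean, tampered = b"constructed clean driver", b"constructed tampered driver"
    good = {hashlib.sha1(clean).hexdigest()}
    bad = {hashlib.sha1(tampered).hexdigest()}
    decision, rows = audit_driver(build_demo_tree(tampered, clean), good, bad)
    for where, digest, label in rows:
        print(f"{label:8} {digest}  {where}")
    print("decision:", decision)
```

Point `audit_driver` at the mount point of the XP system root from a live CD rather than running it on the booted system, since a rootkit that is active can falsify what a hash tool reads. An "unknown" result is not proof of infection: other service pack levels ship different legitimate builds of the driver.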

  • by Torodung (31985) on Thursday February 11, 2010 @11:09PM (#31109060) Journal

    There were 8 freaking OS security patches in this last patch Tuesday. It must have been a joy to track down the one update that was causing the problem (KB977165).

    I have honest pangs of sympathy for the poor sucker that had to figure out that that one update was rendering infected systems unbootable.

    This is why monoculture sucks. *Healthy* cultures are diverse. "Mono" doesn't enter into it. Pun very much intended.

    --
    Toro
