Windows Patch Leaves Many XP Users With Blue Screens
CWmike writes "Tuesday's security updates from Microsoft have crippled Windows XP PCs with the notorious Blue Screen of Death, users have reported on the company's support forum. Complaints began early yesterday, and gained momentum throughout the day. 'I updated 11 Windows XP updates today and restarted my PC like it asked me to,' said a user identified as 'tansenroy' who kicked off a growing support thread: 'From then on, Windows cannot restart again! It is stopping at the blue screen with the following message: 'A problem has been detected and Windows has been shutdown to prevent damage to your computer.' Others joined in with similar reports. Several users posted solutions, but the one laid out by 'maxyimus' was marked by a Microsoft support engineer as the way out of the perpetual blue screens."
Saw this last month (Score:2, Informative)
I saw and fixed a similar issue in January. A particular KB had patched a .dll that was in fact rootkit infected, breaking the reference to some function call. Windows BSOD'd, claiming the whole partition was unmountable. Rolled back the KB in Recovery Console, sanitized the OS, and reapplied the KB. Problem solved.
Re:ha ha suckers!!! (Score:5, Informative)
First, take a deep breath. The most important rule is "Don't Panic".
Next, you download a Linux distro with a LiveCD. Ubuntu's a little bloaty, but it's got a lot of drivers right out of the box. If you've got internet access, you should be able to do that. If not, then you'll have to contact a friend with access or do it from the lab. Grab a beer while you wait -- it'll be a while.
Burn the liveCD and boot with that. You might have to edit your BIOS settings to boot from CD first. Choose the "try Ubuntu without making any changes to your computer" option. Once it boots up, you'll be able to access your hard drive, and most importantly, your dissertation. Print the fucking thing, email it to your gmail account, and while you're at it, email what you've got to your professor. Let him know that you're "having computer problems, so I'm sending what I could recover in the meantime." Remember that computers fail all the time so you have to keep copies of important papers on physically separate systems.
You're apparently a smart enough guy to get a PhD, so you should be able to figure out how to navigate Ubuntu. It's basically the same as Windows, but with the bar on the top instead of the bottom. My daughter's six and she can use Puppy Linux.
Actually, you could probably use Puppy. The whole OS is only 150MB, so it'll download in a much shorter time than Ubuntu. It's not quite as polished, but I've had good luck with it.
Re:ha ha suckers!!! (Score:5, Informative)
Agreed.
As long as you haven't turned on file encryption (only an option with XP Pro), you can easily recover everything. Do this:
1) Go to a friend's computer. Download and burn a copy of your favorite linux distro (I use Ubuntu).
2) Live-boot from the CD.
3) Mount the hard drive.
4) Insert your favorite USB storage device (make sure it is large enough).
5) Copy ALL important files to the USB drive (probably safest to copy your entire user directory, if your USB drive is big enough).
6) When done, re-format your hard drive and re-install XP.
7) Update your system completely.
8) Re-install all applications you need (office, etc.)
9) Copy your important files off of the USB drive.
Really, it is time-consuming, but I have had to do this exact same process for friends a bunch of times.
As far as the PhD goes, go up to step 5, and then use the friend's computer to print everything. Do steps 6-8 some other day.
Re:I dont' HAVE a DVD or CD... it's a hard drive p (Score:2, Informative)
You can install the recovery console as a boot option:
http://support.microsoft.com/kb/307654 [microsoft.com]
(You should have an I386 folder somewhere)
It is more complicated for Vista and later:
http://blogs.msdn.com/winre/archive/2007/01/12/how-to-install-winre-on-the-hard-disk.aspx [msdn.com]
Re:ha ha suckers!!! (Score:1, Informative)
I'm sure something as important as a PhD dissertation which you have no doubt been working on for many months or years has been properly backed up? Right? You wouldn't take the risk of someone stealing your PC, spilling water on the box, having a hard drive failure for something that critical to your future career. Right?
I have all my documents automatically copied to a secure network document store, I copy them to a thumb drive every day and to a larger usb drive every week. I'm talking about meaningless notes and information I may never even read again or need. Something like a PhD dissertation should probably be taken more seriously than leaving it on some computer waiting for one of a hundred different catastrophes to occur so I can blame anyone but myself.
Re:Need confirmation (Score:5, Informative)
If it is true that only compromised computers blue screen then it's hard to fault Microsoft for their patch code choking when it stumbles across the exploit code.
It's pretty easy to fault them for not taking a checksum before they patch to ensure that the file isn't modified. If it is, warn the user.
Microsoft patches are file-level, not delta-patches. They always overwrite complete files, and never try to modify files in-place.
That's why their patches are so huge, if there's a systematic error in many related files, then they all need to be replaced in their entirety.
It's a waste of bandwidth, but it's much more reliable.
I suspect what happened here is that Microsoft replaced one of two related files, but the other file was modified by the root-kit, and the mixed versions don't work together any more.
Re:ha ha suckers!!! (Score:3, Informative)
Don't bother with a live CD like one of the other posters recommended. Try the System Rescue CD [sysresccd.org]. It's a lot faster to download and has all the tools you'll need to get your dissertation off your computer.
Re:I dont' HAVE a DVD or CD... it's a hard drive p (Score:4, Informative)
You can install the recovery console as a boot option:
http://support.microsoft.com/kb/307654 [microsoft.com]
(You should have an I386 folder somewhere)
It is more complicated for Vista and later:
http://blogs.msdn.com/winre/archive/2007/01/12/how-to-install-winre-on-the-hard-disk.aspx [msdn.com]
Nope. If you follow that link, you'll see you still need the Windows XP DVD to install the recovery console. Sadly, it was not uncommon for XP systems to be sold with no recovery console. My Toshiba laptop (I'll never buy another) did not come with a Windows XP DVD, merely a "product recovery disk" which wipes everything off the hard drive and does a fresh install. No recovery console available. Apparently there's a huge difference between buying a computer that comes with XP and buying a computer that comes with "XP installed."
Re:I dont' HAVE a DVD or CD... it's a hard drive p (Score:2, Informative)
As I alluded to in my comment, all you need is the I386 folder. It is most likely present at C:\I386.
(I am typing this on a computer that did not come with an installation disc; I used the I386 folder to build one (with SP3 slip-streamed in). I have used that CD to install Windows into a VM.)
Re:wtf (Score:2, Informative)
why are you people still using xp?
Because -
a) I already own a license
b) It suits my needs
c) It's what my employer requires me to have on my at-home on-call PC. Since they're footing the bill, I can hardly complain. See a) and b) above.
One word - HIBERFIL.SYS (Score:2, Informative)
Try this before the "maxyimus" fix - boot Ubuntu or Sysinternals ERD and delete that pesky HIBERFIL.SYS and the $RECYCLER while you're at it. Reboot to a functional computer. If this doesn't fix then "maxyimus" it is.
Re:ha ha suckers!!! (Score:3, Informative)
In Windows XP the user folder is usually located in C:\Documents and Settings\username.
In Vista and Win 7 it is usually C:\Users\username.
Files specific to that user's accounts are stored under those directories such as Desktop, Documents etc.
Re:Why On Earth Do People Still Use Window? (Score:4, Informative)
XP is a 10 years old OS that was meant to be decommissioned years ago
Microsoft has had 10 years to introduce fixes to whatever problems Windows XP has. Systems are supposed to get MORE stable as they age, not get worse or show no improvement over time.
Re:ha ha suckers!!! (Score:5, Informative)
Actually it is KB977165 only that needs to be un-installed.
Re:ha ha suckers!!! (Score:3, Informative)
A handy guide:
Re:ha ha suckers!!! (Score:4, Informative)
I know you meant it as a joke, but single user mode (and "recovery console" equivalents on install disks) are far more capable than Windows' recovery console.
Potential cause for the blue-screens (Score:5, Informative)
It seems like someone's figured out what was causing the bluescreens... from the MS forum thread:
I had an Eee PC with XP Home brought to me with this same problem. I rolled back KB977165, rebooted and the system worked fine. I reapplied KB977165 and the rest of the updates available at Microsoft Update, and the problem returned. I replaced %System32%\drivers\atapi.sys with a clean version from a XP SP3 distribution folder and rebooted... voila! Problem solved.
For reference, the SHA1SUMs of the atapi.sys files:
Non-working:
bb3e36ad0c8ed6daab38653ea4a942d74b9f4ff6
Working:
a719156e8ad67456556a02c34e762944234e7a44
If anyone wants to look at the non-working atapi.sys:
https://patrickwbarnes.com/pub/atapi.sys [patrickwbarnes.com]
I will be looking at this more in-depth. If I find anything more, it will be posted in a follow-up comment at the ISC:
http://isc.sans.org/diary.html?storyid=8209 [sans.org]
UPDATE :
I uploaded the non-working atapi.sys file to VirusTotal, and this is the result:
http://www.virustotal.com/analisis/85aa49f587f69f30560f02151af2900f3dc71d39d1357727ab41b11ef828a7ff-1265925529 [virustotal.com]
Apparently, this update problem is the result of an infection.
Re:ha ha suckers!!! (Score:1, Informative)
(1) go to www.ubuntu.com
(2) download ISO and burn to CD
(3) boot the PC to Ubuntu CD
(4) navigate to your Windows user folder and find your f------ dissertation
(5) email it to yourself (if Ubuntu connects to your network) OR copy to USB drive
Dissertation Problem solved.
Re:ha ha suckers!!! (Score:3, Informative)
In fact, in Gnome, it works just like Windows: grab the bar (actually, Gnome calls it a "panel") and drag it to the screen edge you want it at. You can also have more than one of them, if you want; by default Gnome gives you two, on the top and bottom, but the right click menu on a panel gives you the options to add more panels or to delete the one you're right-clicking. Two works nicely since you can do more with a Gnome panel than a Windows bar; you can easily make your own quicklaunch icons, you'll generally have multiple menus on it (instead of one big Start menu) and it's where your Workspace Switcher lives (if only Windows had something that useful out of the box), in addition to doing absolutely everything the Windows bar does. It's all user-configurable, too.
Re:ha ha suckers!!! (Score:3, Informative)
The following assumes there is a limited, finite mental capacity for humans:
"Philosophers are people who know less and less about more and more, until they know nothing about everything. Scientists are people who know more and more about less and less, until they know everything about nothing." (quote from somebody smart)
Therefore PhD in science is an oxymoron. Actually, no it's not. You can both know everything about nothing, and nothing about everything, at the same time. You can have limit(x->infinity)x*1/2x+1/2x*x=1, or infinity*0+0*infinity=1, a finite number.
Re:ha ha suckers!!! (Score:3, Informative)
You lost me here.....windows has the equivalent of /home directories??
Yes.
I don't use windows that much [...]
Clearly, since it's something that appeared in Windows around 12-13 years ago.
Re:ha ha suckers!!! (Score:3, Informative)
No, you read it wrong.
The current uptime was 28 days.
The total up/downtime was used to calculate availability, which was ~99.92%. So, during that time(2009 03 27 - 2010 02 12), the computer was working 321 days (not continuously) and not working 5 hours (also not continuously) with a total of 11 reboots during that time which means average 29 days between reboots (even though most of those reboots were used all one after the other when fixing a hardware problem).
I think this is pretty stable. As I said, only one reboot was because the PC froze (and as such could be blamed on Windows, I do not know the actual cause), others were because of a hardware problem, hardware addition or power failure, all of which cannot be blamed on Windows.
Re:ha ha suckers!!! (Score:3, Informative)
Whoa.
I just did a little research on this; KB977165, the apparent cause of this, is the "fix" for the recently reported "17 year old vulnerability", which (as far as I can tell) was nothing of the sort, but the NTVDM (MSA979682).
The NTVDM is a "feature", not a bug; any exploit of it is something that was by design allowed to happen; Microsoft "patching it" is a Scary Thing.
That we are seeing blue-screens from this is not surprising. It IS surprising that they are trying to play this off as a XP-only problem, since essentially every version of windows is reporting problems.
Rootkit false positive? (Score:2, Informative)
My machines are running ok but I thought I'd look to see if KB977165 which is reported to cause the blue screens was on any of them. It was installed on one machine and not on another. So I thought I'd check a few more things that others say may be causing the problem.
It has been suggested that atapi.sys in the system32/drivers folder might be rootkitted by the update. I compared the SHA-1 hash of atapi.sys on both machines and they were the same (A719156E8AD67456556A02C34E762944234E7A44) so, apparently, update KB977165 didn't change that file in my case.
Some people are saying that atapi.sys is infected with a rootkit. I scanned the file through Jotti.com and it found nothing. I also scanned the file at VirusTotal.com and only eSafe reported a problem as follows:
eSafe 7.0.17.0 2010.02.11 Win32.Rootkit
I think this is a false positive since I have identical copies of atapi.sys on both machines and both show the same result on eSafe.
It's possible, I suppose, that I was rooted by something other than the Windows updates but, so far, Sysinternals Rootkit Revealer has shown nothing suspicious.
Do these results agree with anybody else's?
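The SHA-1 comparison of atapi.sys that the two comments above carry out by hand, and the pre-patch checksum suggested earlier in the thread, can be scripted. This is an added example, not code from any poster or from Microsoft. It assumes the Windows volume is mounted read-only from a live CD, so the installed system is not running, and it uses only the two atapi.sys hashes posted in the thread. The `audit` function and the `BASELINE` layout are illustrative names.

```python
import hashlib
from pathlib import Path

# SHA-1 values for XP SP3 atapi.sys exactly as posted in the thread.
BASELINE = {
    "atapi.sys": {
        "good": {"A719156E8AD67456556A02C34E762944234E7A44"},  # "Working"
        "bad": {"bb3e36ad0c8ed6daab38653ea4a942d74b9f4ff6"},   # "Non-working"
    },
}

def sha1_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def audit(drivers_dir, baseline=BASELINE):
    """Return {filename: (digest or None, verdict)} for each baseline entry.

    Assumption: drivers_dir is system32/drivers on an offline-mounted volume.
    """
    # Windows file names are case-insensitive; the mounted volume may not be.
    present = {p.name.lower(): p
               for p in Path(drivers_dir).iterdir() if p.is_file()}
    report = {}
    for name, sums in baseline.items():
        good = {d.lower() for d in sums.get("good", ())}
        bad = {d.lower() for d in sums.get("bad", ())}
        path = present.get(name.lower())
        if path is None:
            report[name] = (None, "missing")
            continue
        digest = sha1_of(path)
        if digest in bad:
            verdict = "known-bad"
        elif digest in good:
            verdict = "known-good"
        else:
            verdict = "unknown"  # on neither list: inspect before patching
        report[name] = (digest, verdict)
    return report

if __name__ == "__main__":
    import sys
    for name, (digest, verdict) in audit(sys.argv[1]).items():
        print(f"{verdict:10} {digest or '-':40} {name}")
```

An "unknown" verdict only means the file is on neither list; other legitimate builds of atapi.sys will have different hashes, so the baseline has to be extended with values taken from trusted media for the installed service pack.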
Re:One copy... on a floppy! (Score:2, Informative)
I'm not going to claim however that HFS was solely to blame, it's always possible that corruption occurred due to the occasional kernel panic on OSX, or bombs in the old days or applications doing something wonky, but it happened, and more often than the (more numerous) windows installations.
In the end though, it doesn't really matter, in most circumstances the corruption wasn't fatal and we had good backups, and there is no such thing as a perfect computer.
Re:Lucky Me (Score:3, Informative)
But you're probably right...