Windows XP Update KB977165 Causing BSOD

I have come across 2 PCs with this exact problem, found this info & thought others may find it useful.

Some Windows XP machines will BSOD after installing the update KB977165, released February 9th 2010, with the stop message STOP Error 0x0000007E. It's unclear whether a malware infection has to be present on the machine to conflict with the update. Haven't gotten that far yet.

Don't worry though, there is a fix.

You can uninstall the update via the recovery console using the following instructions, thanks to Meridian Networks from the Dell support community.

1) Boot off a Windows XP setup CD to the recovery console.
2) Change directories to the uninstall directory of the update in question: At the C:\windows prompt, type "CD $NtUninstallKB977165$\spuninst" and press Enter.
3) Run the uninstall script for that update: At the prompt, type "BATCH spuninst.txt" and press Enter. This executes the txt file as a batch script.

You'll also want to boot into safe mode and set automatic updates to download but do not install. Otherwise, when you boot into Windows it will automatically reinstall the update*.

Microsoft has posted an official response to the issue which you can read here. In a nutshell they state that they do not know the exact cause of the issue and pulled the patch from Windows Update* as they continue to investigate the problem.
 
Thanks for the issue. I received 3 calls yesterday about this.

Situations like this remind me why I do things the way I do them. I have 3 clients that have 51 retail locations between them. All the computers run XP Pro SP3. I configured them not to auto update just for this reason. I remember a few years ago when an update blue screened XP and I had a heck of a time visiting all the locations that were affected (it was about a dozen locations that were affected).

I visit each location at least once every two months to perform general maintenance on their systems and I install updates manually at that time, avoiding situations like this. I always say there's a method to my madness :)
 
There is a story linked on Slashdot about how this may be linked to a previous rootkit infection. If you revert the hotfix, you may want to do a complete scan and check out atapi.sys.
 
The 2 machines I've seen this on so far had a clean atapi.sys, but they did have that problem, just not when the update was applied.

EDIT: Just had this problem on a third that was clean as a whistle
 
I've seen this also on a machine with a stock atapi.sys. It's an interesting story to be sure (and TDSS is a punk), but it doesn't seem to be the case exclusively here. Nevertheless, thanks for the heads-up.
 
Thanks for the issue. I received 3 calls yesterday about this.

Situations like this remind me why I do things the way I do them. I have 3 clients that have 51 retail locations between them. All the computers run XP Pro SP3. I configured them not to auto update just for this reason.

Same here. Once every few years Microsoft will override this of course, because they can :mad:

I remember a few years ago when an update blue screened XP and I had a heck of a time visiting all the locations that were affected (it was about a dozen locations that were affected).

I visit each location at least once every two months to perform general maintenance on their systems and I install updates manually at that time, avoiding situations like this.

You might want to consider running a Windows server at your office with the WSUS service. You could then sign off updates on your central server, which will then give your clients' computers the go-ahead for the updates.

2 months is a long wait to apply security updates.

I always say there's a method to my madness :)

Spot on :D

I normally wait for the next Friday-evening to sign things off, which gives Microsoft just enough time to pull the dodgy updates :rolleyes:
 
I saw this BSOD problem this week on about 5 computers and every one of them had the TDSS atapi.sys infected files. Do note that the only AV tool I have found that detects the infected file is Kaspersky's online file submit scanner tool. Nothing else detects it. I pulled the hard drive on every machine and slaved it up to a clean PC and scanned at Kaspersky, removed the offending file(s) and replaced it with a clean version from the uninfected PC. Worked like a charm.
 
I hate when something like this happens in front of a client. I remember a long time ago I was setting up an internet connection for a client. I showed them how to connect, and while we were online the computer installed two updates, so I shut down and restarted before giving the computer back, and when it restarted: BSOD. She looked at me like I messed her computer up. I told her what happened and that I would fix it. I put in the XP CD to uninstall the updates and it asked for the password. She says she doesn't use a password but her daughter may know it, so she calls her daughter on the phone, and she said she doesn't have it, and then they start yelling and cussing at each other over the phone. Long story short, I reset the password, uninstalled the updates and turned off automatic updates. She called me the other day: "This thing's blue screening again." Fun, fun.
 
This worked for me

Here's what happened on the Sony. I tried booting into the recovery console but there was a password that I didn't know about.

Booted to Ophcrack 2.3 and recovered it. Then back to the recovery console and entered the commands. The result was "11 files copied". Exited out and booted into XP normally.

Right now I'm working on a cloned drive. When I'm done, I'll clone back again.

Packrat1947
 
From Kaspersky's forum. This issue is also found on Windows 7 64 bit installs.

It appears that some folks are using Ubuntu to replace the atapi.sys file if its size/date is incorrect. There is a lot of confusion on the Win 7 issue. Some think it is a Kaspersky issue. Anyhow, the atapi.sys gets modified and BSODs occur even in safe mode.

I guess we should keep a collection of clean atapi.sys files in our toolkits.

Packrat1947
 
I have atapi.sys, ndis.sys, iastor.sys and http.sys on my flash drive but when providing remote support, if you run a virus/malware scan that buggers any of the originals, on reboot you're done until someone goes on-site to replace them.

What I'd like to see, is a utility that checks the originals to see if they are infected and if so, replaces them on reboot so I don't get locked out from continuing remotely. Or hell, just replaces them on demand to eliminate that possibility. Should only take a minute to do so as a first-step task before getting into the thick of it.
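
Added example, not part of any post in this thread: a sketch of the offline check discussed above, comparing the four driver files named in the thread against known-good copies by size and SHA-256. It assumes the suspect disk is mounted on a clean machine or a live Linux boot, that the first argument is its WINDOWS/system32/drivers directory, and that the second is a toolkit folder of clean copies; the function names are made up for this sketch.

```python
import hashlib
import sys
from pathlib import Path

# Driver names come from the thread; the directory layout is an assumption.
DRIVERS = ("atapi.sys", "ndis.sys", "iastor.sys", "http.sys")


def sha256_of(path):
    """Hash a file in chunks so large drivers do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_ci(directory, name):
    """Case-insensitive lookup; NTFS volumes mounted on Linux keep names like ATAPI.SYS."""
    directory = Path(directory)
    if not directory.is_dir():
        return None
    for entry in directory.iterdir():
        if entry.is_file() and entry.name.lower() == name.lower():
            return entry
    return None


def compare_drivers(suspect_dir, clean_dir, names=DRIVERS):
    """Return {driver: status} for each name, comparing suspect file to reference copy."""
    results = {}
    for name in names:
        reference = find_ci(clean_dir, name)
        suspect = find_ci(suspect_dir, name)
        if reference is None:
            results[name] = "no-reference"      # nothing in the toolkit to compare with
        elif suspect is None:
            results[name] = "missing-suspect"   # driver absent on the suspect disk
        elif (suspect.stat().st_size != reference.stat().st_size
              or sha256_of(suspect) != sha256_of(reference)):
            results[name] = "MISMATCH"          # differs from reference: inspect before replacing
        else:
            results[name] = "match"
    return results


if __name__ == "__main__" and len(sys.argv) == 3:
    for driver, status in compare_drivers(sys.argv[1], sys.argv[2]).items():
        print(f"{status:16} {driver}")
```

A MISMATCH only means the file differs from the reference copy. Drivers legitimately differ between service packs and hotfix levels, so the clean copies need to come from a machine at the same patch level before a difference is treated as tampering.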
 