"booting from a Windows CD or DVD"
If you're lucky enough to have one...
Thankfully we do, though at least as equally thankfully we also managed to avoid this problem!
Applying the latest patches from Microsoft can cause Windows XP machines to crash with the infamous blue screen of death. Updating systems with the MS10-015 bulletin, which addresses "important" vulnerabilities in Windows Kernel, can cause machines to lock up when restarted before falling into a never-ending reboot loop. The …
I always disable automatic updates, but I always manually apply updates when the notification comes up... except today, when I had a chance to read this (and other) article, and now I can wait for M$ to fix the problem.
Being up to date is very important, but it is even more important to make informed decisions on patch management. I don't have blind faith that every patch is safe.
Disabling them completely is not a good idea, but setting it to the option where it will notify you of the existence of updates without blindly installing them is sensible. Then you can install them when it's convenient for you.
I've had a machine doing something overnight before now that I hadn't realised was set to install updates. Along comes an update, machine reboots on its own in the middle of the night, goodbye to what it was doing and I lose time because it failed to complete the test run.
Around November, a patch was released that wouldn't bluescreen, but also put certain combinations of PCs in the never-ending boot condition, making me a very busy person. Many people thought a "virus" broke their computers, and I'm somewhat tempted to agree. Haven't found a way out other than to revert the patch and stop Windows updates altogether.
Just a couple of months ago, several of our Windows XP machines got screwed up by a false-positive antivirus alert which caused the antivirus service to delete critical system files. We couldn't believe it at first; all users log in to limited accounts, but the weak link was the antivirus service.
The machines wouldn't boot normally but did boot into safe mode. Unfortunately, the System Restore facility failed, so we couldn't just roll back to a restore point. While manually restoring the system, Microsoft's anti-piracy subsystem kicked in, rendering the system useless as it disallowed safe-mode logins, and the system wouldn't boot normally. So we were locked out because Windows didn't think its licence had been activated, but we couldn't log in to register/activate it!
Now, just a couple of months later, this has happened: an official Microsoft update has rendered the systems unusable again!
We're now looking at deploying a Debian-based Linux distribution on all our desktops. Microsoft Windows is far too unstable for serious business use!
Microsoft are doing this on purpose to get people away from XP altogether, because they know people won't move to Vista or 7, since either they can't afford to move or their systems don't support the new OS. Chances are their system won't support it, the drivers in particular. My mother's laptop is over 4-5 years old; it came preinstalled with XP Home, and I've tried 7 on it, and straight away loads of features got disabled when I did, so I solved it by moving back to XP using the recovery CD.
The linked MS thread has info here. Seems that the problem may be due to the TDSS rootkit. Replacing the infected atapi.sys that this POS puts in place with a kosher one on affected machines seems to fix the problem (as does uninstalling the "dodgy" patch - for which instructions are provided).
This would explain why those machines affected don't seem to have anything else in common by way of configuration.
If this does turn out to be the root (hah) cause, I don't think we can blame MS......well, not for this particular cockup anyway. I'll keep the flamethrower on standby 'til a definitive answer turns up.
I just got settled into my new place, internet just turned up after 3 days of withdrawal... Good Ol' Microsoft Update! I went into reboot cycling, tried fixing it, spent 4 hours on the phone (mostly on HOLD), intermittently interrupted by some thick Indian-accented individual NEVER mentioning "Ohh that... we know about that", even after describing my problem.
Now they make the push to upgrade...the only thing I'm likely to upgrade to is LINUX (wonder how Mandrake is...haven't used that in a while). I just KNEW I was going to find this cheezy steamin pile of BAD NEWS!! I had a feelin this was the cause, now it's confirmed!
Wandering around the internet looking at this wonderful new achievement from Microsoft I think it may not be just Win XP.
Quote from "Ars Technica" dot com
"The majority of users who are complaining about the issue are on Windows XP, but some users in the thread mention this occurs for them on Windows Server 2003 and Windows Vista."
I've noticed other issues on some machines I've updated, including previously stable machines dropping wireless connections, and any previously installed clients for managing connections (such as the MSI manager) being disabled in favour of allowing Windows to manage connections. I've had to reinstall drivers and apps on 3 different systems thus far. I'm far from happy.......
Once upon a time, Windows XP SP2, when it first came out, broke my FireWire card driver after installation so it wouldn't initialise properly. If you left the network enabled in Windows it would not boot, just a black screen. Had to pull the card out and disable it.
Then with Vista I did one of those "high priority updates" which caused the machine to be stuck in a reboot loop, and the only way of fixing it was to plug the drive into a Linux machine and delete the pending.xml file. On installing the update a second time it was fine.
This is the crappiness you expect from Microsoft, learn to live with it.
Ahh... perfect. This solved a puzzle I had with a Toshiba laptop. After following the instructions in the Microsoft post, the BSOD has gone.
I had a different error number for the STOP, but fixed the same way by uninstalling that update.
(Good to see MS put the answer at the TOP of that thread instead of having to wade through a discussion)
My recipe: keep the Windows/applications system partition separate and small (15 GB plus hibernation file, page file 4000 MB on a separate volume), and back it up regularly, particularly before a Windows Update session. But do apply those updates promptly, because bad people examine them specifically to find out how to hack computers that haven't got 'em.
Maybe a failed update will work when applied a second time - for instance if the order of different updates matters. If you leave an update off, note the description of the risk that it addresses, and avoid doing the risky thing e.g. clicking on hyperlinks in e-mail.
I've been using Knoppix 6.2 Linux on bootable CD or USB stick, and specifically partimage, to make a single copy of volume C split into 333 MB files (which pack nicely onto CDs or DVD), but I'm planning to switch to ntfsclone because partimage apparently has a problem with volumes containing bad sectors(?) I had an unpleasant virus-type experience while using SystemRescueCD which may not have been its fault.
If you don't use hibernation or if you disable it before backing up, a hidden file C:\hiberfil.sys equal to your RAM size is NOT included in the backed-up volume. If something goes wrong with Windows (and it has), you can just boot Linux and restore C to the way it was. (We don't need no steenking restore points!)
Of course the saying applies "You only THINK you've got a backup" - it's better to have a fallback position in case your latest backup fails when you try to restore. Also, verify your CDs or DVDs, including by comparing files to the files on disk.
Keeping your backups away from nosy people is an exercise you can work out for yourself!
... (but it may not be true) that it seems to be tied to certain device drivers or even perhaps device firmware. If so then MS testing probably wasn't as thorough as it should be. However, if this does turn out to be the case I'm willing to bet MS will manage to spin it that the drivers concerned did not comply with Windows standards.
Of course it might not be the case at all, I don't think we've had a single BSoD reported out of over 4000 XP machines patched this week and that covers a huge variety of hardware.
I am dealing with this issue on a customer's PC as I type. Having read many of the posts on this problem, I would just give the following summary.
The most common trigger for this issue appears to be a pre-existing malware infection, especially a rootkit infection of the ATAPI.SYS file. The key giveaway for this infection is that the infected ATAPI.SYS file has no Version tab when you look at its properties panel. Replacing this file with a clean copy can be the start of the cleanup and often allows you to boot the system. The following link may be helpful:
https://patrickwbarnes.com/blog/2010/02/microsoft-update-kb977165-triggering-widespread-bsod/
"It's still unclear why affected systems throw a wobbler while other near-identical Win XP PCs chug along quite happily after the updates are applied."
If you can figure this one out, perhaps you can tell me why, of 6 identical brand new XP Latitudes we got in recently, two wouldn't run Windows Update and one was missing the 'RunOnce' reg key, meaning it wouldn't install VPN software.
This happened to me before with Thinkpads. Booted two brand new identical ones up; one bluescreened straight away.
It's not ones and zeros, it's blood and tears.
Simon
As this begs the question: "How was the rootkit code injected into a device driver - running in the inner sanctum of the OS - in the first place ?" (atapi.sys: filename extension would imply that this is a device driver. If the rest of the name is as descriptive this would seem to be the driver responsible for a rather common physical disk interface, so being able to patch this is equivalent to full access to the raw disk devices under its control.)
User running as Admin (BAD BAD BAD BAD BAD, but too many shops do it so they can put all the stuff that should be in startup scripts or managed properly in login scripts, and so they can talk users through doing *anything*), directed to dodgy site which downloads .exe. .exe sets registry keys to copy new atapi.sys on next boot, just as if a Windows update or service pack had done it. There's a writeup here http://www.prevx.com/blog/139/Tdss-rootkit-silently-owns-the-net.html on how TDSS does it. I've found this on two or three machines where some support company from Hell thinks that the output from 'net localgroup administrators' should include the line "NT Authority\Authenticated Users" (I kid you not, bunch of fuckwits).
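The triage the summary post above describes (a replaced atapi.sys with no Version tab, a hash to compare against a clean copy) and the boot-time file swap the TDSS write-up describes can be checked from an admin prompt. The following is an added example, not code from any commenter or from the linked write-up; it assumes PowerShell 2.0 or later on the affected machine, and the known-good hash is a placeholder you fill in from your own installation media.

```powershell
# Added example: triage a boot-critical driver suspected of rootkit replacement.
# Assumes PowerShell 2.0+; point $DriverPath at an offline-mounted volume if the
# box will not boot.
param(
    [string]$DriverPath = "$env:SystemRoot\System32\drivers\atapi.sys",
    # Placeholder: SHA1 of atapi.sys taken from your own clean install CD/SP.
    [string]$KnownGoodSha1 = "REPLACE-WITH-HASH-FROM-YOUR-CLEAN-MEDIA"
)

function Get-DriverTriage {
    param([string]$Path, [string]$GoodSha1)
    $file = Get-Item -LiteralPath $Path
    $vi   = $file.VersionInfo

    # "No Version tab" in Properties means the VERSIONINFO resource is absent,
    # so FileVersion comes back empty here.
    $hasVersion = -not [string]::IsNullOrEmpty($vi.FileVersion)

    $sha1 = [System.BitConverter]::ToString(
        [System.Security.Cryptography.SHA1]::Create().ComputeHash(
            [System.IO.File]::ReadAllBytes($file.FullName))).Replace('-', '')

    # Microsoft drivers are catalog-signed. On older Windows/PowerShell builds
    # this can report NotSigned for catalog-signed files; Sysinternals sigcheck
    # is the fallback there, so treat the status as one signal, not proof.
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName

    New-Object PSObject -Property @{
        Path            = $file.FullName
        SizeBytes       = $file.Length
        LastWrite       = $file.LastWriteTime
        FileVersion     = $vi.FileVersion
        Company         = $vi.CompanyName
        HasVersionInfo  = $hasVersion
        SHA1            = $sha1
        MatchesKnownGood = ($sha1 -ieq $GoodSha1)
        SignatureStatus = $sig.Status
    }
}

function Get-PendingDriverRenames {
    # Windows applies deferred file replacements listed in this value at next
    # boot; an entry targeting a .sys file that no update queued is worth a look.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if ($val) { $val | Where-Object { $_ -match '\.sys' } }
}

Get-DriverTriage -Path $DriverPath -GoodSha1 $KnownGoodSha1 | Format-List
$pending = Get-PendingDriverRenames
if ($pending) { Write-Warning "Driver renames queued for next boot:"; $pending }
```

A driver with no version info, a hash that does not match your clean copy, or an unexplained queued rename is a reason to rebuild from known-good media rather than to apply the update and hope.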
No !!!
I will definitely NOT learn to live with it. The shoddy "products" that Micro$lop has been putting out for the past 15 - 20 years made me move to Linux to get some stability and reliability back in the Nineties.
I refuse to tolerate and/or pay for inferior quality workmanship ANYWHERE, including computers that I use and/or maintain. Therefore, since my most charitable interpretation of "MS" comes out as "Mediocre Software" I keep as far away from the Rubbish from Redmond as I possibly can.
So that's fine, you don't need to whine about it here. If you're having an issue caused by this on a machine running the aforementioned OS, then sure, whine all you like. But you have no case or point here, because you don't use XP, or Vista, or any MS product.
And in general, the 'hilarious' misspellings and alternate names for Microsoft haven't been funny for what... 15-20 years now? If you would like to be critical about a piece of software, then please, adopt less of a whiny, adolescent tone about it.
And for the record? An install of XP has lasted me over 6 years now, through 2 system rebuilds, and has only ever bluescreened through wonky graphics card drivers on 3 occasions. So there, you see? It's only a crap OS if you treat it like one. Just like any system, in fact.
A virus interpretation of this is the sort of thing that could become a runaway rumour without foundation, or without foundation in the majority of cases.
I believe I can recall two separate cases where a story has been started that a normal file belonging to Microsoft Windows or to a common application is a virus and you must delete it, where this isn't the case at all. I think in at least one of these cases, deleting the file interferes with use of your computer.
Then again, maybe you're right, and atapi.sys is infected. Or is a driver for out-of-date hardware in some cases. Or...
If it is that - does that mean that your computer will boot if you remove the CD/DVD disc drive?
Go on! It can't hurt!
After the "fix" my XP PC would not load isasse.exe (i.e. wouldn't boot properly) because it could not find dnsapi.dll
It looked like the directory structure was knackered. Eventually fixed it using chkdsk from the install DVD. It may not have been directly linked to the MS patch, but the timing is distinctly suspicious. Previously the PC had been well behaved.
Windows Update has just installed Office 2007 SP1 and SP2 on my PC, and tried to install the Office Genuine Advantage bits as well (this failed).
I find this odd as I do not have any version of Office installed, and have not had it installed since my last format and re-install.
I have had to tell update to ignore this update in future, but the update web page still reminds me I have said to ignore it.
Anyone else had a similar problem with recent updates?
...to be responsible and run some AV with regularity and consistency. Not to mention actually understanding your computer even just a bit. Computers are like babies, you have to feed them the right stuff and wipe their smelly behinds periodically.
The way I see it those that got the problem asked for it. Enjoy!!
I had already pushed it out (but not installed) when this news came up. Tested it on a number of systems one at a time, and none had any problems. Of course my systems are WAY locked down and my proxy has extensive block lists (thank God my boss is savvy and blows off all the complaints), so the systems are as likely to be clean as any Windows box is....
I'm still installing it in waves just in case.
Penguin cuz as a Windows sysadmin I know enough to refuse to allow it in my house.
Avast has not flagged any issues recently. Scanning atapi.sys reports nothing. Using Sha1Sum on it reports the supposedly "good" result, plus there is a Version tab full of rubbish.
Virustotal says the file is infected with eSafe Win32.Rootkit, gory info below:
http://www.virustotal.com/analisis/b4df1d2c56a593c6b54de57395e3b51d288f547842893b32b0f59228a0cf70b9-1266022402
(matching SHA1)
HitmanPro scanned and reported nothing (it queried BeebEm but said no more so I guess that means it was okay). I ran it again and it said nothing at all.
ComboFix did "a bunch of stuff" (that's the technical description <g>) which resulted in a few things being messed around, some minor config changes, but on the flip side the machine boots marginally faster.
HitmanPro again, because I'm both slightly paranoid AND desperate.
How accurate is virustotal? Is my atapi.sys infected or not? I won't be installing the update because recovery with an eeePC (no optical media) is less than pleasant. I'd still really like to know if I've been rootkitted or not. Do I trust a website I've only just found as a result of this problem, or do I trust a majority vote?
BTW, for those of you not sure which update is the potential problem, as we would not normally see "MS10-015", it is the patch labelled "kb977165".
I rebooted before intending to apply all of the updates except the troublesome one, when I noticed I had a boot menu - with a new Recovery Console option (thanks to Combofix). So I selected ALL of the updates (generally better safe than sorry, no) and upon the reboot prompt, I held a little piece of paper with the uninstall commands in my right hand, my left hand on my heart, eyes tightly closed, breath held...
...until, thirty six seconds later I heard the startup jingle. No blue screen, just Nyuu looking at me as the backdrop image.
I hope Ms Bee posts both of these messages of mine as there is a kind of moral to this story. Fair enough, I *may* still be rootkitted (although the SHA1 matches that of a "good" atapi.sys and I'm not a crazy download-and-install-everything browser), but on the other hand the evidence is starting to suggest that the infection report is not entirely correct. Thus, the moral, is to take things like that with a pinch of salt. And a dash of wasabi. And a sprig of parsley just to be "posh".
Smiley face, because...
The latest Defender update has destroyed two Vista machines, and one now claims that the OS installed by Dell OEM is not genuine. So, I sent an email to Microstuff asking for their assistance in a lawsuit against Dell. I had to call the Gujarati lady in Delhi to reactivate, which is a delight.
Of course Windows is crap. Their enterprise model is thievery negating any possibility that their software would be a quality offering. Is Ballmer looking more and more like Don Rickles, or is that just me?
Makes one grateful for the Turkish government and Pardus 2009.1.