Microsoft Update KB977165 triggering widespread BSOD

One of Microsoft’s “Patch Tuesday” security fixes, the kernel update KB977165, is triggering a widespread “Blue Screen of Death” problem. The cause is not the update itself but an existing infection that the update exposes. So far, reports suggest that this problem affects Windows XP and Windows Vista.

Once the update is applied and the system rebooted, Windows bluescreens at boot. Safe Mode does not help: when booted to Safe Mode, the system freezes.

Removing the update from the Windows Recovery Console or from live media gets the system booting again, but only until the update is reapplied, and it leaves the infection in place.

I have found that the root cause is an infection of %System32%\drivers\atapi.sys, and that replacing this file with a clean copy gets the system booting normally. The infected driver is patched to hook into the kernel at fixed locations; the update changes the kernel, those references no longer point where the malware expects, and the system crashes early in boot.

This is not the first time that an infection of atapi.sys has caused an update to trigger bluescreens. If you are running Windows and have not yet applied this update, scan your computer thoroughly for infections, including rootkits, before applying it. If you are already experiencing this problem, take your computer to a professional who can replace the infected atapi.sys and clean any other malware from it.

References:

http://isc.sans.org/diary.html?storyid=8209

http://social.answers.microsoft.com/Forums/en-US/vistawu/thread/73cea559-ebbd-4274-96bc-e292b69f2fd1

Detailed Repair Instructions

Using the Windows XP Recovery Console

1. Boot from your Windows installation CD

Insert your Windows installation CD and boot your computer. If your computer is not set to boot from CD first, you may need to reconfigure your BIOS or press a boot menu key (often F12, F8 or Esc). If you are unsure of how to do this, consult your favorite geek. As soon as the boot starts, you should see a message like “Press any key to boot from CD…” – press a key.

2. Start the Recovery Console

After the CD loads (it may take a minute), you will be presented with a few choices. One of these options is to start a recovery by pressing “R”. Press “R” to launch the Recovery Console.

* You may be asked to choose a Windows installation. If so, choose the damaged installation (probably “1”).
* You may be prompted for the Administrator password. If you do not have one, press “Enter”.

3. Identify your CD drive letter

You should now be at the command prompt. Enter the following command:

map

Look for the drive letter for your CD drive. It may look something like this:

D: \Device\CdRom0

In this case, your CD drive is “D:”.

4. Replace ATAPI.SYS

Enter the following, replacing “D:” with your CD drive letter. The Recovery Console starts in the Windows directory (normally C:\WINDOWS), so the first command is relative to that:

cd system32\drivers
ren atapi.sys atapi.old
expand D:\i386\atapi.sy_

You should see the message “1 file(s) expanded.” – this indicates you have succeeded. Renaming the old driver rather than deleting it keeps a copy for later analysis. One caveat: if your installation CD is older than the service pack installed on the machine (for example an SP2 CD on an SP3 system), the driver on the CD is an older build than the one Windows was running. Windows keeps its own reference copies in system32\dllcache and ServicePackFiles\i386 on the hard disk, and the Recovery Console’s copy command can put one of those in place instead, but treat copies on the infected disk with suspicion: use one only if the two reference copies agree with each other.

5. Reboot and scan for malware

Reboot your computer. With a little luck, your computer will now boot normally. Because this problem is caused by malware, immediately scan your computer with up-to-date antivirus software that can detect rootkits, and keep the renamed atapi.old for your antivirus vendor or for analysis rather than letting anything run from it.
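Several readers below describe pulling the drive, mounting it on a clean machine and comparing atapi.sys against the copies Windows keeps elsewhere on the disk. The same check can be done from the live media mentioned above. The script below is an added example, not part of the original post: it is written for a Linux live CD with the Windows volume mounted read-only (the device and the mount point /mnt/win are assumptions), and it hashes the driver Windows actually loads against the reference copies in system32\dllcache and ServicePackFiles\i386, plus an optional copy expanded from the installation CD. It reports file size only for information, because the infections discussed here keep size and timestamps unchanged, so a size or date comparison proves nothing. The driver name is a parameter, so the same check covers iastor.sys, named in the comments as the other commonly infected driver.

```shell
#!/bin/sh
# Added example, not from the original post: offline integrity check of a
# Windows driver from a Linux live CD, with the Windows volume mounted
# read-only.  The mount point and device below are assumptions:
#   mount -o ro /dev/sda1 /mnt/win
#   sh check_driver.sh /mnt/win/WINDOWS atapi.sys [/path/to/known-good/atapi.sys]
# Exit status: 0 = the loaded driver matches every reference copy,
#              1 = at least one reference copy differs,
#              2 = driver or reference copies could not be found.

# SHA-256 of one file; GNU coreutils first, shasum as a fallback.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# First file below $1 whose path ends in $2, matched case-insensitively:
# NTFS does not care about case and the case on disk varies between installs.
find_ci() {
    find "$1" -type f -ipath "*/$2" 2>/dev/null | head -n 1
}

# check_driver <windows dir> <driver file name> [known-good copy]
# Compares system32\drivers\<driver> (what Windows loads) against the
# copies Windows keeps in system32\dllcache and ServicePackFiles\i386,
# plus an optional copy expanded from the installation CD.  File size is
# printed for information only: the infections discussed on this page keep
# size and timestamps identical, so only the hash tells them apart.
check_driver() {
    root=$1; drv=$2; extra_ref=$3

    live=$(find_ci "$root" "system32/drivers/$drv")
    if [ -z "$live" ]; then
        echo "no $drv under $root/system32/drivers"
        return 2
    fi
    if [ -n "$extra_ref" ] && [ ! -f "$extra_ref" ]; then
        echo "reference copy $extra_ref not found"
        return 2
    fi

    live_hash=$(file_sha256 "$live")
    printf 'live      %s  size=%s  sha256=%s\n' "$live" "$(wc -c < "$live")" "$live_hash"

    found=0; bad=0
    for ref in "$(find_ci "$root" "system32/dllcache/$drv")" \
               "$(find_ci "$root" "ServicePackFiles/i386/$drv")" \
               "$extra_ref"; do
        [ -n "$ref" ] || continue
        found=$((found + 1))
        if [ "$(file_sha256 "$ref")" = "$live_hash" ]; then
            printf 'MATCH     %s\n' "$ref"
        else
            printf 'MISMATCH  %s  size=%s\n' "$ref" "$(wc -c < "$ref")"
            bad=1
        fi
    done

    if [ "$found" -eq 0 ]; then
        echo "no reference copy of $drv found; expand one from the CD and pass its path"
        return 2
    fi
    [ "$bad" -eq 0 ]
}

# Only run when given arguments, so the functions can also be sourced.
if [ $# -ge 2 ]; then
    check_driver "$1" "$2" "$3"
fi
```

Read the result with the page’s caveats in mind. A mismatch against ServicePackFiles\i386 alone can be legitimate if a later hotfix replaced the driver; a mismatch against dllcache, which Windows normally updates together with the live driver, or against the copy from the CD is the one to act on. A MATCH only means the copies agree with each other, so on a machine that has been infected for a while prefer the CD copy as the reference, and never trust what the running (infected) Windows shows you about the file, for the reason the comments describe.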

UPDATE:

An atapi.sys infection may not be the only cause of this blue screen. While it does seem to be the most common cause, other infected drivers, or drivers that make incorrect references to the updated kernel bits, may also cause blue screens after this update is applied. Before applying this update, scan any computer with up-to-date antivirus software that can detect rootkits, and check for updated drivers for your computer.

UPDATE 2:

I have placed these instructions on my wiki.  Any further changes will be posted there.

84 thoughts on “Microsoft Update KB977165 triggering widespread BSOD”

  1. Wow. I am not a professional and only know enough about DOS to screw things up… but your instructions were clear and logical and did exactly what you said… Windows is back up and happy (?) again.

    Ironically though, it was my Mac laptop that allowed me to find this page so I could figure out the error and (2 hours later) find your excellent directions to fix it. Many, many thanks.

  2. @rainbopotter

    “As after it was finished went to a BLACK screen of death, yes I said black! When rebooted, it told me that there was no registry, then no hard drive!”

    If your computer said you have no hard drive, then you have far more serious issues than a software update. I would suggest running some thorough diagnostics on your HDD. Simplest place to start would be the manufacturer of your HDD, as most of them offer a free diagnostic tool for download.

  3. We’ve had a number of these come to us lately. Replacing the atapi.sys helps get the system back on its feet, but I highly suggest scanning as well. We’ve found numerous rootkits after rebooting which may have caused the issue in the first place. Some A/V programs are already corrupt, so I suggest ComboFix as a way to remove the majority of them BEFORE scanning with your A/V solution!

  4. I have found bogus atapi.sys on multiple computers. It defeats AVG and AVAST!. However, I have found one way to detect whether the thing is bogus or not. You must be able to install the suspect drive in a “good” computer or an external drive that can be mounted on a “good” PC. Once done, search the suspect drive for atapi.sys and you will see the same size and date/time stamp for the one in %windir%\system32\drivers as in other legitimate locations like the service pack folders. However, if atapi.sys is bogus it will only show the following details: size and date created, or size and date modified, depending on whether you mouse over or get properties. A legitimate file will show the name, OS, version, copyright, etc. AND the bogus file will show all those if you try to get its properties when booted, i.e. not mounted in an enclosure. VERY stealthy.
    All machines that were identified as having the bogus ATAPI.SYS and had it replaced with legitimate versions installed KB977165 without error.

  5. Hi Pat,

    Pulling hair out here. I followed your instructions on how to replace atapi, but I keep getting “wrong command”. Is there anything I’m missing? I redid it like 9 times now.

    Thanks

  6. Yeah, I seem to be having the same problem as Frank. Followed all steps, but when I try replacing atapi in the Recovery Console I get the “parameter is not valid” message. Is there any way around this? Any ideas would be greatly appreciated.

  7. Woohoo, got it fixed!!! (doing the pee pee dance)

    Just took the HD out and put it in an external HD chassis; you can do the same by putting it in another PC with an open HD slot. Get a good copy of atapi.sys, or go to the GOOD PC’s Wn/Sys32/dir folder and copy it to the desktop. When you open the BAD HD, go to that folder and replace it with the good one. Put the HD back in and reboot; as you hit the F8 key, go to \most recent Config\ (or however it reads) and click that. Windows opens up like always. Gawd, that sucker is bad news. Glad it’s gone!!!

  8. My Win CD has long since disappeared into the black hole of my office. Any way to get this file from a download?

  9. Thank you!!! This saved my life, when I was ready to format the drive!

    Not only did it solve the boot-time BSOD, but also a BSOD from hiberfil.sys when hibernation was called :)

  10. I’ve had the BSOD occur via the KB977165 update and fixed it once using the atapi.sys fix mentioned above. Stupid me forgot to turn off automatic updates and it did it again. However, this time there is no atapi.sys or KB977165 uninstall folder to use. Using ‘dir’ shows they don’t exist. What now?

  11. Sadly I also had BSOD and tried to deal with it before I saw this, and I had no idea which of the updates caused the problem. Fortunately I back up all e-mails on a weekly basis to CD. I then reinstalled XP Pro/SP3 from scratch and updated including KB977165 and all was OK. I am in the process of tediously installing all my programs and rescuing e-mails. Thank you Microsoft!

  12. Here’s a variation on this one: I ran Win Update this morning since Secunia’s PSI keeps complaining I don’t have XP SP3 installed. Win Update found KB977165 available for my PC, which I thought was odd since I usually run updates on Patch Tuesdays. Downloads, installs, and then starts prompting me to reboot. As I begin shutting down programs to reboot, I notice my task bar suddenly went from 4 icons wide in the systray (I run the task bar vertical on right of my screen), to 1 icon wide. Tried to grab it and pull it back out to normal width – no go. Checked that it wasn’t locked – it wasn’t. Mouse pointer would show the edge was grabbable, but couldn’t grab it out. Rebooted, hoping it would resolve itself. When the system came back up, I was greeted with a ‘Visual C++ Runtime Library’ error, pointing at ‘RoxWatchTray.exe’ – a legit Roxio helper app. Taskbar was virtually gone – just a thin gray line along the right side of the screen, with no hint of a Start button. Every attempt to launch Win Update would result in the request coming up in Firefox, which can’t access Win Update. Even manually typing in the URL into IE would trigger it to be brought up in Firefox. Couldn’t do much at that point, so I launched a reinstall of XP. I’m in the process of reapplying SP2. Don’t know what to make of it – I’m pretty careful with dark alleys on the Net (use Firefox w/ NoScript, eEye Blink, etc.), so I don’t know if it’s indicating I’ve got malware in some other driver, or if it didn’t get along with my flavor of Roxio all that well.

  13. So is this update thing resulting in a BSOD as a result of a malware infection a Windows exclusive? My Linux box doesn’t seem to have those problems.

    Hm!

  14. I have a question. I did get the blue screen of death. Then I got script errors every time I opened Internet Explorer 8; I went back to IE 7, and now I am getting pop-ups! I have scanned with Norton, Malwarebytes, Ad-Aware, Spybot. Malwarebytes found two items and quarantined them, but I did this before following the instructions above. My question is: am I having OTHER issues? Or is it because I ran the scans before following the instructions? I am not seeing anyone else stating they are getting pop-ups, so??? Any suggestions? I am now going to delete the update and follow all instructions, but again, I have not seen anyone state they are getting pop-ups, and I only got the blue screen of death once. However, every time I get online, everything freezes. I had rebooted at least 15 times before I ran Malwarebytes, but am still getting pop-ups. Any additional info would be helpful. Thanks

  15. Thursday, March 11.
    Yep..just joined that BlueScreenClub! XP 5.1 with IE7. KB977165 keeps wanting to Download, but process Fails each time.
    UhhhBoy, I think I’m in trouble!

  16. Great articles, and it’s so helpful. I want to add your blog to my RSS reader but I can’t find the RSS address. Would you please send your address to my email? Thanks a lot!

  17. I’ve got the same problem as Don, can’t find my XP CD. Is there anywhere to download the driver?

    I also read that there are 5 other drivers that can be infected, but can’t seem to find the list again. Any help there as well.

    Thanks.

  18. atapi.sys is protected by copyright, and the license does not permit me (or any other third party) to share it. If you have lost your original media, you may be able to retrieve atapi.sys from another computer, or you may have to get replacement media.

    The other most commonly infected driver is iastor.sys.

  19. CRAP! I did exactly as instructed. I have two XP systems that were affected by this. The Toshiba worked but the stupid Samsung is still going through a reboot loop (this has been happening at the exact same time after the exact same update). With the Samsung laptop the old atapi.sys seems to be replaced, as it says “expanded”, but no luck. Any suggestions?

  20. OK, I did exactly as instructed on two XP systems that are infected. The Toshiba worked perfectly afterwards but the Samsung didn’t. In recovery mode it even says “…expanded”, so it definitely replaced the atapi.sys, but it’s still going through its blue screen reboot loop. Any suggestions? This had to have been after the SP3 update because I updated both laptops at the same time and both started this crap about the same time. No problems before. Any help is appreciated!

  21. I am being offered this update and whether I try & install it or decline it stays in my taskbar.

    Incredibly annoying. Big screwup by MS.

  22. I ACCIDENTALLY got myself to this Web Site today {I can only assume that I clicked on a Link to this Page, while not meaning to. I guess I was not watching my Arrow/Cursor close enough}.
    I had no reason to read what I have spent the last hour reading, but I did so anyway because it was like I REALLY got into Rod Serling’s “The Twilight Zone.”

    After reading one hour of, what to me is horror at the needless waste of time you all are subjecting yourselves to, I HAVE A SOLUTION FOR ALL OF YOU, and I KNOW 99% of you have read or heard this before: People, you can avoid ALL of your complaints and ALL of your wasted time just by
    BUYING YOURSELF AN APPLE “MACINTOSH”!!! I have been using “MACS,” exclusively since 1993–and I have NEVER had to do anything similar to the “patches” and “fixes” that I have spent the last hour reading you all complain about!
    Jesus, Buy yourselves a “Macintosh.!!!” This stuff never happens to us!!

  23. I also downloaded the KB977165 update and nothing works right. I need to know a way to delete it, as I can’t use the Recovery Console; I would probably make matters worse, as I am not that computer savvy.
    Thanks for any help you could give.

  24. For lisa:

    lisa, boot Windows to Safe Mode with Networking, load Malwarebytes and make sure it is updated, then run a scan. It sounds like you have a fake AV infection.

  25. Hi SIDNEY LOHR, thanks for your input!

    Since you probably don’t have much PC experience (being a Mac user), your time might be better spent pursuing those things with which you are probably more experienced: e.g. wrapping your lips around tubular objects and creating suction.

  26. I did this and am hoping it’s the solution to my problem. I have a computer that has BSOD 4 times now. Two days ago I finally just reloaded it and installed all updates, it worked fine for 2 days and it happened again. It doesn’t crash periodically, so I won’t know if this worked until Monday. My question is, if I completely copied a user profile before I reloaded the computer, can this malware infect the file again when I paste it into the fresh windows installation?

  27. To restore computer, pray thus: “Black Madonna, hear my prayer!” (The Black Madonna is another Name Title for Our Lady of Czestochowa, Poland’s famous and POWERFUL Virgin Mary Shrine Image – it works if you have faith). God’s Blessings on your day!

  28. How do you get a Windows Install CD? My machine came already installed with the I386 on the C: Drive?

    Is there a way to do in safe mode, or create a boot CD?

  29. Very useful advice, thank you. I had the BSOD problem on a friend’s PC: STOP x00000050 error and a reference to a .sys file that I couldn’t find any information about on the web. I booted into repair mode and located the dubious file in Windows\System32\Drivers, renamed it to .old and rebooted OK. Obviously for essential system files this won’t be any good, but if it’s a rootkit like mine…

  30. I was getting a message to load KB977165 as an update. I could never get it to download, and now it has not shown up as a needed download. Did Microsoft take the download down because of all these issues? Besides, the only time I get the BSOD is when my system is rebooting, and then it only lasts for about a minute. My system has always done that and I have never been able to figure out why. It never seems to cause an issue, so what is the deal with that?

  31. This information was well written and very useful. It only took me 20 min. to fix the problem.

    Thanks!

  32. I am 58 years old and have no clue how to do this “crap”. Are some of these things being installed so we have to BUY something? Just wondering. The person (I’m sure in India) told me to call Microsoft to get more memory. I can’t go to Control Panel and uninstall this unwanted stuff that is taking up space, and I’ve noticed a bunch of things that I did not add on there that I can’t uninstall after I purchased Norton Anti 2010. Am I just “paranoid”???
