Recovering from KB977165 BSOD

From Patrick W. Barnes

In February of 2010, many Windows XP and Windows Vista users found that their computers displayed the Blue Screen of Death when they rebooted after installing updates. For the majority of these users the cause was a conflict between update KB977165 and a rootkit already present on the system. Even Safe Mode would not boot.

Shortly after this incident, Microsoft temporarily withdrew the update and applied logic to its update services to avoid installing this update when the rootkit is detected on the system. This same logic is used on subsequent updates that make similar changes. In order to trigger this issue, the update (or another like it) must be manually installed. Additionally, the makers of the rootkit have since updated the rootkit to prevent this problem on more recently infected systems.

Repair Instructions

Removing the update using the Windows Recovery Console or using live media will get the system booting again, at least until the update is reapplied.

Replacing the infected driver file gets the system booting normally. The file most often found infected in cases of this failure is:

%System32%\drivers\atapi.sys

Using the Windows XP Recovery Console

  1. Boot from your Windows installation CD
    Insert your Windows installation CD and boot your computer. If your computer is not set to boot from CD first, you may need to reconfigure your BIOS or press a boot menu key (often F12, F8 or Esc). If you are unsure of how to do this, consult your favorite geek. As soon as the boot starts, you should see a message like “Press any key to boot from CD…” – press a key.
  2. Start the Recovery Console
    After the CD loads (it may take a minute), you will be presented with a few choices. One of these options is to start a recovery by pressing “R”. Press “R” to launch the Recovery Console.
    • You may be asked to choose a Windows installation. If so, choose the damaged installation (probably “1”).
    • You may be prompted for the Administrator password. If you do not have one, press “Enter”.
  3. Identify your CD drive letter
    You should now be at the command prompt. Enter the following command:
    map
    Look for the drive letter for your CD drive. It may look something like this:
    D: \Device\CdRom0
    In this case, your CD drive is “D:”.
  4. Replace ATAPI.SYS
    Enter the following, replacing “D:” with your CD drive:
    cd system32\drivers
    ren atapi.sys atapi.old
    expand D:\i386\atapi.sy_
    You should see the message “1 file(s) expanded.” – this indicates you have succeeded.
  5. Reboot and scan for malware
    Reboot your computer. With a little luck, your computer will now boot normally. Because this problem is caused by malware, you should immediately scan your computer with up-to-date antivirus software.
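The following is an added example, not part of the original page, showing how to check the outcome of steps 3 and 4 from a live environment (a Linux live CD or a second machine with the disk attached) rather than from inside the Recovery Console, which cannot run Python. It parses the "map" output shown above to pick out the CD drive letter, then compares the replaced atapi.sys against a known-good reference copy by SHA-256 and confirms that the renamed atapi.old backup (kept for later analysis) actually differs from it. The function names, the directory layout and the sample file contents are constructed for the example; the reference copy is assumed to be a clean atapi.sys expanded from the installation CD.

```python
import hashlib
import os
import re
import tempfile

# Matches a CD-ROM line in Recovery Console "map" output, e.g. "D: \Device\CdRom0".
CDROM_LINE = re.compile(r"^\s*([A-Z]):\s+\\Device\\CdRom\d+", re.MULTILINE | re.IGNORECASE)


def find_cdrom_drive(map_output):
    """Return the CD drive letter (e.g. 'D:') from 'map' output, or None if absent."""
    match = CDROM_LINE.search(map_output)
    return match.group(1).upper() + ":" if match else None


def sha256_file(path):
    """Stream a file through SHA-256 so large drivers do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def looks_like_pe(path):
    """Cheap sanity check: Windows drivers are PE images and start with the 'MZ' magic."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def verify_driver(drivers_dir, reference_path, name="atapi.sys"):
    """Compare the live driver against a known-good reference copy.

    Also reports whether the renamed backup (atapi.old) is present and differs
    from the reference, which is what you expect after replacing an infected file.
    Returns a dict so the caller can log or assert on each finding.
    """
    live = os.path.join(drivers_dir, name)
    backup = os.path.join(drivers_dir, os.path.splitext(name)[0] + ".old")
    if not os.path.isfile(live):
        return {"status": "MISSING", "live_sha256": None, "looks_like_pe": False,
                "backup_present": os.path.isfile(backup), "backup_differs": None}
    reference_hash = sha256_file(reference_path)
    live_hash = sha256_file(live)
    result = {
        "status": "MATCH" if live_hash == reference_hash else "MISMATCH",
        "live_sha256": live_hash,
        "reference_sha256": reference_hash,
        "looks_like_pe": looks_like_pe(live),
        "backup_present": os.path.isfile(backup),
        "backup_differs": None,
    }
    if result["backup_present"]:
        result["backup_differs"] = sha256_file(backup) != reference_hash
    return result


# Constructed sample data standing in for real files; the bytes are not real driver code.
CLEAN_DRIVER = b"MZ" + b"\x90" * 62 + b"constructed clean atapi.sys"
INFECTED_DRIVER = b"MZ" + b"\x90" * 62 + b"constructed patched atapi.sys"
# Constructed "map" output in the format the Recovery Console prints.
SAMPLE_MAP_OUTPUT = "C: NTFS 19077MB \\Device\\Harddisk0\\Partition1\nD: \\Device\\CdRom0\n"


def demo():
    """Lay out a temporary 'drivers' directory as it looks after step 4 and verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        drivers = os.path.join(tmp, "drivers")
        os.mkdir(drivers)
        reference = os.path.join(tmp, "atapi.sys.reference")  # clean copy from the CD
        with open(reference, "wb") as fh:
            fh.write(CLEAN_DRIVER)
        with open(os.path.join(drivers, "atapi.old"), "wb") as fh:  # renamed infected copy
            fh.write(INFECTED_DRIVER)
        with open(os.path.join(drivers, "atapi.sys"), "wb") as fh:  # freshly expanded copy
            fh.write(CLEAN_DRIVER)
        return verify_driver(drivers, reference)


if __name__ == "__main__":
    print("CD drive:", find_cdrom_drive(SAMPLE_MAP_OUTPUT))
    print(demo())
```

On a real disk, point verify_driver at the mounted Windows\system32\drivers directory and at the atapi.sys you expanded from the CD; a MISMATCH after step 4 means the replacement did not take, and a backup that does not differ from the reference suggests atapi.sys was not the infected file on that system and the other drivers need looking at.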