
WARNING : KB977165 Can/May/Will Cause BSODs for Some Windows XP Users


MowGreen

Feb 11, 2010, 5:34:54 PM
New Patches Cause BSoD for Some Windows XP Users
http://www.krebsonsecurity.com/2010/02/new-patches-cause-bsod-for-some-windows-xp-users/

BLUE SCREEN, UNABLE TO BOOT AFTER WINDOWS XP UPDATE TODAY
http://social.answers.microsoft.com/Forums/en-US/vistawu/thread/73cea559-ebbd-4274-96bc-e292b69f2fd1/

A workaround to remove KB977165 and a method to mitigate the
vulnerability this update addresses has been posted in the above Windows
Update forum by Kevin Hau of Microsoft:

" Hello Everyone,

I wanted to thank everyone for the great information and discussion in
this thread!

We have found that there is only one patch that requires un-installation
to resolve the blue screen issue. KB977165 is the patch in question, the
other patches do not seem to cause the blue screen behaviour and do not
need to be uninstalled.

With that in mind, here's the updated solution steps:

1. Boot from your Windows XP CD or DVD and start the recovery console
(see this Microsoft article for help with this step)

Once you are in the Repair Screen..

2. Type this command: CHDIR $NtUninstallKB977165$\spuninst

3. Type this command: BATCH spuninst.txt

4. When complete, type this command: exit


IMPORTANT: If you are able to uninstall the patch and get back into
Windows, in order to stay protected you can use the following automated
solution which secures your PC against the vulnerabilities that are
resolved with KB977165 until you can successfully get the update
installed without the blue screens.

Please see the link below for the article describing the vulnerability
that is fixed with KB977165 and how you can get protected without
installing the actual KB update:

http://support.microsoft.com/kb/979682


I also wanted to thank maxyimus for the great thread, and LThibx for
their participation as well!

Thanks,

Kevin "

MowGreen
================
* -343-* FDNY
Never Forgotten
================

banthecheck.com
"Security updates should *never* have *non-security content* prechecked

TaurArian

Feb 11, 2010, 6:27:58 PM
Hi Mow

Have you posted this also in :
http://social.answers.microsoft.com/Forums/en-US/vistawu/threads

K


"MowGreen" <mowg...@nowandzen.com> wrote in message
news:%23Kb8up2...@TK2MSFTNGP05.phx.gbl...

MowGreen

Feb 11, 2010, 6:49:20 PM
Good Morning and, no, Mam. Just here and in XP General. Be my guest as
spending too much time in the WU "forum" hurts my eyes <w>

MowGreen

MowGreen

Feb 11, 2010, 8:09:24 PM
For those who are following this thread, if any, the update has been
pulled from Windows Update:
http://blogs.technet.com/msrc/archive/2010/02/11/restart-issues-after-installing-ms10-015.aspx

hdnlan

Feb 12, 2010, 9:56:01 AM
Hello Mowgreen. Your comment that KB977165 had been removed from windows
update doesn't seem to be true. When I go to the site, it still offers the
update.


Etaoin Shrdlu

Feb 12, 2010, 1:11:29 PM

It was there when I checked this morning.

MowGreen

Feb 12, 2010, 2:30:11 PM
My comment stems from:
http://blogs.technet.com/msrc/archive/2010/02/11/restart-issues-after-installing-ms10-015.aspx

Specifically ( I added the * * )-
" Our initial analysis suggests that the issue occurs after installing
MS10-015 (KB977165). However, we have not confirmed that the issue is
specific to MS10-015 or if it is an interoperability problem with
another component or third-party software. Our teams are working to
resolve this as quickly as possible.* * We also stopped offering this
update through Windows Update as soon as we discovered the restart
issues. * * However, those using enterprise deployment systems such as
SMS or WSUS will still see and be able to deploy these packages. "

If the update is still being offered, then the above statement by *MS*
is incorrect.


MowGreen

MowGreen

Feb 12, 2010, 4:13:55 PM
*Clarification* - the update is no longer being offered via automatic
updating. It's still present on the WU/MU sites.


MowGreen

Swerbo

Feb 12, 2010, 6:14:01 PM

I can't even boot off my WinXP SP2 CDROM, now WTH do I do?

Wow, this really sucks bad. Anyone?

MowGreen

Feb 12, 2010, 6:52:54 PM
If you have entered the system's setup and configured it to boot from
the CD/DVD first and it still will not load the CD, it's a clear
indication that there is a root kit present.
What happened is that the update broke the root kit's 'functionality'
which in turn affected the CD player.

Suggest you request assistance from Microsoft via one of these methods
as they are still trying to track down the specific nature of these
non-booting XP systems:
http://blogs.technet.com/msrc/archive/2010/02/12/update-restart-issues-after-installing-ms10-015.aspx

" we encourage customers who feel they have been impacted by this to
contact our Customer Service and Support group by either going to
https://consumersecuritysupport.microsoft.com or by calling
1-866-PCSafety (1-866-727-2338). "

For the above link to CSS, suggest you use the below link so as to skip
the initial steps and save a little time:
https://consumersecuritysupport.microsoft.com/default.aspx?productKey=pcsafetymalware&ct=phonets&supportLinkphonets=Phone

For the " What would you like assistance with? " option, choose Other.

For the " Be specific when you describe your problem. Please include
details such as error codes or messages to help us promptly send you the
most likely solution to your issue." field, inform them that
Security updates were installed, the system would not restart, the
system can not boot from CD, and you've been told by an MVP that there's
a strong likelihood that a root kit is present that has rendered the
system inoperable due to the installation of KB977165.


MowGreen

PA Bear [MS MVP]

Feb 12, 2010, 7:45:13 PM
Update - Restart Issues After Installing MS10-015
<QP>
In our continuing investigation in to the restart issues related to MS10-015
that a limited number of customers are experiencing, we have determined that
malware on the system can cause the behavior. We are not yet ruling out
other potential causes at this time and are still investigating. Please
review our blog post from yesterday for additional information.

One of the key components when investigating issues like this are obtaining
memory dumps from computers experiencing the problem. In order to get the
information we need to fully analyze the issue, some of our support
engineers have actually driven to customer locations and picked up affected
systems so we can get the needed crash data directly and help inform our
investigation. For more information about memory dumps, please see:
http://support.microsoft.com/kb/254649.

We encourage customers to follow our "Protect Your PC" best practices and
always have up to date anti-virus software running on their systems to help
prevent malware infections. For customers who do not have anti-virus
software, you can either scan your system using our online tool at
http://safety.live.com or you can install Microsoft Security Essentials for
free.

This can be a difficult issue to solve once a computer is in an un-bootable
state so we encourage customers who feel they have been impacted by this to
contact our Customer Service and Support group by either going to
https://consumersecuritysupport.microsoft.com or by calling 1-866-PCSafety
(1-866-727-2338). International customers can find local support contact
numbers here: http://support.microsoft.com/common/international.aspx.
</QP>
Source:
http://blogs.technet.com/msrc/archive/2010/02/12/update-restart-issues-after-installing-ms10-015.aspx

<QP>
Earlier today I made a post about a potential issue with MS10-015. We are
still investigating this but I wanted to provide some additional clarity on
what I mean when I said we stopped offering the update via Windows Update.
To be more precise, we basically turned off the Automatic Update system for
this bulletin. This means that computers that have our recommended setting
to automatically look for, download, and install high priority updates, will
not pull this update down. They will still get all the other relevant
updates. You can still go to Windows Update and manually select and install
the update and you can still obtain the update package from the Download
Center.
Please check back here for more updates on this issue as we will post
additional information as it becomes available.
</QP>
Source:
http://blogs.technet.com/msrc/archive/2010/02/12/february-2010-security-bulletin-webcast.aspx
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Client - since 2002

Jim Madsen

Feb 12, 2010, 10:35:36 PM
My 2 cents worth.

Wish I knew about this problem before. However, I installed the
offending update with no problems (so far).

Thanks for bringing this issue to my attention, as I am using Norton
Ghost for backups, and I remembered I hadn't updated the driver CD in
quite a while.

Someone "dissed" Norton 360, and thought of it as a possible cause. I
have been using Norton 360 for almost a year, and haven't had any
problems created by this app. I don't particularly like it, but I
consider it the lesser of the evils I've considered.

MowGreen

Feb 13, 2010, 2:49:02 PM

My Rickle's worth ...

I always diss N360 and here's just part of the reason from a colleague's
email:

" ... just hopefully finished cleaning a PC running XP SP2 that had a
similarly infected atapi.sys, identified by Avast as Alureon EU but
blissfully totally ignored by the PC owner's fully paid up and current
Norton 360. It was accompanied by a number of other trivial trojans
that I guess it had invited to come join the party. The problem had
apparently started after the owner downloaded and opened a spoof DHL
e-mail and stupidly opened the attachment.
When I first got the machine it was going through logon logoff loops due
to userinit being set to winlogon.exe rather than userinit.exe in the
registry's Winlogon key, possibly a result of poor Norton cleansing?
Having fixed it so that the system would boot it would stay up for about
ten minutes after which a message saying that the Generic Host Process
for Win32 Services had crashed followed by a message saying that the
system was shutting down due to the DCOM Server Process Launcher having
stopped. Norton also reported attempts to access the system from d45 64
86 75.cn which were stopped by the Norton firewall. Shame Norton hadn't
caught the thing earlier rather than much too late and after the event. "

*Knowledgeable* Users don't have the same issues as the vast majority of
Norton Users do because they *know what they're doing*. Even then, every
so often, a Norton "product" will do something that prevents a system
from searching for, downloading, and/or installing updates.
Symantec products for Business/Enterprise are completely different
entities and are *vastly* more reliable.


MowGreen
================
*-343-* FDNY
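
The colleague's e-mail quoted in the post above mentions Userinit pointing at winlogon.exe instead of userinit.exe in the Winlogon key. As an added example (not part of the original thread), this PowerShell function audits that value; the function name, the sample values, and the rule that the default userinit.exe path is the only acceptable entry are assumptions of this example.

```powershell
# Added example (not from the thread): audit the Winlogon "Userinit" value.
# Assumption: the only legitimate entry is %SystemRoot%\system32\userinit.exe.
function Test-UserinitValue {
    param(
        [Parameter(Mandatory = $true)][AllowEmptyString()][string]$Value,
        [string]$SystemRoot = $env:SystemRoot
    )
    $expected = $SystemRoot.TrimEnd('\') + '\system32\userinit.exe'

    # Userinit is a comma-separated list; the Windows default ends in a comma.
    $entries = @($Value -split ',' |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ -ne '' })

    if ($entries.Count -eq 0) {
        return New-Object psobject -Property @{
            Entry = '(none)'; Ok = $false; Reason = 'value is empty'
        }
    }
    foreach ($entry in $entries) {
        $full = [Environment]::ExpandEnvironmentVariables($entry)
        if ($full -ieq $expected) {
            $reason = 'default userinit.exe'
        } elseif ([System.IO.Path]::GetFileName($full) -ieq 'userinit.exe') {
            $reason = 'userinit.exe without the expected system32 path'
        } else {
            $reason = 'unexpected program run at logon'
        }
        New-Object psobject -Property @{
            Entry = $entry; Ok = ($full -ieq $expected); Reason = $reason
        }
    }
}

# Live check on the running system.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Test-UserinitValue -Value (Get-ItemProperty -Path $key).Userinit

# Constructed sample values: the default, then the broken state from the e-mail.
'C:\WINDOWS\system32\userinit.exe,', 'C:\WINDOWS\system32\winlogon.exe' |
    ForEach-Object { Test-UserinitValue -Value $_ -SystemRoot 'C:\WINDOWS' }
```

The value can also be read from an offline copy of the SOFTWARE hive and passed in with -Value, which avoids trusting the answers of a running system that may be compromised.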

Daave

Feb 13, 2010, 9:28:40 PM
I don't understand. Is it possible that a rootkit can affect the BIOS?!
Specifically, is there something about this particular rootkit that is
infecting more than Windows?


MowGreen wrote:

> If you have entered the system's setup and configured it to boot from
> the CD/DVD first and it still will not load the CD, it's a clear
> indication that there is a root kit present.
> What happened is that the update broke the root kit's 'functionality'
> which in turn affected the CD player.

MowGreen

Feb 14, 2010, 4:26:31 PM
The root kit impersonates/replaces the CD's driver.
The CD will still function as though nothing is wrong.
Applying the update breaks the root kit's "functionality", for want of a
more proper term.
Thus, the CD no longer works.

Does that explanation help clear things up, Daave ?

MowGreen

Harry Johnston [MVP]

Feb 14, 2010, 7:09:51 PM
On 2010-02-13 12:14 p.m., Swerbo wrote:

> I can't even boot off my WinXP SP2 CDROM, now WTH do I do?
>
> Wow, this really sucks bad. Anyone?

While not strictly speaking impossible, it is unlikely that either malicious or
faulty software is preventing you from booting to a CD. Most likely either your
CD drive or the CD itself is faulty, or the BIOS is not configured to boot from CD.

Harry.

Daave

Feb 14, 2010, 9:52:24 PM
No, I still don't see the answers to my questions. The update and the
rootkit reside on the hard drive. How is this relevant to someone
attempting to boot off their CD? It is possible to boot off a CD with
*no* hard drive! Pop a bootable CD into the drive. Reboot the PC. As
long as the PC's BIOS is configured to boot off the CD, Windows and the
hard drive are totally irrelevant. More of my reply (which has been
filtered by the Microsoft news server) to your other post may be found
here:

http://groups.google.com/group/microsoft.public.windowsxp.general/msg/5bca2d80a9f6db89?hl=en

Unless the "root kit's functionality" has physically destroyed the CD
drive, it should still work! Granted, not while in Windows, but
certainly *outside* of Windows, no?

Jim Madsen

Feb 15, 2010, 12:09:53 PM

I didn't say Norton 360 was GREAT!!! Last summer my son tried to
download something, and I got a virus -- had IE7 windows popping up
every 5 minutes -- used Java. Norton 360 totally ignored it. I was
able to clean it easily with Spybot S & D. Also did an Adaware Scan and
ran a few apps that were alleged to have the ability to ferret out
rootkits. I always run other scans every few weeks or so, but I only
have Norton 360 enabled for real-time scanning. All I can remember, is
when we used McAfee Antivirus at work. What a disaster.

Going OT, sorry

Jim

MowGreen

Feb 16, 2010, 3:26:35 PM
Well, at the very least you're making me think about this, if I can find
your posts. <w>

What loads the CD driver is there's no OS and the BIOS is *not* set to
configure Plug and Play but is set to let the *OS* configure PnP,
Daave ? The CD, right ?

Now, since this "owned" driver is loaded very early in the boot process
from the infected HD, the owned non-functioning driver loads *prior* to
the one loading from the CD and thus, the CD does not function.

I messed around with a dual booted XP system's BIOS yesterday to see
what would happen as the HD for XP had died and was no longer
functioning. Naturally, I couldn't install the root kit to XP. <w>

I couldn't get the XP CD to load until I configured the *BIOS* to
configure PnP for the CD player. Then I went to install XP on the dead
HD and naturally, it could not since the HD was no longer functioning.

I still insist that 'Angelsomething' should contact MS for assistance.

Harry Johnston [MVP]

Feb 16, 2010, 4:50:22 PM
On 2010-02-17 9:26 a.m., MowGreen wrote:

> Well, at the very least you're making me think about this, if I can find
> your posts. <w>
>
> What loads the CD driver is there's no OS and the BIOS is *not* set to
> configure Plug and Play but is set to let the *OS* configure PnP,
> Daave ? The CD, right ?
>
> Now, since this "owned" driver is loaded very early in the boot process
> from the infected HD, the owned non-functioning driver loads *prior* to
> the one loading from the CD and thus, the CD does not function.

When booting from a CD, the BIOS uses its own driver to load the boot code on
the CD. What happens next depends on that boot code, but it would be very
unusual for it to look on the HDD for a device driver. Usually the boot code
will either use the BIOS functions or a device driver loaded from the CD (or both).

Certainly, the Windows boot CDs use only the device drivers on the CD and should
function properly regardless of the state of the HDD.

> I messed around with a dual booted XP system's BIOS yesterday to see
> what would happen as the HD for XP had died and was no longer
> functioning. Naturally, I couldn't install the root kit to XP. <w>
>
> I couldn't get the XP CD to load until I configured the *BIOS* to
> configure PnP for the CD player.

Was this a SATA CD drive? The XP CD might not be able to cope with that without
extra support (i.e., PATA emulation) from the BIOS. Normally this wouldn't be a
problem.

> Then I went to install XP on the dead
> HD and naturally, it could not since the HD was no longer functioning.
>
> I still insist that 'Angelsomething' should contact MS for assistance.

Agreed.

Harry.

MowGreen

Feb 17, 2010, 3:56:38 PM
Harry Johnston [MVP] wrote:
>> I couldn't get the XP CD to load until I configured the *BIOS* to
>> configure PnP for the CD player.
>
> Was this a SATA CD drive? The XP CD might not be able to cope with that
> without extra support (i.e., PATA emulation) from the BIOS. Normally
> this wouldn't be a problem.


No, it was an ATA drive, Harry.

> When booting from a CD, the BIOS uses its own driver to load the boot code on the CD.
> What happens next depends on that boot code, but it would be very unusual for it to look
> on the HDD for a device driver. Usually the boot code will either use the BIOS functions
> or a device driver loaded from the CD (or both).

If the *BIOS* is set to configure Plug and Play.

If the BIOS is set to allow the *OS* to configure PnP, then the root
kitted driver on the HD will load, as it still is listed in the boot
configuration order, rendering the CD player inoperable.

I wish we could find out what the final outcome for 'Angelsomething'
turns out to be.
Has she posted back to XP General ?

Daave

Feb 17, 2010, 5:58:46 PM
MowGreen wrote:

> I wish we could find out what the final outcome for 'Angelsomething'
> turns out to be.
> Has she posted back to XP General ?

From:

http://groups.google.com/group/microsoft.public.windowsxp.general/msg/3f282fced3eb29a7?hl=en

<quote>
no matter what i did, xp wouldnt boot from disk, i checked bios settings &
checked multiple disks.. and it still wouldnt boot from disk. but yet the
minute i put vista in, it booted from disk no problem..
</quote>

It sounds like there was something wrong with her XP disk.

I think she's making stuff up as well; I very much doubt she had tried
"10 xp disks." LOL !


MowGreen [MVP]

Feb 17, 2010, 7:43:08 PM

As far as I can tell from her posts, she didn't configure the boot from
CD properly, which shocks none of us, do it ? <w>

Harry Johnston [MVP]

Feb 17, 2010, 11:26:59 PM
On 2010-02-18 9:56 a.m., MowGreen wrote:

>> When booting from a CD, the BIOS uses its own driver to load the boot
>> code on the CD.
>> What happens next depends on that boot code, but it would be very
>> unusual for it to look
>> on the HDD for a device driver. Usually the boot code will either use
>> the BIOS functions
>> or a device driver loaded from the CD (or both).
>
> If the *BIOS* is set to configure Plug and Play.

On most machines (in my experience) I believe the BIOS will automatically
configure boot devices regardless of the PnP settings. Of course, this might
not be the case on all systems. In fact, I think we can safely assume it isn't,
since your machine is a counterexample. :-)

One machine I've got here makes this explicit, the two settings available are:

NO - lets the BIOS configure all the devices in the system

YES - lets the operating system configure Plug and Play (PnP) devices not
required for boot if your system has a Plug and Play operating system

The other machine I looked at simply didn't have a setting.

> If the BIOS is set to allow the *OS* to configure PnP, then the root
> kitted driver on the HD will load, as it still is listed in the boot
> configuration order, rendering the CD player inoperable.

If the BIOS won't configure PnP for the CD drive, then it won't be able to
attempt to boot from the CD, so the system will boot into the installed instance
of Windows.

There may also be cases in which the CD will start to boot but be unable to
finish because the device drivers on the CD don't support the hardware or the
way in which the BIOS has configured the hardware.

However, I don't think there's any case in which Windows Setup will boot from
the CD using device drivers from the HDD. (Although I suppose in principle a
rootkit which takes control from Windows early enough might realize that the
user had intended boot from the CD and fake it!)

Harry.

Harry Johnston [MVP]

Feb 17, 2010, 11:28:03 PM
On 2010-02-18 11:58 a.m., Daave wrote:

> http://groups.google.com/group/microsoft.public.windowsxp.general/msg/3f282fced3eb29a7?hl=en
>
> <quote>
> no matter what i did, xp wouldnt boot from disk, i checked bios settings &
> checked multiple disks.. and it still wouldnt boot from disk. but yet the
> minute i put vista in, it booted from disk no problem..
> </quote>
>
> It sounds like there was something wrong with her XP disk.

Possibly, but it could also be that her hardware or BIOS settings weren't
compatible with the native XP drivers but were supported by the native drivers
in Vista.

MowGreen, on that machine that wouldn't boot the Windows XP CD unless you set
the BIOS to configure PnP - any chance you could try out a Vista or Windows 7
boot CD instead?

Harry.

MowGreen

Feb 18, 2010, 4:58:37 PM


I could Harry but first I need to replace the HD as it croaked and I
pulled the tower apart for now. Will get back to it this weekend between
the Winter Olympic RAM and Tower throwing events <g>

On the other hand, the remaining HD has its original installation of
Windows ME still running which I'm thinking of donating to the
" That's Incredible " Museum, if there is one.
