KB977165 update triggering Blue Screen Problem



One of Microsoft’s “Patch Tuesday” security fixes, KB977165 (security bulletin MS10-015), is triggering a widespread “Blue Screen of Death” problem. The cause is not the update itself but an existing infection that the update exposes. So far, reports suggest that this problem affects Windows XP and Windows Vista.

Once the update is applied and the system rebooted, Windows bluescreens during boot. Booting to Safe Mode does not help: the system freezes there as well.

Removing the update from the Windows Recovery Console or from live media will get the system booting again, but only until the update is reapplied, because the update is not the real problem.

I have found that the root cause is an infection of %System32%\drivers\atapi.sys (the IDE/ATAPI port driver), and that replacing this file with a clean version will get the system booting normally.

This is not the first time that an infection of atapi.sys has caused a Windows update to trigger bluescreens. If you are running Windows and have not yet applied this update, scan your computer thoroughly for malware before applying it; a driver that has been tampered with is a sign of a rootkit, and a rootkit can hide its changes from tools running on the infected system, so a scan from rescue media is the more trustworthy one. If you are already experiencing this problem, take your computer to a professional who can replace the infected atapi.sys and clean any other malware from your computer.

References:

http://isc.sans.org/diary.html?storyid=8209

http://social.answers.microsoft.com/Forums/en-US/vistawu/thread/73cea559-ebbd-4274-96bc-e292b69f2fd1

DETAILED REPAIR INSTRUCTIONS
Using the Windows XP Recovery Console

1. Boot from your Windows installation CD


Insert your Windows installation CD and boot your computer. Use a CD at the same service pack level as the installed system if you have one, so that the replacement driver matches the rest of the system. If your computer is not set to boot from CD first, you may need to reconfigure your BIOS or press a boot menu key (often F12, F8 or Esc). If you are unsure of how to do this, consult your favorite geek. As soon as the boot starts, you should see a message like “Press any key to boot from CD…” – press a key.

2. Start the Recovery Console


After the CD loads (it may take a minute), you will be presented with a few choices. One of these options is to start a recovery by pressing “R”. Press “R” to launch the Recovery Console.

  • You may be asked to choose a Windows installation. If so, choose the damaged installation (probably “1”).
  • You may be prompted for the Administrator password. If you do not have one, press “Enter”.


3. Identify your CD drive letter


You should now be at the command prompt. Enter the following command:

map

Look for the drive letter for your CD drive. It may look something like this:

D: \Device\CdRom0

In this case, your CD drive is “D:”.

4. Replace ATAPI.SYS


The Recovery Console starts in the Windows directory of the installation you chose (usually C:\WINDOWS), so the first command below is relative to it. Enter the following, replacing “D:” with your CD drive:

cd system32\drivers
ren atapi.sys atapi.old
expand D:\i386\atapi.sy_

“expand” writes the decompressed driver into the current directory, which is why the infected copy is renamed first. If “ren” complains that atapi.old already exists (from an earlier attempt), delete that file and run the commands again. If the system has a service pack installed and the CD is older, the file %SystemRoot%\ServicePackFiles\i386\atapi.sys (if present) is a copy at the installed service pack level and can be copied into system32\drivers with “copy” instead of expanding the CD version.


You should see the message “1 file(s) expanded.” – this indicates you have succeeded.

5. Reboot and scan for malware


Reboot your computer. With a little luck, your computer will now boot normally. Because this problem is caused by malware, you should immediately scan your computer with up-to-date antivirus software, preferably from rescue media as well as from the running system, since a rootkit can hide from a scanner running on the infected machine. Keep the renamed atapi.old only as long as you need it for analysis; once the system is clean, the update can be installed (or reinstalled) safely.
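The repair above replaces atapi.sys blindly. When the affected volume is mounted from live media (the other recovery route mentioned earlier), it is worth checking first whether the installed driver actually differs from the spare copies Windows XP keeps, and rechecking after the repair. The script below is an added example written for this page, not code from the original post or from Microsoft: it hashes the installed driver and compares it with the copies in system32\dllcache and ServicePackFiles\i386 (standard XP locations) and, optionally, a known-good file such as one expanded from the install CD. It is meant to be run offline against the mounted volume, because a rootkit on the running system can serve a clean-looking file to any tool that reads it there. The layout built by make_demo_volume is constructed sample data so the script can be tried without a real volume.

```python
import hashlib
import sys
import tempfile
from pathlib import Path

# Where Windows XP keeps the installed driver and its spare copies, relative to
# the Windows directory. Assumption: a standard XP layout (these are the usual
# paths, not something taken from the blog post).
CANDIDATES = {
    "installed": ("system32", "drivers", "atapi.sys"),
    "dllcache": ("system32", "dllcache", "atapi.sys"),
    "servicepack": ("ServicePackFiles", "i386", "atapi.sys"),
}


def find_ci(base, parts):
    """Resolve a path one component at a time, ignoring case, because an NTFS
    volume mounted from live media may be exposed as case-sensitive."""
    cur = Path(base)
    for part in parts:
        if not cur.is_dir():
            return None
        match = next((c for c in cur.iterdir() if c.name.lower() == part.lower()), None)
        if match is None:
            return None
        cur = match
    return cur if cur.is_file() else None


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_atapi(windows_dir, known_good=None):
    """Hash every copy of atapi.sys found under windows_dir plus an optional
    known-good file. Returns (verdict, {name: sha256}) where verdict is:
      'suspect'       installed copy differs from at least one reference copy
      'consistent'    installed copy matches every reference found
      'no-reference'  nothing to compare against
      'missing'       installed driver not found
    Agreement between copies is not proof of cleanliness (malware can overwrite
    the spare copies too); disagreement is evidence of tampering. A reference
    from an older service-pack level than the system will differ benignly, so
    compare like with like."""
    hashes = {}
    for name, parts in CANDIDATES.items():
        p = find_ci(windows_dir, parts)
        if p is not None:
            hashes[name] = sha256_of(p)
    if known_good is not None:
        hashes["known_good"] = sha256_of(known_good)
    if "installed" not in hashes:
        return "missing", hashes
    refs = {k: v for k, v in hashes.items() if k != "installed"}
    if not refs:
        return "no-reference", hashes
    if any(v != hashes["installed"] for v in refs.values()):
        return "suspect", hashes
    return "consistent", hashes


def make_demo_volume(root, tamper=True):
    """Constructed sample data, not a real driver: build a miniature XP layout
    under root with a 'clean' atapi.sys in dllcache and ServicePackFiles and an
    installed copy that is either identical or patched with a few bytes."""
    root = Path(root)
    clean = b"MZ" + b"\x00" * 62 + b"placeholder standing in for a clean atapi.sys\n"
    infected = clean[:32] + b"\xeb\xfe" + clean[34:] + b"placeholder payload\n"
    for name, parts in CANDIDATES.items():
        p = root.joinpath(*parts)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(infected if (tamper and name == "installed") else clean)
    return root


def run_demo():
    """Dry run on the constructed layouts; returns the verdict for a tampered
    and for an untouched volume."""
    results = {}
    for label, tamper in (("tampered", True), ("clean", False)):
        with tempfile.TemporaryDirectory() as d:
            verdict, _ = check_atapi(make_demo_volume(d, tamper=tamper))
            results[label] = verdict
    return results


if __name__ == "__main__":
    # Usage: python check_atapi.py /mnt/xp/WINDOWS [known_good_atapi.sys]
    # Without arguments, runs against the constructed demo layout.
    if len(sys.argv) >= 2:
        verdict, hashes = check_atapi(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None)
        for name, digest in hashes.items():
            print(f"{name:12} {digest}")
        print("verdict:", verdict)
    else:
        print(run_demo())
```

A “suspect” result on the mounted volume is the cue to do the replacement above; a “consistent” result after the repair, with the expanded CD copy passed as the known-good file, confirms the new driver is in place. The hashes are also the thing to keep for the incident record, since the renamed atapi.old can then be matched against them later.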