Published: 2010-02-11,
Last Updated: 2010-02-11 20:59:41 UTC
by Johannes Ullrich (Version: 1)
16 comment(s)

We have heard about reports that MS10-015 causes some Windows XP machines to blue screen. If you are seeing this issue, please let us know.

(I am filling in for Deborah on this diary as she is ironically busy dealing with lots of blue screens in her organization, which may be related)

See for example:

http://www.krebsonsecurity.com/2010/02/new-patches-cause-bsod-for-some-windows-xp-users/

and

http://social.answers.microsoft.com/Forums/en-US/vistawu/thread/73cea559-ebbd-4274-96bc-e292b69f2fd1


------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute


Comments

I have seen this on one of my workstations. Rebooted the workstation and everything seems fine.
posted by pwobbe, Thu Feb 11 2010, 15:55
Two PCs were updated. I found one not responding, part way through booting. Powered off and on, and it booted normally. The other PC had rebooted OK.
posted by Dick Rawson, Thu Feb 11 2010, 18:16
We updated 112 PCs last night, no problems at all.
posted by bertomatic, Thu Feb 11 2010, 18:22
67 machines updated, one BSOD. Rolled back KB977165 (MS10-015) on that one machine, rebooted and all was well.
posted by GuenTech, Thu Feb 11 2010, 20:17
I had an Eee PC with XP Home brought to me with this same problem. I rolled back KB977165, rebooted and the system worked fine. I reapplied KB977165 and the rest of the updates available at Microsoft Update, and the problem returned. I replaced \WINDOWS\System32\drivers\atapi.sys with a clean version from an XP SP3 distribution folder and rebooted... voila! Problem solved.

For reference, the SHA1SUMs of the atapi.sys files:

Non-working:
bb3e36ad0c8ed6daab38653ea4a942d74b9f4ff6

Working:
a719156e8ad67456556a02c34e762944234e7a44

If anyone wants to look at the non-working atapi.sys:
https://patrickwbarnes.com/pub/atapi.sys

I will be looking at this more in-depth.
posted by Patrick W. Barnes, Thu Feb 11 2010, 20:56
I uploaded the non-working atapi.sys to VirusTotal. Here's the result:

http://www.virustotal.com/analisis/85aa49f587f69f30560f02151af2900f3dc71d39d1357727ab41b11ef828a7ff-1265925529

Apparently, this update problem is the result of an infection.
posted by Patrick W. Barnes, Thu Feb 11 2010, 22:00
Patrick, just before your post I downloaded the atapi.sys from your site because nothing at Microsoft's site indicates that this driver would be replaced by MS10-015. My AV screamed. I turned it off and, more or less simultaneously with you, uploaded the file to virustotal, see http://www.virustotal.com/analisis/85aa49f587f69f30560f02151af2900f3dc71d39d1357727ab41b11ef828a7ff-1265925521

I wouldn't be surprised if the new kernel files, replaced by the MS10-015 patch, change (pointer) tables that are being exploited by certain types of malware (rootkits in particular), which cease to work 'correctly' after the patch.
posted by Bitwiper, Thu Feb 11 2010, 22:13
Based on the malware observation above, my best guess is that either malware, or legitimate software, that modifies (probably undocumented) in-memory kernel data, functions or (pointer-) tables, is causing XP systems to crash after applying MS10-015.
posted by Bitwiper, Thu Feb 11 2010, 22:38
I concur with Bitwiper's conclusion. It appears that, following this update, the references made by the malware-infected atapi.sys are broken, resulting in the crash.

The best advice to those who have not already applied the update is to perform virus scans with up-to-date antivirus software. The problem may not be isolated to the infection identified by the VirusTotal results above.

For those who are now facing this issue, replacing atapi.sys using the Windows Recovery Console or live media, then thoroughly scanning for and cleaning any other infected files should return the system to working order. As with any infection, I would recommend wiping and reloading the system if feasible.
posted by Patrick W. Barnes, Thu Feb 11 2010, 22:48
Kevin Hau of Microsoft has posted a recovery method for XP systems that do not reboot after the installation of KB977165, and the link to the MS Fixit KB article that mitigates the vulnerability that the update addresses, in this thread:
http://social.answers.microsoft.com/Forums/en-US/vistawu/thread/73cea559-ebbd-4274-96bc-e292b69f2fd1/

FWIW, I doubt that malware is involved in this issue but ... ya never know. <w>
posted by MowGreen, MVP Update Services, Thu Feb 11 2010, 23:44
Because antivirus software is likely not to be able to detect malware on a running rootkit-infected system (because the rootkit will 'cloak' its existence), this may help people (who've not patched yet) to determine if their PC is infected with the malware identified by Patrick W. Barnes. However, I need some help to make sure.

The length of the original XP SP3 atapi.sys file (which lives in c:\windows\system32\drivers\) is 96,512 bytes. The malware version on Patrick W. Barnes' website has the same length, so this doesn't help. Furthermore, most people don't understand "sha1sums" and do not have sha1sum.exe on their PC.

The binaries are mostly identical; the malware version has 4 bytes changed at the beginning of the file, while, interestingly, its version information block has been overwritten with the apparent malware code, probably leaving all original functionality intact.

Therefore, a modified atapi.sys by this particular malware can *probably* easily be identified on a running system by right-clicking c:\windows\system32\drivers\atapi.sys (Explorer must be configured to show system files): a *completely missing* Version tab in the file properties dialog box definitely means you've got a problem.

However, a present Version tab doesn't necessarily mean your system is okay. The malware *may* have saved the version info data to a separate file (or the registry) before overwriting the section in atapi.sys.

Therefore, I'm very interested to know if anyone observes missing version info in atapi.sys on an (unpatched, otherwise it would BSOD) XP PC.

Patrick, can you confirm a missing version info tab in atapi.sys' file properties dialog box on the *infected* EEE PC?
posted by Bitwiper, Fri Feb 12 2010, 00:55
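As an added example (not code from the diary or any commenter) of the triage Bitwiper describes above, built on the SHA1 sums Patrick W. Barnes posted: this Python check compares a copy of atapi.sys against the two quoted hashes and the 96,512-byte XP SP3 size, and looks for the UTF-16LE key "VS_VERSION_INFO" that heads every PE version resource, whose absence on disk is the counterpart of the missing Version tab. The sample blobs are constructed stand-ins, not real drivers, and Bitwiper's caveat still applies: a present version block does not prove the file is clean.

```python
import hashlib

# Values quoted in the comment thread above.
KNOWN_GOOD_SHA1 = {"a719156e8ad67456556a02c34e762944234e7a44"}  # clean XP SP3 atapi.sys
KNOWN_BAD_SHA1 = {"bb3e36ad0c8ed6daab38653ea4a942d74b9f4ff6"}   # tampered atapi.sys
XP_SP3_ATAPI_SIZE = 96512

# A PE version resource (VS_VERSIONINFO) starts with this UTF-16LE key;
# a file whose version block was overwritten no longer contains it.
VERSION_KEY = "VS_VERSION_INFO".encode("utf-16-le")


def triage_atapi(data: bytes) -> dict:
    """Classify an atapi.sys image: known-good, known-bad, suspicious, or unknown."""
    sha1 = hashlib.sha1(data).hexdigest()
    has_version_info = VERSION_KEY in data
    if sha1 in KNOWN_BAD_SHA1:
        verdict = "known-bad"
    elif sha1 in KNOWN_GOOD_SHA1:
        verdict = "known-good"
    elif not has_version_info:
        verdict = "suspicious"  # version block missing: the on-disk "no Version tab"
    else:
        verdict = "unknown"     # present version info is not proof of a clean file
    return {
        "sha1": sha1,
        "size": len(data),
        "size_matches_sp3": len(data) == XP_SP3_ATAPI_SIZE,
        "has_version_info": has_version_info,
        "verdict": verdict,
    }


def triage_file(path: str) -> dict:
    """Run the same triage on a file, e.g. a copy taken from a non-booting system."""
    with open(path, "rb") as fh:
        return triage_atapi(fh.read())


# Constructed samples (not real drivers): a minimal fake PE body with a version
# key, and the same bytes with the key overwritten in place so the length is unchanged.
SAMPLE_CLEAN = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 16 + VERSION_KEY + b"\x00" * 32
SAMPLE_TAMPERED = SAMPLE_CLEAN.replace(VERSION_KEY, b"\x90" * len(VERSION_KEY))

if __name__ == "__main__":
    for name, blob in (("clean-sample", SAMPLE_CLEAN), ("tampered-sample", SAMPLE_TAMPERED)):
        print(name, triage_atapi(blob))
```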
As the Eee PC has been cleaned, I cannot verify the missing version tab on it.

Anyone seeing this issue could roll back the update, reboot and check the atapi.sys file properties. I will do so if I get another chance.
posted by Patrick W. Barnes, Fri Feb 12 2010, 01:10
Thanks anyway Patrick!

Btw Google: atapi.sys rootkit
results in a lot of info; http://www.prevx.com/blog/139/Tdss-rootkit-silently-owns-the-net.html is a nice writeup of the Tdss malware which was identified in atapi.sys Patrick (and I) uploaded to virustotal.

Note that my question still stands: anyone observing a missing version tab in atapi.sys' file properties?
posted by Bitwiper, Fri Feb 12 2010, 01:20
I have updated my blog post on the subject with repair instructions:

https://patrickwbarnes.com/blog/2010/02/microsoft-update-kb977165-triggering-widespread-bsod/

I will expand those instructions as time permits and as more information becomes known.
posted by Patrick W. Barnes, Fri Feb 12 2010, 02:30
For anyone interested, I wrote a VBScript that reads a list of machines from an .xls, queries the atapi.sys file on each remote machine and records the MD5 checksum.

http://home.comcast.net/~jblizz/Atapi_MD5_Checker.zip
posted by jblizz, Fri Feb 12 2010, 16:52