This past February, before I put this blog online, I had an issue with some of my customers’ computers. Some of my customers called me asking for help because their computers wouldn’t load. They said their computers kept rebooting. I know it’s been almost a month now, but I think this issue deserves a post in this blog.
After troubleshooting the issue I traced down the source of the problem to a Microsoft update. More specifically to update KB977165/MS10-015. As soon as I removed this update the computer was able to load windows perfectly fine.
This was odd though. Other computers where the same update was installed didn’t have this issue. This indicated that the problem was caused by something else – not the Microsoft Update. I scanned the computer for viruses and found nothing. I re-installed the update and the computer entered the boot loop once again. After some more troubleshooting I traced the cause of the stop error to the file %System32\drivers\atapi.sys. There was a problem with this file. It had to be infected. I uploaded the file to virustotal.com, and the results came back clean in all but one of the scans. It just said that it was probably infected with a root kit, but it wouldn’t give me more information.
This made sense. Rootkits are designed to hide themselves or other malware from antivirus applications. This is probably why the anti-virus scan I ran didn’t catch anything.
I decided to take a different approach, and I took the hard-drive out of the computer. I connected the hard-drive to another computer and scanned it using an up to date anti-virus (Kaspersky). The scan found several items and cleaned them successfully. One of the infected files was atapi.sys. After this, I installed the update and the computer didn’t reboot again.
So there you have it. The problem was caused by a an infection on the PC.
My suspicions were later confirmed by Microsoft. They apparently took some customers’ computers with them to check them and found the source of the problem. They state on their security response blog that the problem was caused by the Alureon root kit.
They state on their blog:
the presence of Alureon does not allow for a successful boot of the compromised system. The Windows Engineering team continued testing different configurations, as well as retesting several third party applications, leading to our firm conclusion that the blue screen issue is the result of the Alureon rootkit.
So there you have it. They later released a version of the update that does not install if it detects the system is in a state that will cause it to enter this reboot loop.
If you are a victim of this problem, make sure your computer is free from infection. Microsoft recommends to re-install your operating system if you cannot get rid of the infection.
I don’t think this is necessary. If you are in the Phoenix Arizona area and need assistance with this issue, you can contact us and we will gladly help you.