atapi.sys rootkit - can't start computer


This evening, I ran my usual quick scan with Malwarebytes. To my astonishment, I was told I had a rootkit at C:\WINDOWS\system32\drivers\atapi.sys. Three registry entries were also involved. I told Malwarebytes to remove the checked items. It did so. Then a Malwarebytes box appeared saying something else was trying to do something, so I clicked on Quarantine. That happened several times, after which I rebooted, or tried to. Unfortunately, my computer could no longer boot up. I tried Start Windows Normally, and then I tried Go Back to Last Known Good Configuration, and then I tried Safe Mode. Nothing worked. I'm not able to boot the computer. I don't know what to do. FWIW, I'm running WinXP Pro SP2 and Malwarebytes Anti-Malware Pro with the most recent definitions.

All was well until this. I had no symptoms that suggested a problem. But right before this happened, I installed Sandboxie 3.40 on the computer. Part of the instructions were to temporarily disable any system protection. I did so. I then re-enabled the security programs immediately afterward and ran Malwarebytes, not because I thought there was a problem but just because I often run a quick scan at least once a day. That's when the rootkit problem was found.

Since I can't boot my computer, I can't run hijack this or anything else. (I'm writing this from an old laptop.) I really don't know what to do. I'd be most grateful for any help. Thanks in advance.


About half an hour ago Malwarebytes finished scanning and on my computer it also found a rootkit located at C:\WINDOWS\system32\drivers\atapi.sys... as well as three registry entries and a backup file. I was very surprised, but I have yet to actually take action because I think I just read that atapi.sys might actually be a required system file. The info could be wrong though, I'm no expert by far. I found a few recent virus posts on other sites about atapi.sys and that makes me think that this atapi.sys thing *might* be a false positive.

I really hope your problem can be fixed. I'm not sure if it's really a required file or if it can be restored. It might be easily fixed with a Windows CD. *Crosses fingers for you* Sorry that this post probably wasn't any help to you, but it may help bring attention to both of our problems with this potential rootkit. :)

Anyway, I'll be looking at this thread to see if I should leave these files alone or not.


The exact same thing just happened to me. I cannot boot my computer. I get a blue screen with error Stop: 0x0000007B. I have no idea how to resolve this. Some help would be nice. Like the original poster, I had no issues before this, and even another virus scan right before the Anti-malware scan found no problems.


Thanks VERY much for your response. I think you've done the right thing by not acting on the rootkit warning. After reading what you've said, I'm beginning to think that it may be a false positive. Even if it's not, by telling Malwarebytes to remove it, I seem to have made it impossible for Windows to boot up. I'm heartsick. I'm not sure that I have a Windows CD, nor how I might go about using it if I do.

I'm grateful to you for responding. Like you, I hope these postings may call attention to the problem and perhaps get one of the experts to help. There's yet another person tonight who also cannot load Windows after removing supposed Malware. I don't know whether he, too, had a warning about atapi.sys. If so, it sounds more and more as if it may be a false positive. Sigh.

I wasn't as clear as I should have been. My problem was precisely as yours. It was a warning about rootkits concerning atapi.sys.


I thought I'd add my five cents too.

I got the same warning about atapi.sys and three infected registry keys after my daily scan. Like all of you, I've had no problems with viruses or malware for over a year now, so this was rather surprising.

I checked the created / modified files and apparently it's been on my computer since 2004 (year of purchase) so I am a little reluctant to remove it. After hearing problems people are having with their computers after the removal, I'm inclined to say it is a false positive.

I am by no means an expert on the matter. So more information would be helpful before I come to a conclusion.


A couple more of us posted this same thing in the False Positives forum

http://www.malwarebytes.org/forums/index.p...view=getnewpost

I am not having any computer problems myself though because I took no action. I also posted a developer mode scan in the above thread.

I believe it to be a false positive.


You are very welcome. I definitely feel your distress about this; I've had so many computer problems within the last two years between hard drive failures and virus infections... it's impossible to know what websites are even safe to visit anymore! I tend to act on an impulse when I find something on my computer and usually want to quarantine or delete infections right away, especially if I see a rootkit warning (Geez!), and I am so glad I looked up information on these files before doing so.

I'm not very computer smart, but I will try to look up any information on this file and see if I can help you and eseb666 get your computers up and running again. I found a website with information on it. I'll read through it and if I find anything that might be useful, I will definitely post it so you can read it. I definitely value all the pictures, files, etc. on my computer, so I know how you feel. Best of luck.


OK, my solution worked. Here's what I did:

1) I made an Ultimate Boot CD for Windows. You will find downloads and instructions here: http://www.ubcd4win.com/howto.htm

You'll need a Windows CD and the package you download from the UBCD4Win website. If you have a laptop (or a friend's computer), you can do this easily. It was a very smooth process.

2) I started my poor desktop computer and went into BIOS by pressing DEL immediately. I then changed the boot order of the machine so that the DVD/CDROM is the first boot device.

3) I restarted the machine with the UBCD in the drive. This takes some time, but eventually, you will have a Windows OS running entirely from the CD. This will allow you access to your hard drive(s) and other media, like a USB drive.

4) I navigated to the MalwareBytes log files folder, C:\Documents and Settings\*your user name*\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs, and opened the most recent log file using the UBCD text editor. This contained a list of the registry keys deleted.

5) On my laptop, I opened RegEdit by clicking Start>Run and typing regedit. I navigated to the \atapi keys that had been deleted on my desktop. I right clicked on each key and chose "Export," then gave each exported file a descriptive name like "currentcontrolset". Regedit will save these keys and their subvalues as ".reg" files.

6) I put these files on a jumpdrive and plugged it into my desktop. UBCD's OS had no problem reading the drive. From there, in the UBCD OS, I chose Start>Program Files>Registry Editors>Regedit (remote). I was prompted to select from the User names on my system; I chose Administrator. This opened up a Regedit window.

7) I confirmed that the \atapi keys were, in fact, missing. Then, using Regedit's File>Import feature, I imported each of the .reg files on the jumpdrive.

8) I closed the programs and restarted and ..... Bob was my uncle! I mean... It started up normally.

Whew!

I hope this helps people....

Good luck!


I am having the same experience.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\atapi (Rootkit) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\atapi (Rootkit) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi (Rootkit) -> No action taken.

Files Infected:

C:\WINDOWS\system32\drivers\atapi.sys (Rootkit) -> No action taken.

I ran a scan with SuperAntiSpyware and found nothing.

Waiting for more info before taking any action.
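An added example, not code from any poster in this thread or from Malwarebytes. The earlier post describes reading the deleted keys out of the Malwarebytes log and re-importing them from .reg exports, and the log above shows what those entries look like. The script below parses log lines of that shape, flags findings that touch XP's boot-time storage drivers (the STOP 0x0000007B reported above is INACCESSIBLE_BOOT_DEVICE, the expected result of deleting one of them), and writes a .reg file that re-creates the atapi service key. The sample log, the boot-critical driver list and the atapi key values (Type, Start, ErrorControl, Tag, ImagePath, Group, DisplayName) are constructed or assumed here; when you can, export the key from a healthy XP machine of the same service pack instead, as dellengwyn did, since that export also carries the Parameters and Enum subkeys.

```python
"""Triage an MBAM log for boot-critical findings and build a .reg file that
re-creates a service key it removed.  Added example for this thread, not
Malwarebytes' code; sample log, driver list and key values are assumptions."""
import re
from typing import Dict, List, Tuple

# Constructed sample: findings section of an MBAM 1.x log after "Remove Selected"
# (the logs quoted in the thread still say "No action taken").
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\atapi (Rootkit) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\atapi (Rootkit) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi (Rootkit) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\drivers\atapi.sys (Rootkit) -> Quarantined and deleted successfully.
"""

# Kernel drivers in XP's boot-time storage stack: delete the service key or the
# .sys of any of them and the next boot stops with 0x0000007B.  Illustrative
# list, not exhaustive (an assumption of this example).
BOOT_CRITICAL_SERVICES = {"atapi", "intelide", "pciide", "pciidex", "disk",
                          "partmgr", "ftdisk", "mountmgr"}

# atapi service values on a stock XP SP2 box as assumed here: Type 1 = kernel
# driver, Start 0 = boot start, ErrorControl 1 = normal; Tag 0x19 (load order
# inside the "SCSI miniport" group) is likewise an assumption.
SERVICE_TEMPLATES = {
    "atapi": {"Type": 1, "Start": 0, "ErrorControl": 1, "Tag": 0x19,
              "ImagePath": r"system32\DRIVERS\atapi.sys",
              "Group": "SCSI miniport",
              "DisplayName": "Standard IDE/ESDI Hard Disk Controller"},
}

LOG_LINE = re.compile(r"^(?P<item>.+?) \((?P<verdict>[^()]+)\) -> (?P<action>.+?)\.?$")
SERVICE_KEY = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(?P<cset>ControlSet\d{3}|CurrentControlSet)"
    r"\\Services\\(?P<svc>[^\\]+)$", re.IGNORECASE)


def parse_log(text: str) -> List[Dict[str, str]]:
    """One dict per finding: section, item, verdict, action."""
    entries: List[Dict[str, str]] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):          # "Registry Keys Infected:", "Files Infected:"
            section = line[:-1]
            continue
        m = LOG_LINE.match(line)
        if m and section:
            entries.append({"section": section, **m.groupdict()})
    return entries


def boot_critical_hits(entries: List[Dict[str, str]]) -> List[str]:
    """Findings whose removal takes the boot volume with it.  Compare the file
    with a known-good copy (hash or Authenticode catalog) before acting on these."""
    hits = []
    for e in entries:
        item = e["item"]
        m = SERVICE_KEY.match(item)
        if m and m.group("svc").lower() in BOOT_CRITICAL_SERVICES:
            hits.append(item)
        elif not m and item.lower().endswith(".sys") and \
                item.rsplit("\\", 1)[-1][:-4].lower() in BOOT_CRITICAL_SERVICES:
            hits.append(item)
    return hits


def reg_expand_sz(value: str) -> str:
    """REG_EXPAND_SZ in .reg syntax: UTF-16LE bytes plus NUL, as hex(2):aa,bb,..."""
    return "hex(2):" + ",".join(f"{b:02x}" for b in (value + "\0").encode("utf-16-le"))


def build_reg(entries: List[Dict[str, str]]) -> Tuple[str, List[str]]:
    """.reg text re-creating each removed service key we have a template for.
    CurrentControlSet is a link resolved from HKLM\\SYSTEM\\Select at boot and
    does not exist in an offline hive, so it is skipped and reported."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    skipped = []
    for e in entries:
        m = SERVICE_KEY.match(e["item"])
        if not m or m.group("svc").lower() not in SERVICE_TEMPLATES:
            continue
        if m.group("cset").lower() == "currentcontrolset":
            skipped.append(e["item"])
            continue
        lines.append(f"[{e['item']}]")
        for name, value in SERVICE_TEMPLATES[m.group("svc").lower()].items():
            if isinstance(value, int):
                lines.append(f'"{name}"=dword:{value:08x}')
            elif name == "ImagePath":
                lines.append(f'"{name}"={reg_expand_sz(value)}')
            else:                        # plain REG_SZ; backslashes must be doubled
                lines.append(f'"{name}"="{value.replace(chr(92), chr(92) * 2)}"')
        lines.append("")
    return "\r\n".join(lines), skipped


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for hit in boot_critical_hits(found):
        print("boot-critical:", hit)
    reg_text, links = build_reg(found)
    print(reg_text, "\nskipped link keys (covered by ControlSetNNN):", links)
```

Two things worth noticing when you apply this. The log names both ControlSet001 and ControlSet003, so "Last Known Good Configuration" (which boots the control set named in HKLM\SYSTEM\Select\LastKnownGood) had no intact copy to fall back to; restoring both real control sets is what makes the next boot work, and CurrentControlSet then resolves to one of them by itself. For the file, Windows File Protection keeps a copy of atapi.sys in %SystemRoot%\system32\dllcache, and a later post in this thread copies it from another XP installation; hash the quarantined file against that copy before concluding it was ever anything but the stock driver.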


I have the same problem.

There is one twist on this. My computer has an older installation of Windows. A few years ago Windows XP crashed and I wound up reinstalling. The old, unstable version of Windows is still there and I can boot into it. Doing this I can edit the registry without needing to mess around with making the boot CD as above. As I'm running off of a different installation of Windows simply running regedit won't help to fix the registry which had the keys removed. Is there a simple utility I can download which will allow me to fix the registry in a different installation of windows?


I'm having the exact same problem. I suspect that, if you have a Boot CD, like Ultimate Boot CD for Windows (or can make one on another machine), you could probably put the registry entries back. I'm working on this, and I'll report back on it.

Thanks very much for your message. Unfortunately, whatever I did when I told Malwarebytes to remove the supposed malware and then quarantine the additional malware it claimed was trying to start has really totally disabled my computer. I do have both a reinstallation CD and a Drivers and Utilities CD that came with the computer AND an emergency boot disk that I made when I got an external hard drive. Unfortunately, I can't get the Drivers and Utilities disk or the Emergency Boot Disk to work. I'm very upset, especially about the emergency boot disk, since I thought if worst came to worst I could use an image I had made a month ago. Even better would be the ability to create an image NOW. But I can do neither, since I can't select any of the options on the disk. I'm feeling really despondent. I don't know what to do.


Please contact the help desk if you are experiencing this issue, and we will work through it with you.

To open a new ticket, simply send an e-mail to support@malwarebytes.org

Many thanks to the users who quickly brought this to our attention. :)

Also, all users should please update Malwarebytes' Anti-Malware's database to resolve this issue for the future.


I used a different method with the Ultimate Boot CD for Windows than dellengwyn. I selected a restore point and that brought everything back to normal.

Boot the UBCD4WIN CD, at the menu, select Launch "The Ultimate Boot CD for Windows"

once Windows is up, Start > Programs > Registry Tools > Registry Restore Wizard

Specify your Windows ( this should be already selected ) C:\WINDOWS click Next

What do you want to do? Select "Fix the system registry to that of a previous state" click Next

All of your restore points should be listed; I chose the latest one ( Restore Point 223 (11/10/2009 )) click Next

Are you sure? click Yes ( default answer is No )

A list of files that have been renamed is shown.

Click Finish

Start - Turn off computer - select Shutdown

Remove CD, reboot and select "Start Windows normally"

Regards,

Dave
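Added example, not Dave's steps or UBCD4Win's own code: this is what the Registry Restore Wizard's "Fix the system registry to that of a previous state" does on disk, so you can do it (or audit it) without the wizard. XP's System Restore keeps copies of the registry hives under System Volume Information\_restore{GUID}\RPnnn\snapshot; the script picks the highest-numbered restore point that has a SYSTEM hive, sets the current hives aside as .bak (the wizard's "list of files that have been renamed") and copies the snapshot hives into system32\config. The directory layout, the constructed sample tree and the helper names are assumptions of this example.

```python
"""Roll an offline XP registry back to its newest System Restore snapshot.
Added example for this thread, not the UBCD4Win wizard's code; the System
Restore layout and the sample tree below are assumptions of this example."""
import os
import re
import shutil
import tempfile
from pathlib import Path
from typing import List, Tuple

# Snapshot file -> hive file under %SystemRoot%\system32\config (XP layout).
HIVES = {
    "_REGISTRY_MACHINE_SYSTEM": "SYSTEM",
    "_REGISTRY_MACHINE_SOFTWARE": "SOFTWARE",
    "_REGISTRY_MACHINE_SAM": "SAM",
    "_REGISTRY_MACHINE_SECURITY": "SECURITY",
    "_REGISTRY_USER_.DEFAULT": "DEFAULT",
}
RP_DIR = re.compile(r"^RP(\d+)$")


def latest_restore_point(svi_dir: str) -> str:
    """Snapshot directory of the highest-numbered RPnnn under
    <svi_dir>\\_restore{GUID} that actually holds a SYSTEM hive."""
    best: Tuple[int, str] = (-1, "")
    for restore in os.listdir(svi_dir):
        base = os.path.join(svi_dir, restore)
        if not restore.startswith("_restore{") or not os.path.isdir(base):
            continue
        for rp in os.listdir(base):
            m = RP_DIR.match(rp)
            snap = os.path.join(base, rp, "snapshot")
            if m and os.path.isfile(os.path.join(snap, "_REGISTRY_MACHINE_SYSTEM")):
                best = max(best, (int(m.group(1)), snap))
    if best[0] < 0:
        raise FileNotFoundError("no usable restore point under " + svi_dir)
    return best[1]


def restore_hives(svi_dir: str, config_dir: str, dry_run: bool = True) -> List[Tuple[str, str]]:
    """Plan the swap as (snapshot_file, hive_file) pairs; with dry_run=False also
    perform it, keeping each replaced hive as <hive>.bak for later analysis.
    Only ever point this at a volume that is not the running Windows."""
    snap = latest_restore_point(svi_dir)
    plan = [(os.path.join(snap, s), os.path.join(config_dir, h))
            for s, h in HIVES.items() if os.path.isfile(os.path.join(snap, s))]
    if not dry_run:
        for src, dst in plan:
            if os.path.exists(dst):
                os.replace(dst, dst + ".bak")
            shutil.copy2(src, dst)
    return plan


def read_hive(config_dir: str, name: str) -> str:
    return Path(config_dir, name).read_text(encoding="utf-8")


def make_sample_tree() -> Tuple[str, str]:
    """Constructed stand-in for a broken XP volume: restore points 221 and 223
    carry SYSTEM and SOFTWARE snapshots, 222 carries none, and the live config
    directory holds a SYSTEM hive whose content is simply 'broken'."""
    root = tempfile.mkdtemp()
    svi = os.path.join(root, "System Volume Information")
    config = os.path.join(root, "WINDOWS", "system32", "config")
    os.makedirs(config)
    for n in (221, 223, 222):
        snap = Path(svi, "_restore{0000}", f"RP{n}", "snapshot")
        snap.mkdir(parents=True)
        if n != 222:
            for s, h in list(HIVES.items())[:2]:
                (snap / s).write_text(f"{h.lower()}{n}", encoding="utf-8")
    Path(config, "SYSTEM").write_text("broken", encoding="utf-8")
    return svi, config


if __name__ == "__main__":
    svi, config = make_sample_tree()
    for src, dst in restore_hives(svi, config, dry_run=False):
        print(src, "->", dst)
    print(read_hive(config, "SYSTEM"), read_hive(config, "SYSTEM.bak"))
```

Note what this rollback implies: all five hives go back to the restore point, not just the Services\atapi key, so anything installed after the chosen restore point (Sandboxie 3.40 in the original poster's case) loses its registry state even though its files stay on disk. The .bak copies keep the damaged hives for a later look at exactly what the scanner removed.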


Thanks, Dave! That seems to have done the job.


To original poster 'whatmeworry' and others with an unbootable computer:

Had the same and fixed it by putting back atapi.sys from another windooz installation.

Restored the registry with a boot into 'last known good configuration'.

I also used an Erunt backup but that should not be necessary.

Also, once booted into winz, in the anti-malware program I used the 'restore' function on the last action because possibly the .sys file was different from the one I put back.

Just in case you couldn't contact the help desk here for some reason.

So, you need a way to boot and a way to copy a valid atapi.sys file into c:\WINDOWS\system32\drivers.
