atapi.sys rootkit - can't start computer


This also checks out.

Just an FYI, but I see copies of atapi.sys in

C:\Windows\ServicePackFiles\i386

C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989

It's also on the CD (any version) as \I386\ATAPI.SY_ and can be extracted using the expand command. So if your CD/DVD drive is D: then:

EXPAND -R d:\I386\atapi.sy_ C:\WINDOWS\system32\drivers\atapi.sys

Well, I seem to be having rotten luck. Still waiting to hear back from support about a fix, so I've been trying to get things to work with no luck. UBCD4WIN creates too many errors when I try to build with it, so I can't create one. I did create a BartPE disc as an alternative suggested by the IIS Hacks article, but I think I must be doing something wrong.

I posted a comment on his article which essentially said that the only way I could access the registry editor was by typing regedit.exe in a command window, but I receive nothing about user choices. I tried just importing the 3 files from there, but that didn't work. Also, there was already a copy of atapi.sys where I was supposed to copy the new one to (copied it over anyway, though). If anyone has any ideas I'd love to hear them.


  • Staff
Well, I seem to be having rotten luck. Still waiting to hear back from support about a fix,
Everyone has had initial replies. There are none currently sitting awaiting attention.

We're still working on a fix and this takes time.

Consequently, helpdesk is backed up much more than I'm happy with. Gonna be an all nighter.

Link to post
Share on other sites

BlahBlahBlah,

You may have been editing the registry of the LiveCD and not the local hive through BartPE. Here is the comment on IIS Hacks in response to yours. The key is to load the hive off your hard drive and then import the keys, but they will have to reflect the new location, so the keys will need to be modified to be imported - otherwise you'll simply import them into the LiveCD's registry.

"With BartPE, if you go into regedit, you


OK, my solution worked. Here's what I did:

1) I made an Ultimate Boot CD for Windows. You will find downloads and instructions here: http://www.ubcd4win.com/howto.htm

You'll need a Windows CD and the package you download from the UBCD4Win website. If you have a laptop (or a friend's computer), you can do this easily. It was a very smooth process.

2) I started my poor desktop computer and went into BIOS by pressing DEL immediately. I then changed the boot order of the machine so that the DVD/CDROM is the first boot device.

3) I restarted the machine with the UBCD in the drive. This takes some time, but eventually, you will have a Windows OS running entirely from the CD. This will allow you access to your hard drive(s) and other media, like a USB drive.

4) I navigated to the MalwareBytes log files folder, C:\Documents and Settings\*your user name*\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs, and opened the most recent log file using the UBCD text editor. This contained a list of the registry keys deleted.

5) On my laptop, I opened RegEdit by clicking Start>Run and typing regedit. I navigated to the \atapi keys that had been deleted on my desktop. I right clicked on each key and chose "Export," then gave each exported file a descriptive name like "currentcontrolset". Regedit will save these keys and their subvalues as ".reg" files.

6) I put these files on a jumpdrive and plugged it into my desktop. UBCD's OS had no problem reading the drive. From there, in the UBCD OS, I chose Start>Program Files>Registry Editors>Regedit (remote). I was prompted to select from the User names on my system; I chose Administrator. This opened up a Regedit window.

7) I confirmed that the \atapi keys were, in fact, missing. Then, using Regedit's File>Import feature, I imported each of the .reg files on the jumpdrive.

8) I closed the programs and restarted and ..... Bob was my uncle! I mean... It started up normally.

Whew!

I hope this helps people....

Good luck!
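The key-path rewrite that the earlier reply says is needed before importing exported keys into a hive loaded off the damaged disk (and the control-set mismatch behind the questions that follow), as an added Python example that is not code from this thread or from Malwarebytes. It assumes the desktop's SYSTEM hive has been loaded under HKEY_LOCAL_MACHINE\MBAM_SYSTEM (a name chosen here) and that its Select\Current value is 1, which is what CurrentControlSet must be mapped to because that link only exists in a live hive; the .reg text is constructed.

```python
import re

# Constructed sample of what regedit on a healthy XP machine exports for the atapi
# service key (trimmed to three values; Start=0 means the driver is boot-start).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi]
"Type"=dword:00000001
"Start"=dword:00000000
"Group"="SCSI miniport"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\atapi]
"Start"=dword:00000000
'''

# A key header line: optional leading '-' (which tells regedit to delete the key),
# the HKLM root, the SYSTEM hive name, then the remainder of the path.
KEY_LINE = re.compile(r"^\[(-?)(?:HKEY_LOCAL_MACHINE|HKLM)\\SYSTEM(\\[^\]]*)?\]$", re.I)


def remap_reg(text, mount_name="MBAM_SYSTEM", current_set=1):
    """Rewrite every key header so it targets the offline hive loaded as
    HKEY_LOCAL_MACHINE\\<mount_name> instead of the LiveCD's own SYSTEM hive.
    CurrentControlSet is a symbolic link that an offline hive does not have, so
    it is rewritten to the real ControlSet00<current_set> (taken from Select\\Current)."""
    out = []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            minus, rest = m.group(1), m.group(2) or ""
            rest = re.sub(r"^\\CurrentControlSet(?=\\|$)",
                          lambda _m: "\\ControlSet%03d" % current_set, rest, flags=re.I)
            line = f"[{minus}HKEY_LOCAL_MACHINE\\{mount_name}{rest}]"
        out.append(line)  # value lines and the header line pass through untouched
    return "\n".join(out) + "\n"


def key_paths(text):
    """Return the key headers of a .reg file in order, so you can see which control
    sets an export actually contains before deciding what to import."""
    return [l[1:-1] for l in text.splitlines() if l.startswith("[") and l.endswith("]")]


if __name__ == "__main__":
    print(remap_reg(SAMPLE_REG))
```

Regedit writes .reg files as UTF-16 with a BOM, so when applying this to a real export read and write the file with encoding "utf-16".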

I'm actually trying this out. I'm not that good with computer programs so just following advice here.

Have a few questions though:

1. Will restoring the registry keys allow me to boot up my PC without any more problems, since the atapi system files were also deleted? And I've already tried copying the said atapi files from my laptop first and the computer still won't boot up.

2. Checking on the UB4W regedit, the reg files deleted were control sets 001, 002, 003 and the current control set, but on my laptop there are only control sets 001 and 002 as well as the current control set. Is it OK if I don't export the 003 file since I do not have it on my laptop?


Here is a flash video regarding editing the registry by loading a non-local hive, no audio, just a reiteration of the above post to go along with the write-up for better clarification.

http://www.iishacks.com/wp-content/uploads...gistry-edit.swf

Thanks for the response. I imported the control sets 001 and 002 and also the currentcontrolset (didn't see your post before I imported them) and my computer was able to boot up. Been checking up on it and most of the programs and files there work. Do I have to restore the atapi files and registry files that MBAM deleted? Or since the computer is working properly, just let it stay as it is?


Thanks for the response. I imported the control sets 001 and 002 and also the currentcontrolset (didn't see your post before I imported them) and my computer was able to boot up. Been checking up on it and most of the programs and files there work. Do I have to restore the atapi files and registry files that MBAM deleted? Or since the computer is working properly, just let it stay as it is?

I fixed 3 people's machines, and two of them required me to re-import the keys after. There are some instances when editing a registry from a different machine that the registry keys will not be saved into the last known good config after first bootup. If you can restart your computer once after doing this and it works, then it works. But if it worked once and you restarted and then it didn't work again... that would be your problem.

I felt horrible because these 3 people all had asked for my advice on a good antivirus/malware program and I told them run Avast and Malwarebytes together...


I fixed 3 people's machines, and two of them required me to re-import the keys after. There are some instances when editing a registry from a different machine that the registry keys will not be saved into the last known good config after first bootup. If you can restart your computer once after doing this and it works, then it works. But if it worked once and you restarted and then it didn't work again... that would be your problem.

I also ran into that. It booted up after editing the registry but later I tried rebooting to make sure all was fixed. On the first reboot it did not work. I repeated the procedure to edit the registry and import the keys again. Since then it has been working fine.


Hi. Since my posting a hundred years ago (well, three days ago :) ) started this thread, I thought I should post again just to say that Tom Mercado of the Malwarebytes support staff got back to me quickly, suggested I use the WinXP Pro reinstall disk to do a repair install, provided detailed instructions, and answered all my questions. It took a while, but I'm happy to report that all now seems well (knock on wood, salt over my shoulder).

Ironically, had I not found Malwarebytes Anti-Malware Pro to be so extraordinarily reliable in the past, I probably would have been more skeptical when it reported that I had a rootkit. I guess I've learned that I should always be skeptical. Still, though I can no longer say that Malwarebytes has never given me a false positive, I'm very impressed yet again with the company. They responded very quickly to the error, corrected their database, publicized the problem, and provided genuinely useful and extended help to people like me who needed it. Many thanks to Tom and to others on the Malwarebytes staff and also to several forum members who provided help and moral support.


  • Staff
Thanks.

Sent another email earlier today.

I will try the PM route.

There are currently no tickets unanswered on this issue, please PM me your email details, what email you used and user name so forth.

Please contact the help desk if you are experiencing this issue, and we will work through it with you.

To open a new ticket, simply send an e-mail to support@malwarebytes.org

How long before I get a reply to my email requesting help on this???? So far, no reply......

...glen


MB have been excellent so far in trying to help me to resolve this issue on my son's laptop (I only had recovery disks and not a Windows XP CD), so they have sent me instructions on how to compile and run a recovery console.

However, I'm thinking that I've missed something.

Recovery CD created as I was instructed to - on the CD is a folder (I386) and 3 files (WIN51, WIN51IC, WIN51IC.SP2).

I've got the machine to boot from CD and got as far as the C:\WINDOWS> prompt without issue.

Then I type in cd system32\config, which seems to be fine and changes directory to C:\WINDOWS\system32\config>.

However, when I type in the next command, ren system system.mbam, I get a message saying 'The system cannot find the file or directory specified',

so I can get no further.

Looking at what's in the directory within this folder, I can see the system.mbam file and also system.LOG, system.sav and that's it.

Can anybody help? Did anyone else following the instructions hit the same issue?


Greetings :)

If the command you stated as ren system system.mbam is accurate and you can see the system.mbam directory, then it sounds like the command already completed successfully, because the ren command is used to rename: the first part of the command, system, would be the folder you are renaming, and the desired name for the folder, based on that command, would be system.mbam.


Greetings :)

If the command you stated as ren system system.mbam is accurate and you can see the system.mbam directory, then it sounds like the command already completed successfully, because the ren command is used to rename: the first part of the command, system, would be the folder you are renaming, and the desired name for the folder, based on that command, would be system.mbam.

OK, thanks for that.

Next instruction I've been asked to type in is

copy ..\..\repair\system .

but again I get the 'The system cannot find the file specified' warning.


I believe the appropriate command would be copy cd ..\..\repair\system because, as I understand it, ..\ is only used when changing directories, which is what cd represents (change directory). ..\ means that you are accessing the parent directory of the current folder you are in; for example, if you are in C:\Windows\System32, then typing cd ..\ would take you up to C:\Windows.


I believe the appropriate command would be copy cd ..\..\repair\system because, as I understand it, ..\ is only used when changing directories, which is what cd represents (change directory). ..\ means that you are accessing the parent directory of the current folder you are in; for example, if you are in C:\Windows\System32, then typing cd ..\ would take you up to C:\Windows.

Thanks. That seems to make sense, as I imagine the point is to copy a fresh 'system' file (or files) from the recovery CD onto the laptop.

I'll give that a go.
