Posted by & filed under Security, Windows / Server.

Last night Malwarebytes' Anti-Malware program flagged the Atapi.sys driver and its associated registry keys as malware, which is a false positive. As you may know, Atapi.sys is required by the storage subsystem in Windows, so deleting it will render the system unbootable.

If you have the "automatically restart on system failure" option checked in your system properties, your system will continuously reboot itself without showing an error. If that option is unchecked so the system stops instead of rebooting, you will see the STOP error 0x0000007B.

I have included a zip file with the following registry keys and atapi.sys (version 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)), taken from a fresh install of Windows XP SP2. Apparently the false positive only affects SP2 installations.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\atapi
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\atapi
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi

Files Infected:
C:\WINDOWS\system32\drivers\atapi.sys

A few ways to fix this:

Use another machine to load Atapi.Sys and Registry Keys

  1. Install the hard drive into another Windows computer and copy that computer’s good Atapi.sys driver (from Windows\System32\Drivers) to your hard drive. Or download the XP SP2 one here.
  2. Put the hard drive back into the original computer and select “Last known good configuration” to boot – this will restore the registry keys.
  3. If the “Last known good configuration” doesn’t work, you may try editing the registry hive of your installation via another computer. Put the hard drive into a second machine and load the hive within that machine’s registry editor. If you are uncomfortable doing this, create a LiveCD of Windows (below).

Make a BartPE or LiveCD of Windows

  1. Go to http://www.ubcd4win.com/howto.htm and follow the instructions to make a LiveCD of Windows. You can also use BartPE, but the following instructions may be different (http://www.nu2.nu/pebuilder/).
  2. From a known good machine, export the above 3 registry keys to a USB drive.
  3. From a known good machine, copy the atapi.sys driver from Windows\System32\Drivers to a USB drive. Or download the XP SP2 keys and atapi.sys here (zip).
  4. When the LiveCD loads (this will take a while), attach the USB key to the machine. Copy the atapi.sys to your machine’s Windows\System32\Drivers directory.
  5. In the LiveCD’s Windows environment, go to: Start>Program Files>Registry Editors>Regedit (remote).
  6. You will be prompted to select a user from your machine to edit. Most likely it is “Administrator.”
  7. Go to File and Import in the registry editor.
  8. Import each of the 3 .reg keys you exported from a known good machine.
  9. Restart your computer, taking out the LiveCD.
  10. Everything should work.

Use Windows Repair

I don’t like this option because it does not always work. You may also need to reinstall or fix some programs after this procedure.

  1. Put the Windows XP disc into the machine.
  2. When the machine boots into the Setup environment, it will give you the following options:
    To setup Windows XP now, press ENTER.
    To repair a Windows XP installation using Recovery Console, press R.
  3. Press ENTER, not R.
  4. On the next screen, it will detect a previous installation and ask if you want to repair it. Choose to do so.
  5. Windows will go through the setup by reinstalling all default options and drivers. You will need your Windows XP key.

14 Responses to “Malwarebytes Atapi.sys and Registry False Positives”

  1. SomeDude

    Helpful writeup. Sadly, I’ve tried several things, and still no luck. I had to use BartPE for this, so maybe that’s why it isn’t working for me, I don’t know. I couldn’t do Start>Program Files>Registry Editors>Regedit (remote), so I just typed regedit into a command prompt, and didn’t have to select a user. I tried importing from there, but I’m still afflicted, much to my dismay. I should mention that when I went to copy over atapi.sys, my system said it already existed. Any thoughts of what I should do different?

    Reply
  2. Chris

    With BartPE, if you go into regedit, you’ll need to open the hive of the main drive.

    Highlight HKEY_LOCAL_MACHINE and go to File -> Load Hive. Browse to your hard drive in C:\Windows\System32\Config and select the “SYSTEM” hive file (should be 3-8 MB or so). Once you select that, it will ask you for a name for that key…say “a” so as to not confuse. This loads the hive into the registry editor of BartPE…remember the registry you have in BartPE is the registry of the LiveCD…not your computer’s.

    Once you import, you’ll need to modify the registry files I provided to include that branch since the branch is now “a”. Open up the ControlSet001 and ControlSet002 files in Notepad and change the branch location. Between the two files there should be 5 places to modify.

    Where it says: [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\atapi]
    you’ll need to put [HKEY_LOCAL_MACHINE\a\ControlSet001\Services\atapi] as you’ve added it as branch “a” above. Save the .reg files as .reg again (notepad may try to default to .txt) and import the keys. Confirm the keys have been entered within your loaded hive in branch “a.” Once you’ve imported the two keys (don’t bother with CurrentControlSet as it is only needed when the system is booted), highlight branch “a” and go to File -> Unload Hive (You have to do this to save the changes!!!)

    Now restart your computer – this should work as long as those two registry keys made it into the correct place. Once the computer has started up and you are in Windows, re-import the keys (my original ones, not the branch “a” ones you created, as there will be no branch “a” anymore). The reason this needs to be done is that when you start the system and the registry is loaded into the CurrentControlSet, it may not save it when you shut down after the first time, and then your loops will start happening again.

    Reply
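The .reg rewrite described in the comment above (and implied by step 3 of the first fix, editing the hive from another machine) can be done with a short script instead of Notepad. This is an added example, not code from the post or its author; the branch name "a", the file names and the sample registry values are constructed assumptions, and it also drops the CurrentControlSet section, which has no target in an offline hive.

```python
r"""Retarget a Regedit .reg export at an offline SYSTEM hive loaded under
HKEY_LOCAL_MACHINE\<branch>. Added example; sample values are constructed."""
import re
from pathlib import Path

# Key header such as [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\atapi]
# or its deletion form [-HKEY_LOCAL_MACHINE\SYSTEM\...]; only the root changes.
_KEY_HEADER = re.compile(
    r"^\[(-?)(HKEY_LOCAL_MACHINE|HKLM)\\SYSTEM(\\[^\]]*)?\]$", re.IGNORECASE)

def retarget_reg_text(reg_text: str, branch: str = "a") -> tuple[str, int]:
    """Return (rewritten text, number of key headers rewritten). Value lines
    are copied untouched. Sections under CurrentControlSet are dropped: that
    key is a link that exists only on a booted system, not in an offline hive."""
    out, changed, skipping = [], 0, False
    for line in reg_text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        eol = line[len(body):]
        if body.startswith("["):  # a new key section starts here
            skipping = False
            m = _KEY_HEADER.match(body)
            if m:
                minus, _root, rest = m.groups()
                rest = rest or ""
                if rest.upper().startswith("\\CURRENTCONTROLSET"):
                    skipping = True
                else:
                    body = f"[{minus}HKEY_LOCAL_MACHINE\\{branch}{rest}]"
                    changed += 1
        if not skipping:
            out.append(body + eol)
    return "".join(out), changed

def retarget_reg_file(src: str, dst: str, branch: str = "a") -> int:
    """Regedit writes .reg exports as UTF-16 with a BOM; keep that encoding."""
    text = Path(src).read_text(encoding="utf-16")
    new_text, changed = retarget_reg_text(text, branch)
    Path(dst).write_text(new_text, encoding="utf-16")
    return changed

# Constructed sample export (values illustrative, not taken from the page).
SAMPLE_EXPORT = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\atapi]\r\n"
    '"Type"=dword:00000001\r\n"Start"=dword:00000000\r\n\r\n'
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Services\\atapi]\r\n"
    '"Type"=dword:00000001\r\n"Start"=dword:00000000\r\n\r\n'
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\atapi]\r\n"
    '"Start"=dword:00000000\r\n'
)
```

The returned count is the number of key headers that were retargeted, which is what the comment asks you to confirm by hand; remember to unload the hive afterwards so the changes are written.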
  3. Chris

    No problem. Glad I could help. Sorry about the bad spelling and poor video…it was pretty late at night and I was getting tired!

    Reply
  4. Bill

    Option #1 is the only one I think that will work for me as I have Win XP on a Toshiba laptop that came with Win XP preinstalled. So I do not have a Win XP disk or recovery disk. I can take the HDD drive out of the BSOD laptop, but I’m unclear as to how to set it up on my other laptop. I’m going to need a sata cable I assume and then what? Is there such a thing as a sata cable that can connect to a USB port? And would I be able to copy and paste the needed files that way? Thanks for any help.

    Reply
  5. Marc

    Hi,
    Option nr 3 advises to select ENTER not R. Will this not result in a complete re-installation, losing all personal files and requiring a reinstallation of all non-XP programs afterwards? As a rookie I would select R to simply REPAIR (a previous version?). I did not try any of the options yet, because I want to make sure I don’t take the wrong decision here. Can you help me out here?
    Thanks in advance.
    Marc

    Reply
  6. Chris

    Hi Marc,

    When you press ENTER at the first prompt, you are bypassing the manual repair console and going to the Windows XP setup – there you can install a fresh copy of Windows (not recommended) or have Windows automatically repair an old installation (what you want). If the setup does not detect an old installation for repair at the next prompt, then I would recommend you take the machine in to get fixed. Mention the Malwarebytes issue so they can narrow it down.

    Doing the manual repair of Windows by pressing R at the first prompt is far beyond any instructions I can give online. Doing the automatic repair at the next prompt (after pressing ENTER) is similar to doing an in-place upgrade. It will reinstall all your system files and replace your registry. Your files on your computer will still be there, but unfortunately you will need to reinstall many of your programs. Some programs, such as Office, will automatically re-generate new registry keys upon opening after the repair.

    If you are at any point uneasy in doing the steps above, call an IT person and have them fix it for you. As these are tips for more advanced users, I would not want to see you make a mistake.

    Reply
  7. Peter

    I seem to be stuck. I made a LiveCD with BartPE and I’m not sure what to do once I get to the BartPE splash page. I plug in my USB drive but nothing happens. And in the \GO\ menu I can’t seem to figure out how to copy the reg and sys files over.

    Reply
  8. Peter

    I changed the bootup order so now I can see the USB drive and the files, but the system32 folder is not listed. The “C:” drive is listed as the USB drive and there is no C: drive for the computer listed.

    Reply
  9. Peter

    Okay I used UBCD4Win and was able to add the .sys and .reg files but it still doesn’t work. I’m still getting the BSOD. I tried to do the System Recovery as well but that won’t work either since it says XP is not installed or it says there is no hard disk drive.

    Reply
  10. Chris

    Peter – Could it be that you have an additional underlying issue with your computer? If the System Recovery on the Windows XP CD indicates there is no hard drive, or that it cannot find an existing copy of Windows XP, you may have a corrupt hard drive, or the hard drive itself could be failing/failed.

    Do you have any way of connecting your hard drive to another computer as a secondary drive and removing all of your important files?

    Reply
  11. Peter

    Luckily I can take off some of the files once I log into the LiveCD Windows environment. I don’t see what could have happened with the hard drive. Everything was fine until I ran Malwarebytes and it deleted the atapi files. I’ve read that I could try a slipstream CD (not sure what it is, but it is a suggested solution).

    Reply
