Last night Malwarebytes’ Anti-Malware program reported a false positive on the atapi.sys driver and its associated registry keys. As you may know, atapi.sys is required by the storage stack in Windows, so deleting it renders the system unbootable.
If the reboot-on-error option is checked in your system properties, the machine will reboot itself continuously without ever displaying an error. If it is set to stop on the error instead, you will see STOP error 0x0000007B.
I have included a zip file with the following registry keys and atapi.sys (5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)) taken from a fresh install of Windows XP SP2. Apparently it only affects SP2 installations.
Registry Keys Infected:
A few ways to fix this:
Use another machine to load Atapi.Sys and Registry Keys
- Install the hard drive into another Windows computer and copy that computer’s known-good atapi.sys driver (from Windows\System32\Drivers) onto your hard drive. Or download the XP SP2 one here.
- Put the hard drive back into the original computer and select “Last known good configuration” to boot – this will restore the registry keys.
- If “Last known good configuration” doesn’t work, you can edit the registry hive of your installation from another computer: put the hard drive into a second machine and load the hive in that machine’s registry editor. If you are uncomfortable doing this, create a LiveCD of Windows (below).
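The offline-hive route in the last step has a trap: a .reg file exported from the good machine names HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\..., so importing it while the damaged hive is loaded under a different key silently edits the helper machine’s own registry instead of the broken installation’s. This added example (not from the original post) rewrites the exported key headers for the loaded hive; it assumes the hive was loaded as HKLM\OfflineSys with reg load, and the sample .reg text below is constructed, not the post’s zip.

```python
import re

# Key header of a .reg export, e.g. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi];
# a leading "-" marks a key deletion and is preserved. Only HKLM\SYSTEM headers are accepted.
SYSTEM_HEADER_RE = re.compile(r"^\[(-?)HKEY_LOCAL_MACHINE\\SYSTEM(\\.*)?\]$", re.IGNORECASE)


def rewrite_reg_for_offline_hive(reg_text, mount_key, control_set="ControlSet001"):
    """Retarget key headers so a regedit import lands in the loaded offline hive.

    mount_key:   name the broken installation's SYSTEM hive was loaded under
                 (assumed here: reg load HKLM\\OfflineSys D:\\Windows\\System32\\config\\system).
    control_set: an offline hive has no CurrentControlSet link, so pass the real
                 set; read it from HKLM\\<mount_key>\\Select\\Current (1 -> ControlSet001).
    A header outside HKLM\\SYSTEM is refused: importing it would edit the HOST
    machine's registry, not the hive you loaded.
    """
    out = []
    for line in reg_text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            m = SYSTEM_HEADER_RE.match(line)
            if not m:
                raise ValueError(f"refusing key outside HKLM\\SYSTEM: {line}")
            delete, rest = m.group(1), m.group(2) or ""
            rest = re.sub(r"^\\CurrentControlSet(?=\\|$)", lambda _: "\\" + control_set,
                          rest, flags=re.IGNORECASE)
            line = f"[{delete}HKEY_LOCAL_MACHINE\\{mount_key}{rest}]"
        out.append(line)  # value lines, continuations and blanks pass through unchanged
    return "\r\n".join(out) + "\r\n"  # regedit writes CRLF line endings; keep them


def rewrite_reg_file(src, dst, mount_key, control_set="ControlSet001"):
    """Same transform on disk; regedit exports .reg files as UTF-16 with a BOM."""
    with open(src, encoding="utf-16") as f:
        text = f.read()
    with open(dst, "w", encoding="utf-16", newline="") as f:
        f.write(rewrite_reg_for_offline_hive(text, mount_key, control_set))


# Constructed sample export (not the post's zip): the atapi service key as a
# boot-start driver (Start=0); ImagePath is a hex(2) value split across two lines.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi]
"Type"=dword:00000001
"Start"=dword:00000000
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,00,\
  49,00,56,00,45,00,52,00,53,00,5c,00,61,00,74,00,61,00,70,00,69,00,2e,00,73,00,79,00,73,00,00,00
"""
```

After importing, unload the hive (reg unload HKLM\OfflineSys) before moving the drive back, or the changes may not be flushed to disk.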
Make a BartPE or LiveCD of Windows
- Go to http://www.ubcd4win.com/howto.htm and follow the instructions to make a LiveCD of Windows. You can also use BartPE (http://www.nu2.nu/pebuilder/), but the following steps may differ.
- From a known good machine, export the above 3 registry keys to a USB drive.
- From a known good machine, copy the atapi.sys driver from Windows\System32\Drivers to a USB drive. Or download the XP SP2 keys and atapi.sys here (zip).
- When the LiveCD loads (this will take a while), attach the USB key to the machine and copy atapi.sys into your installation’s Windows\System32\Drivers directory.
- In the LiveCD’s Windows environment, go to: Start>Program Files>Registry Editors>Regedit (remote).
- You will be prompted to select a user from your machine to edit. Most likely it is “Administrator.”
- Go to File and Import in the registry editor.
- Import each of the 3 .reg keys you exported from a known good machine.
- Remove the LiveCD and restart your computer.
- Everything should work.
Use Windows Repair
I don’t like this option because it does not always work. You may also need to reinstall or fix some programs after this procedure.
- Put the Windows XP disc into the machine.
- When the machine boots into the Setup environment, it will give you the following options:
To setup Windows XP now, press ENTER.
To repair a Windows XP installation using Recovery Console, press R.
- Press ENTER, not R.
- On the next screen, it will detect a previous installation and ask if you want to repair it. Choose to do so.
- Windows will go through the setup by reinstalling all default options and drivers. You will need your Windows XP key.