atapi.sys rootkit - can't start computer

  • Staff
There are instructions here (there is also a zip file of the registry keys and atapi.sys from Windows XP SP3):

http://www.iishacks.com/index.php/2009/11/...alse-positives/

Users are warned that Malwarebytes cannot be responsible for any instructions provided by a member of the community, rather than by a member of Malwarebytes' support staff. We recommend users please contact our help desk at support@malwarebytes.org to resolve this issue.

Same thing happened to me last night. MBAM found this rootkit > quarantined the files > BSOD.

I didn't realize it was a false positive but thought the "rootkit" had eaten my drive. Unfortunately, I tried fixing my install with the recovery option on the Windows CD. Being an Sp1 disk, that really messed up the installation and did not fix the BSOD. I'm reinstalling windows now.

What's the procedure here for the future? This is the first time a security program has trashed my installation. I guess the lesson is: next time this comes up, find a way to read the log, search for the issue online and try repairing the specific files as previously noted.

This was a very time-expensive mistake. MBAM is supposed to be very good, though it had never come into play on my PC before now. First time it's found anything.

Ouch.

There are instructions here (there is also a zip file of the registry keys and atapi.sys from Windows XP SP3):

http://www.iishacks.com/index.php/2009/11/...alse-positives/

I would also like users to note that this issue only occurred on installations of Windows XP running Service Pack 2, and the instructions linked above recommend using files from Service Pack 3. While this may work fine, note that it is typically not a good idea to use files from a Service Pack other than the one you have installed. If you follow those instructions, and they work, then please update to Service Pack 3 after doing so.


Same thing happened to me last night. MBAM found this rootkit > quarantined the files > BSOD.

I didn't realize it was a false positive but thought the "rootkit" had eaten my drive. Unfortunately, I tried fixing my install with the recovery option on the Windows CD. Being an Sp1 disk, that really messed up the installation and did not fix the BSOD. I'm reinstalling windows now.

What's the procedure here for the future? This is the first time a security program has trashed my installation. I guess the lesson is: next time this comes up, find a way to read the log, search for the issue online and try repairing the specific files as previously noted.

This was a very time-expensive mistake. MBAM is supposed to be very good, though it had never come into play on my PC before now. First time it's found anything.

Ouch.

Despite having another close call like this one, MBAM is still one of my favorite anti-malware programs. In early June of this year, MBAM had actually told me c:\WINDOWS\system32\taskmgr.exe on my computer was a Trojan Downloader, so I had quarantined that file. Thankfully, I was taught to wait a month or two before actually deleting files detected as viruses, because I quickly learned that this file was the actual file that brought up the Task Manager (the screen that comes up when you press Ctrl+Alt+Del). The day after, I restored the file back to its location and my computer worked fine again. I updated MBAM, scanned the file and learned it was a false positive. That was the day I decided I'd look up files before quarantining them. However, if I had done that in this case, I would have lost my computer like all these poor people in the thread.

I understand that MBAM is a free program and it's not perfect. It has saved my computer many times in the past when the 3 other programs I use couldn't detect any infections. This incident does make me a little nervous and reluctant though... but at least I know that from now on I should ask professionals before even quarantining or at least look up information on the file it's detecting.

I scanned this morning after updating and doing a quick scan and so far the false positives do seem to be corrected. I'll do a full scan later tonight to make sure.

Whatmeworry, please let us all know how it goes. Best of luck to those who are having problems booting up their computers.


Malwarebytes Anti-Malware has an excellent track record and, as is evident with this issue, a quick response to rectify and provide support.

False detections can happen even with major anti-virus vendors.

A prime example I recall was the Flooder.Ake false positive that was seen on December 6th, 2006 and only affected Windows XP/2000 users with AVG anti-virus. The issue was caused by a bug in the scanning engine which gave a false detection of winlogon.exe. If the winlogon.exe file was moved to quarantine or deleted and then the computer was restarted, it would get stuck in an infinite loop trying to reboot. The false detection was quickly resolved but many users suffered from damaged systems.

I would like to extend thanks to the entire MBAM team for their dedicated support efforts and diligent research work.


I have the same problem with the Atapi rootkits.

No CD of XP to use.

Can't use my PC.

You can use your PC.

Have yourself, on a different computer, or a friend burn you a copy of a bootable Linux, then it's possible you can fix the problem or delete the nasty files, right?

Malwarebytes Anti-Malware has an excellent track record and, as is evident with this issue, a quick response to rectify and provide support.

False detections can happen even with major anti-virus vendors.

A prime example I recall was the Flooder.Ake false positive that was seen on December 6th, 2006 and only affected Windows XP/2000 users with AVG anti-virus. The issue was caused by a bug in the scanning engine which gave a false detection of winlogon.exe. If the winlogon.exe file was moved to quarantine or deleted and then the computer was restarted, it would get stuck in an infinite loop trying to reboot. The false detection was quickly resolved but many users suffered from damaged systems.

I would like to extend thanks to the entire MBAM team for their dedicated support efforts and diligent research work.

Well said and I would also like to thank the MBAM team. :)


Please contact the help desk if you are experiencing this issue, and we will work through it with you.

To open a new ticket, simply send an e-mail to support@malwarebytes.org

Also, all users should please update Malwarebytes' Anti-Malware's database to resolve this issue for the future.


I would also like users to note that this issue only occurred on installations of Windows XP running Service Pack 2, and the instructions linked above recommend using files from Service Pack 3. While this may work fine, note that it is typically not a good idea to use files from a Service Pack other than the one you have installed. If you follow those instructions, and they work, then please update to Service Pack 3 after doing so.

The IIS Hacks one worked for me. It was the SP2 files. Author fixed that.

I only had to replace the atapi.sys and use "last known good configuration" when I booted up pressing F8.


Same here :), no answer yet. Could someone fix this problem even if you had an encrypted drive? Thanks!

It's going to be hard, if not impossible, to fix without being able to decrypt the drive.

Did you encrypt it with third-party software, or through Windows XP's built in filesystem encryption?


Waiting to hear back from support too. Last contact was early this morning. I'm also one of those with no boot-up CD, just the system restore disc that came with the computer, which really is a last resort for me. I only deleted the file because the programme has been so good in the past and helped me get rid of that Antivirus Pro virus that was going around. I didn't give it a thought when it found the atapi.sys rootkit problem and so went ahead and deleted it. Now I'm in a world of hurt!!!

Hopefully something will be sorted for us non-computer-savvy people soon!

Thanks

Jason

  • Staff

Support has been answering tickets as quickly as they can, looking for users specifically with this issue and getting them answered first ahead of any others that come in.

We appreciate your patience as we also try to take care of the rest of the users who also have issues needing attention.


It was encrypted with third-party software, called Pointsec. Thanks for your support.

There seems to be information at this link about creating a BartPE disk with a Pointsec plugin. If that information is correct, then you might be able to use that tutorial to create a UBCD4Win disk and restore your registry from a previous restore point.

If accessing a Pointsec encrypted hard drive offline like that is as easy as it sounds, note that you may want to look into other methods of encryption. :)
