Can I Copy Individual Files From the XP Install CD

Originally Posted By: DragRace
You should NOT be running 2 different antivirus programs.
One program is all you need.


I hear ya ... I think I'm going to uninstall McAfee - at least disable it permanently for awhile and just run Microsoft Security Essentials which seems to do a much better job of real time protection and finding malware with scans. That is probably the reason I got malware on my machine in the first place ... I don't think McAfee caught it in real time ... and it was kept up to date with daily updates.

I'm also running Webroot SpySweeper which seems to catch quite a bit ... mostly a cookie blocker, and it did block my machine from trying to connect to known malicious websites. I believe I can probably run SpySweeper along with MS Security Essentials with no issues. SpySweeper ran fine along with McAfee.
 
FYI for everyone ... this nasty rootkit virus that infects the driver file atapi.sys is becoming a very common malware problem. Not many malware programs seem to be able to detect it yet. Microsoft Security Essentials does, and "disinfects" the file. This is what happened on my computer, and why I want to replace the disinfected atapi.sys file with a clean copy.

http://remove-malware.com/malware/malware-news/atapi-sys-rootkit-is-everywhere/

http://remove-malware.com/malware/malware-warnings/nasty-new-rootkit-patches-atapi-sys/
 
Originally Posted By: ToyotaNSaturn
Reloading SP3 is the easiest route for you.

If you want the quicker, but harder route, then d/l SP3, extract it by running the command I noted earlier. Up to you. Either way will provide you what you want....


ToyotaNSaturn - sorry, I didn't catch this right the first time - getting rummy from all this malware fiasco. Had to go back and re-read your earlier post you were referring to (shown below). I think I will go that route and just replace only the atapi.sys file with the one in SP3 without reloading the entire SP3. Could always do a complete SP3 reload later down the road if needed.

Originally Posted By: ToyotaNSaturn
What service pack level are you at? SP3? Download SP3 from Microsoft extract it...the command is "name-of-servicepack.exe /x:c:\sp3" creates a folder called SP3 with all the extracted files in it.

Find the file in question, then copy it where you want.


So I have a question on the file copy procedure to replace the existing atapi.sys file on my HD. I'm assuming I would have to do this via "Recovery Console" (or some other similar "rescue disk") using the COPY DOS command? Or can this simply be done while in Windows? Since this is a system file, what is the best way to do the replacement?
 
You know, since this may very well be a root-kit type of malware, a reinstall of SP3 sounds better to me than trying to graft files individually; who knows what else was touched while the malware was in the background?

Go the safe route, reinstall SP3, reboot, Windows Update, then reboot.
 
Originally Posted By: ToyotaNSaturn
You know, since this may very well be a root-kit type of malware, a reinstall of SP3 sounds better to me than trying to graft files individually; who knows what else was touched while the malware was in the background?

Go the safe route, reinstall SP3, reboot, Windows Update, then reboot.


According to what I'm reading on the 'net about the file atapi.sys getting infected, it certainly sounds like a rootkit virus. I think the top scanners out there are just starting to obtain the right definitions to find and clean it up. From the links above, it certainly sounds like only a few scanners are able to even detect it. MS Security Essentials seems to be on top of this one.

Yes, reloading the entire SP3 is probably a better solution than just replacing the disinfected atapi.sys file with a clean copy at this point. However, after doing some reading on Microsoft's website, the only problem I may have doing a complete SP3 reload on my computer is the fact that my Windows XP is pretty old. After I uninstall the SP3 that is currently on my computer, it may not reload SP3 since I read that in order for SP3 to load, the machine must at least have SP1a on it (?). I guess if that happens, I would have to download SP2 and load that first, then load SP3 (?).

So, assuming I can simply reload SP3 this is the procedure I'd plan to follow. Please look at this plan and let me know if it needs adjusting.

1) Download SP3 .exe file from Microsoft's download site. Locate it on the desktop.
2) Turn off router - no connection to the internet.
3) Disable antivirus and antispyware programs.
4) Go to Start > Control Panel > Add or Remove Programs. Find SP3 and remove it.
5) Execute the SP3 .exe file.
6) Reboot after SP3 reload is complete.
7) Ensure Windows firewall and automatic updates are both turned on.
8) Ensure antivirus and antispyware programs are activated.
9) Turn on router to connect to internet.
10) Go get Windows Updates.
11) Reboot again.

Sound like a good plan?
 
Sounds good. I usually don't uninstall SPs if reinstalling them (just reinstall them over themselves), but if others have found that to work, then that sounds like a good plan as well.

Good luck!

 
Originally Posted By: ToyotaNSaturn
Sounds good. I usually don't uninstall SPs if reinstalling them (just reinstall them over themselves), but if others have found that to work, then that sounds like a good plan as well.

Good luck!




I was going to ask if I could just reload SP3 without uninstalling the existing SP3 package first. Sounds like it will work to just reload over the top ... so will try that.

I'm assuming if I execute the SP3 .exe without first uninstalling the existing SP3 that I would get a message from Windows saying it can't execute.

Thanks for the help and tips.
Will let you all know how it went.
 
Update on what I ended up doing.

Before considering completely reloading SP3, I decided to do a complete search on my HD for the file atapi.sys. Before the search, I went into Explorer: Tools > Folder Options > View tab and set view to show hidden files and folders and to also show protected operating system files.

I found atapi.sys in a folder C:\WINDOWS\ServicePackFiles\i386 that looked healthy. I believe the files in this i386 folder are the extracted SP3 files. So I copied this atapi.sys file from the i386 folder to the C:\WINDOWS\system32\drivers and C:\WINDOWS\system32\dllcache folders.

Rebooted and everything seemed fine. Re-ran Norton on-line scan and it did not warn about the atapi.sys file as before. I discovered that the disinfected atapi.sys file did not show the "Microsoft Corporation" info, etc ... so that is probably why it came up suspicious. The file size was the same between the disinfected file and the healthy file from i386 folder. Also, when going into the hardware settings Device Manager for the IDE ATA/ATAPI controllers the atapi.sys driver information and file version looks correct.

So at this point I'm going to run like this and see how things go. Did a Full Scan with MS Security Essentials and Malwarebytes' and everything is clean - has been for awhile now. I would think if there are anymore rootkit viruses on my machine that one of these scanners would have found it by now. Don't see any indication that any other files have been disinfected and would require replacement with an original version.
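The post above compares the disinfected driver with the copy from ServicePackFiles\i386 by file size and by the "Microsoft Corporation" entry on the Version tab. Identical size says nothing about integrity (a patched driver keeps its size), so a cryptographic hash against the known-good copy is the check that actually matters; the version strings are a useful second signal because a mangled file tends to lose them. The script below is an added example, not code from the thread or from any Microsoft tool. It hashes two driver images and pulls the Explorer-style version strings straight out of the bytes with a simple scan for the UTF-16LE key names in the VS_VERSIONINFO block (the same shortcut `strings -el` users take; it does not walk the PE resource tree). The sample "clean" and "patched" blobs, the hook bytes, and the version values in them are constructed in the script purely so it runs offline; on a real machine you would feed it the files from system32\drivers, dllcache and ServicePackFiles\i386.

```python
import hashlib
import struct

# Keys shown on the Explorer "Version" tab. VS_VERSIONINFO stores each as a
# String entry: WORD wLength; WORD wValueLength; WORD wType; WCHAR szKey[];
# WORD padding to a DWORD boundary; WCHAR Value[].
WANTED_KEYS = ("CompanyName", "FileDescription", "FileVersion", "OriginalFilename")


def _read_utf16z(data, offset):
    """Read a NUL-terminated UTF-16LE string at offset; return (text, end_offset)."""
    end = offset
    while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[offset:end].decode("utf-16-le", errors="replace"), end + 2


def version_strings(data):
    """Scan raw PE bytes for the version-resource keys above and return {key: value}."""
    found = {}
    for key in WANTED_KEYS:
        needle = key.encode("utf-16-le") + b"\x00\x00"
        pos = data.find(needle)
        if pos < 0:
            continue
        cursor = pos + len(needle)
        # Skip the alignment padding that sits between szKey and Value.
        while cursor + 1 < len(data) and data[cursor:cursor + 2] == b"\x00\x00":
            cursor += 2
        value, _ = _read_utf16z(data, cursor)
        found[key] = value
    return found


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def audit_driver(installed, reference):
    """Compare an installed driver image against a known-good copy of the same file."""
    return {
        "same_size": len(installed) == len(reference),
        "same_hash": sha256(installed) == sha256(reference),
        "installed_strings": version_strings(installed),
        "reference_strings": version_strings(reference),
    }


# ---- constructed sample data (not real driver bytes) ----------------------

def _vs_string(key, value):
    """Pack one VS_VERSIONINFO String entry with correct length fields and padding."""
    k = key.encode("utf-16-le") + b"\x00\x00"
    v = value.encode("utf-16-le") + b"\x00\x00"
    pad = (-(6 + len(k))) % 4
    length = 6 + len(k) + pad + len(v)
    return struct.pack("<HHH", length, len(value) + 1, 1) + k + b"\x00" * pad + v


FAKE_CODE = bytes(range(256)) * 4          # stand-in for the driver's code section
CLEAN = (FAKE_CODE
         + _vs_string("CompanyName", "Microsoft Corporation")
         + _vs_string("FileVersion", "5.1.2600.5512")       # illustrative value
         + _vs_string("OriginalFilename", "atapi.sys"))


def _constructed_patched(clean, code_len):
    """Same-size image: a 5-byte jmp-style hook in the code, version block wiped."""
    patched = bytearray(clean)
    patched[0x40:0x45] = b"\xe9\x00\x10\x00\x00"
    patched[code_len:] = b"\x00" * (len(clean) - code_len)
    return bytes(patched)


PATCHED = _constructed_patched(CLEAN, len(FAKE_CODE))


if __name__ == "__main__":
    report = audit_driver(PATCHED, CLEAN)
    for name, value in report.items():
        print(f"{name}: {value}")
```

Run against real files, `same_size` being True while `same_hash` is False is exactly the situation the post describes, and the missing `CompanyName` in `installed_strings` is the "no Microsoft Corporation info" symptom. A hash match against the ServicePackFiles\i386 copy only proves the two files are identical, so the reference copy itself should be checked against a trusted source (the extracted SP3 package) before it is trusted.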
 
I just had this same issue with a customer's PC. I scanned to the high heavens with everything and it cleaned like 200 files. It'd throw up random browser redirects when searching for things, but it let me run everything from combo fix to malwarebytes.

Wouldn't let me go to the windows update site however. I noticed it had SP2 on it, so I always have a copy of SP3 lying around. Tried to install, atapi.sys states it's in use. Weird.... did a Gmer scan, and it showed some suspicious activity on the atapi.sys file. Silly me deleted the file in recovery console, before successfully expanding the replacement file... Good thing this PC still has a floppy drive :) All better as of now. I can get to Windows Update site.
 
It sure seems like the file atapi.sys is a hotspot for rootkit viruses to attack. I was reading some chat board talk that was around late summer 2009 and people were thinking it was a false positive detection by the malware scanners ... but obviously it's real.
 