Self inflicted 0x0000007b related to atapi.sys

Discussion in 'Software' started by RGM84D, Dec 31, 2010.

  1. RGM84D

    RGM84D Private E-2

    I have a Dell Inspiron E1505 running Windows XP SP2 that fails during boot with a 0x0000007b BSOD error. I am pretty sure that I caused this problem myself by damaging C:\WINDOWS\SYSTEM32\Drivers\atapi.sys or the associated registry entries.

    Background:
    The system may also be infected with some type of malware, based on abnormal operation of Symantec anti-virus software -- virus definition files periodically go missing and LiveUpdate sometimes hangs up -- and on Malwarebytes intercepting attempts to access a website registered in the Russian Federation. However, the system was at least functional until I messed with atapi.sys while attempting to install XP SP3.

    Prior to causing my immediate problem I followed the malware removal instructions provided on the Major Geeks malware removal forum, with no problems detected. I uninstalled the suspect Symantec Corporate Edition anti-virus software and installed Norton 360, apparently successfully. A comprehensive scan with Norton did not detect any problems.

    After installing Norton and doing the scan I attempted to install Windows XP SP3 using the Windows updater -- the regularly scheduled automatic upgrade had failed for an unknown reason c. 2009 and I never bothered to investigate or fix it. The SP3 install aborted in both normal and safe mode due to C:\WINDOWS\SYSTEM32\Drivers\atapi.sys being in use by another program. I made a copy of this file (stupidly using the default name "Copy of atapi.sys", with spaces, and thus not accessible under DOS) and tried to rename the file. I tried, but was unable to rename or delete atapi.sys using Explorer. I then attempted to delete atapi.sys using the FileAssassin tool in Malwarebytes. With FileAssassin I was still not able to delete the file, but did manage to prevent the computer from booting normally or in any Windows safe mode. The error code is:

    *** STOP: 0x0000007B (0xF7A20524, 0xC0000034, 0x00000000, 0x00000000)


    Fortunately the recovery console still works. The atapi.sys file appears to be intact (it is still in the C:\WINDOWS\SYSTEM32\Drivers\ directory with same date and file size). I suspect that the registry keys have been deleted by FileAssassin but don't know how to check / fix this from the repair console. I *think* I can locate the original installation disks, but am currently away from home for the holidays and don't have them available at present.

    I would appreciate any suggestions on how to recover from this self inflicted wound. My first thought is to fix the immediate boot problem by manually repairing the registry, but I am open to any ideas.

    Thanks in advance for the help.
     
  2. pattyandme

    pattyandme Private E-2

    Is/was System Restore on?
     
  3. pattyandme

    pattyandme Private E-2

    STEP II. At the Recovery Console command prompt, type the following lines, then press Enter after each.

    1. cd \ ( Note: between "cd" and "\" there should be a "blank space" or else the command will not work )
    2. cd system~1\_resto~1
    If it gives an error "Access Denied" while accessing the folder, follow the method below

    cd \ <Enter>
    cd windows\system32\config <Enter>
    ren system system.bak<Enter>
    exit<Enter>


    Then restart the computer and follow step I.

    3. dir
    When you hit <Enter> it will list all the restore point folders, like rp1, rp2, ... We have to see the last restore point to copy the file from a recent backup. If the restore points take more than one page then you have to keep hitting the <Enter> key to view the last restore point folder. Use the next-to-last restore point (the last restore point may be corrupt).

    4. cd rp {the next to last restore point no. } (Note : Example : cd rp9, if rp9 is the next to last restore point, where last restore point no.=9 )

    5. cd snapshot
    Now the command Prompt will look like this c:\system~1\_resto~1\rp9\snapshot> ( Note : restore point 9 assumed for clarity of the content, you have to go to the next to last restore point folder as described in the previous lines) Now according to the error message we have to copy the appropriate file from the restore point folder.

    6. copy _registry_machine_system c:\windows\system32\config\system
    7. Type exit then press Enter. Your computer should restart; don't forget to cross your fingers.

    http://forums.whatthetech.com/How_do_system_restore_recovery_console_t105819.html
     
  4. RGM84D

    RGM84D Private E-2

    pattyandme

    Thanks for the quick response.
    System restore was on. I followed the instructions in your post and restored the next to last restore point, but alas this did not correct the problem.

    I have a number of earlier restore points saved that I would like to try. Unfortunately I get the access denied error and renaming system to system.bak only worked on the first attempt. Do you have any advice on how to get around this?

    Thanks.
     
  5. pattyandme

    pattyandme Private E-2

    Did you go to the recovery console from the WinXP DVD?

    insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer.
    Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted to do so.
    When the "Welcome to Setup" screen appears, press R to start the Recovery Console and follow the process until you get to the Recovery Console command prompt screen.


    This will make sure you're in the root dir.
     
    Last edited: Dec 31, 2010
  6. RGM84D

    RGM84D Private E-2

    Dear pattyandme,

    Please disregard my previous post. I was able to get access to the restore directory multiple times by renaming system to system.ba1, system.ba2, etc., and have tried multiple restore points, including points from before my recent problems. Unfortunately none of the restore points resolve the failure to boot. Any ideas on plan B?

    Thanks.
     
  7. pattyandme

    pattyandme Private E-2

    It looks like the master boot record is wrong or there is a serious problem with your hard drive.

    I didn't notice the error and was trying to help you do what you wanted to do.... 0x0000007b BSOD error.


    can you start to last known good configuration?

    If not, it looks more like the driver for the hard drive is bad or the master boot record could be corrupted.

    I've been working on a DOS RAM-drive boot to fix this stuff or recover files, but it's not complete; it works, but it is console (DOS) user-friendly.
     
  8. RGM84D

    RGM84D Private E-2

    No. Unfortunately I am away from home and do not have the recovery dvd with me. I'll have to defer any troubleshooting that uses it until after the weekend. Sorry for the multiple crossed posts.

    Thanks again.
     
  9. pattyandme

    pattyandme Private E-2

    At the Recovery Console command prompt, type fixmbr and then verify that you want to proceed.
    Your damaged MBR will be replaced with a shiny new one, and you should then be able to boot your system normally. In some cases, you may need to repair the boot sector in addition to the MBR. If your system still doesn't boot properly, repeat the steps above, but issue the fixboot command instead.


    The Recovery Console is installed on the PC, else you would not be able to access it.

    This assumes you only have 1 operating system installed on the hard drive
     
  10. pattyandme

    pattyandme Private E-2

    here is a list of things you can try.......


    5. Verify that the hard drive is configured properly in BIOS. The STOP 0x0000007B error could occur if the hard drive settings in BIOS are incorrect.


    6. Scan your computer for viruses. Certain viruses that infect the master boot record (MBR) or boot sector can cause STOP 0x0000007B errors.

    Important: Make sure your virus scanning software is updated and configured to scan the MBR and boot sector.


    7. Update the drivers for your hard drive controller. If the drivers to your hard drive controller are outdated, incorrect, or corrupted then the STOP 0x0000007B error will likely occur.

    Note: If the STOP 0x0000007B error occurs during the Windows setup process and you suspect that the reason is driver related, be sure to install the latest hard drive controller driver from the manufacturer for use during the installation of the operating system.

    Note: This is a likely solution if the second hexadecimal number after the STOP code is 0xC0000034.


    8. Change the SATA mode in BIOS to IDE mode. Disabling some of the advanced features of SATA drives in BIOS could stop the STOP 0x0000007B error from showing up, especially if you're seeing it in Windows XP or during a Windows XP installation.

    Note: Depending on your BIOS make and version, SATA mode may be referred to as AHCI mode and IDE mode may be referred to as either Legacy, ATA, or Compatibility mode.

    Note: While not a common solution, you may also want to try the reverse - see if IDE mode is selected in BIOS and if so change it to AHCI, especially if you see the STOP 0x0000007B error in Windows 7 or Windows Vista.


    9. Run chkdsk on your hard drive. If the boot volume is corrupted, the chkdsk command might repair the corruption.

    Important: You'll likely have to run chkdsk from the Recovery Console.

    Note: This will likely be the solution if the second hexadecimal number after the STOP code is 0xC0000032.


    10. Perform an extensive test of your hard drive. If your hard drive has a physical problem, one very likely situation is the STOP 0x0000007B error you're seeing.

    Replace the hard drive if the diagnostics you complete suggest that there is a hardware problem with the drive.


    11. Run the fixmbr command to create a new master boot record. A corrupted master boot record might be causing your STOP 0x0000007B error.

    Note: This will likely be the solution if the second hexadecimal number after the STOP code is 0xC000000E.


    12. Clear the CMOS. Sometimes the STOP 0x0000007B error is caused by a BIOS memory issue. Clearing the CMOS could solve that problem.


    13. Update your BIOS. In some situations, an outdated BIOS could cause a STOP 0x0000007B error due to incompatibilities with a hard drive controller.


    14. Update the hard drive controller's firmware if possible. Just as with the BIOS in the previous step, an incompatibility could be causing the 0x7B error and a firmware update from the manufacturer may correct the problem.


    15. Repair your Windows installation. If you've just replaced the motherboard in a computer without reinstalling Windows then this will likely fix your problem.

    Note: Sometimes a Windows repair will not fix a STOP 0x0000007B error. In those cases, a clean installation of Windows should do the trick.

    If you haven't just replaced your motherboard, a Windows reinstall probably will not fix your STOP 0x7B issue.


    16. Perform basic STOP error troubleshooting. If none of the specific steps above help fix the STOP 0x0000007B error you're seeing, take a look at this general STOP error troubleshooting guide. Since most STOP errors are similarly caused, some of the suggestions might help.
     
  11. pattyandme

    pattyandme Private E-2

    One more thing: is there a recovery partition on the drive to reset the factory Windows image?
    Seriously, before you fix the MBR!
     
  12. pattyandme

    pattyandme Private E-2

    Dell has a factory-installed MBR that uses F8 to launch into the image restore system. It can be fixed if it's gone and you can still access the partitions.
     
  13. RGM84D

    RGM84D Private E-2

    Dear pattyandme,

    Thanks a lot for the suggestions. I think I am getting out of my depth, but here is what I have found so far:

    - I can't tell if the hard drive (a 40GB Fujitsu Model MHV2040BH SATA) is set up correctly in BIOS. I have used the F2 setup utility and the drive shows up as a "38GB HDD" on the device info page but is not identified by name. This page does not have any editable parameters and there is no mechanism to change the drive configuration, e.g. select IDE. There is no separate BIOS page to configure the drive (or I am not looking in the right place).

    - Based on other malware symptoms I think it is quite likely that the MBR or boot sector is infected. I am not sure how to check or correct this from the recovery console.

    - I ran the Dell system diagnostics from setup. Everything passed with the exception of the "DST Short Status Test" which failed and reported:
    "Error Code 1000-0146 Unit 0 IDE Status Byte = 64 Control Code = 1
    Msg = No additional sense information"
    This appears to support a hard drive or driver problem.

    - I have not been able to locate an updated driver for the hard drive. Fujitsu sold its hard drive business to Toshiba last year, but Toshiba does not appear to support this model drive. I checked the Dell website and have downloaded (but not yet installed) updated drivers for the BIOS and several other components and utilities. Dell did not have any updates for the hard drive.

    - I do appear to have a recovery partition on the drive. However, I repartitioned the drive when I first got the computer to create separate C: and D: drives on the HDD so my drive is not currently in the factory configuration.

    - I ran CHKDSK with the /p option and got "one or more errors" reported. When I ran CHKDSK with the /r option the utility reported that "one or more errors" had been fixed. This did not fix either the boot failure or the setup diagnostic failure. It did make the D: drive inaccessible from the Recovery Console, however.

    - I started to run the fixmbr utility but aborted when the utility detected the non-standard configuration and warned that proceeding might cause loss of data.

    At this point I am more concerned about recovering the data on the drive than fixing the boot problem and plan to suspend further troubleshooting until I can get it backed up. The USB ports appear to be working with the recovery console (I can read and write to flash drives) so I assume I can use an external hard drive and not have to remove the drive and install it in another computer.

    So ...
    1) Can you recommend an external drive and backup utility that I can use from the recovery panel?
    2) Do you recommend copying the data, cloning the (presumably infected) drive, or both?
    3) Are there precautions that I can take to minimize the probability of transferring malware via the backup?
    4) Can you suggest any anti-malware tools can I run from the recovery panel to try to clean the MBR and boot sector?

    Apologies if the malware questions are not appropriate here.

    Thanks, and Happy New Year!
     
  14. pattyandme

    pattyandme Private E-2

    Do you still have the blue Dell line when you boot, just before Windows starts to load?
    I can get you into the drive to recover data to a flash drive or possibly an external notebook drive if you have one.
    Can you burn an ISO to a CD?
    I would like to get you some tools to use, aka ptedit, ntfs4dos, dos, mbr, more.

    If you're getting a non-standard error I believe you still have the Dell MBR on the drive, meaning you still have the recovery partition on the drive too; they are hidden except from Device Manager.
    Did you format the entire drive by deleting the existing partitions (all), or just add another partition to the C: partition?
     
  15. pattyandme

    pattyandme Private E-2

    ftp://72.228.1.73:8080/

    This disk is not complete but will work for what you need to do.

    The FTP site is my computer running an FTP server; it might be slow, 10 Mb bandwidth from Time Warner limits upload to 2 Mb I think, but it's a small file.

    This will boot your computer to a ram drive Dos where you can work on the hard drive.

    It's a boot CD; boot to the CD-ROM drive when you boot after burning this to a CD and placing it in the drive.

    You will end up with a menu. A few errors will come on the screen; it has to do with the menu items, there are no entries in the menus, so you will have to call the programs we need to work with from the a: prompt.

    Make sure you have a flash drive in a usb port too so dos will see it and think its a hard drive.

    a:\ptedit - will view the boot sectors of the hard drive and will show all the partitions on the drive, hidden or not.

    a:\ntfs4dos - will allow you to read the hard drive NTFS partitions, and then you can use the DOS command xcopy to copy folders from the Windows partitions (your data) to another device.

    you can reformat the entire drive with fdisk and format as well.

    Just like a Windows 98 boot disk.
     
  16. pattyandme

    pattyandme Private E-2

    Log on as "guest", no password.
     
  17. pattyandme

    pattyandme Private E-2

    you dont need to log on now
     
  18. pattyandme

    pattyandme Private E-2

    Also has savepart, which will back up the entire drive/partition as a Ghost image.
     
  19. pattyandme

    pattyandme Private E-2

    1) Can you recommend an external drive and backup utility that I can use from the recovery panel?

    I have a dos boot ram drive to work on recovery of files see ftp link below




    2) Do you recommend copying the data, cloning the (presumably infected) drive, or both?

    You could do both if you have enough room, but making a backup of My Documents would for the most part get the data you want saved. An image copy would have the same problem you have now, but would save the data to enable recovery of data that might not be in My Computer. The problem with what I have is the image is a full compressed image and would have to be placed back on a hard drive [primary] to access it.

    3) Are there precautions that I can take to minimize the probability of transferring malware via the backup?

    The malware came from an installed program. The best you can do is not install the program, and/or run antivirus protection on the file before you run any exe file, or ActiveX control from in IE, aka toolbars, virus scanners from web sites. I have a problem with Java and open doors, so I completely disabled Java.

    4) Can you suggest any anti-malware tools I can run from the recovery panel to try to clean the MBR and boot sector?

    The virus corrupted the MBR; it doesn't live there, it just destroyed it to cause problems for you. In fact I don't think the virus did it as much as you did it when you tried to remove the virus. It could have been a viral action to protect itself? Don't know.

    The best thing [easiest and most effective way to fix this from my point of view, rather than spend 3 or 4 weeks trying to find each and every piece of the virus] is to clean boot after you recover the data files you want, then make a Ghost image of the clean-booted system before installing any unknown .exe.

    This way if you have any problems you can restore to this clean image and you know your computer is clean. The problem with a factory restore is you have to reinstall good known personal setups. I choose to create an image of what I want installed and update it; you can't update a factory image.

    The image can be stored on DVDs, CDs [lot of 'em], or on a recovery partition or backup external HD.
     
  20. pattyandme

    pattyandme Private E-2

    How to recover file data from an unbootable, working hard drive

    A:dir

    Lists the files in the RAM drive [you can see in the dir list the dir names are condensed; this is what must be used for the short file name for DOS]

    A:ntfs4dos

    mounts the NTFS drive to be able to read from it [type "yes" for personal use]

    [ List a few dir to find the flash drive and windows drive letters]

    A:xcopy C:\Docume~1\Markan~1\MYdoume~1 f:

    Copies the My Documents folder to the flash drive, where the Windows drive letter is c: and the flash drive is f:


    The xcopy statement is the DOS syntax for short file names; you have to use the ~ to shorthand the folder names for DOS.

    cd c:\documents and settings will produce an error "file not found", but

    cd c:\docume~1 will change the command prompt directory to c:\docume~1>

    Keep adding the next folder level until you get to the data files you want to save.

    The next cd statement on the command prompt to go deeper into the directory tree would be

    cd c:\markan~1 < (yours will be the user documents folder name)

    will change the tree directory to

    C:\Docume~1\Markan~1\>

    the last cd will move to the my documents folder

    cd c:\MYdoume~1

    C:\Docume~1\Markan~1\MYdoume~1

    This is an example of how to use the short file names in DOS to move through the directory tree on the Windows NTFS drive
    to copy particular folders and files.

    Most of your data should be in My Documents, so I would copy all of it.
    Maybe some data in the Program Files folder for each program, such as maps for Call of Duty is in the Call of Duty folder.

    Ptedit < Partition Magic utility

    this can set a partition bootable and will display all the partitions on the hard drive.

    To set a particular partition bootable, set the 2nd column "boot" number to 80; all other "boot" numbers should be 00.

    For the Dell recovery system the 1st column drive "type" is DE, the 2nd would be 07 and the 3rd is DB.

    This hides the drive partitions from My Computer but not from the storage manager

    [you can't see the drive icon in My Computer].

    If you want to see these drives, change the type to 06, and then when the PC boots you can explore the drives in My Computer; change them back to re-hide them.
     
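Added example, not code from the thread: the post above walks the directory tree with DOS short names (docume~1, markan~1) by trial and error. The Python below computes those names from the long names the way NTFS generates them (drop spaces and dots, replace characters illegal in 8.3 names with "_", keep six characters, add ~N, uppercase), so a long Windows path can be turned into the path ntfs4dos and xcopy accept before booting the rescue disk. The directory tree and the profile name "Mark Anderson" are constructed for the demonstration, and the ~N numbering assumes the names were created in the order listed; a real volume allocates ~N in creation order and switches to a hash-based name after four collisions, so confirm the result with dir.

```python
"""Compute the DOS 8.3 short names ntfs4dos/xcopy need for long NTFS paths.

Added example (not the thread's own code). Implements the classic NTFS
short-name rules; the ~N tail is allocated in listing order, which is an
assumption (real volumes use creation order and a hash after 4 collisions).
"""

# Characters legal in an 8.3 name besides letters and digits.
LEGAL_83 = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_$~!#%&-{}@'`()^")


def fits_83(name: str) -> bool:
    """True if the name is already a valid 8.3 name (DOS just uppercases it)."""
    up = name.upper()
    if up.startswith(".") or up.count(".") > 1:
        return False
    base, _, ext = up.partition(".")
    if not 1 <= len(base) <= 8 or len(ext) > 3:
        return False
    return all(c in LEGAL_83 for c in base + ext)


def _clean(part: str) -> str:
    """Uppercase, drop spaces and dots, map characters illegal in 8.3 to '_'."""
    return "".join(c if c in LEGAL_83 else "_"
                   for c in part.upper() if c not in " .")


def short_names(long_names):
    """Map each long name in one directory to the short name DOS sees."""
    result, used = {}, set()
    for name in long_names:            # names that already fit reserve themselves
        if fits_83(name):
            result[name] = name.upper()
            used.add(name.upper())
    for name in long_names:
        if name in result:
            continue
        stem = name.lstrip(".")        # leading dots are discarded
        base, dot, ext = stem.rpartition(".")
        if not dot:                    # no extension at all
            base, ext = stem, ""
        prefix, ext3 = _clean(base)[:6], _clean(ext)[:3]
        n = 1
        while True:                    # numeric tail ~1, ~2, ... until free
            candidate = f"{prefix}~{n}" + (f".{ext3}" if ext3 else "")
            if candidate not in used:
                break
            n += 1
        used.add(candidate)
        result[name] = candidate
    return result


def dos_path(long_path: str, tree) -> str:
    """Translate C:\\Long Name\\... into C:\\LONGNA~1\\... using a listing.

    `tree` maps a directory path to the list of names it contains.
    """
    drive, *components = long_path.split("\\")
    out, cwd = [drive], drive + "\\"
    for comp in components:
        out.append(short_names(tree[cwd])[comp])
        cwd = cwd.rstrip("\\") + "\\" + comp
    return "\\".join(out)


# Constructed directory tree standing in for the laptop's C: drive.
SAMPLE_TREE = {
    "C:\\": ["Copy of atapi.sys", "Documents and Settings",
             "Program Files", "Program Files (x86)", "WINDOWS"],
    "C:\\Documents and Settings": ["Administrator", "All Users",
                                   "Default User", "Mark Anderson"],
    "C:\\Documents and Settings\\Mark Anderson": ["Desktop", "Favorites",
                                                  "My Documents", "Start Menu"],
}

if __name__ == "__main__":
    for long, short in short_names(SAMPLE_TREE["C:\\"]).items():
        print(f"{short:<14} {long}")
    print(dos_path("C:\\Documents and Settings\\Mark Anderson\\My Documents",
                   SAMPLE_TREE))
```

The same rules explain the file from the first post: "Copy of atapi.sys" is reachable from DOS as COPYOF~1.SYS, and a user profile folder such as the constructed "Mark Anderson" becomes MARKAN~1 under DOCUME~1.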
  21. RGM84D

    RGM84D Private E-2

    Dear Pattyandme,

    Thanks again. I was able to download and burn a DOS boot CD using your link. The computer boots fine from the CD. Ptedit let me view the partition data but I don't know how to interpret it yet. Ntfs4dos loaded but the xcopy command did not work -- attempting to xcopy resulted in an "incorrect version of DOS" error.

    I have pulled the hard drive and installed it in a USB enclosure. It seems to be working fine on another system. I am virus checking it now (nothing found with Norton 360), and will backup and ghost it when complete. Once done I'll follow your suggested fixes and report back.
     
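Added example, not from the thread or from Dell: post 20 describes the ptedit columns (boot flag 80/00, type DE/07/DB, changing a type to 06 to unhide a Dell partition) and post 21 says the ptedit output was hard to interpret, while posts 9 and 10 discuss fixmbr. The Python below reads a raw 512-byte MBR the way ptedit displays it, applies the checks a BIOS and fixmbr care about (0x55AA signature, exactly one active entry, no overlapping entries, non-empty boot code), and performs the two edits post 20 describes. The sample sector is constructed (Dell utility / NTFS / Dell restore layout with made-up sizes and disk signature); on a real drive the sector would be read with a raw-disk tool from a rescue system. fixmbr rewrites only the boot code bytes and leaves the partition table alone, so hashing just those bytes is how to tell a Dell F8-hook MBR or a tampered one from a stock XP MBR, provided you have a known-good hash to compare with (assumed here, not supplied).

```python
"""Read, sanity-check and edit an MBR partition table as ptedit shows it.

Added example, not code from the thread or from Dell. The 512-byte sector
below is constructed; partition-type names and the one-active-entry rule
are standard MBR facts.
"""
import hashlib
import struct

MBR_SIZE = 512
TABLE_OFFSET = 446               # four 16-byte entries start here
ENTRY_FMT = "<B3sB3sII"          # status, CHS start, type, CHS end, LBA start, count
SIGNATURE = b"\x55\xaa"          # bytes 510-511
TYPES = {0x00: "empty", 0x06: "FAT16", 0x07: "NTFS",
         0xde: "Dell utility", 0xdb: "Dell restore (CP/M id)"}


def _parse_table(sector: bytes):
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        parts.append({"index": i, "status": status, "boot": status == 0x80,
                      "type": ptype, "type_name": TYPES.get(ptype, f"0x{ptype:02x}"),
                      "lba_start": lba, "sectors": count})
    return parts


def parse_mbr(sector: bytes):
    """Return the four partition entries; refuse data that is not an MBR."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    return _parse_table(sector)


def check_mbr(sector: bytes):
    """List the faults ptedit lets you create: bad flags, overlaps, no code."""
    if len(sector) != MBR_SIZE:
        return [f"sector is {len(sector)} bytes, expected {MBR_SIZE}"]
    problems = []
    if sector[510:512] != SIGNATURE:
        problems.append("missing 0x55AA boot signature")
    if not any(sector[:440]):
        problems.append("boot code is all zero")
    parts = _parse_table(sector)
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            problems.append(f"entry {p['index']}: status 0x{p['status']:02x} is not 00 or 80")
    used = [p for p in parts if p["type"] != 0x00]
    active = [p for p in used if p["boot"]]
    if len(active) != 1:
        problems.append(f"{len(active)} active partitions, expected exactly 1")
    used.sort(key=lambda p: p["lba_start"])
    for a, b in zip(used, used[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            problems.append(f"entries {a['index']} and {b['index']} overlap")
    return problems


def set_bootable(sector: bytes, index: int) -> bytes:
    """Put 0x80 on one entry and 0x00 on the other three (ptedit 'boot' column)."""
    buf = bytearray(sector)
    for i in range(4):
        buf[TABLE_OFFSET + 16 * i] = 0x80 if i == index else 0x00
    return bytes(buf)


def set_type(sector: bytes, index: int, ptype: int) -> bytes:
    """Change an entry's type byte, e.g. 0xDE -> 0x06 to unhide a Dell partition."""
    buf = bytearray(sector)
    buf[TABLE_OFFSET + 16 * index + 4] = ptype
    return bytes(buf)


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the 440 code bytes only; this is the part fixmbr rewrites."""
    return hashlib.sha256(sector[:440]).hexdigest()


def _entry(boot: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    chs = b"\xfe\xff\xff"        # CHS fields pinned at the 'use LBA' sentinel (constructed)
    return struct.pack(ENTRY_FMT, 0x80 if boot else 0x00, chs, ptype, chs, lba_start, sectors)


def make_sample_mbr() -> bytes:
    """Constructed sector: Dell utility / NTFS C: / Dell restore on a 40 GB-class disk."""
    code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(440, b"\x00")  # xor ax,ax; mov ss,ax; mov sp,7C00h; rest zero here
    disk_sig, reserved = b"\xa1\xb2\xc3\xd4", b"\x00\x00"        # NT disk signature (constructed)
    table = (_entry(False, 0xDE, 63, 80262) + _entry(True, 0x07, 80325, 66000000)
             + _entry(False, 0xDB, 66080325, 8000000) + _entry(False, 0x00, 0, 0))
    return code + disk_sig + reserved + table + SIGNATURE


if __name__ == "__main__":
    mbr = make_sample_mbr()
    print("Boot Type Name                    Start      Sectors")
    for p in parse_mbr(mbr):
        print(f"  {p['status']:02X}   {p['type']:02X} {p['type_name']:<22} {p['lba_start']:>9} {p['sectors']:>9}")
    print("problems:", check_mbr(mbr) or "none")
    print("boot code sha256:", boot_code_hash(mbr))
```

Two things the checks make concrete: the "non-standard MBR" warning the OP saw from fixmbr is about the code region, not the table, so check_mbr passing says nothing about whether the boot code is the stock one, and a second entry with 0x80 (one ptedit slip away) is enough for a BIOS to refuse to boot.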
  22. pattyandme

    pattyandme Private E-2

    Sorry about that, I didn't realise it was the Millennium Edition boot disk.
    I had it working OK here; now I have to figure out why I had it on the flash drive. Trying to save CDs from the trash can.


    It's not very much to ask for a simple xcopy command, but then if MS had one in Windows there wouldn't be a need for recovery services lol.

    I need to walk away from it at the moment but will try again in a little while to get the correct boot versions going
    so xcopy will work.
     
  23. RGM84D

    RGM84D Private E-2

    Success!!! -- at least mostly.

    - I ran Norton 360 AV on the removed drive using another computer and found C:\WINDOWS\Drivers\atapi.sys and the backup copies infected with the Bloodhound virus. I deleted the files and replaced atapi.sys with the copy from the i386 directory. After reinstalling the drive the laptop boots normally -- Immediate problem solved.

    Several other problems remain
    - I have lost the D: partition on the hard drive -- This apparently occurred when I ran CHKDSK with the /r option. This is a relatively minor problem as it was only 5GB and the data is backed up. I do have a manual record of the partition data I made using Ptedit.

    - I cannot read the WD external hard drive I used to backup the laptop drive with the laptop. When I connect the external drive the laptop crashes with "BAD_POOL_HEADER" error. The external drive still works fine with another computer.

    - I still cannot install the XP SP3 update due to the original "atapi.sys is in use by another program" error.

    - I think the system is still infected with malware based on MalwareBytes continuing to block attempts to access ip address 106.196.143.78 which appears to be in Russia

    At this point I am going to start a new thread in the malware forum and try to solve that problem before proceeding with anything else.

    Thanks so much for your help.
     
  24. plodr

    plodr MajorGeek Super Extraordinaire Moderator Staff Member

    This does not indicate malware. Malwarebytes is preventing your computer from going to a malicious site. I get popups like this when I click on a Google search link. My computer remains clean because MBAM prevented me from going to a site with known malware.
     
  25. pattyandme

    pattyandme Private E-2

    just for your information
    A program called savepart runs in both the Windows command prompt and DOS. It can read any drive; it doesn't look for mounting information, it sector-reads the drive, and can recover files on the drive by wildcard copy.

    The problem is it needs to boot to a DOS external drive system with room to save the files on the same drive, until I can find a USB driver.

    Then an updated version of savepart.
     
