It could happen that some system file is infected and cannot be healed. This could happen when the infection is watching the file (to infect it again immediately after any change). In this case, the file needs to be replaced in offline mode (when the host operating system is not running). There are several methods for restoring a specific system file?
A) Restore system files using the System File check utility:
1. Press the Windows logo key+R.
2. Type sfc /scannow and then click OK. This will check system files and may take a longer period of time.
The Windows installation disc will be necessary unless the installation files are stored on the hard drive. The above-mentioned command has to be run with Administrative (elevated) rights. More information about the SFC utility (Windows 7) can be found in this Microsoft support article.
B) Overwriting with a clean (not infected) file from another computer:
- Copy the file from another computer with the exact same operating system version (including service pack level and language version) to your computer. You can transfer the file by using removable media, such as a USB flash stick.
- Some files and folders are hidden by default operating system configuration.
- We recommend replacing system files in Safe Mode.
- Also, you could search for a clean copy of a system file in C:\Windows\winsxs (Windows 7 and Windows Vista) or in C:\WINDOWS\ServicePackFiles\i386\, C:\WINDOWS\Driver Cache\i386\ and in C:\i386\ (Windows XP), if available.
- Always make sure that the file is not infected too prior to restoring.
C) Restore the file in offline mode:
1. Copy the file to an alternate location (e.g. to C:\Temp\) from another computer as mentioned in the first procedure (Overwriting with a clean (not infected) file from another computer: :).
2. Run the AVG Rescue CD.
3. Launch the File manager - Midnight Commander (from the Utilities section).
4. Overwrite the infected file.
5. The file system will be mounted under /mnt/sda1/ in most cases.
6. Copy the file to its correct location, overwriting the infected one.
7. It will probably be /mnt/sda1/temp/<clean file> copied to /mnt/sda1/Windows/<infected file>.
D) Restore the file using another operating system:
This is very similar to previous procedure. Alternatively, you can use a Live Linux distribution with a graphical user interface (like the Ubuntu) for more user-friendly file manipulation.
1. Insert the Windows installation CD to your optical drive. The CD must contain the very same operating system version (including service pack level and language version).
2. Use the following command to restore the atapi.sys file: