Atapi Virus – Really?

Well, that was fun.  I just spent about 5 hours recovering from an Atapi virus, which I believe was a Rootkit.

Symptoms:

You’re in Firefox.
You go to Google and search for anything.
When you click on a search result, you end up on some ad site.

Nice!  Thanks Mr. Virusman.

If you Google “atapi” and “rootkit”, you’ll see plenty of entries about it.

It took a while to actually figure out what was going on, as a number of virus scanners still could not locate it, and I tried about four of them, all recommended.

The only one that actually realized it exists was GMER.  All it does is report “suspicious activity”.

I was unable to find a real “cleaning” routine, although there are a lot of write-ups about it.

The first suggestion I tried was to replace atapi.sys with a clean version from another machine.  I wasn’t able to do this because Windows would not let go of the file.

GMER let me delete it, and at that point my Windows became unbootable.

The final fix was to take my Windows Vista disk and run the repair tools to run the System Restore tool. To avoid confusion, I found a system checkpoint from a month ago and let it do its thing. I don’t install a lot on the machine, so the only items that change are data, and System Restore should not affect that.

After the rollback was complete, I booted the system and ran GMER one more time to check and it didn’t find anything unusual.  I verified that Firefox was now going to the proper pages and it was.

It’s a pretty drastic repair path, but not as bad as a full Windows reinstall.

The most interesting part of the story is that Microsoft Security Essentials was running the entire timeframe that this happened and it never saw it coming.  The fact that none of the other virus software I tried could find it, including Hitman 3.5, doesn’t make me doubt MSE, but it does make me wonder just how safe my computer is on the Internet.
