atapi.sys rootkit

YeOldeStonecat

Over the past month or so we've come across some rigs that have boot errors, stop 7 or 8 blue screens often.

Since November, there seems to be a nasty new rootkit that modifies your atapi.sys file. It hijacks your web searches.

Cleaning an infected machine requires completely replacing this file outside of Windows.
http://www.bleepingcomputer.com/forums/topic279883.html
http://remove-malware.com/malware/malware-warnings/nasty-new-rootkit-patches-atapi-sys/
http://remove-malware.com/malware/malware-news/atapi-sys-rootkit-is-everywhere/

It seems that to rid your system of it, you have to manually replace this file, or... they mention recent versions of ComboFix will replace this file as part of its regimen.
 
Makes me wonder now if that computer that I posted about on another forum (:D) had this.
 
I ran into about ~12 of these the first week of January. A whole flood of these Atapi.sys infected machines. I basically booted into a PE environment, manually deleted the Atapi.sys and copied a good known one back in place. They look EXACTLY the same, but the fake one doesn't have any version info. A good way to tell if a driver or sys is infected is if it has any version info or not and if that info looks legit. On a few I also ran into a userinit rootkit, different from the other popular 'UAC' one. Had to replace that one and edit a registry setting. After that it was smooth sailing with the usual malware removal. This is a little nasty one, but one I enjoyed digging out :).
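The "does it have version info?" check from the post above, written up as a small triage script. This is an added example and not code from the thread; it adds the two checks a responder would want beside the version heuristic (Authenticode/catalog signature status and a SHA256 hash to compare against a known-good copy). It assumes PowerShell 4 or later on Windows, and the -DriverDir parameter is a placeholder you would normally point at the mounted drive of the offline system from a PE boot, since a live rootkit can filter what the running OS reports.

```powershell
# Added example (not from the original thread): flag drivers that lack version
# info, are unsigned, or whose signature no longer matches the file contents.
# Assumption: -DriverDir points at the drivers folder of the system under review,
# ideally mounted offline from a PE environment as the poster describes.
param(
    [string]$DriverDir = "$env:SystemRoot\System32\drivers",
    [string[]]$Names   = @('atapi.sys')   # pass '*.sys' to sweep the whole folder
)

function Test-DriverFile {
    param([System.IO.FileInfo]$File)
    $vi  = $File.VersionInfo
    $sig = Get-AuthenticodeSignature -FilePath $File.FullName
    $hasVersion = -not [string]::IsNullOrWhiteSpace($vi.FileVersion) -and
                  -not [string]::IsNullOrWhiteSpace($vi.CompanyName)
    # Version info is trivial to forge, so it is only a first-pass indicator;
    # the signature status and the hash are what you actually rely on.
    [pscustomobject]@{
        Name        = $File.Name
        Size        = $File.Length
        HasVersion  = $hasVersion
        Company     = $vi.CompanyName
        FileVersion = $vi.FileVersion
        Signature   = $sig.Status          # Valid / NotSigned / HashMismatch ...
        Signer      = $sig.SignerCertificate.Subject
        SHA256      = (Get-FileHash -Path $File.FullName -Algorithm SHA256).Hash
        Suspicious  = (-not $hasVersion) -or ($sig.Status -ne 'Valid')
    }
}

$results = foreach ($n in $Names) {
    Get-ChildItem -Path $DriverDir -Filter $n -File |
        ForEach-Object { Test-DriverFile -File $_ }
}
$results | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

A patched atapi.sys shows up as HashMismatch or NotSigned even when its size matches the original, which is the case the post describes; compare the SHA256 against a copy taken from known-good install media before replacing the file.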
 