Nasty New Rootkit Patches Atapi.sys

For the past 7 days I’ve been seeing a new rootkit (not sure of the name) that patches the atapi.sys driver.  This rootkit was NOT detected by any of the applications I use in my bootable anti-malware toolkit. Full scans with:

  • Avira
  • SAS
  • MBAM
  • Spyware Doctor
  • GMER

revealed nothing. I was still getting all searches in any browser redirected to scam sites. I usually don’t like running Combofix on Vista, but I had no choice. Sure enough, Combofix detected a rootkit and disinfected it! Again, the rootkit infected the atapi.sys driver, which redirected all searches and probably downloaded a few randomly named .exe files to the system32 directory.
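The check a practitioner would want after reading this is a way to confirm on their own box that atapi.sys has been tampered with, rather than trusting a scanner's verdict either way. The script below is an added example, not from the original post or from Combofix. It assumes the Windows directory of the suspect system is reachable at `$SystemRoot` (mounted from a bootable rescue environment, or the live system), a look-back window of `$Days` for dropped files, and PowerShell 4 or later for `Get-FileHash`. It does three things: asks Windows whether the driver's signature still verifies, compares the live driver's SHA-256 against the pristine copies Vista and later keep in WinSxS and the DriverStore, and lists recently created executables in system32 with their signature status.

```powershell
# Added example (not from the original post): integrity check for atapi.sys
# plus a sweep for recently dropped executables in system32.
# Assumptions: $SystemRoot points at the suspect Windows directory (offline
# mount or live system); PowerShell 4+ is available for Get-FileHash.
param(
    [string]$SystemRoot = "C:\Windows",   # assumption: suspect Windows directory
    [int]$Days = 7                         # assumption: look-back window in days
)

$driver = Join-Path $SystemRoot "System32\drivers\atapi.sys"

# 1. Authenticode check. atapi.sys is catalog-signed, so this only gives a
#    meaningful 'Valid' on the running system whose catalogs it belongs to;
#    a patched file will not verify against the catalog.
$sig = Get-AuthenticodeSignature -FilePath $driver
"{0}: signature status = {1}" -f $driver, $sig.Status
if ($sig.Status -ne 'Valid') {
    Write-Warning "atapi.sys does not verify; it may have been patched (or you are offline, see step 2)."
}

# 2. Hash comparison against the pristine copies Windows keeps in the
#    component store (WinSxS) and the DriverStore. Works offline, which is
#    the only trustworthy place to do it if a kernel rootkit is hooking reads.
$liveHash = (Get-FileHash -Algorithm SHA256 -Path $driver).Hash
$refs = Get-ChildItem -Path (Join-Path $SystemRoot "WinSxS"),
                            (Join-Path $SystemRoot "System32\DriverStore") `
                      -Recurse -Filter atapi.sys -ErrorAction SilentlyContinue
foreach ($r in $refs) {
    $h = (Get-FileHash -Algorithm SHA256 -Path $r.FullName).Hash
    $verdict = if ($h -eq $liveHash) { "MATCH  " } else { "DIFFERS" }
    "{0} {1}" -f $verdict, $r.FullName
}
if ($refs.Count -eq 0) { Write-Warning "No reference copy of atapi.sys found to compare against." }

# 3. Sweep system32 for executables created inside the window; droppers use
#    random names, so sort by creation time and look at the signature column.
$cutoff = (Get-Date).AddDays(-$Days)
Get-ChildItem -Path (Join-Path $SystemRoot "System32") -Filter *.exe -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt $cutoff } |
    ForEach-Object {
        $s = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{ Name = $_.Name; Created = $_.CreationTime; Signature = $s.Status }
    } |
    Sort-Object Created -Descending |
    Format-Table -AutoSize
```

Two caveats when reading the output. A driver-level rootkit that is running can hide its own patch by returning the clean bytes to any user-mode reader, so step 2 is only conclusive when the volume is mounted from a boot CD or WinPE, which is exactly why the author's bootable toolkit and an offline hash comparison belong together. Conversely, step 1 will report `NotSigned` for a perfectly clean atapi.sys when run against an offline volume, because the catalog it is signed through belongs to the installed OS, not the rescue environment; treat that result as "unknown", not "patched", and let the hash comparison decide.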

