atapi.sys


7 replies to this topic

#1 afodd1

  • Members
  • 57 posts

Posted 15 March 2010 - 08:01 AM

Hi there,
I am running windows vista home premium on a hp pavilion 2517ca laptop, I was running a lot of antivirus/ spyware scans because I thought my computer was running more slowly than it should. Also it seemed to me to be crashing and freezing more often than it used to. Anyway most scans came up with nothing, apart from prevx 3.0, which claimed that atapi.sys in my /windows/ system32 folder was infected. Has anyone else had this report from prevx and is it possible it is a false positive?



#2 techextreme

    Bleepin Tech

  • BC Advisor
  • 2,125 posts
  • Gender:Male
  • Location:Pittsburgh, PA

Posted 15 March 2010 - 09:44 AM

We need to run a GMER scan
  • Download GMER and save to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click the GMER program. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Make sure all options are checked except:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive, which is typically C:\
    • Show All (This is important, so do not miss it.)

    Note: If GMER crashes or hangs, please retry running a scan. Only this time, in addition to the options mentioned above, uncheck Devices as well.

  • When the scan is complete, click Save and save the log onto your desktop.
Post the results of the GMER scan here.

Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

 


#3 afodd1
  • Topic Starter

  • Members
  • 57 posts

Posted 15 March 2010 - 12:19 PM

Hi Techextreme and thanks for the swift reply :thumbsup: Like your Beaker avatar.

OK, GMER crashed a couple of times before I unchecked Devices like you said to do.

Here is the report:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-15 17:11:55
Windows 6.0.6002 Service Pack 2
Running: tcvwwvnt.exe; Driver: C:\Users\AOD\AppData\Local\Temp\pwloykow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwAssignProcessToJobObject [0xA272FD42]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwCreateFile [0xA273044E]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteFile [0xA273059A]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteKey [0xA2733D28]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteValueKey [0xA2733D5A]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenFile [0xA27304FE]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenProcess [0xA272FE86]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenThread [0xA2730078]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwProtectVirtualMemory [0xA27301AA]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwQueryValueKey [0xA2733E2E]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwRenameKey [0xA2733D98]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwReplaceKey [0xA2733DCA]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwRestoreKey [0xA2733DFC]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetContextThread [0xA272FCF0]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetInformationFile [0xA27305FA]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetValueKey [0xA2733CC8]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSuspendThread [0xA272FC94]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwTerminateProcess [0xA272FBF0]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwTerminateThread [0xA272FC38]

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00218674e215
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00218674e215@001d2877bd33 0x51 0x22 0x1D 0xB9 ...
Reg HKLM\SYSTEM\ControlSet005\Services\BTHPORT\Parameters\Keys\00218674e215 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\BTHPORT\Parameters\Keys\00218674e215@001d2877bd33 0x51 0x22 0x1D 0xB9 ...

---- EOF - GMER 1.0.15 ----


I saw there were a lot of references to Trusteer Rapport. This is security software supplied by my bank, supposed to guard against phishing of my bank details. I have uninstalled it as a precaution (actually, I uninstalled it before I ran this scan, as I could see these references popping up even on those times the scan did not finish). Here is the software developer's website: http://www.trusteer.com/

See anything here I should be worried about?
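A small triage script, added here as an illustration and not part of the thread or of GMER: it parses SSDT lines in the layout shown in the log above, groups the hooked services by the driver that owns them, and flags any hook whose driver is not under an analyst-supplied allow-list of paths (here the Trusteer Rapport install directory). Four of the sample lines are copied from the posted log; the fifth, a driver under a Temp directory, is a constructed placeholder so the filter has something to flag. Function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: four SSDT lines copied from the GMER 1.0.15 log posted
# above, plus one line for a hypothetical driver in a Temp directory
# (placeholder, not from the scan) so the allow-list filter has a hit.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwCreateFile [0xA273044E]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenProcess [0xA272FE86]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetValueKey [0xA2733CC8]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwTerminateProcess [0xA272FBF0]
SSDT \??\C:\Users\EXAMPLE\AppData\Local\Temp\PLACEHOLDER.sys ZwQuerySystemInformation [0xDEADBEEF]

---- Registry - GMER 1.0.15 ----
"""

# One GMER SSDT line: "SSDT <module path ending in .sys> <Zw function> [<address>]".
# The module path may contain spaces, so it is matched lazily up to ".sys".
SSDT_RE = re.compile(
    r'^SSDT\s+(?P<module>.+?\.sys)\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]\s*$'
)

# Analyst-supplied allow-list: install directory of the bank's Trusteer Rapport
# software, which is expected to hook these services for self-protection.
ALLOWED_PREFIXES = [r'\??\C:\Program Files\Trusteer\Rapport\bin']


def parse_ssdt_hooks(log_text):
    """Return one dict (module, func, addr) per SSDT line in a GMER log."""
    hooks = []
    for line in log_text.splitlines():
        m = SSDT_RE.match(line.strip())
        if m:
            hooks.append(m.groupdict())
    return hooks


def group_by_module(hooks):
    """Map each hooking driver to the list of services it hooks, in log order."""
    grouped = defaultdict(list)
    for h in hooks:
        grouped[h['module']].append(h['func'])
    return dict(grouped)


def flag_unexpected(hooks, allowed_prefixes):
    """Return hooks whose owning driver is not under an approved path prefix."""
    prefixes = [p.lower() for p in allowed_prefixes]
    return [
        h for h in hooks
        if not any(h['module'].lower().startswith(p) for p in prefixes)
    ]


if __name__ == '__main__':
    hooks = parse_ssdt_hooks(SAMPLE_LOG)
    for module, funcs in group_by_module(hooks).items():
        print(f'{len(funcs):2d} hook(s) from {module}: {", ".join(funcs)}')
    for h in flag_unexpected(hooks, ALLOWED_PREFIXES):
        print(f'UNEXPECTED: {h["module"]} hooks {h["func"]} at {h["addr"]}')
```

Grouping by module is what makes a log like the one above readable at a glance: nineteen hooks from one known security product's driver is a very different picture from one hook from a driver nobody installed. The allow-list is deliberately a list the analyst writes down, not something inferred from the log.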

#4 techextreme

    Bleepin Tech

  • BC Advisor
  • 2,125 posts
  • Gender:Male
  • Location:Pittsburgh, PA

Posted 15 March 2010 - 12:30 PM

Your GMER scan looks good. The Trusteer files that are referenced in your scan log all revert back to Trusteer software.

The BTHPORT Parameters in the second half are pointing to your BlueTooth Stack that is installed in your computer.

So, let's do one more thing and see what comes up.

I would like you to submit this file for analysis via VirusTotal.
After clicking the link you will click on the Browse Button and browse to: C:\Windows\system32.
Click on the file named: atapi.sys
Click "Open" and you will then click on Send file. Let me know the results of the VirusTotal Scan.

Post the entire results for your VirusTotal Scan.



#5 afodd1
  • Topic Starter

  • Members
  • 57 posts

Posted 15 March 2010 - 01:00 PM

OK, that VirusTotal scan gave one positive, by McAfee:

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.03.15 -
AhnLab-V3 5.0.0.2 2010.03.15 -
AntiVir 8.2.1.180 2010.03.15 -
Antiy-AVL 2.0.3.7 2010.03.15 -
Authentium 5.2.0.5 2010.03.15 -
Avast 4.8.1351.0 2010.03.15 -
Avast5 5.0.332.0 2010.03.15 -
AVG 9.0.0.787 2010.03.15 -
BitDefender 7.2 2010.03.15 -
CAT-QuickHeal 10.00 2010.03.15 -
ClamAV 0.96.0.0-git 2010.03.15 -
Comodo 4274 2010.03.15 -
DrWeb 5.0.1.12222 2010.03.15 -
eSafe 7.0.17.0 2010.03.15 -
eTrust-Vet 35.2.7363 2010.03.15 -
F-Prot 4.5.1.85 2010.03.15 -
F-Secure 9.0.15370.0 2010.03.15 -
Fortinet 4.0.14.0 2010.03.15 -
GData 19 2010.03.15 -
Ikarus T3.1.1.80.0 2010.03.15 -
Jiangmin 13.0.900 2010.03.15 -
K7AntiVirus 7.10.998 2010.03.15 -
Kaspersky 7.0.0.125 2010.03.15 -
McAfee 5921 2010.03.15 -
McAfee+Artemis 5921 2010.03.15 -
McAfee-GW-Edition 6.8.5 2010.03.15 Heuristic.LooksLike.Trojan.Patched.H
Microsoft 1.5502 2010.03.12 -
NOD32 4946 2010.03.15 -
Norman 6.04.08 2010.03.15 -
nProtect 2009.1.8.0 2010.03.15 -
Panda 10.0.2.2 2010.03.15 -
PCTools 7.0.3.5 2010.03.15 -
Prevx 3.0 2010.03.15 -
Rising 22.39.00.04 2010.03.15 -
Sophos 4.51.0 2010.03.15 -
Sunbelt 5898 2010.03.15 -
Symantec 20091.2.0.41 2010.03.15 -
TheHacker 6.5.2.0.233 2010.03.15 -
TrendMicro 9.120.0.1004 2010.03.15 -
VBA32 3.12.12.2 2010.03.14 -
ViRobot 2010.3.15.2228 2010.03.15 -
VirusBuster 5.0.27.0 2010.03.14 -
Additional information
File size: 19944 bytes
MD5...: 1f05b78ab91c9075565a9d8a4b880bc4
SHA1..: 218442cd7afecbc8d102c4e31d9ef3528642191b
SHA256: 737be9f9376dab0ccdfed93ea6d67f0c432367ea63cd772a453485be769af3bd
ssdeep: 384:zzY0Vgd1RrKzBpWk4UwWFSn8G6FuT+quHpBjbOjBMwzt8:zz/Vgd1gzQUSuBxkMwzt8
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x5005
timedatestamp.....: 0x49e01eed (Sat Apr 11 04:39:09 2009)
machinetype.......: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x19b0 0x1a00 6.30 4ac8c9f82cf23d85316bd85d3d8e4efb
.rdata 0x3000 0xae 0x200 1.49 3d541e69f96e97a837841ad289adeac7
.data 0x4000 0xc 0x200 0.18 7c80b151582aa6280e754b477343e54e
INIT 0x5000 0x364 0x400 4.51 f238fffd3a9917d72f4888f4276b3b06
.rsrc 0x6000 0x3f8 0x400 3.38 5c8a106a7c9416fb469c83dfab844abd
.reloc 0x7000 0x8a 0x200 1.37 064d7db7c16955d4dc6d3f7afb703e06

( 2 imports )
> ataport.SYS: AtaPortNotification, AtaPortWritePortUchar, AtaPortWritePortUlong, AtaPortGetPhysicalAddress, AtaPortConvertPhysicalAddressToUlong, AtaPortGetScatterGatherList, AtaPortReadPortUchar, AtaPortStallExecution, AtaPortGetParentBusType, AtaPortRequestCallback, AtaPortWritePortBufferUshort, AtaPortGetUnCachedExtension, AtaPortCompleteRequest, AtaPortMoveMemory, AtaPortCompleteAllActiveRequests, AtaPortReleaseRequestSenseIrb, AtaPortBuildRequestSenseIrb, AtaPortReadPortUshort, AtaPortReadPortBufferUshort, AtaPortInitialize, AtaPortGetDeviceBase, AtaPortDeviceStateChange
> NTOSKRNL.exe: KeTickCount

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: ATAPI IDE Miniport Driver
original name: atapi.sys
internal name: atapi.sys
file version.: 6.0.6002.18005 (lh_sp2rtm.090410-1830)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned


And my apologies, the full path for atapi.sys was C:/windows/system32/drivers.
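As an added worked example (not from the thread or from VirusTotal), this script parses an engine table and a sigcheck block in the layout posted above and reduces them to the facts that matter for a false-positive call: the detection ratio, whether every hit is a heuristic or generic verdict rather than a named-sample match, and the publisher field. It uses a subset of the rows above as constructed sample input. One caveat the thread does not spell out: Windows signs most of its own drivers through catalog (.cat) files rather than with an embedded Authenticode signature, so a checker that reads only the embedded signature reports them as "Unsigned"; that field alone is not evidence of tampering, and comparing the file's hash with a known-good copy of the same version (a placeholder argument here) is the decisive check. Function names and verdict labels are my own.

```python
import re

# Constructed sample: a subset of the VirusTotal engine rows posted above
# (the only hit is the McAfee gateway engine) and part of the sigcheck block.
VT_TABLE = """\
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.03.15 -
AVG 9.0.0.787 2010.03.15 -
Kaspersky 7.0.0.125 2010.03.15 -
McAfee 5921 2010.03.15 -
McAfee+Artemis 5921 2010.03.15 -
McAfee-GW-Edition 6.8.5 2010.03.15 Heuristic.LooksLike.Trojan.Patched.H
Microsoft 1.5502 2010.03.12 -
Symantec 20091.2.0.41 2010.03.15 -
"""

SIGCHECK = """\
publisher....: Microsoft Corporation
description..: ATAPI IDE Miniport Driver
original name: atapi.sys
file version.: 6.0.6002.18005 (lh_sp2rtm.090410-1830)
signers......: -
verified.....: Unsigned
"""

# MD5 of the submitted file, as reported in the VirusTotal output above.
OBSERVED_MD5 = '1f05b78ab91c9075565a9d8a4b880bc4'

# One table row: "<engine> <version> <yyyy.mm.dd> <result>"; "-" means no detection.
ROW_RE = re.compile(
    r'^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<updated>\d{4}\.\d{2}\.\d{2})\s+(?P<result>.+?)\s*$'
)
# Substrings that mark a detection name as heuristic/generic rather than a
# signature for a specific known sample.
HEURISTIC_MARKERS = ('heuristic', 'lookslike', 'generic', 'suspicious')


def parse_vt_rows(text):
    """Parse engine rows; the header line fails the date pattern and is skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        result = m.group('result')
        rows.append({'engine': m.group('engine'), 'version': m.group('version'),
                     'updated': m.group('updated'),
                     'result': None if result == '-' else result})
    return rows


def is_heuristic(name):
    low = name.lower()
    return any(marker in low for marker in HEURISTIC_MARKERS)


def summarize(rows):
    """Detection ratio, the list of hits, and whether every hit is heuristic."""
    hits = [(r['engine'], r['result']) for r in rows if r['result']]
    return {
        'engines': len(rows),
        'detections': hits,
        'ratio': f'{len(hits)}/{len(rows)}',
        'all_heuristic': bool(hits) and all(is_heuristic(n) for _, n in hits),
    }


def parse_sigcheck(text):
    """Turn 'key....: value' lines into a dict keyed by the bare field name."""
    fields = {}
    for line in text.splitlines():
        if ':' not in line:
            continue
        key, _, value = line.partition(':')
        fields[key.rstrip('.').strip()] = value.strip()
    return fields


def triage(summary, sig, known_good_md5=None, observed_md5=None):
    """Coarse verdict label for the analyst. A hash comparison, when one is
    available, outranks every other signal."""
    if known_good_md5 and observed_md5:
        if observed_md5.lower() == known_good_md5.lower():
            return 'match_known_good'
        return 'hash_mismatch_investigate'
    hits = summary['detections']
    if not hits:
        return 'clean'
    microsoft = sig.get('publisher', '').startswith('Microsoft')
    if len(hits) <= 2 and summary['all_heuristic'] and microsoft:
        # Low-prevalence heuristic hit on a Microsoft-published driver. The
        # "Unsigned" field does not settle it: Windows signs most system
        # drivers via catalog files, not embedded signatures.
        return 'probable_false_positive_verify_hash_and_catalog'
    return 'escalate'


if __name__ == '__main__':
    s = summarize(parse_vt_rows(VT_TABLE))
    sig = parse_sigcheck(SIGCHECK)
    print(s['ratio'], s['detections'], sig.get('verified'))
    # known_good_md5 is a placeholder; supply the hash of a clean atapi.sys of
    # the same file version from a trusted source to get a definitive answer.
    print(triage(s, sig, known_good_md5=None, observed_md5=OBSERVED_MD5))
```

The verdict labels are deliberately coarse: the script's job is to make the analyst ask for the one missing input (a known-good hash for file version 6.0.6002.18005), not to declare the file clean on the strength of a 1/41 heuristic ratio alone.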

#6 techextreme

    Bleepin Tech

  • BC Advisor
  • 2,125 posts
  • Gender:Male
  • Location:Pittsburgh, PA

Posted 15 March 2010 - 01:06 PM

Ok. That looks good too.

McAfee-GW-Edition 6.8.5 2010.03.15 Heuristic.LooksLike.Trojan.Patched.H

I have run into this identical warning from the McAfee Gateway Edition scan and have had no problems with atapi.sys.

I would say that you have run into a false-positive on your computer and you would be safe to continue using it as always.

I should have also caught the C:\windows\system32\drivers file path.

Happy Computing. :thumbsup:



#7 afodd1
  • Topic Starter

  • Members
  • 57 posts

Posted 15 March 2010 - 03:05 PM

Great, thanks again. Nice to have my paranoia put to rest.

#8 techextreme

    Bleepin Tech

  • BC Advisor
  • 2,125 posts
  • Gender:Male
  • Location:Pittsburgh, PA

Posted 16 March 2010 - 06:12 AM

Glad I could help.





