Scanner found suspicious program. Atapi.sys

Hello everyone.

I made lots of scans to my PC today, with all kinds of programs (Avira, a-squared, superantispyware, gmer, malwarebytes and linux based Avira boot disc scan.) Only a squared found two suspicious programs, but it didnt quarantine them. They are in:

#1 C:\WINDOWS$NtServicePackUninstall$\atapi.sys

#2 C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\atapi.sys

Could you tell me if these are clean programs or rootkits etc? Do you guys have them? If you do, then please upload them to virustotal and check if your atapi.sys files get infection mark like mine did.

I will tell you what virustotal showed me:

From file #1, virustotal`s scanners found:
Didnt find anything. :slight_smile:

From file #2, virustotal´s scanners found:
A-squared 2009.11.28 Rootkit.Win32.TDSS.y!A2 :o
McAfee-GW-Edition 6.8.5 2009.11.28 Heuristic.LooksLike.Win32.NewMalware.H :o

Please tell me if atapi.sys is rootkit, and if its not, are my atapi.sys files in correct area ???

Thank you

I believe the file is being reported because those are non-standard locations. I believe they are valid, (backups) but they aren’t the home location of the actual file. (C:\WINDOWS\system32\drivers) In general, a file with a valid system file name that isn’t in the proper directory is suspect.

I’m curious why you are reporting this here instead of reporting the issue to a2?