Malwarebytes

rootkit


25 replies to this topic

#1
Reynaldo Mtz

    New Member

  • Members
  • Pip
  • 10 posts
As usual I ran a full scan with Malwarebytes on my computer and it found this, saying it's a rootkit... Could it be a false positive? Can you advise whether to unquarantine it or to erase it forever from my computer?

http://img94.imagesh...26/93537588.jpg


#2
roddy32

    New Member

  • Experts
  • Pip
  • 46 posts
  • Gender:Male
  • Location:Kansas, USA
  • Interests:Nascar and Red Sox baseball
I'm getting a similar result.

C:\WINDOWS\system32\drivers\atapi.sys (Rootkit) -> No action taken.

This file has been on the computer since 2003 without any recent modifications.

Also registry keys that are related.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\atapi (Rootkit) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\atapi (Rootkit) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi (Rootkit) -> No action taken.


I am about 99.9% sure these are false positives.
Log'n'Rock Computer Security

Microsoft MVP Consumer Security 2006-2011

#3
roddy32

Just out of curiosity I also did a scan with TrojanHunter, which found nothing, and scanned the driver file with VirusTotal.

Results from VirusTotal are below. 40 out of 41 found the file clean and the other was a heuristic result.

Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.11.11 -
AhnLab-V3 5.0.0.2 2009.11.06 -
AntiVir 7.9.1.61 2009.11.10 -
Antiy-AVL 2.0.3.7 2009.11.10 -
Authentium 5.2.0.5 2009.11.11 -
Avast 4.8.1351.0 2009.11.10 -
AVG 8.5.0.423 2009.11.11 -
BitDefender 7.2 2009.11.11 -
CAT-QuickHeal 10.00 2009.11.10 -
ClamAV 0.94.1 2009.11.10 -
Comodo 2910 2009.11.10 -
DrWeb 5.0.0.12182 2009.11.10 -
eSafe 7.0.17.0 2009.11.10 -
eTrust-Vet 35.1.7113 2009.11.10 -
F-Prot 4.5.1.85 2009.11.10 -
F-Secure 9.0.15370.0 2009.11.09 -
Fortinet 3.120.0.0 2009.11.10 -
GData 19 2009.11.11 -
Ikarus T3.1.1.74.0 2009.11.10 -
Jiangmin 11.0.800 2009.11.10 -
K7AntiVirus 7.10.893 2009.11.10 -
Kaspersky 7.0.0.125 2009.11.11 -
McAfee 5798 2009.11.10 -
McAfee+Artemis 5798 2009.11.10 -
McAfee-GW-Edition 6.8.5 2009.11.10 Heuristic.BehavesLike.Win32.Rootkit.H
Microsoft 1.5202 2009.11.10 -
NOD32 4593 2009.11.10 -
Norman 6.03.02 2009.11.10 -
nProtect 2009.1.8.0 2009.11.10 -
Panda 10.0.2.2 2009.11.10 -
PCTools 7.0.3.5 2009.11.10 -
Prevx 3.0 2009.11.11 -
Rising 22.21.01.09 2009.11.10 -
Sophos 4.47.0 2009.11.11 -
Sunbelt 3.2.1858.2 2009.11.11 -
Symantec 1.4.4.12 2009.11.11 -
TheHacker 6.5.0.2.065 2009.11.11 -
TrendMicro 9.0.0.1003 2009.11.10 -
VBA32 3.12.10.11 2009.11.10 -
ViRobot 2009.11.10.2029 2009.11.10 -
VirusBuster 4.6.5.0 2009.11.10 -
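The table above is the kind of evidence a practitioner weighs before acting on a scanner flag: how many engines agree, and whether the only detections are heuristic names rather than signature matches. The following Python helper is an added example, not code from the post or from Malwarebytes or VirusTotal; it parses rows in the format shown above (a subset of the post's table is embedded as the sample) and summarizes the detection ratio. The list of "heuristic" name markers is an assumption chosen for the example, not a vendor taxonomy.

```python
"""Triage a VirusTotal-style engine result table (added example, not from the post).

Each row looks like:  <engine> <version> <YYYY.MM.DD> <result>
where the result is "-" for clean.  The helper counts detections and reports
whether every detection carries only a heuristic/behavioural name, which is the
situation in the post above (1 of 41 engines, and that one is "Heuristic.BehavesLike...").
"""
import re
from dataclasses import dataclass, field

_ROW = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<updated>\d{4}\.\d{2}\.\d{2})\s+(?P<result>\S+)\s*$"
)

# Substrings that mark a heuristic or generic name rather than a signature match.
# Assumption made for this example; it is not an official vendor naming scheme.
_HEURISTIC_MARKERS = ("heuristic", "behaveslike", "suspicious", "generic", "gen.")

# Subset of the result table from the post above (8 of the 41 rows).
SAMPLE_RESULTS = """\
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.11.11 -
AhnLab-V3 5.0.0.2 2009.11.06 -
Kaspersky 7.0.0.125 2009.11.11 -
McAfee 5798 2009.11.10 -
McAfee-GW-Edition 6.8.5 2009.11.10 Heuristic.BehavesLike.Win32.Rootkit.H
Microsoft 1.5202 2009.11.10 -
NOD32 4593 2009.11.10 -
Symantec 1.4.4.12 2009.11.11 -
"""


@dataclass
class Verdict:
    engines: int
    detections: list = field(default_factory=list)  # (engine, result) pairs

    @property
    def heuristic_only(self) -> bool:
        """True when at least one detection exists and all of them look heuristic."""
        return bool(self.detections) and all(
            any(marker in result.lower() for marker in _HEURISTIC_MARKERS)
            for _, result in self.detections
        )

    def ratio(self) -> str:
        return f"{len(self.detections)}/{self.engines}"

    def assessment(self) -> str:
        if not self.detections:
            return "clean: no engine flagged the file"
        if self.heuristic_only and len(self.detections) <= 2:
            return "low confidence: only isolated heuristic/behavioural detections"
        return "act with care: signature-based detections present"


def parse_results(text: str) -> list:
    """Return (engine, result) for every well-formed row; the header row does not match."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            rows.append((m["engine"], m["result"]))
    return rows


def triage(text: str) -> Verdict:
    rows = parse_results(text)
    detections = [(engine, result) for engine, result in rows if result != "-"]
    return Verdict(engines=len(rows), detections=detections)


if __name__ == "__main__":
    verdict = triage(SAMPLE_RESULTS)
    print(verdict.ratio(), "-", verdict.assessment())
    for engine, result in verdict.detections:
        print(f"  {engine}: {result}")
```

Run on the embedded sample it reports `1/8` and a low-confidence assessment; run on the full 41-row table from the post it would report `1/41` with the same conclusion, which is the reasoning roddy32 applies above.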

#4
roddy32

Here is the Developer Mode scan results.


Malwarebytes' Anti-Malware 1.41
Database version: 3143
Windows 5.1.2600 Service Pack 2

11/10/2009 9:02:29 PM
mbam-log-2009-11-10 (21-02-15).txt

Scan type: Quick Scan
Objects scanned: 101274
Time elapsed: 6 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\atapi (Rootkit) -> No action taken. [4948455830518080857674850107070155385152424847302413016685668174158490840107070152535142474052302224232125130123212034223624252417242024172419242123372236232124192326242323222419242022362420242123392419231823242322223623262321232222362318242123182417232622362318242123182417232623382326242119382320]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\atapi (Rootkit) -> No action taken. [4948455830518080857674850107070155385152424847302413016685668174158490840107070152535142474052302224232125130123212034223624252417242024172419242123372236232124192326242323222419242022362420242123392419231823242322223623262321232222362318242123182417232622362318242123182417232623382326242119382320]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi (Rootkit) -> No action taken. [4948455830518080857674850107070155385152424847302413016685668174158490840107070152535142474052302224232125130123212034223624252417242024172419242123372236232124192326242323222419242022362420242123392419231823242322223623262321232222362318242123182417232622362318242123182417232623382326242119382320]

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\atapi.sys (Rootkit) -> No action taken. [4948455830518080857674850107070155385152424847302413016685668174158490840107070152535142474052302224232125130123212034223624252417242024172419242123372236232124192326242323222419242022362420242123392419231823242322223623262321232222362318242123182417232622362318242123182417232623382326242119382320]
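The log above flags a storage driver under system32\drivers and the Services keys that load it; later posts in this thread show what happens when those entries are removed (STOP 0x0000007B on boot). The following Python helper is an added example, not code from the post or from Malwarebytes: it parses MBAM-style log entries in the format shown above and marks detections that touch a boot-critical driver or its service key so they can be reviewed before any action. The sample log embeds the entries from the post (data blobs dropped) plus one constructed non-driver entry for contrast; the "boot-critical" rule is this example's own heuristic.

```python
"""Triage an MBAM-style scan log before acting on it (added example, not from the post).

Entries look like:   <path or key> (<Category>) -> <action>. [<optional data blob>]
The helper groups them by section and marks as boot-critical any driver file under
\\system32\\drivers\\ and any Services registry key whose leaf name matches such a
driver.  That rule is this example's own heuristic, not an MBAM feature.
"""
import re
from typing import NamedTuple

_SECTION = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
_ENTRY = re.compile(
    r"^(?P<item>.+?) \((?P<category>[^)]+)\) -> (?P<action>.+?)\.(?:\s*\[[^\]]*\])?$"
)


class Detection(NamedTuple):
    section: str
    item: str
    category: str
    action: str
    boot_critical: bool


# Entries taken from the Developer Mode log in the post above (data blobs dropped),
# plus one constructed non-driver entry (example.exe) to show the contrast.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\atapi (Rootkit) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\atapi (Rootkit) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi (Rootkit) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\atapi.sys (Rootkit) -> No action taken.
C:\Documents and Settings\user\Local Settings\Temp\example.exe (Trojan.Agent) -> No action taken.
"""


def _driver_stem(item: str):
    """Return the driver name (e.g. 'atapi') for a .sys file under \\drivers\\, else None."""
    low = item.lower()
    if "\\drivers\\" in low and low.endswith(".sys"):
        return low.rsplit("\\", 1)[-1][:-4]
    return None


def triage_log(text: str) -> list:
    section = None
    raw = []
    for line in text.splitlines():
        line = line.strip()
        m = _SECTION.match(line)
        if m:
            section = m["name"]
            continue
        m = _ENTRY.match(line)
        if m and section:
            raw.append((section, m["item"], m["category"], m["action"]))

    # Driver names seen among flagged .sys files; used to correlate Services keys.
    drivers = {s for s in (_driver_stem(item) for _, item, _, _ in raw) if s}

    out = []
    for section, item, category, action in raw:
        low = item.lower()
        critical = _driver_stem(item) is not None or (
            "\\services\\" in low and low.rsplit("\\", 1)[-1] in drivers
        )
        out.append(Detection(section, item, category, action, critical))
    return out


def summarize(detections: list) -> dict:
    critical = [d for d in detections if d.boot_critical]
    return {"total": len(detections), "boot_critical": len(critical),
            "review_first": [d.item for d in critical]}


if __name__ == "__main__":
    for d in triage_log(SAMPLE_LOG):
        flag = "REVIEW BEFORE ACTING" if d.boot_critical else "ok to handle normally"
        print(f"[{d.section}] {d.item} ({d.category}) -> {flag}")
    print(summarize(triage_log(SAMPLE_LOG)))
```

On the sample it marks the four atapi entries for review and leaves the constructed Temp entry as an ordinary detection; the point is that a driver and its service keys should be verified (file age, vendor signature, a second opinion such as the VirusTotal check above) before a quarantine or delete is allowed to run.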

#5
sUBs

    Forum Deity

  • Moderators
  • PipPipPipPipPipPip
  • 6,031 posts
Kindly do not take any action on the file. It appears to be a false positive which is being investigated now.
sUBs
Research Engineer


#6
roddy32

Thanks sUBs. I left it alone so I am having no problems. There is another thread about this with quite a few more people posting if you have not seen it yet.

http://www.malwarebytes.org/forums/index.p...view=getnewpost

#7
sUBs

It should be fixed now. Please update MBAM and do a fresh scan to confirm.

#8
roddy32

Updated and rescanned. It's all fixed, no malware found.

Thanks for the quick response on this sUBs. :)

#9
whatmeworry?

    True Member

  • Honorary Members
  • PipPipPipPip
  • 297 posts

sUBs, on Nov 10 2009, 10:56 PM, said:

It should be fixed now. Please update MBAM and do a fresh scan to confirm.

Unfortunately, those of us who believed Malwarebytes when we were told we had a rootkit that should be removed are now totally done in. I (and several others) cannot get Windows to load, I cannot boot from an emergency disk, I can't do ANYTHING! I'm really upset. I hope someone from Malwarebytes can help.
Dell XPS 8300 Win7 Prof. 64-bit desktop (Intel Core i5-2400 processor, 8 GB RAM): MS Security Essentials AV, Windows Firewall, MBAM Pro, WinPatrol PLUS
Toshiba NB305-N410BL netbook: Win7 Starter (2 GB RAM), MS Security Essentials AV, Windows Firewall, MBAM Pro, WinPatrol PLUS

#10
sUBs

No worries, please refer to this post > http://www.malwarebytes.org/forums/index.p...st&p=156300

Quote

Please contact the help desk if you are experiencing this issue, and we will work through it with you.

To open a new ticket, simply send an e-mail to support@malwarebytes.org

Many thanks to the users who quickly brought this to our attention.

All users, please update your database to the most recent version to resolve this issue for the future.
Create a ticket by sending an email to support@malwarebytes.org. We have trained personnel on the other end waiting to help you. A little patience is needed, but rest assured that we'll get you through this.

#11
JohnF

    New Member

  • Members
  • Pip
  • 1 posts
Hi folks: I unfortunately managed to choose the same time frame to run a scan on a Dell Optiplex 170L with database 3143, got the same results, and by habit had MBAM fix the file and 3 registry entries and then reboot. No matter how I boot, I now get a blue screen with a STOP error 0x0000007B ...

I'm trying to take a look with a bootable registry editor, but it tells me that the NTFS flag is set wrong, can only read not write ... please reboot with Windows in Safe Mode to clear it up - which I can't do.

When I boot with Knoppix, it looks like atapi.sys is still there ... I assume flagged for deletion by Windows?

I have access to another (working) Optiplex 170L. Any thoughts on the blue screen? Any advice on what MBAM has actually done and if there's a "best" way to get the computer back into working order again?

Many thanks!

John

#12
themow

    New Member

  • Members
  • Pip
  • 4 posts
And the same thing happened to me. I tried the recovery console to repair the MBR... nothing. chkdsk c: /v /f... also nothing. I've been going crazy, about to do a reinstall, but luckily there are many others with this same problem so I will wait.

#13
sUBs


Quote

so i will wait
No need to wait. There are people waiting to help you.

Quote

to open a new ticket, simply send an e-mail to support@malwarebytes.org


#14
Reynaldo Mtz

Hey guys! I guess I erased the file instead of moving it to quarantine; anyway, I'm not experiencing trouble starting my computer, everything seems to be normal since I can do anything.

My question is, do you think I will have problems in the future because of erasing that file?

Please advise. RM

#15
marktreg

    Elite Member

  • Trusted Advisors
  • PipPipPipPipPip
  • 834 posts
@Reynaldo Mtz,

The only way you could possibly have trouble because of removing that file is if you ever wanted to uninstall a Service Pack.

I can see no reason why you would ever want to do this, so you should be perfectly OK.

#16
sooQ

    New Member

  • Members
  • Pip
  • 1 posts
Same thing happened to me when I deleted all infections after a Malwarebytes scan. I don't have my original XP disk here, so is it possible for me to get my PC going again without formatting, because there are files I need on my computer and I don't have a backup of them. If there is a possible solution I would highly appreciate it if someone could make a foolproof walkthrough on how to fix it.

Thanks

#17
blu

    New Member

  • Members
  • Pip
  • 5 posts
Still no fix? :(

#18
marktreg

@blu

Send an e-mail to support@malwarebytes.org and they will help you to fix it.

They are prioritizing these help requests so you should get a reply pretty quickly.

#19
blu

Thanks.
I did that yesterday.

#20
AdvancedSetup

    Forum Deity

  • Administrators
  • PipPipPipPipPipPip
  • 22,575 posts
  • Gender:Male
  • Location:US
Please send a Private Message to one of these guys and they'll help you out.
* Arthur
* Tom
Ron Lewis
Manager, Online Support


If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.