Reynaldo Mtz

rootkit


I'm getting a similar result.

C:\WINDOWS\system32\drivers\atapi.sys (Rootkit) -> No action taken.

This file has been on the computer since 2003 without any recent modifications.

Also registry keys that are related.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\atapi (Rootkit) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\atapi (Rootkit) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi (Rootkit) -> No action taken.

I am about 99.9% sure these are false positives.


Just out of curiosity I just did a scan with TrojanHunter too, which found nothing, and also scanned the driver file with VirusTotal.

Results from VirusTotal are below. 40 out of 41 found the file clean and the other was a heuristic result.

Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.11.11 -
AhnLab-V3 5.0.0.2 2009.11.06 -
AntiVir 7.9.1.61 2009.11.10 -
Antiy-AVL 2.0.3.7 2009.11.10 -
Authentium 5.2.0.5 2009.11.11 -
Avast 4.8.1351.0 2009.11.10 -
AVG 8.5.0.423 2009.11.11 -
BitDefender 7.2 2009.11.11 -
CAT-QuickHeal 10.00 2009.11.10 -
ClamAV 0.94.1 2009.11.10 -
Comodo 2910 2009.11.10 -
DrWeb 5.0.0.12182 2009.11.10 -
eSafe 7.0.17.0 2009.11.10 -
eTrust-Vet 35.1.7113 2009.11.10 -
F-Prot 4.5.1.85 2009.11.10 -
F-Secure 9.0.15370.0 2009.11.09 -
Fortinet 3.120.0.0 2009.11.10 -
GData 19 2009.11.11 -
Ikarus T3.1.1.74.0 2009.11.10 -
Jiangmin 11.0.800 2009.11.10 -
K7AntiVirus 7.10.893 2009.11.10 -
Kaspersky 7.0.0.125 2009.11.11 -
McAfee 5798 2009.11.10 -
McAfee+Artemis 5798 2009.11.10 -
McAfee-GW-Edition 6.8.5 2009.11.10 Heuristic.BehavesLike.Win32.Rootkit.H
Microsoft 1.5202 2009.11.10 -
NOD32 4593 2009.11.10 -
Norman 6.03.02 2009.11.10 -
nProtect 2009.1.8.0 2009.11.10 -
Panda 10.0.2.2 2009.11.10 -
PCTools 7.0.3.5 2009.11.10 -
Prevx 3.0 2009.11.11 -
Rising 22.21.01.09 2009.11.10 -
Sophos 4.47.0 2009.11.11 -
Sunbelt 3.2.1858.2 2009.11.11 -
Symantec 1.4.4.12 2009.11.11 -
TheHacker 6.5.0.2.065 2009.11.11 -
TrendMicro 9.0.0.1003 2009.11.10 -
VBA32 3.12.10.11 2009.11.10 -
ViRobot 2009.11.10.2029 2009.11.10 -
VirusBuster 4.6.5.0 2009.11.10 -


Here is the Developer Mode scan results.

Malwarebytes' Anti-Malware 1.41
Database version: 3143
Windows 5.1.2600 Service Pack 2
11/10/2009 9:02:29 PM
mbam-log-2009-11-10 (21-02-15).txt

Scan type: Quick Scan
Objects scanned: 101274
Time elapsed: 6 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\atapi (Rootkit) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\atapi (Rootkit) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi (Rootkit) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\drivers\atapi.sys (Rootkit) -> No action taken.

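An added triage helper for the situation the log above describes (example code, not from the thread or from Malwarebytes): before quarantining a flagged boot-critical driver, it reads the "Files Infected:" entries out of an MBAM-style log and compares each file byte-for-byte with the copies Windows XP keeps in system32\dllcache and ServicePackFiles\i386. The log excerpt is constructed in the format quoted above, and the two reference locations are assumptions about a standard XP install.

```python
import hashlib
import ntpath
import os
import re

# Constructed excerpt in the format of the MBAM log quoted in this thread
# (the trailing [...] data after each entry is omitted here).
SAMPLE_LOG = """Files Infected:
C:\\WINDOWS\\system32\\drivers\\atapi.sys (Rootkit) -> No action taken.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\atapi (Rootkit) -> No action taken.
"""

# One file entry: "<drive path> (<category>) -> <action>." with an optional trailing [...] blob
LINE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\[^(]+?) \((?P<cat>[^)]+)\) -> (?P<action>[^.\[]+)\.")

def flagged_files(log_text):
    """Return (path, category) for every entry listed under 'Files Infected:'."""
    hits, in_files = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.endswith("Infected:"):          # section header, e.g. "Files Infected:"
            in_files = line == "Files Infected:"
            continue
        m = LINE_RE.match(line)
        if in_files and m:
            hits.append((m.group("path"), m.group("cat")))
    return hits

def sha256_of(path):
    with open(path, "rb") as f:             # drivers are small; read the whole file
        return hashlib.sha256(f.read()).hexdigest()

def compare_with_references(flagged_path, reference_paths):
    """'match' = identical to an existing reference copy (likely false positive); 'differs' =
    references exist but none match (investigate first); 'no-reference' = no copy found."""
    refs = [p for p in reference_paths if os.path.isfile(p)]
    if not refs:
        return "no-reference"
    target = sha256_of(flagged_path)
    return "match" if any(sha256_of(p) == target for p in refs) else "differs"

def triage(log_text, windows_dir=r"C:\WINDOWS"):
    """Verdict per flagged file, using XP's own cached copies as references (assumed paths)."""
    report = {}
    for path, _cat in flagged_files(log_text):
        name = ntpath.basename(path)        # ntpath so Windows paths parse on any host
        refs = [os.path.join(windows_dir, "system32", "dllcache", name),
                os.path.join(windows_dir, "ServicePackFiles", "i386", name)]
        report[path] = compare_with_references(path, refs) if os.path.isfile(path) else "missing"
    return report
```

A "match" against the OS's own cached copy is strong evidence the detection is a false positive; "differs" means the driver has been changed on disk and deserves a second opinion before anything is removed.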

Kindly do not take any action on the file. It appears to be a false positive which is being investigated now.


Updated and rescanned. It's all fixed, no malware found.

Thanks for the quick response on this sUBs. :)

It should be fixed now. Please update MBAM and do a fresh scan to confirm

Unfortunately, those of us who believed Malwarebytes when we were told we had a rootkit that should be removed are now totally done in. I (and several others) cannot get Windows to load, I cannot boot from an emergency disk, I can't do ANYTHING! I'm really upset. I hope someone from Malwarebytes can help.


No worries, please refer to this post > http://www.malwarebytes.org/forums/index.p...st&p=156300

Please contact the help desk if you are experiencing this issue, and we will work through it with you.

To open a new ticket, simply send an e-mail to support@malwarebytes.org

Many thanks to the users who quickly brought this to our attention.

All users, please update your database to the most recent version to resolve this issue for the future.

Create a ticket by sending an email to support@malwarebytes.org. We have trained personnel on the other end waiting to help you. A little patience is needed, but rest assured that we'll get you through this.


Hi Folks: I unfortunately managed to choose the same time frame to run a scan on a Dell Optiplex 170L with database 3143, got the same results, and by habit had MBAM fix the file and 3 registry entries, then reboot. No matter how I boot, I now get a blue screen with a STOP error 0x0000007B ...

I'm trying to take a look with a bootable registry editor, but it tells me that the NTFS flag is set wrong, can only read not write ... please reboot with Windows in Safe Mode to clear it up - which I can't do.

When I boot with Knoppix, it looks like atapi.sys is still there ... I assume flagged for deletion by Windows?

I have access to another (working) Optiplex 170L. Any thoughts on the blue screen? Any advice on what MBAM has actually done and if there's a "best" way to get the computer back into working order again?

Many thanks!

John


And the same thing happened to me. I tried the recovery console to repair the MBR... nothing... chkdsk c: /v /f... also nothing. Been going crazy, about to do a reinstall, but luckily there are many others with this same problem so I will wait.

so I will wait

No need to wait. There are people waiting to help you.

To open a new ticket, simply send an e-mail to support@malwarebytes.org


Hey guys! I guess I erased the file instead of moving it to quarantine; anyway, I'm not experiencing troubles starting my computer, everything seems to be normal since I can do anything.

My question is, do you think I will have problems in the future because of erasing that file?

Please advise.

rm


@Reynaldo Mtz,

The only way you could possibly have trouble because of removing that file is if you ever wanted to uninstall a Service Pack.

I can see no reason why you would ever want to do this, so you should be perfectly OK.


Same thing happened to me when I deleted all infections after a Malwarebytes scan. I don't have my original XP disk here, so is it possible for me to get my PC going again without formatting, because there are files I need on my computer and I don't have a backup of them. If there is a possible solution I would highly appreciate it if someone could make a foolproof walkthrough on how to fix it.

Thanks


@blu

Send an e-mail to support@malwarebytes.org and they will help you to fix it.

They are prioritizing these help requests so you should get a reply pretty quickly.

As usual I ran a full scan with Malwarebytes on my computer and it found this, saying it's a rootkit... Could it be a false positive? Can you advise in order to unquarantine it or to erase it forever from my computer.

http://img94.imageshack.us/img94/3626/93537588.jpg

Do you have any search redirected links from Google search? Are you running XP? A while ago I did have a similar problem with searches being redirected in XP; I erased the file and replaced it with a clean atapi.sys and the problem went away. However, that isn't true in Windows 7, as the new rootkit goes deeper and Malwarebytes can't seem to find anything, but my Google searches are still being redirected to elsewhere other than the link it was originally intended...


You know, everyone here states this is a false positive. In your case it might have been, but in my case and several others also this was not picked up and was an actual issue, as it was part of any search engine: when you did a search and clicked on it, it took you to a different site than you were wanting. So in short this should have never been removed from the search in Malwarebytes and most other scanners and anti-virus programs. You have a very trusted program and it has helped me a lot, but I am disappointed in this particular situation as I had to use another program to clean the issue, called Hitman Pro, and now the computer is 100%. So in short, rethink this skip of the atapi.sys scan; it would have saved me personally a lot of wasted time.

my 2 cents worth


@MrSlotTech: AFAIK we are talking about TDL-3 rootkit when dealing with infected atapi.sys.

Would you rather have MBAM hosing/bricking clean systems here? As that file can be difficult to clean/replace with a clean copy.

@MrSlotTech: AFAIK we are talking about TDL-3 rootkit when dealing with infected atapi.sys.

Would you rather have MBAM hosing/bricking clean systems here? As that file can be difficult to clean/replace with a clean copy.

Maybe notify you that a problem exists so you can take appropriate actions to cure the problem. It (MB) does not have to fix it, just notify, and you make the decision on if and how to fix it.

Kindly do not take any action on the file. It appears to be a false positive which is being investigated now.

YOU GUYS GOT ME VERY WORRIED. I HAVE BEEN WORKING ON A COMPUTER which was hit with XP Security 2010 a few days ago. Not the first time I have worked on this machine over the course of the last 16 months. But I am not finding the y7v11 files as others reported, but I am seeing the AVE.EXE files.

Finally got frustrated and pulled the drives and externally hooked the first one up to a clean machine. Ran Malwarebytes, and while it was running AVG -- latest version with update -- popped up with some Trojan Horse: SHeur3.NSB AND SHeur17.AAZL. This was during the Malwarebytes scan. Then all of a sudden MALWAREBYTES came up with ([bootdrive externally mounted]\windows\system32\drivers\ATAPI.SYS being something along the lines of Win32/Patched.CGI (I believe rootkit)). I removed it as I have never had any problems with Malwarebytes and false positives.

PLEASE RESEARCH THIS. It is still externally installed. I don't remember if I saved the log file when I finished. I then ran a full blown AVG as it hit a few files in the /restore.... files which Malwarebytes missed but were very similar to the ones Malwarebytes found, so I told it to place them in the vault. Deleted them when Malwarebytes was done and then started the AVG. I have it running at a friend's house, and he was ready to go to bed as he has to be at work at 6:30 am. I am pretty sure it DID not modify the registry though, as I was wondering how to correct the registry of the drives before I put them back in the infected computer and boot it up, as I feel they have started a trojan CALL HOME on this variant of the malware that contains Trojan activity.

If you're wondering why I didn't like what was happening when I had Malwarebytes running on the infected machine, it is because malware had hit it by my using a backdoor in safe mode, but then three days later the neighbor was hit again. This time all looked fine until the screen went to screensaver, and yes, in hindsight I realized I forgot to turn off restore points, and then when I moved the mouse to turn off the screen saver I got a blue screen with a mouse pointer, the hard drives still sounding like they were being scanned by Malwarebytes after 14 hours, and bong and bing sounds every few minutes of the FakeRean telling me the machine was being attacked. Tried everything and couldn't get a screen back. When I rebooted I got a desktop back but then the FakeRean took hold again.

Thanks, Bob
