rootkit


Reynaldo Mtz

I'm getting a similar result.

C:\WINDOWS\system32\drivers\atapi.sys (Rootkit) -> No action taken.

This file has been on the computer since 2003 without any recent modifications.

Also registry keys that are related.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\atapi (Rootkit) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\atapi (Rootkit) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi (Rootkit) -> No action taken.

I am about 99.9% sure these are false positives.

Just out of curiosity I just did a scan with TrojanHunter too, which found nothing, and also scanned the driver file with VirusTotal.

Results from VirusTotal are below. 40 out of 41 found the file clean and the other was a heuristic result.

Antivirus Version Last Update Result

a-squared 4.5.0.41 2009.11.11 -

AhnLab-V3 5.0.0.2 2009.11.06 -

AntiVir 7.9.1.61 2009.11.10 -

Antiy-AVL 2.0.3.7 2009.11.10 -

Authentium 5.2.0.5 2009.11.11 -

Avast 4.8.1351.0 2009.11.10 -

AVG 8.5.0.423 2009.11.11 -

BitDefender 7.2 2009.11.11 -

CAT-QuickHeal 10.00 2009.11.10 -

ClamAV 0.94.1 2009.11.10 -

Comodo 2910 2009.11.10 -

DrWeb 5.0.0.12182 2009.11.10 -

eSafe 7.0.17.0 2009.11.10 -

eTrust-Vet 35.1.7113 2009.11.10 -

F-Prot 4.5.1.85 2009.11.10 -

F-Secure 9.0.15370.0 2009.11.09 -

Fortinet 3.120.0.0 2009.11.10 -

GData 19 2009.11.11 -

Ikarus T3.1.1.74.0 2009.11.10 -

Jiangmin 11.0.800 2009.11.10 -

K7AntiVirus 7.10.893 2009.11.10 -

Kaspersky 7.0.0.125 2009.11.11 -

McAfee 5798 2009.11.10 -

McAfee+Artemis 5798 2009.11.10 -

McAfee-GW-Edition 6.8.5 2009.11.10 Heuristic.BehavesLike.Win32.Rootkit.H

Microsoft 1.5202 2009.11.10 -

NOD32 4593 2009.11.10 -

Norman 6.03.02 2009.11.10 -

nProtect 2009.1.8.0 2009.11.10 -

Panda 10.0.2.2 2009.11.10 -

PCTools 7.0.3.5 2009.11.10 -

Prevx 3.0 2009.11.11 -

Rising 22.21.01.09 2009.11.10 -

Sophos 4.47.0 2009.11.11 -

Sunbelt 3.2.1858.2 2009.11.11 -

Symantec 1.4.4.12 2009.11.11 -

TheHacker 6.5.0.2.065 2009.11.11 -

TrendMicro 9.0.0.1003 2009.11.10 -

VBA32 3.12.10.11 2009.11.10 -

ViRobot 2009.11.10.2029 2009.11.10 -

VirusBuster 4.6.5.0 2009.11.10 -

Here is the Developer Mode scan results.

Malwarebytes' Anti-Malware 1.41

Database version: 3143

Windows 5.1.2600 Service Pack 2

11/10/2009 9:02:29 PM

mbam-log-2009-11-10 (21-02-15).txt

Scan type: Quick Scan

Objects scanned: 101274

Time elapsed: 6 minute(s), 9 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\atapi (Rootkit) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\atapi (Rootkit) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi (Rootkit) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\drivers\atapi.sys (Rootkit) -> No action taken.

It should be fixed now. Please update MBAM and do a fresh scan to confirm.

Unfortunately, those of us who believed Malwarebytes when we were told we had a rootkit that should be removed are now totally done in. I (and several others) cannot get Windows to load, I cannot boot from an emergency disk, I can't do ANYTHING! I'm really upset. I hope someone from Malwarebytes can help.

No worries, please refer to this post > http://www.malwarebytes.org/forums/index.p...st&p=156300

Please contact the help desk if you are experiencing this issue, and we will work through it with you.

To open a new ticket, simply send an e-mail to support@malwarebytes.org

Many thanks to the users who quickly brought this to our attention.

All users, please update your database to the most recent version to resolve this issue for the future.

Create a ticket by sending an email to support@malwarebytes.org. We have trained personnel on the other end waiting to help you. A little patience is needed, but rest assured that we'll get you through this.

Hi Folks: I unfortunately managed to choose the same time frame to run a scan on a Dell Optiplex 170L with database 3143, got the same results, and by habit had MBAM fix the file and 3 registry entries then reboot. No matter how I boot, I now get a blue screen with a STOP error 0x0000007B ...

I'm trying to take a look with a bootable registry editor, but it tells me that the NTFS flag is set wrong, can only read not write ... please reboot with Windows in Safe Mode to clear it up - which I can't do.

When I boot with Knoppix, it looks like atapi.sys is still there ... I assume flagged for deletion by Windows?

I have access to another (working) Optiplex 170L. Any thoughts on the blue screen? Any advice on what MBAM has actually done and if there's a "best" way to get the computer back into working order again?

Many thanks!

John

Same thing happened to me when I deleted all infections after a Malwarebytes scan. I don't have my original XP disk here, so is it possible for me to get my PC going again without formatting, because there are files I need in my computer and I don't have a backup of them. If there is a possible solution I would highly appreciate it if someone could make a foolproof walkthrough on how to fix it.

Thanks

As usual I ran a full scan with Malwarebytes on my computer and found this saying it's a rootkit... Could it be a false positive? Can you advise in order to unquarantine it or to erase it forever from my computer.

http://img94.imageshack.us/img94/3626/93537588.jpg

Do you have any search links from Google search being redirected? Are you running XP? A while ago I did have a similar problem with searches being redirected in XP; I erased the file and replaced it with a clean atapi.sys and the problem went away. However that isn't true in Windows 7, as the new rootkit is deeper and Malwarebytes can't seem to find anything, but my Google searches are still being redirected elsewhere other than the link they were originally intended for...

You know, everyone here states this is a false positive. In your case it might have been, but in my case and several others also this was not picked up and was an actual issue: it was part of any search engine, and when you did a search and clicked on it, it took you to a different site than you were wanting. So in short this should have never been removed from the search in Malwarebytes and most other scanners and antivirus programs. You have a very trusted program and it has helped me a lot, but I am disappointed in this particular situation as I had to use another program to clean the issue called Hitman Pro and now the computer is 100%. So in short, rethink this skip of the atapi.sys scan; it would have saved me personally a lot of wasted time.

my 2 cents worth

@MrSlotTech: AFAIK we are talking about the TDL-3 rootkit when dealing with an infected atapi.sys.

Would you rather have MBAM hosing/bricking clean systems here? That file can be difficult to clean/replace with a clean copy.

@MrSlotTech: AFAIK we are talking about the TDL-3 rootkit when dealing with an infected atapi.sys.

Would you rather have MBAM hosing/bricking clean systems here? That file can be difficult to clean/replace with a clean copy.

Maybe notify you that a problem exists so you can take appropriate action to cure the problem. It (MB) does not have to fix, just notify, and you make the decision on if and how to fix.

Kindly do not take any action on the file. It appears to be a false positive which is being investigated now.

YOU GUYS GOT ME VERY WORRIED. I HAVE BEEN WORKING ON A COMPUTER which has been hit with XP Security 2010 a few days ago. Not the first time I have worked on this machine over the course of the last 16 months. But I am not finding the y7v11 files as others reported; I am seeing the AVE.EXE files.

Finally got frustrated and pulled the drives and externally hooked the first one up to a clean machine. Ran Malwarebytes, and while it was running AVG -- latest version with update -- popped up with some Trojan Horse: SHeur3.NSB and SHeur17.AAZL. This was during the Malwarebytes scan. Then all of a sudden MALWAREBYTES came up with (([bootdrive externally mounted]\windows\system32\drivers\ATAPI.SYS being something along the lines of Win32/Patched.CGI ((I believe rootkit)). I removed it, as I have never had any problems with Malwarebytes and false positives.

PLEASE RESEARCH THIS. It is still externally installed. I don't remember if I saved the log file when I finished. I then ran a full-blown AVG, as it hit a few files in the /restore.... files which Malwarebytes missed but were very similar to the ones Malwarebytes found, so I told it to place them in the vault. Deleted them when Malwarebytes was done and then started the AVG. I have it running at a friend's house, and he was ready to go to bed as he has to be at work at 6:30 am. I am pretty sure it DID NOT modify the registry though, as I was wondering how to correct the registry of the drives before I put them back in the infected computer and boot it up, as I feel they have started a trojan CALL HOME on this variant of the malware that contains Trojan activity.

If you're wondering why I didn't like what was happening when I had Malwarebytes running on the infected machine, it is because malware had hit it by my using a backdoor in safe mode, but then three days later the neighbor was hit again. This time all looked fine until the screen went to screensaver, and yes, in hindsight I realized I forgot to turn off restore points, and then when I moved the mouse to turn off the screensaver I got a blue screen with a mouse pointer, the hard drives still sounding like they were being scanned by Malwarebytes after 14 hours, and bong and bing sounds every few minutes of the FakeRean telling me the machine was being attacked. Tried everything and couldn't get a screen back. When I rebooted I got a desktop back, but then the FakeRean took hold again.

Thanks Bob
