Reynaldo Mtz Posted November 11, 2009 ID:156211
As usual I ran a full scan with Malwarebytes on my computer and found this saying it's a rootkit... Could it be a false positive? Can you advise on how to unquarantine it or erase it forever from my computer? http://img94.imageshack.us/img94/3626/93537588.jpg
roddy32 Posted November 11, 2009 ID:156233
I'm getting a similar result.

C:\WINDOWS\system32\drivers\atapi.sys (Rootkit) -> No action taken.

This file has been on the computer since 2003 without any recent modifications. Also registry keys that are related.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\atapi (Rootkit) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\atapi (Rootkit) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi (Rootkit) -> No action taken.

I am about 99.9% sure these are false positives.
roddy32 Posted November 11, 2009 ID:156237
Just out of curiosity I just did a scan with TrojanHunter too, which found nothing, and also scanned the driver file with VirusTotal. Results from VirusTotal are below. 40 out of 41 found the file clean and the other was a heuristic result.

Antivirus          Version           Last Update   Result
a-squared          4.5.0.41          2009.11.11    -
AhnLab-V3          5.0.0.2           2009.11.06    -
AntiVir            7.9.1.61          2009.11.10    -
Antiy-AVL          2.0.3.7           2009.11.10    -
Authentium         5.2.0.5           2009.11.11    -
Avast              4.8.1351.0        2009.11.10    -
AVG                8.5.0.423         2009.11.11    -
BitDefender        7.2               2009.11.11    -
CAT-QuickHeal      10.00             2009.11.10    -
ClamAV             0.94.1            2009.11.10    -
Comodo             2910              2009.11.10    -
DrWeb              5.0.0.12182       2009.11.10    -
eSafe              7.0.17.0          2009.11.10    -
eTrust-Vet         35.1.7113         2009.11.10    -
F-Prot             4.5.1.85          2009.11.10    -
F-Secure           9.0.15370.0       2009.11.09    -
Fortinet           3.120.0.0         2009.11.10    -
GData              19                2009.11.11    -
Ikarus             T3.1.1.74.0       2009.11.10    -
Jiangmin           11.0.800          2009.11.10    -
K7AntiVirus        7.10.893          2009.11.10    -
Kaspersky          7.0.0.125         2009.11.11    -
McAfee             5798              2009.11.10    -
McAfee+Artemis     5798              2009.11.10    -
McAfee-GW-Edition  6.8.5             2009.11.10    Heuristic.BehavesLike.Win32.Rootkit.H
Microsoft          1.5202            2009.11.10    -
NOD32              4593              2009.11.10    -
Norman             6.03.02           2009.11.10    -
nProtect           2009.1.8.0        2009.11.10    -
Panda              10.0.2.2          2009.11.10    -
PCTools            7.0.3.5           2009.11.10    -
Prevx              3.0               2009.11.11    -
Rising             22.21.01.09       2009.11.10    -
Sophos             4.47.0            2009.11.11    -
Sunbelt            3.2.1858.2        2009.11.11    -
Symantec           1.4.4.12          2009.11.11    -
TheHacker          6.5.0.2.065       2009.11.11    -
TrendMicro         9.0.0.1003        2009.11.10    -
VBA32              3.12.10.11        2009.11.10    -
ViRobot            2009.11.10.2029   2009.11.10    -
VirusBuster        4.6.5.0           2009.11.10    -
roddy32 Posted November 11, 2009 ID:156257
Here are the Developer Mode scan results.

Malwarebytes' Anti-Malware 1.41
Database version: 3143
Windows 5.1.2600 Service Pack 2

11/10/2009 9:02:29 PM
mbam-log-2009-11-10 (21-02-15).txt

Scan type: Quick Scan
Objects scanned: 101274
Time elapsed: 6 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\atapi (Rootkit) -> No action taken. [4948455830518080857674850107070155385152424847302413016685668174158490840107070152535142474052302224232125130123212034223624252417242024172419242123372236232124192326242323222419242022362420242123392419231823242322223623262321232222362318242123182417232622362318242123182417232623382326242119382320]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\atapi (Rootkit) -> No action taken. [4948455830518080857674850107070155385152424847302413016685668174158490840107070152535142474052302224232125130123212034223624252417242024172419242123372236232124192326242323222419242022362420242123392419231823242322223623262321232222362318242123182417232622362318242123182417232623382326242119382320]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi (Rootkit) -> No action taken. [4948455830518080857674850107070155385152424847302413016685668174158490840107070152535142474052302224232125130123212034223624252417242024172419242123372236232124192326242323222419242022362420242123392419231823242322223623262321232222362318242123182417232622362318242123182417232623382326242119382320]

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\atapi.sys (Rootkit) -> No action taken. [4948455830518080857674850107070155385152424847302413016685668174158490840107070152535142474052302224232125130123212034223624252417242024172419242123372236232124192326242323222419242022362420242123392419231823242322223623262321232222362318242123182417232622362318242123182417232623382326242119382320]
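The two posts above show the raw material a responder has when deciding whether a detection like this is real: the MBAM log itself, and a multi-engine verdict where one engine's heuristic disagrees with forty others. The script below is an added example written for this thread; it is not Malwarebytes' code and not something the posters ran. It parses the "Registry Keys Infected" and "Files Infected" sections of an MBAM log (the sample is a constructed copy of the lines posted, with the developer-mode bracketed numbers left out), holds any hit on a boot-path driver for manual verification instead of recommending removal, and scores an engine verdict list the way one reads a VirusTotal report. The list of boot-start drivers and the "flagged by at most one engine, and only heuristically" rule of thumb are this example's own assumptions, not anything stated in the thread.

```python
"""Triage helper for Malwarebytes' Anti-Malware (MBAM) scan logs.

Added example: parses MBAM detection lines, flags detections that touch
Windows XP boot-path drivers (removing those can leave the system unable
to start), and scores a multi-engine verdict list for false-positive
likelihood.  Driver list and consensus threshold are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample reproducing the detection lines posted in the thread.
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.41
Database version: 3143
Windows 5.1.2600 Service Pack 2

Scan type: Quick Scan
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\atapi (Rootkit) -> No action taken.
HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Services\\atapi (Rootkit) -> No action taken.
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\atapi (Rootkit) -> No action taken.

Files Infected:
C:\\WINDOWS\\system32\\drivers\\atapi.sys (Rootkit) -> No action taken.
"""

# Assumed, non-exhaustive set of XP boot-start storage/filesystem drivers.
BOOT_CRITICAL_DRIVERS = {"atapi.sys", "pciide.sys", "intelide.sys",
                         "disk.sys", "classpnp.sys", "ntfs.sys"}
BOOT_CRITICAL_SERVICES = {name[:-4] for name in BOOT_CRITICAL_DRIVERS}

# "<item> (<category>) -> <action>." with an optional trailing [digits]
# blob that developer-mode logs append.
DETECTION_RE = re.compile(
    r"^(?P<item>.+?) \((?P<category>[^()]+)\) -> (?P<action>.+?)\.?"
    r"\s*(?:\[[0-9]+\])?\s*$")


@dataclass
class Detection:
    section: str
    item: str
    category: str
    action: str

    def is_boot_critical(self) -> bool:
        """True if acting on this item could break the boot path."""
        if self.section == "Files Infected":
            return self.item.rsplit("\\", 1)[-1].lower() in BOOT_CRITICAL_DRIVERS
        if self.section == "Registry Keys Infected":
            m = re.search(r"\\Services\\([^\\]+)$", self.item, re.I)
            return bool(m) and m.group(1).lower() in BOOT_CRITICAL_SERVICES
        return False


def parse_mbam_log(text: str) -> list[Detection]:
    """Collect detection lines from every 'X Infected:' section."""
    section, found = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(":") and not line.startswith("("):
            section = line[:-1]          # e.g. "Files Infected"
            continue
        if section and line and not line.startswith("("):
            m = DETECTION_RE.match(line)
            if m:
                found.append(Detection(section, **m.groupdict()))
    return found


def triage(detections: list[Detection]) -> list[tuple[Detection, str]]:
    """HOLD boot-critical hits for signature/hash verification; otherwise
    the normal quarantine (reversible) path."""
    return [(d, "HOLD" if d.is_boot_critical() else "QUARANTINE")
            for d in detections]


# Constructed from the 41 engines listed in the thread: all "-" (clean)
# except one heuristic hit.
SAMPLE_ENGINE_RESULTS = {name: "-" for name in [
    "a-squared", "AhnLab-V3", "AntiVir", "Antiy-AVL", "Authentium", "Avast",
    "AVG", "BitDefender", "CAT-QuickHeal", "ClamAV", "Comodo", "DrWeb",
    "eSafe", "eTrust-Vet", "F-Prot", "F-Secure", "Fortinet", "GData",
    "Ikarus", "Jiangmin", "K7AntiVirus", "Kaspersky", "McAfee",
    "McAfee+Artemis", "McAfee-GW-Edition", "Microsoft", "NOD32", "Norman",
    "nProtect", "Panda", "PCTools", "Prevx", "Rising", "Sophos", "Sunbelt",
    "Symantec", "TheHacker", "TrendMicro", "VBA32", "ViRobot", "VirusBuster"]}
SAMPLE_ENGINE_RESULTS["McAfee-GW-Edition"] = "Heuristic.BehavesLike.Win32.Rootkit.H"


def engine_consensus(results: dict[str, str]) -> dict:
    """Rule of thumb (assumption): flags from <=5% of engines that are all
    heuristic/generic names point to a likely false positive."""
    flagged = {e: r for e, r in results.items() if r != "-"}
    heuristic = [e for e, r in flagged.items() if "heur" in r.lower()]
    total = len(results)
    if not flagged:
        verdict = "clean"
    elif len(flagged) == len(heuristic) and len(flagged) <= max(1, total // 20):
        verdict = "likely false positive"
    else:
        verdict = "suspicious"
    return {"engines": total, "flagged": len(flagged),
            "heuristic": len(heuristic), "verdict": verdict}


if __name__ == "__main__":
    for det, decision in triage(parse_mbam_log(SAMPLE_LOG)):
        print(f"{decision:10} {det.section}: {det.item} ({det.category})")
    print(engine_consensus(SAMPLE_ENGINE_RESULTS))
```

Run against the constructed log, all four atapi hits come back as HOLD, and the engine list scores as "likely false positive" (41 engines, 1 flagged, that one heuristic). The HOLD decision is the point: a boot-start driver flagged by a single heuristic is exactly the case where quarantining (which MBAM can undo) rather than deleting, and checking the file's signature or hash first, avoids the unbootable systems described later in this thread.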
sUBs Posted November 11, 2009 ID:156278
Kindly do not take any action on the file. It appears to be a false positive which is being investigated now.
roddy32 Posted November 11, 2009 ID:156280
Thanks sUBs. I left it alone so I am having no problems. There is another thread about this with quite a few more people posting if you have not seen it yet. http://www.malwarebytes.org/forums/index.p...view=getnewpost
sUBs Posted November 11, 2009 ID:156281
It should be fixed now. Please update MBAM and do a fresh scan to confirm.
roddy32 Posted November 11, 2009 ID:156289
Updated and rescanned. It's all fixed, no malware found. Thanks for the quick response on this sUBs.
whatmeworry? Posted November 11, 2009 ID:156302
"It should be fixed now. Please update MBAM and do a fresh scan to confirm"

Unfortunately, those of us who believed Malwarebytes when we were told we had a rootkit that should be removed are now totally done in. I (and several others) cannot get Windows to load, I cannot boot from an emergency disk, I can't do ANYTHING! I'm really upset. I hope someone from Malwarebytes can help.
sUBs Posted November 11, 2009 ID:156303
No worries, please refer to this post > http://www.malwarebytes.org/forums/index.p...st&p=156300

Please contact the help desk if you are experiencing this issue, and we will work through it with you. To open a new ticket, simply send an e-mail to support@malwarebytes.org

Many thanks to the users who quickly brought this to our attention.

All users, please update your database to the most recent version to resolve this issue for the future.

Create a ticket by sending an email to support@malwarebytes.org. We have trained personnel on the other end waiting to help you. A little patience is needed but rest assured that we'll get you through this.
JohnF Posted November 11, 2009 ID:156304
Hi Folks: I unfortunately managed to choose the same time frame to run a scan on a Dell Optiplex 170L with database 3143, got the same results, and by habit had MBAM fix the file and 3 registry entries then reboot. No matter how I boot, I now get a blue screen with a STOP error 0x0000007B ... I'm trying to take a look with a bootable registry editor, but it tells me that the NTFS flag is set wrong, can only read not write ... please reboot with Windows in Safe Mode to clear it up - which I can't do.

When I boot with Knoppix, it looks like atapi.sys is still there ... I assume flagged for deletion by Windows? I have access to another (working) Optiplex 170L. Any thoughts on the blue screen? Any advice on what MBAM has actually done and if there's a "best" way to get the computer back into working order again?

Many thanks!
John
themow Posted November 11, 2009 ID:156590
And the same thing happened to me. I tried the recovery console to repair the MBR... nothing... chkdsk c: /v /f... also nothing. Been going crazy, about to do a reinstall, but luckily there are many others with this same problem so I will wait.
sUBs Posted November 11, 2009 ID:156595
"so i will wait"

No need to wait. There are people waiting to help you. To open a new ticket, simply send an e-mail to support@malwarebytes.org
Reynaldo Mtz (Author) Posted November 11, 2009 ID:156666
Hey guys! I guess I erased the file instead of moving it to quarantine; anyway, I'm not experiencing trouble starting my computer, everything seems to be normal since I can do anything.

My question is, do you think I will have problems in the future because of erasing that file?

Please advise.
rm
marktreg Posted November 11, 2009 ID:156671
@Reynaldo Mtz,
The only way you could possibly have trouble because of removing that file is if you ever wanted to uninstall a Service Pack. I can see no reason why you would ever want to do this, so you should be perfectly OK.
sooQ Posted November 12, 2009 ID:157170
Same thing happened to me when I deleted all infections after a Malwarebytes scan. I don't have my original XP disk here, so is it possible for me to get my PC going again without formatting, because there are files I need on my computer and I don't have a backup of them? If there is a possible solution I would highly appreciate it if someone could make a foolproof walkthrough on how to fix it.

Thanks
blu Posted November 13, 2009 ID:157271
still no fix? : (
marktreg Posted November 13, 2009 ID:157278
@blu
Send an e-mail to support@malwarebytes.org and they will help you to fix it. They are prioritizing these help requests so you should get a reply pretty quickly.
blu Posted November 13, 2009 ID:157283
Thanks. I did that yesterday.
AdvancedSetup (Root Admin) Posted November 13, 2009 ID:157290
Please send a Private Message to one of these guys and they'll help you out.
* Arthur
* Tom
morissen3k8 Posted November 15, 2009 ID:158245
"As usual I ran a full scan with malwarebytes in my computer and found this saying it's a rootkit... Could it be a false positive? can you advise in order to unquarantine or to erase it forverer from my computer. http://img94.imageshack.us/img94/3626/93537588.jpg"

Do you have any search links redirected from Google search? Are you running XP? A while ago I did have a similar problem with searches being redirected in XP. I erased the file and replaced it with a clean atapi.sys and the problem went away. However, that isn't true in Windows 7, as the new rootkit is deeper and Malwarebytes can't seem to find anything, but my Google searches are still being redirected elsewhere, other than the link it was originally intended for...
MrSlottech Posted February 15, 2010 ID:200112
You know, everyone here states this is a false positive. In your case it might have been, but in my case and several others also this was not picked up and was an actual issue, as it was part of any search engine: when you did a search and clicked on it, it took you to a different site than you were wanting. So in short this should have never been removed from the search in Malwarebytes and most other scanners and antivirus programs. You have a very trusted program and it has helped me a lot, but I am disappointed in this particular situation as I had to use another program to clean the issue, called Hitman Pro, and now the computer is 100%. So in short, rethink this skip of the atapi.sys scan; it would have saved me personally a lot of wasted time.

My 2 cents worth
lordpake Posted February 15, 2010 ID:200122
@MrSlotTech: AFAIK we are talking about the TDL-3 rootkit when dealing with an infected atapi.sys. Would you rather have MBAM hosing/bricking clean systems here? As that file can be difficult to clean/replace with a clean copy.
MrSlottech Posted February 15, 2010 ID:200130
"@MrSlotTech: AFAIK we are talking about TDL-3 rootkit when dealing with infected atapi.sys. Would you rather have MBAM hosing/bricking clean systems here? As that file can be difficult to clean/replace with clean copy."

Maybe notify you that a problem exists so you can take appropriate actions to cure the problem. It (MB) does not have to fix, just notify, and you make the decision on if and how to fix.
BobVillaWV Posted March 31, 2010 ID:224616
"Kindly do not take any action on the file. It appears to be a false positive which is being investigated now."

YOU GUYS GOT ME VERY WORRIED. I HAVE BEEN WORKING ON A COMPUTER which has been hit with XP Security 2010 a few days ago. Not the first time I have worked on this machine over the course of the last 16 months. But I am not finding the y7v11 files as others reported, but I am seeing the AVE.EXE files. Finally got frustrated and pulled the drives and externally hooked the first one up to a clean machine. Ran Malwarebytes, and while it was running AVG (latest version with update) popped up with some Trojan Horse: SHeur3.NSB AND SHeur17.AAZL. This was during the Malwarebytes scan. Then all of a sudden MALWAREBYTES came up with ([bootdrive externally mounted]\windows\system32\drivers\ATAPI.SYS being something along the lines of Win32/Patched.CGI (I believe rootkit). I removed it as I have never had any problems with Malwarebytes and false positives. PLEASE RESEARCH THIS. It is still externally installed. I don't remember if I saved the log file when I finished. I then ran a full-blown AVG as it hit a few files in the /restore... files which Malwarebytes missed but were very similar to the ones Malwarebytes found, so I told it to place them in the vault. Deleted them when Malwarebytes was done and then started the AVG. I have it running at a friend's house, and he was ready to go to bed as he has to be at work at 6:30 am. I am pretty sure it DID not modify the registry though, as I was wondering how to correct the registry of the drives before I put them back in the infected computer and boot it up.

As I feel they have started a trojan CALL HOME on this variant of the malware that contains Trojan activity. If you're wondering why I didn't like what was happening when I had Malwarebytes running on the infected machine, it is because malware had hit it by my using a backdoor in safe mode, but then three days later the neighbor was hit again. This time all looked fine until the screen went to screensaver, and yes, in hindsight I realized I forgot to turn off restore points, and then when I moved the mouse to turn off the screen saver I got a blue screen with a mouse pointer, the hard drives still sounding like they were being scanned by Malwarebytes after 14 hours, and bongs and bings sounds every few minutes of the FakeRean telling me the machine was being attacked. Tried everything and couldn't get a screen back. When I rebooted I got a desktop back but then the FakeRean took hold again.

Thanks
Bob