Possible False positives Trojan.Rootkit-2660

Trojan Rootkit - 2660 FOUND message
dgubrud
Previous scans have been coming up clean, but this morning we received a "Trojan Rootkit - 2660 FOUND" message.
Our version of WinClam is slightly outdated. Anybody else seeing this? - Dave
GuitarBob
Many viruses now come with a rootkit, so it is possible. A rootkit file usually has a .sys for the extension, and they are often found in the WBEM or ATAPI directories. I would upload the file to VirusTotal or Jotti to see what multiple AVs say about it. If only a few, besides Clam, say it is infected, it is probably a false positive. It is probably a real infection if you get five or more AVs (besides Clam) finding an infection.
You can upload to Jotti at https://virusscan.jotti.org/en-gb on the web or VirusTotal at https://www.virustotal.com/ on the web. Upload false positives to Clam AV at https://www.clamav.net/lang/en/sendvirus/ on the web. Be sure to click on false positive before sending. Regards,
Koen
I've had the same as Tigermind:

Scan Started Sun Apr 04 10:27:17 2010
-------------------------------------------------------------------------------
C:\hiberfil.sys: Permission denied
C:\pagefile.sys: Permission denied
C:\Windows\system32\CatRoot2\tmp.edb: Permission denied
C:\Windows\system32\config\default: Permission denied
C:\Windows\system32\config\SAM: Permission denied
C:\Windows\system32\config\SECURITY: Permission denied
C:\Windows\system32\config\software: Permission denied
C:\Windows\system32\config\system: Permission denied
C:\Windows\$NtServicePackUninstall$\atapi.sys: Trojan.Rootkit-2660 FOUND
C:\Windows\i386\ATAPI.SY_: Trojan.Rootkit-2660 FOUND
C:\Windows\i386\SP2.CAB: Trojan.Rootkit-2660 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 753703
Engine version: 0.95.3
Scanned directories: 6789
Scanned files: 78293
Infected files: 3
Data scanned: 28463.63 MB
Data read: 41407.51 MB (ratio 0.69:1)
Time: 8504.188 sec (141 m 44 s)
-------------------------------------- Completed ---------------------------------

I've sent the SP2.CAB file (date 2-3-2006) to Virustotal.com. 2 of the 41 virus scanners came up with a (false) positive: eSafe recognised a Win32.TrojanHorse in it, and Clamwin the rootkit mentioned. I rebooted the machine and did a scan with the f-secure boot cd: no viruses found. Did a Google search on "Trojan.Rootkit-2660"; only 4 references, all Clamwin results. Unfortunately, for all the good work here, it looks a bit like a false positive to me.
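A small triage helper for the two steps discussed above, GuitarBob's multi-engine rule of thumb and scan output like Koen's. This is an added example, not code from ClamWin or ClamAV: it parses the `path: Signature FOUND` and summary lines of a clamscan-style report, checks that the summary agrees with the FOUND lines, computes the hashes you would search VirusTotal or Jotti for instead of uploading the file, and applies the "five or more engines besides Clam" rule. The report excerpt and the engine verdicts are constructed sample data modelled on this thread; the cut-off of two or fewer for "only a few" is an assumption.

```python
"""Triage helper for ClamWin/clamscan reports.

Added example, not part of ClamWin or ClamAV.  It parses the
'path: Signature FOUND' and summary lines of a report in the format posted
in this thread, checks that the summary agrees with the FOUND lines, and
applies the thread's rule of thumb for multi-engine results: set Clam's own
verdict aside and treat a file as a probable infection only when five or
more other engines flag it.  The report excerpt and the engine verdicts
below are constructed sample data; real verdicts come from a VirusTotal or
Jotti report, which can be looked up by the file's hash instead of
uploading the file.
"""

import hashlib
import re
from collections import defaultdict

FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
SUMMARY_RE = re.compile(
    r"^(?P<key>Known viruses|Scanned files|Infected files): (?P<val>\d+)$")

# Constructed excerpt modelled on the scan output posted in the thread.
SAMPLE_REPORT = """\
C:\\hiberfil.sys: Permission denied
C:\\Windows\\$NtServicePackUninstall$\\atapi.sys: Trojan.Rootkit-2660 FOUND
C:\\Windows\\i386\\ATAPI.SY_: Trojan.Rootkit-2660 FOUND
C:\\Windows\\i386\\SP2.CAB: Trojan.Rootkit-2660 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 753703
Scanned files: 78293
Infected files: 3
"""


def parse_report(text):
    """Return ({signature: [paths]}, {summary key: int}) for a clamscan report."""
    hits = defaultdict(list)
    summary = {}
    for line in text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            hits[m.group("sig")].append(m.group("path"))
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("key")] = int(m.group("val"))
    return dict(hits), summary


def summary_consistent(hits, summary):
    """True when 'Infected files' equals the number of FOUND lines parsed."""
    return summary.get("Infected files") == sum(len(p) for p in hits.values())


def file_hashes(data):
    """MD5 and SHA-256 of a file's bytes, for searching VirusTotal/Jotti by hash."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


CLAM_ENGINES = {"ClamAV", "ClamWin"}


def classify(verdicts, threshold=5, exclude=CLAM_ENGINES):
    """Apply the thread's rule to {engine: detection name or None}.

    Five or more non-Clam engines flagging the file means a probable
    infection; 'only a few' is read here as two or fewer (an assumption);
    three or four is left inconclusive.
    """
    others = [e for e, v in verdicts.items() if e not in exclude and v]
    if len(others) >= threshold:
        return "likely infection"
    if len(others) <= 2:
        return "likely false positive"
    return "inconclusive"


# Constructed verdicts mirroring the SP2.CAB result reported in the thread:
# 41 engines, only eSafe and ClamWin flag the file.
SAMPLE_VERDICTS = {f"Engine{i}": None for i in range(39)}
SAMPLE_VERDICTS.update({"eSafe": "Win32.TrojanHorse",
                        "ClamWin": "Trojan.Rootkit-2660"})


if __name__ == "__main__":
    hits, summary = parse_report(SAMPLE_REPORT)
    for sig, paths in hits.items():
        print(f"{sig}: {len(paths)} file(s)")
    print("summary consistent:", summary_consistent(hits, summary))
    print("SP2.CAB:", classify(SAMPLE_VERDICTS))
```

Feed `parse_report` the text of a real ClamWin report to get every flagged path grouped by signature; `file_hashes` on the flagged file gives the value to search on the scanning sites, which sidesteps upload-size limits for large archives such as a service pack cab.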
EdC
I also have the same results from my 1st scan with the clam AV.

C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\MiniMessage\3: Permission denied
C:\hiberfil.sys: Permission denied
C:\pagefile.sys: Permission denied
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys: Trojan.Rootkit-2660 FOUND
C:\WINDOWS\Driver Cache\i386\sp2.cab: Trojan.Rootkit-2660 FOUND
C:\WINDOWS\ServicePackFiles\i386\sp2.cab: Trojan.Rootkit-2660 FOUND
C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\atapi.sys: Trojan.Rootkit-2660 FOUND
C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\sp2.cab: Trojan.Rootkit-2660 FOUND
C:\WINDOWS\system32\config\default: Permission denied
C:\WINDOWS\system32\config\SAM: Permission denied
C:\WINDOWS\system32\config\SECURITY: Permission denied
C:\WINDOWS\system32\config\software: Permission denied
C:\WINDOWS\system32\config\system: Permission denied
GuitarBob
I took a look at the sig. It has caught maybe 100 viruses submitted to Clam so far, so the sig is good; however, it uses some code to install itself that is similar to some Microsoft install code. That is a common problem with false positives--there is nothing to stop a virus writer from using the same code as some "good" software! You see this most often with install code, but it can be any code they want to steal from good software.
Most likely Clam will "whitelist" any false positive files submitted with this signature, so be sure to submit those false positives! Regards,
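One way to see the mechanism GuitarBob describes in working code, as an added example that is neither ClamAV's engine nor its real Trojan.Rootkit-2660 signature: a body signature written over a code stub that a malware author copied from legitimate installer code matches the legitimate file too, and a hash whitelist entry for the confirmed clean file suppresses that hit without touching the signature. The example implements a small subset of two real ClamAV database line formats, `.ndb` body signatures (`Name:TargetType:Offset:HexSignature`, with `??` for any byte and `*` for any gap) and `.fp` false-positive entries (`MD5:FileSize:Name`). The stub bytes, the two files, and the `Toy.Rootkit-1` signature are constructed for illustration.

```python
"""Why a code signature can hit a clean file, and how a hash whitelist
suppresses the hit.

Added example, not ClamAV's engine or its real signature.  It implements a
small subset of two ClamAV database line formats: .ndb body signatures
(Name:TargetType:Offset:HexSignature, with '??' for any byte and '*' for
any gap) and .fp false-positive entries (MD5:FileSize:Name).  The
'installer stub' bytes, the two files and the signature are constructed;
they stand in for the situation described in the thread, where a signature
written over code that a malware author copied from legitimate installer
code matches the legitimate files too.
"""

import hashlib
import re


def hexsig_to_regex(hexsig):
    """Translate a hex body signature into a compiled bytes regex."""
    parts = []
    for token in re.findall(r"\*|\?\?|[0-9a-fA-F]{2}", hexsig):
        if token == "*":
            parts.append(b".*?")          # any number of bytes
        elif token == "??":
            parts.append(b".")            # exactly one unknown byte
        else:
            parts.append(re.escape(bytes([int(token, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def load_ndb(text):
    """Parse Name:TargetType:Offset:HexSignature lines."""
    sigs = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, target, offset, hexsig = line.split(":", 3)
        sigs.append((name, int(target), offset, hexsig_to_regex(hexsig)))
    return sigs


def load_fp(text):
    """Parse MD5:FileSize:Name whitelist lines into a set of (md5, size)."""
    whitelist = set()
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        md5, size, _name = line.split(":", 2)
        whitelist.add((md5.lower(), int(size)))
    return whitelist


def scan(data, sigs, whitelist):
    """Return the matching signature name, or None.

    The whitelist is checked first: a file whose (MD5, size) is listed is
    never reported, however many body signatures it matches.
    """
    if (hashlib.md5(data).hexdigest(), len(data)) in whitelist:
        return None
    for name, _target, offset, rx in sigs:
        if offset == "*":
            if rx.search(data):
                return name
        elif rx.match(data, int(offset)):   # anchored at the given offset
            return name
    return None


# Constructed: a code stub shared by a legitimate driver package and by the
# malware, so a signature over it is correct for one file and a false
# positive for the other (the bytes are a common x86 function prologue).
INSTALL_STUB = bytes.fromhex("5589e583ec10e80000000058")
MALWARE = b"MZ" + b"\x00" * 6 + INSTALL_STUB + b"\xcc" * 4 + b"payload\x00"
CLEAN_DRIVER = b"MZ" + b"\x00" * 6 + INSTALL_STUB + b"\x90" * 4 + b"atapi.sys\x00"

NDB = "Toy.Rootkit-1:0:*:5589e583ec10e8????????58"   # constructed signature


def demo():
    """Scan both files before and after whitelisting the clean one."""
    sigs = load_ndb(NDB)
    before = (scan(MALWARE, sigs, set()), scan(CLEAN_DRIVER, sigs, set()))
    # The .fp entry Clam would add once a submitted false positive is confirmed.
    fp_line = f"{hashlib.md5(CLEAN_DRIVER).hexdigest()}:{len(CLEAN_DRIVER)}:Toy.Rootkit-1"
    whitelist = load_fp(fp_line)
    after = (scan(MALWARE, sigs, whitelist), scan(CLEAN_DRIVER, sigs, whitelist))
    return before, after


if __name__ == "__main__":
    print(demo())
```

Before the whitelist entry both files are reported under the same name; afterwards only the malware is, which is why submitting the clean file (with its exact bytes, since the entry is keyed on hash and size) is the fix rather than loosening the signature.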
Another "false positive" report?
guy.fielding
I have had the same issue. I run Norton 360 Vs2.5.05 with auto-protect on & current updates (5/4/10). Norton reports no problem. I also run scans using WinClam (thank you). Updated to WinClam 0.95.3 yesterday and ran a scan which reported 8 infections of Trojan Rootkit 2660.

C:\i386\atapi.sys: Trojan.Rootkit-2660 FOUND
C:\i386\SP2.CAB: Trojan.Rootkit-2660 FOUND
C:\Program Files\Common Files\aol\1205757700\ee\services\softwareUpdate\ver2_14_11_12\aolsetup.exe: Trojan.Agent-148159 FOUND
C:\Program Files\Common Files\aol\Backup\ACS\Current\Suite\comps\ocpinst.exe: Trojan.Agent-148159 FOUND
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys: Trojan.Rootkit-2660 FOUND
C:\WINDOWS\Driver Cache\i386\sp2.cab: Trojan.Rootkit-2660 FOUND
C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys: Trojan.Rootkit-2660 FOUND
C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\i386\atapi.sys: Trojan.Rootkit-2660 FOUND

I have then run the AVG Anti-Rootkit tool 1.1.0.42 using in-depth search, and Sophos Anti-Rootkit 1.5.0. Neither reported problems. Hope this helps.
mikee99
Hi all, this is directed to GuitarBob,

I have the same rootkit detection everyone else mentions (see scan record below), and I submitted it to two of the verification sites mentioned, with ClamAV remaining the only AV interpreting these system files as infections. I submitted two of the above (Clam restricts submissions to only two) to Clam as false positives. Clam's response was to inform me that Clam had already identified the first file as a virus and to be careful, and Clam bounced the second file as too large for them (it was an sp2 cab file, and since I just loaded the sp2 OS it seemed reasonable that an sp2 cab file would be on the system; it also seemed less likely that a trojan would instantiate itself within a compressed file set). I am not sure how to interpret Clam's response, but right now I do not feel like Clam is receptive to help providing possible false positives.

Engine version: 0.95.3
Scanned directories: 0
Scanned files: 550
Infected files: 0
Data scanned: 251.21 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 96.500 sec (1 m 36 s)
Scan Started Mon Apr 05 20:36:34 2010
-------------------------------------------------------------------------------
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys: Trojan.Rootkit-2660 FOUND
C:\WINDOWS\Driver Cache\i386\sp2.cab: Trojan.Rootkit-2660 FOUND
C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys: Trojan.Rootkit-2660 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 753898
Engine version: 0.95.3
Scanned directories: 4227
Scanned files: 40706
Infected files: 3
Data scanned: 12681.70 MB
Data read: 11911.51 MB (ratio 1.06:1)
Time: 3854.750 sec (64 m 14 s)
Scan Started Mon Apr 05 21:44:43 2010
GuitarBob
When you fill out the Clam submission form, be very careful. You have to get it right. It sounds like you did not change the type of malware to False Positive, but left it at Virus in the type block. Also, do not put any other AV names anywhere but in the Comments section--just to make sure.
I'm sorry, but please try a resubmit again, and be careful. Send a PM to Alch if this doesn't work--my mbox is full! Regards,
fakylas
Today I had the same problem with 11 PCs on my network.
avast! Standard Shield 4.8.1368 doesn't report it as a virus. Possibly it is a false positive. Could it be an update from MS to the atapi.sys file?
Powered by phpBB © phpBB Group
Design by phpBBStyles.com | Styles Database.
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.