pasha_1776
alch
What is now considered as a possible false positive? Has any of this been classed as a possible/probable true positive?
RJTremor
So yeah, the quarantines got deleted already and now I'm in a bit of a panic to replace the files that have been deleted. In a word, how?
Edit: https://support.microsoft.com/kb/310747 I just tried this method, and it won't work for me because it wants an SP3 disc and I have a copy of SP2 around and that's it. The computer was sent to me by friends in another state, and they didn't send me a CD to go with.
alch
Site Admin
you can try this one:
https://files.clamwin.com/atapi.zip
You can use a bootable CD and then copy the file over (or mount the disc in a working XP/Vista machine).
RJTremor
Okay, saved the file, but of course my brain is kinda a mess right now and I'm tired along with being stressed (middle of the night), so I'll have to trouble you for some extra instructions. Should I just manually put the file in the folders, or...? This is what the report gave me too. So it looks like sp3.cab is also gone, and probably the reason systems won't restart.

C:\pagefile.sys: Permission denied
C:\WINDOWS\Driver Cache\i386\sp3.cab: Trojan.Rootkit-1835 FOUND
C:\WINDOWS\Driver Cache\i386\sp3.cab: moved to 'C:\Documents and Settings\All Users\.clamwin\quarantine\sp3.cab.infected'
C:\WINDOWS\system32\CatRoot2\tmp.edb: Permission denied
C:\WINDOWS\system32\config\default: Permission denied
C:\WINDOWS\system32\config\SAM: Permission denied
C:\WINDOWS\system32\config\SECURITY: Permission denied
C:\WINDOWS\system32\config\software: Permission denied
C:\WINDOWS\system32\config\system: Permission denied
C:\WINDOWS\system32\dllcache\atapi.sys: Trojan.Rootkit-1835 FOUND
C:\WINDOWS\system32\dllcache\atapi.sys: moved to 'C:\Documents and Settings\All Users\.clamwin\quarantine\atapi.sys.infected'
C:\WINDOWS\system32\drivers\atapi.sys: Trojan.Rootkit-1835 FOUND
C:\WINDOWS\system32\drivers\atapi.sys: moved to 'C:\Documents and Settings\All Users\.clamwin\quarantine\atapi.sys.infected.000'
C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys: Trojan.Rootkit-1835 FOUND
C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys: moved to 'C:\Documents and Settings\All Users\.clamwin\quarantine\atapi.sys.infected.001'
C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys: Trojan.Rootkit-1835 FOUND
C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys: moved to 'C:\Documents and Settings\All Users\.clamwin\quarantine\atapi.sys.infected.002'
Ki.m
Hi!
Are sp3.cab and driver.cab true false positives as well?

C:\WINDOWS\Driver Cache\i386\driver.cab: Trojan.Rootkit-1837 FOUND
C:\WINDOWS\Driver Cache\i386\sp3.cab: Trojan.Rootkit-1835 FOUND
C:\WINDOWS\ServicePackFiles\i386\sp3.cab: Trojan.Rootkit-1835 FOUND

And if they are... how can I restore them from quarantine...? Just rename and put them into the original place?
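A small parser, added here and not part of this thread or of ClamWin itself, for the report format RJTremor pasted above: it pairs each FOUND line with its "moved to" line so that, for a signature later confirmed as a false positive, each quarantine file can be mapped back to its original path, which is what Ki.m's rename question needs. The sample report is constructed from lines quoted in this thread; the function names and the false-positive signature set are my own assumptions.

```python
import re

# Constructed sample: entries from the scan report quoted in this thread, one per line.
SAMPLE_REPORT = r"""
C:\pagefile.sys: Permission denied
C:\WINDOWS\Driver Cache\i386\sp3.cab: Trojan.Rootkit-1835 FOUND
C:\WINDOWS\Driver Cache\i386\sp3.cab: moved to 'C:\Documents and Settings\All Users\.clamwin\quarantine\sp3.cab.infected'
C:\WINDOWS\system32\config\SAM: Permission denied
C:\WINDOWS\system32\dllcache\atapi.sys: Trojan.Rootkit-1835 FOUND
C:\WINDOWS\system32\dllcache\atapi.sys: moved to 'C:\Documents and Settings\All Users\.clamwin\quarantine\atapi.sys.infected'
C:\WINDOWS\system32\drivers\atapi.sys: Trojan.Rootkit-1835 FOUND
C:\WINDOWS\system32\drivers\atapi.sys: moved to 'C:\Documents and Settings\All Users\.clamwin\quarantine\atapi.sys.infected.000'
"""

# "C:\..." contains a colon, but the first ": " (colon + space) only appears after the path.
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
MOVED_RE = re.compile(r"^(?P<path>.+?): moved to '(?P<qpath>.+)'$")


def parse_report(text):
    """Return (signature, original_path, quarantine_path) per detection.

    quarantine_path is None when the report shows no move for that file
    (e.g. report-only mode). 'Permission denied' lines are ignored.
    """
    detections = {}   # original path -> [signature, quarantine path]
    order = []
    for line in text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            detections[m["path"]] = [m["sig"], None]
            order.append(m["path"])
            continue
        m = MOVED_RE.match(line)
        if m and m["path"] in detections:
            detections[m["path"]][1] = m["qpath"]
    return [(detections[p][0], p, detections[p][1]) for p in order]


def restore_plan(detections, false_positive_sigs):
    """Map quarantine file -> original location for confirmed false positives.

    Stripping '.infected' / '.infected.000' from the quarantine name cannot
    tell the several atapi.sys copies apart, so the report is the only map.
    """
    return [(qpath, path) for sig, path, qpath in detections
            if sig in false_positive_sigs and qpath is not None]


if __name__ == "__main__":
    for src, dst in restore_plan(parse_report(SAMPLE_REPORT), {"Trojan.Rootkit-1835"}):
        print(f"copy {src!r} -> {dst!r}")
```

The plan only lists copies; verify each restored file against a known-good copy (for instance from the SP3 media or the sfc cache) before rebooting.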
ROOTKIT - 1835 FALSE?
JimHeck
Looks pretty clear these are false positives. What is the procedure for Clamwin remedy of this error?
alch
Site Admin
cab files merely contain the atapi.sys inside, so yes
Re: ROOTKIT - 1835 FALSE?
alch
Site Admin
if the file is smaller than 2MB then you can use the online submission form: https://cgi.clamav.net/sendvirus.cgi
For larger files or an urgent FP like atapi.sys please PM me and I will get you the FTP upload details.
Thanks, Alch
Peter B.
Guitar Bob - By PM'ed request, I actually uploaded the file to ClamWin before going to VirusTotal and Jotti. Just thought I'd share their results.
--
alch - Thanks for clearing up the matter... it's a load off my mind. I let ClamWin report only, and chose to check into this before attempting removal because of the nature of the files involved. Glad I did.
Peter B.
GuitarBob
I don't detect it in the atapi file on Vista or XP with ClamWin version 0.95, and it's not recognized in either Jotti or VirusTotal now, so I guess it has been fixed. VirusTotal uses Clam version 0.94.1--I don't know about Jotti. Interestingly, the eScan scanner also recognized a rootkit.
I have seen one or two cases where there was a difference in recognition between version .95 and prior versions. Always use the latest version of ClamWin if you can. In fact, I believe Clam has "buried" the older versions now. Regards,
RJTremor
Got ahold of an SP3 disc, ran sfc /scannow, atapi.sys is now reappearing in the /dllcache folder. Going to have it run one more scan on startup, and I popped into Windows Update for the heck of it too. Hopefully the restart goes well. If so, you'll hear back from me.
scarlett_156
What an adventure! I will never perma-delete anything again BEFORE checking. My computer repair guy is going to be able to get some nice(r) presents for his kids this Xmas, lol! He's gotta be a happy guy.
The fact that these files were identified as a rootkit made me more eager to make sure they were gone, gone, gone as quickly as I could. If I would have just seen they were Trojans or viruses then it wouldn't have been such a big deal. My mistake! As someone else said earlier in this topic: Live and learn! The good news is that my OS didn't have to be reinstalled. (I did call the tech last night, however, and made a shameful plea for him to spare my illegally downloaded Mp3 files BEFORE I found that out! lol The guy is a minister of a church, too, and here I am defending my downloading practices by saying: "These are rare recordings that are nearly impossible to find!" and so on, and then he said, "Well, now I almost feel bad telling you that I just replaced your atapi file and it works great!") I still think that Clamwin is the best free AV out there--one just has to be more responsible and careful, and less trusting. xoxo
huntingr
FYI - I do think that ClamWin has resolved the issue with the latest virus definition updates. We use ClamWin as a daily part of our manufacturing process where I work; it is not detecting the false-positive any longer. Thanks for the quick response ClamWin!
Are there any safeguards in place to prevent this issue from occurring again in the future? It seems like the "anti-virus" was used as a "virus" with this one!
GuitarBob
The Clam sigmakers who prepare the signatures for Clam and ClamWin verify that samples submitted to them actually contain virus code, and their signatures are checked against a "farm" of "good" applications before the signatures are released. However, false positives can and will happen from time to time. Virus programs sometimes contain some of the same code that "good" programs have. Clam also does not have copies of every possible "good" program on the false positive "farm." The final false positive "check" is the user, who has the responsibility to inform Clam if he/she believes a false positive has occurred. Ultimately, an antivirus program is no better than its users, who support the program, use it day-in and day-out, and provide feedback to the developers.
Thank you for using ClamWin! Please support it in every way you can. Regards,
Trojan.Rootkit-1835 - False Positive?
Powered by phpBB © phpBB Group
Design by phpBBStyles.com | Styles Database.
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.