This morning I was going over last night’s ClamWin scan results on my Windows XP box and found a few instances of Trojan.Rootkit-1835 infecting the following files:
- C:\WINDOWS\Driver Cache\i386\sp3.cab: Trojan.Rootkit-1835 FOUND
- C:\WINDOWS\system32\dllcache\atapi.sys: Trojan.Rootkit-1835 FOUND
- C:\WINDOWS\system32\drivers\atapi.sys: Trojan.Rootkit-1835 FOUND
- C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\atapi.sys: Trojan.Rootkit-1835 FOUND
This was interesting because lately I’ve been cleaning up computers that end up missing atapi.sys and need it replaced in order to boot without a BSOD. But upon looking into it and finding a note in a recent ClamAV database update I am confident that this was a false positive.
It appears that this happened back in 2005 as well but was taken care of and now it’s happened again. I went as far as to grab an SP3 XP Pro install disc and scan it with ClamWin and it found the same false positive Trojan.Rootkit-1835.
Luckily the false positive has been removed from the ClamAV database as of 15 Dec 2009 04-20 -0500, according to this daily.cvd submission note:
ClamAV database updated (15 Dec 2009 04-20 -0500): daily.cvd
Submission notes: Trojan.Rootkit-1835 dropped due to false positive
So just update your ClamWin database and there will be no more false positives. You may want to run the System File Checker before you reboot, just in case ClamWin deleted your atapi.sys; otherwise you'll probably get a Blue Screen of Death.
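Before rebooting, it is worth confirming that the live atapi.sys is still on disk and that the copies Windows keeps of it (drivers\, dllcache\, ReinstallBackups\) agree with each other, since a scanner acting on a false positive removes or quarantines the file rather than altering it. The following script is an added example, not code from the original post or from ClamWin; the three paths are the ones the scan above reported, and any other layout (a non-default Windows directory, a different ReinstallBackups index) is an assumption you would pass on the command line.

```python
"""Pre-reboot sanity check for a driver that an AV scanner may have
quarantined or deleted (here atapi.sys, the file behind the ClamWin
Trojan.Rootkit-1835 false positive).

Added example, not part of the original post.  It checks that the live
driver is still present and that every copy Windows keeps of it has the
same SHA-256, so a missing or altered copy shows up before you reboot.
The default paths are the ones listed in the post (an assumption for any
other install layout).
"""
import hashlib
import os
import sys

# Copies of atapi.sys that the post's scan flagged, on a default XP install.
ATAPI_COPIES = [
    r"C:\WINDOWS\system32\drivers\atapi.sys",          # the live driver
    r"C:\WINDOWS\system32\dllcache\atapi.sys",         # SFC's cached copy
    r"C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\atapi.sys",
]


def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large driver caches don't land in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_driver_copies(paths):
    """Return (missing, hashes, consistent).

    missing    - paths that no longer exist (deleted or quarantined by AV)
    hashes     - {path: sha256} for the copies that are present
    consistent - True only if the live copy (paths[0]) exists and every
                 copy that is present hashes identically to it
    """
    missing = [p for p in paths if not os.path.isfile(p)]
    hashes = {p: sha256_of(p) for p in paths if p not in missing}
    live = paths[0]
    consistent = live in hashes and len(set(hashes.values())) == 1
    return missing, hashes, consistent


def report(paths=ATAPI_COPIES):
    """Print a summary; returns 0 when safe to reboot, 1 otherwise."""
    missing, hashes, consistent = check_driver_copies(paths)
    for p in missing:
        print("MISSING           " + p)
    for p, h in hashes.items():
        print(h[:16] + "  " + p)
    if paths[0] in missing:
        print("Live driver is gone: restore it before rebooting.")
    elif not consistent:
        print("Copies differ: verify with System File Checker before rebooting.")
    else:
        print("All copies present and identical.")
    return 0 if consistent and not missing else 1


if __name__ == "__main__":
    # Optional: pass your own list of copies, live driver first.
    sys.exit(report(sys.argv[1:] or ATAPI_COPIES))
```

A non-zero exit means do not reboot yet: either the live driver is missing or the copies disagree. A hash mismatch on its own is not evidence of tampering, since the ReinstallBackups copy can legitimately be an older driver version than the one SP3 installed; it only tells you which copy to check against the install media before trusting it.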
Just run the following commands and insert the install CD when it asks for it: