Trojan.Rootkit-1835 ClamAV False Positive

This morning I was going over last night’s ClamWin scan results on my Windows XP box and found a few instances of Trojan.Rootkit-1835 infecting the following files:

  • C:\WINDOWS\Driver Cache\i386\sp3.cab: Trojan.Rootkit-1835 FOUND
  • C:\WINDOWS\system32\dllcache\atapi.sys: Trojan.Rootkit-1835 FOUND
  • C:\WINDOWS\system32\drivers\atapi.sys: Trojan.Rootkit-1835 FOUND
  • C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\atapi.sys: Trojan.Rootkit-1835 FOUND

This was interesting because lately I’ve been cleaning up computers that end up missing atapi.sys and need it replaced in order to boot without a BSOD. But upon looking into it and finding a note in a recent ClamAV database update I am confident that this was a false positive.

It appears that this happened back in 2005 as well but was taken care of and now it’s happened again. I went as far as to grab an SP3 XP Pro install disc and scan it with ClamWin and it found the same false positive Trojan.Rootkit-1835.

Luckily the false positive has been removed from the ClamAV database as of 15 Dec 2009 04-20 -0500 according to this daily.cvd submission note:

ClamAV database updated (15 Dec 2009 04-20 -0500): daily.cvd
Version: 10173
...
Submission notes: Trojan.Rootkit-1835 dropped due to false positive

So just update your ClamWin Database and no more false positives. You may want to run the System File Checker before you reboot just in case ClamWin deleted your atapi.sys, otherwise you’ll probably get a Blue Screen Of Death.

Just run the following commands and insert the install CD when it asks for it:

  sfc /purgecache
  sfc /scannow
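As an added example (not code from the post), here is a small Python triage script for the situation described above: it reads the database version out of a daily.cvd header and sorts ClamWin/clamscan report lines so that a hit from a signature withdrawn in a later database version is flagged as a known false positive before anyone deletes the file. The CVD header layout is ClamAV's documented format; the header bytes and report text below are constructed.

```python
import re

# daily.cvd version in which the submission note says the signature was
# dropped (taken from the post); other withdrawn signatures go here too.
WITHDRAWN_IN = {"Trojan.Rootkit-1835": 10173}

# One clamscan/ClamWin report line: "<path>: <signature> FOUND"
HIT_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")


def cvd_version(header: bytes) -> int:
    """Read the database version from the first 512 bytes of a .cvd file.

    The CVD header is colon-separated ASCII padded with spaces:
    ClamAV-VDB:<build time>:<version>:<sigs>:<f-level>:<md5>:<dsig>:<builder>:<stime>
    """
    fields = header[:512].decode("ascii", "replace").rstrip().split(":")
    if fields[0] != "ClamAV-VDB" or len(fields) < 3:
        raise ValueError("not a ClamAV CVD header")
    return int(fields[2])


def triage(report: str, db_version: int) -> dict:
    """Sort FOUND lines from a scan run with database db_version.

    A hit from a signature withdrawn in a later database is a known false
    positive: update and rescan before touching the file. Anything else
    goes to 'review' for normal handling.
    """
    buckets = {"known_false_positive": [], "review": []}
    for line in report.splitlines():
        m = HIT_RE.match(line.strip())
        if not m:
            continue
        fixed = WITHDRAWN_IN.get(m["sig"])
        if fixed is not None and db_version < fixed:
            buckets["known_false_positive"].append(m["path"])
        else:
            buckets["review"].append(m["path"])
    return buckets


# Constructed header for the database the scan ran with (one version before
# the fix); a real header also carries the md5 and digital signature fields.
SAMPLE_HEADER = b"ClamAV-VDB:14 Dec 2009 04-20 -0500:10172:0:44:0:0:builder:0".ljust(512)

# Constructed report using the paths from the post.
SAMPLE_REPORT = r"""
C:\WINDOWS\Driver Cache\i386\sp3.cab: Trojan.Rootkit-1835 FOUND
C:\WINDOWS\system32\dllcache\atapi.sys: Trojan.Rootkit-1835 FOUND
C:\WINDOWS\system32\drivers\atapi.sys: Trojan.Rootkit-1835 FOUND
C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\atapi.sys: Trojan.Rootkit-1835 FOUND
"""
```

Running `triage(SAMPLE_REPORT, cvd_version(SAMPLE_HEADER))` puts all four atapi.sys/sp3.cab hits under `known_false_positive`; the same report against version 10173 or later lands in `review`, since the withdrawn signature can no longer explain it.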

Sources:

http://lists.clamav.net/lurker/attach/1@20091215.092101.11505bd1.attach

http://forums.clamwin.com/viewtopic.php?p=11247
