• C:\WINDOWS\Driver Cache\i386\sp3.cab: Trojan.Rootkit-1835 FOUND
• C:\WINDOWS\system32\dllcache\atapi.sys: Trojan.Rootkit-1835 FOUND
• C:\WINDOWS\system32\drivers\atapi.sys: Trojan.Rootkit-1835 FOUND
• C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\atapi.sys: Trojan.Rootkit-1835 FOUND

This was interesting because lately I’ve been cleaning up computers that end up missing atapi.sys and need it replaced in order to boot without a BSOD. But upon looking into it and finding a note in a recent ClamAV database update I am confident that this was a false positive.

It appears that this happened back in 2005 as well but was taken care of and now it’s happened again. I went as far as to grab an SP3 XP Pro install disc and scan it with ClamWin and it found the same false positive Trojan.Rootkit-1835.

Luckily the false postive has been removed from the ClamAV database as of 15 Dec 2009 04-20 -0500 according to this daily.csv submission note:

ClamAV database updated (15 Dec 2009 04-20 -0500): daily.cvd
Version: 10173
...
Submission notes: Trojan.Rootkit-1835 dropped due to false positive

So just update your ClamWin Database and no more false positives. You may want to run the System File Checker before you reboot just in case ClamWin deleted your atapi.sys, otherwise you’ll probably get a Blue Screen Of Death.

Just run the following commands and insert the install CD when it asks for it:

sfc /purgecache
sfc /scannow

Sources:

http://lists.clamav.net/lurker/attach/1@20091215.092101.11505bd1.attach

http://forums.clamwin.com/viewtopic.php?p=11247

http://www.google.com/reader/m/ or from a mobile browser just: http://www.google.com/reader/

Banner images, replacement icons, formatting improvements, and more to come.

Check out the original at: http://themasterplan.in/tma