PC Review
RE: Can't eradicate trojan

 
 
Teddles
 
      26th Mar 2006
Thanks Engel,

I've run CCleaner & Ewido but the infection is still reported by WD. Ewido
does not detect the infection at all.

Teddles

"Engel" wrote:

> Hello Teddles,
> See whether this solution does the trick:
> First remove all temporarily junk with CCleaner
> http://www.ccleaner.com
> Then try Ewido for removal: (On-line)
> http://www.ewido.net/en/download/
>
> http://safety.live.com/site/en-US/default.htm
> Еиςеl
> --
>
>
> "Teddles" wrote:
>
> > WD has detected a backdoor keylogger trojan on my pc (running XP Home).
> > The events description is:
> >
> > Windows Defender scan has detected potential malware.
> > Scan ID: {457E54DF-8E3E-489B-9985-FD46A70881A9}
> > Scan Type: AntiSpyware
> > Scan Parameters: Quick Scan
> > User: FAMILYPC\<deleted>
> > Threat Name: Rivarts.A
> > Threat Id: 17245
> > Threat Severity: 5
> > Threat Category: 6
> > Path Found: regkey:HKLM\SYSTEM\CurrentControlSet\Services\mchInjDrv
> > Detection Type: Signatures
> >
> > WD reports successful removal of the threat, but it always returns on the
> > next bootup. The trojan is not detected when booted in safe mode.
> >
> > Any assistance would be much appreciated!
> >
> >
> > Teddles
> >

 
Teddles
 
      26th Mar 2006
Bill,

In conjunction with WD I use the following:
- ewido
- spybot s&d
- adaware
Full scan mode on these apps fails to detect the supposed culprit. I was
thinking that it was a false positive as well, however I have concerns
because of the following:
- the first WD alert followed a cardinal sin committed by a family member:
clicking on an unverified link in an email.
- the windows registry entry described by WD exists and is successfully
removed by WD (or myself manually), but is re-created on system reboot.

The Panda Software website documents the trojan, but I've been unable to
locate any of the files/dlls or database created by the trojan.

To reiterate from my earlier post, the windows registry entry does not occur
if booted in safe mode.

I'm still concerned that a trojan is present. Am I being paranoid? Do you
think I can safely assume that WD is reporting a false positive?

Thanks
Teddles

"Bill Sanderson" wrote:

> Teddles--what other antispyware apps are you running? I think it is likely
> that this is a false positive.
>
> This is a full scan, rather than a quick scan, correct?
>
>
> "Teddles" wrote:
>
> > Thanks Engel,
> >
> > I've run CCleaner & Ewido but the infection is still reported by WD. Ewido
> > does not detect the infection at all.
> >
> > Teddles
> >
> > "Engel" wrote:
> >
> > > Hello Teddles,
> > > See whether this solution does the trick:
> > > First remove all temporarily junk with CCleaner
> > > http://www.ccleaner.com
> > > Then try Ewido for removal: (On-line)
> > > http://www.ewido.net/en/download/
> > >
> > > http://safety.live.com/site/en-US/default.htm
> > > Еиςеl
> > > --
> > >
> > >
> > > "Teddles" wrote:
> > >
> > > > WD has detected a backdoor keylogger trojan on my pc (running XP Home).
> > > > The events description is:
> > > >
> > > > Windows Defender scan has detected potential malware.
> > > > Scan ID: {457E54DF-8E3E-489B-9985-FD46A70881A9}
> > > > Scan Type: AntiSpyware
> > > > Scan Parameters: Quick Scan
> > > > User: FAMILYPC\<deleted>
> > > > Threat Name: Rivarts.A
> > > > Threat Id: 17245
> > > > Threat Severity: 5
> > > > Threat Category: 6
> > > > Path Found: regkey:HKLM\SYSTEM\CurrentControlSet\Services\mchInjDrv
> > > > Detection Type: Signatures
> > > >
> > > > WD reports successful removal of the threat, but it always returns on the
> > > > next bootup. The trojan is not detected when booted in safe mode.
> > > >
> > > > Any assistance would be much appreciated!
> > > >
> > > >
> > > > Teddles
> > > >

 
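The observations Teddles lists (the service key is present after a normal boot, absent after a safe-mode boot, comes back after WD deletes it, and no driver file has been found) are exactly the things worth checking mechanically rather than by eye. The script below is an added example and was not posted in the thread; it assumes a present-day PowerShell run from an elevated prompt (an XP Home box in 2006 had no PowerShell), and the only input it takes from the thread is the service name in the WD event. It dumps the key's Type, Start and ImagePath, resolves ImagePath to a file and checks whether that file exists and who signed it, then lists the auto-start services and Run entries that a safe-mode boot skips, which is where a program that recreates the key at every normal boot would have to sit.

```powershell
# Added triage example, not code from the thread. Assumes an elevated
# present-day PowerShell; $ServiceName is taken from the WD event text.
param(
    [string]$ServiceName = 'mchInjDrv'
)

$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"

# 1. Is the key there right now, and what does it say?
if (-not (Test-Path $svcKey)) {
    Write-Host "$svcKey is not present (check again after a normal boot, not safe mode)."
    return
}
$svc = Get-ItemProperty -Path $svcKey
$typeNames  = @{ 1 = 'kernel driver'; 2 = 'file system driver'; 16 = 'own process'; 32 = 'shared process' }
$startNames = @{ 0 = 'boot'; 1 = 'system'; 2 = 'automatic'; 3 = 'manual'; 4 = 'disabled' }
"Type      : $($svc.Type) ($($typeNames[[int]$svc.Type]))"
"Start     : $($svc.Start) ($($startNames[[int]$svc.Start]))"
"ImagePath : $($svc.ImagePath)"

# 2. Resolve ImagePath to a file. Driver paths come in several spellings:
#    '\??\C:\...', '\SystemRoot\system32\...', 'system32\drivers\x.sys',
#    or with %SystemRoot% in them.
$path = [string]$svc.ImagePath
$path = $path -replace '^\\\?\?\\', ''
$path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
$path = [Environment]::ExpandEnvironmentVariables($path)
if ($path -and $path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }

if ($path -and (Test-Path $path)) {
    $sig = Get-AuthenticodeSignature -FilePath $path
    "File      : present, $((Get-Item $path).Length) bytes, signature $($sig.Status)"
    if ($sig.SignerCertificate) { "Signer    : $($sig.SignerCertificate.Subject)" }
} else {
    # The situation the thread describes: a service key with no driver behind it.
    "File      : MISSING on disk ($path)"
}

# 3. What starts in a normal boot but not in safe mode? Safe mode only loads
#    services named under SafeBoot\Minimal (or whose load-order Group is named
#    there, which this simple name check does not cover) and skips Run keys.
#    A key that only ever appears after a normal boot is created by one of these.
$safeMinimal = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal' |
               ForEach-Object { $_.PSChildName.ToLower() }

"`nAuto-start services not listed for safe mode:"
Get-CimInstance Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and $safeMinimal -notcontains $_.Name.ToLower() } |
    Sort-Object Name |
    ForEach-Object { "{0,-30} {1}" -f $_.Name, $_.PathName }

"`nRun-key entries (never processed in safe mode):"
foreach ($hive in 'HKLM:', 'HKCU:') {
    $run = "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
    if (Test-Path $run) {
        (Get-ItemProperty $run).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |   # drop the provider's PSPath etc.
            ForEach-Object { "{0,-6} {1,-30} {2}" -f $hive, $_.Name, $_.Value }
    }
}
```

Run it once after a normal boot and once after a safe-mode boot and compare the two outputs: the key should be reported present in the first and missing in the second, and the program that writes it is then one of the auto-start entries printed in section 3. If the referenced driver file is present and carries a valid signature from a vendor whose product is installed (Bill's suggestion above was Spyware Doctor), that is a strong indication the detection is on a legitimate component; if the file is absent or unsigned and the creator cannot be matched to an installed product, the thread's "false positive" conclusion is not yet justified.
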
Jan
 
      26th Mar 2006
I have the same problem.
After every bootup, mchInjDrv is back in the registry.
Only Microsoft AntiSpyware and MS Defender are detecting the trojan in a full scan.
The trojan is not detected in XP safe mode or by any other antispyware.
Also zsys.sys, mchInjDrv.sys and pcamon*.* are not present on my PC.
So I also think it is a false positive.

http://www.geekstogo.com/forum/index...c=101943&st=15

Regards
Jan

"lyle_60" wrote:

> I think I misled you Bill...the only detection that I was getting was from
> windows defender, no others detected, but having read more of the forums...I
> am leaning more to a false positive
>
> "Bill Sanderson" wrote:
>
> > It's not unlikely that Microsoft Antispyware will have this same false
> > positive. I suspect this relates to Spyware Doctor.
> >
> > This is being found on a full scan, correct?
> >
> > FWIW, I'd recommend sticking with quick scans unless something is actually
> > found.
> >
> > "lyle_60" wrote:
> >
> > > I have the same situation as Teddles, and I am also coming to the idea that
> > > it may be a false positive, I run Spyware Doctor, Spybot S&D, and I tried
> > > Ewido. Not one of those apps detect this backdoor, and I cannot even
> > > find the specified path in my registry. I've been concerned about wd since I
> > > installed it....and I am wondering if I shouldn't go back to beta 1.
> > > "Bill Sanderson" wrote:
> > >
> > > > Teddles--what other antispyware apps are you running? I think it is likely
> > > > that this is a false positive.
> > > >
> > > > This is a full scan, rather than a quick scan, correct?
> > > >
> > > >
> > > > "Teddles" wrote:
> > > >
> > > > > Thanks Engel,
> > > > >
> > > > > I've run CCleaner & Ewido but the infection is still reported by WD. Ewido
> > > > > does not detect the infection at all.
> > > > >
> > > > > Teddles
> > > > >
> > > > > "Engel" wrote:
> > > > >
> > > > > > Hello Teddles,
> > > > > > See whether this solution does the trick:
> > > > > > First remove all temporarily junk with CCleaner
> > > > > > http://www.ccleaner.com
> > > > > > Then try Ewido for removal: (On-line)
> > > > > > http://www.ewido.net/en/download/
> > > > > >
> > > > > > http://safety.live.com/site/en-US/default.htm
> > > > > > Еиςеl
> > > > > > --
> > > > > >
> > > > > >
> > > > > > "Teddles" wrote:
> > > > > >
> > > > > > > WD has detected a backdoor keylogger trojan on my pc (running XP Home).
> > > > > > > The events description is:
> > > > > > >
> > > > > > > Windows Defender scan has detected potential malware.
> > > > > > > Scan ID: {457E54DF-8E3E-489B-9985-FD46A70881A9}
> > > > > > > Scan Type: AntiSpyware
> > > > > > > Scan Parameters: Quick Scan
> > > > > > > User: FAMILYPC\<deleted>
> > > > > > > Threat Name: Rivarts.A
> > > > > > > Threat Id: 17245
> > > > > > > Threat Severity: 5
> > > > > > > Threat Category: 6
> > > > > > > Path Found: regkey:HKLM\SYSTEM\CurrentControlSet\Services\mchInjDrv
> > > > > > > Detection Type: Signatures
> > > > > > >
> > > > > > > WD reports successful removal of the threat, but it always returns on the
> > > > > > > next bootup. The trojan is not detected when booted in safe mode.
> > > > > > >
> > > > > > > Any assistance would be much appreciated!
> > > > > > >
> > > > > > >
> > > > > > > Teddles
> > > > > > >

 
Engel
 
      26th Mar 2006
Hi Teddles,

This is an AndyM (E-Mail Removed)
or Ron Kinner (E-Mail Removed)
case because I cannot find any good advice within any forum without using
HijackThis and being carefully guided.
Get HijackThis.exe from
http://tomcoyote.org/hjt/hjt199//HijackThis.exe
http://computercops.biz/HijackThis.html

Save it to C:\hjt (new folder) then Open it and select Scan and Save Log.
Note where you saved the log then send it to him as an attachment. Put
Hijack in the subject so he'll know it's not spam.

Alternatively you can post it on the Dell Forum at:

http://forums.us.dell.com/supportfor...d.id=si_hijack

(if it wraps you can go to:

http://tinyurl.com/ckuzq instead.)

Put Ron in the subject so he will see it. You do not need to have a Dell to
post but you will need to register.

Ron Kinner
Microsoft MVP 2004 & 2005
(E-Mail Removed)

Any luck here?
http://safety.live.com/site/en-US/default.htm

Good luck
Еиçеl


"Teddles" wrote:

> Thanks Engel,
>
> I've run CCleaner & Ewido but the infection is still reported by WD. Ewido
> does not detect the infection at all.
>
> Teddles
>
> "Engel" wrote:
>
> > Hello Teddles,
> > See whether this solution does the trick:
> > First remove all temporarily junk with CCleaner
> > http://www.ccleaner.com
> > Then try Ewido for removal: (On-line)
> > http://www.ewido.net/en/download/
> >
> > http://safety.live.com/site/en-US/default.htm
> > Еиςеl
> > --
> >
> >
> > "Teddles" wrote:
> >
> > > WD has detected a backdoor keylogger trojan on my pc (running XP Home).
> > > The events description is:
> > >
> > > Windows Defender scan has detected potential malware.
> > > Scan ID: {457E54DF-8E3E-489B-9985-FD46A70881A9}
> > > Scan Type: AntiSpyware
> > > Scan Parameters: Quick Scan
> > > User: FAMILYPC\<deleted>
> > > Threat Name: Rivarts.A
> > > Threat Id: 17245
> > > Threat Severity: 5
> > > Threat Category: 6
> > > Path Found: regkey:HKLM\SYSTEM\CurrentControlSet\Services\mchInjDrv
> > > Detection Type: Signatures
> > >
> > > WD reports successful removal of the threat, but it always returns on the
> > > next bootup. The trojan is not detected when booted in safe mode.
> > >
> > > Any assistance would be much appreciated!
> > >
> > >
> > > Teddles
> > >

 
lyle_60
 
      26th Mar 2006
I have the same situation as Teddles, and I am also coming to the idea that
it may be a false positive, I run Spyware Doctor, Spybot S&D, and I tried
Ewido. Not one of those apps detect this backdoor, and I cannot even
find the specified path in my registry. I've been concerned about wd since I
installed it....and I am wondering if I shouldn't go back to beta 1.
"Bill Sanderson" wrote:

> Teddles--what other antispyware apps are you running? I think it is likely
> that this is a false positive.
>
> This is a full scan, rather than a quick scan, correct?
>
>
> "Teddles" wrote:
>
> > Thanks Engel,
> >
> > I've run CCleaner & Ewido but the infection is still reported by WD. Ewido
> > does not detect the infection at all.
> >
> > Teddles
> >
> > "Engel" wrote:
> >
> > > Hello Teddles,
> > > See whether this solution does the trick:
> > > First remove all temporarily junk with CCleaner
> > > http://www.ccleaner.com
> > > Then try Ewido for removal: (On-line)
> > > http://www.ewido.net/en/download/
> > >
> > > http://safety.live.com/site/en-US/default.htm
> > > Еиςеl
> > > --
> > >
> > >
> > > "Teddles" wrote:
> > >
> > > > WD has detected a backdoor keylogger trojan on my pc (running XP Home).
> > > > The events description is:
> > > >
> > > > Windows Defender scan has detected potential malware.
> > > > Scan ID: {457E54DF-8E3E-489B-9985-FD46A70881A9}
> > > > Scan Type: AntiSpyware
> > > > Scan Parameters: Quick Scan
> > > > User: FAMILYPC\<deleted>
> > > > Threat Name: Rivarts.A
> > > > Threat Id: 17245
> > > > Threat Severity: 5
> > > > Threat Category: 6
> > > > Path Found: regkey:HKLM\SYSTEM\CurrentControlSet\Services\mchInjDrv
> > > > Detection Type: Signatures
> > > >
> > > > WD reports successful removal of the threat, but it always returns on the
> > > > next bootup. The trojan is not detected when booted in safe mode.
> > > >
> > > > Any assistance would be much appreciated!
> > > >
> > > >
> > > > Teddles
> > > >

 