Rivarts.A Backdoor - False positive or not?

Guest

Alright I've been doing some reading on the net and it seems as if Windows
Defender detection of Rivarts.A may be a false positive. It's been detected on
my system and I can't get rid of it.. I scan, delete it, reboot and it's back,
I reboot XP into Safe Mode, scan, delete, comes back.. Last night I even
re-formatted the hard drive, completely reinstalled XP, updated the OS with
all the security updates, Service Pack 2, more security updates, installed
Windows Defender and Rivarts.A was detected again! I just don't see how this
is possible after a format. I should say that so far no other spyware
detection programs have found Rivarts.A on my computer. Any help? Thanks.
 
Guest

One thing I forgot to mention.. I didn't re-format because Rivarts.A was
detected on my computer.. I was trying to get to Yahoo and was re-directed to
a website (www.pc-aid.org) which said that my computer was infected with
something and that it was being used to attack other computers.. I got a lot
of suggestions on how to fix this but nothing worked and decided to format..
So far, everything is fine now but Rivarts.A is still being detected. I don't
know if the 2 are related?
 
Guest

Hello Jason,

Have a look at these posts. They may be relevant to your problem.

Subject: Rivarts.A Alert
3/24/2006 11:34 AM PST
By: jjarmel
In: .general discussion NG

Subject: Can't eradicate trojan
3/24/2006 10:13 PM PST
By: Teddles
In: .signatures NG

Еиςеl
 
Mike Treit [Msft]

Currently signatures on registry keys and values that are known to be
created by malicious software are reported as a detection for that threat,
even if no other files or other traces of the threat are found.

There are plans to change this behavior in the future, which should resolve
the issue.

Thanks

-Mike
 
Guest

Thank you Mike.

Mike Treit said:
Currently signatures on registry keys and values that are known to be
created by malicious software are reported as a detection for that threat,
even if no other files or other traces of the threat are found.

There are plans to change this behavior in the future, which should resolve
the issue.

Thanks

-Mike
 
Guest

Thanks for the posts everyone. I don't know how I missed these other posts..
I'm running a copy of Spyware Doctor that I bought and I'm pretty sure this
is the cause of the Rivarts.A detection. I'm also using Norton Antivirus 2003
(updated) and was using eTrust ezAntivirus before the format. As for the
www.pc-aid.org thing. I'm not sure what was going on with this. Since I
re-formatted, the problem hasn't come back but I had a hell of a time getting
rid of it and in the end, it required a format..
 
Guest

I had exactly the same problem with Rivarts.A. On 3/22/06 at about 9:50 am
Microsoft Antispyware Beta1 said I had Rivarts.A and called it a severe
threat. I removed it but on the next day's start-up it was back. I did some
quick research and was horrified to find out that it was a backdoor trojan
keylogger. I then ran my Spyware Doctor (I've been a subscriber for two
years) and it came up clean. So did every other spyware product scan I tried.
I was confused, but decided to err on the side of caution and go look for it.

I followed Symantec's instructions for manual removal and came up with these
two things:

(1) C:\Windows\Temp\mc21tmp
(2) HKLM\System\CurrentControlSet\Services\mchinjdrv

These both fit Symantec's description of Rivarts.A (and something called
Graybird). But I couldn't find the root file causing it to reinstall after
reboot. Symantec said it should be a file called System32\Zsys.exe. I looked
everywhere, but in vain.

Then I read that it might be a false positive caused by Spyware Doctor.
Rather than backing up every one of my files and reformatting my hard drive I
uninstalled Spyware Doctor. The problem is now gone.

The question now is: was it a false positive all along or is there a problem
with Spyware Doctor being compromised?

One last item. I ran a scan with Spybot and it said that I had another bad
file in my registry that automatically shut down my Windows firewall.
Symantec said this was another possible activity of Rivarts.

HKLM\Software\Microsoft\Security Center\FirewallDisableNotify!=dword:0

I manually removed it and now my firewall does not turn itself off at reboot.

I don't know if I overreacted by uninstalling Spyware Doctor or not. I sent
them an email and asked if they knew anything about this, but they never
responded. That's a first. Spyware Doctor has always been very prompt about
addressing my concerns. Their silence makes me wonder.
 
Jonah

Alright I've been doing some reading on the net and it seems as if Windows
Defender detection of Rivarts.A may be a false positive. It's been detected on
my system and I can't get rid of it.. I scan, delete it, reboot and it's back,
I reboot XP into Safe Mode, scan, delete, comes back.. Last night I even
re-formatted the hard drive, completely reinstalled XP, updated the OS with
all the security updates, Service Pack 2, more security updates, installed
Windows Defender and Rivarts.A was detected again! I just don't see how this
is possible after a format. I should say that so far no other spyware
detection programs have found Rivarts.A on my computer. Any help? Thanks.

You reformat and then put in security apps including Spyware Doctor?
- which is one of the apps that adds the registry entries which
trigger this false positive.

Take out all your security apps then run Defender - it will be
negative, thus proving it's a false positive. In fact Defender is
triggering on inoculation added by other antispyware apps to prevent
Rivarts.A. Defender is a BETA app; that means its reports should not be
treated like holy writ.

Spybot S&D, Trojan Hunter, Spyware Doctor and others have all been
found to trigger Defender, and probably many others also. It will all be
sorted out fairly soon - M$ are aware and fixing it.

Jonah
 
Bill Sanderson MVP

Bob - I don't believe Spyware Doctor is at fault in this, although I do
believe they are the source of the entries that are being identified as
Rivarts.A.

I believe we are seeing an over-zealous detection here--a detection based on
the registry keys, but without the executable being present. See Mike
Treit's message, as well.

So--I wouldn't disparage Spyware Doctor at all--I believe they put the
entries out there for a valid purpose--with the intent of preventing their
use by the actual named threat.
 
Guest

I'm getting exactly this as well, only Microsoft Antispyware is detecting
RIVARTS.A; neither Norton Internet Security nor Spyware Doctor are picking it
up.

Has it been confirmed as a false positive yet?

Dave
 
Bill Sanderson MVP

Read all the messages in this thread--particularly those from Jonah, and
from Mike Treit. I think this is as close as we are going to come to a
clear statement.

 
Mike Treit [Msft]

By Microsoft Antispyware Beta 1 standards, this is not a false positive.
Beta 1 has always reported the presence of various registry keys and/or
values as meaning that you have that threat on your system, even if no files
are detected. Currently, Beta 2 (i.e., Windows Defender) has the same logic
as Beta 1.

That said, we are planning to be more stringent about what we consider a
concrete detection of a threat, which is why this behavior will change in
the near future for Windows Defender.

Thanks

-Mike
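As an added illustration of the two rules Mike describes (a registry key alone counts as the threat, versus requiring a dropped file as well before calling it concrete), written for this thread and not code from Microsoft or anyone posting here; the host snapshots and the matching rules are constructed assumptions, and the Rivarts.A artifacts are the ones named earlier in the thread:

```python
# Added illustration, not Windows Defender's code: the host snapshots and the
# matching rules below are constructed assumptions; the Rivarts.A artifacts
# (mchinjdrv service key, Zsys.exe, Temp\mc21tmp) are those named in the thread.
from dataclasses import dataclass

@dataclass(frozen=True)
class ThreatProfile:
    name: str
    registry_keys: tuple  # keys the threat is known to create
    files: tuple          # files the threat is known to drop

RIVARTS_A = ThreatProfile(
    name="Rivarts.A",
    registry_keys=(r"HKLM\System\CurrentControlSet\Services\mchinjdrv",),
    files=(r"C:\Windows\System32\Zsys.exe", r"C:\Windows\Temp\mc21tmp"),
)

def _hits(wanted, present):
    """Case-insensitive match: registry and NTFS paths are case-insensitive."""
    lowered = {p.lower() for p in present}
    return [w for w in wanted if w.lower() in lowered]

def registry_only_verdict(profile, host_keys):
    """Beta 1 / Beta 2 behaviour as described: a known key alone is reported
    as the threat, whether or not any of its files are present."""
    return "detected" if _hits(profile.registry_keys, host_keys) else "clean"

def corroborated_verdict(profile, host_keys, host_files):
    """Stricter rule: a key hit with no dropped file is only 'suspicious',
    the pattern an inoculation entry from another anti-spyware tool leaves."""
    key_hit = bool(_hits(profile.registry_keys, host_keys))
    file_hit = bool(_hits(profile.files, host_files))
    if key_hit and file_hit:
        return "detected"
    return "suspicious" if key_hit else "clean"

# Constructed snapshots: (registry keys present, files present).
HOSTS = {
    "inoculated": ({r"HKLM\SYSTEM\CurrentControlSet\Services\MCHINJDRV"}, set()),
    "infected": ({r"HKLM\System\CurrentControlSet\Services\mchinjdrv"},
                 {r"C:\Windows\System32\Zsys.exe"}),
    "clean": (set(), {r"C:\Windows\System32\notepad.exe"}),
}

def compare(profile=RIVARTS_A, hosts=HOSTS):
    """Return {host: (registry_only_verdict, corroborated_verdict)}."""
    return {name: (registry_only_verdict(profile, keys),
                   corroborated_verdict(profile, keys, files))
            for name, (keys, files) in hosts.items()}
```

Only the inoculated host differs between the two rules, which is the situation the posters in this thread describe.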
 
plun

Hi strange ;)

Maybe we have a few threats with single lines within the registry...?

Also with a check within Symantec kb it is so....

http://securityresponse.symantec.com/avcenter/venc/data/pwsteal.rivarts.html

Compare it with SpyFalcon's recognition but no RTP block...

Where do you put RTP blocks? Registry or files?

regards
plun

Category:
Potentially Unwanted Software

Description:
This program has potentially unwanted behavior.

Advice:
Review the alert details to see why the software was detected. If you
do not like how the software operates or if you do not recognize and
trust the publisher, consider blocking or removing the software.

Resources:
 
Guest

One more interesting aspect.
On the Beta, if you select "ignore", and then "are you sure", it STILL wants
you to close windows.

Highly odd to request that when you've chosen to do nothing......
 
Mike Treit [Msft]

RTP monitoring applies to a wide variety of both registry and file
locations.

-Mike
 
Guest

OK ppl, it's Spyware Doctor triggering this. Turn off Spyware Doctor and run
Defender again and it does not show up; turn on Spyware Doctor and Defender
triggers the Rivarts.A again. I just did it 3 times, and turning off Spyware
Doctor every time doesn't trigger this little annoyance in Windows Defender.
 