Rivarts.A Backdoor

Guest

Microsoft Anti-Spyware is currently picking up Rivarts.A Backdoor on my PC.
Is this a false positive as I also have Spyware Doctor, Spybot - Search &
Destroy, Ad-Aware SE and NAV 2006 on my PC and they do not detect anything.
 
Bill Sanderson MVP

I believe this is a false positive--on registry entries probably put in
place by Spyware Doctor, in your case. It'd be good to get some
confirmation from the Spyware Doctor folks about this, but that's my reading
of it so far.--the registry entries without the executable are an
inoculation technique used by several antispyware apps to prevent the
threat.
 
Guest

I have the exact same problem, Rivarts.A shows up in the Microsoft
AntiSpyware scan showing 9 entries in the registry - it is deleted, then when
I reboot, it shows up again. SpyWare Doctor, Norton, and your Malicious
removal tool show nothing, and I update all of my spyware sw daily and run
full scans each day.

I have posed this question to the SpyWare Doctor folks, to see if they have
any info on Rivarts, I told them the problem and hopefully it is a false
positive. I will post here when I hear back from them.

HET
 
Guest

I also have this problem but Windows Defender only finds one registry entry
which it deletes. This has only happened in the last three days. I couldn't
find any of the other registry files (zsys?.*) but the malicious software
still runs every time I reboot. I have NAV2005 but will now upgrade; also
Spyware Blaster, Spybot S&D and the (now discredited) PivX PreEmpt. I update
daily and run scans daily but only Defender finds this problem. Running
HiJack This! before and after removal of the registry key shows no
difference. Let's hope it is a false positive
 
Guest

Tmon said:
Microsoft Anti-Spyware is currently picking up Rivarts.A Backdoor on my PC.
Is this a false positive as I also have Spyware Doctor, Spybot - Search &
Destroy, Ad-Aware SE and NAV 2006 on my PC and they do not detect anything.

i am also getting the multiple detections with microsoft anti beta. i remove
them and then reboot and they reappear. i have spybot, pest patrol, adaware,
spyware blaster, webroot spysweeper, and more i can't remember them all... no
other program is detecting it.
kf.
 
Bill Sanderson MVP

Thanks--I have one confirmation in another group that shutting down Spyware
Doctor, and not running it, then cleaning with Windows Defender or Microsoft
Antispyware, then re-scanning--gets a clean scan.

Let me be clear--Spyware Doctor is not at fault here--these registry entries
have a protective purpose--this is definitely a false positive--but shutting
down Spyware Doctor is one way to relieve it.

--
 
Bill Sanderson MVP

You might consider running sysinternals regmon to see if you can tell what
is putting this key into place.

--
 
Bill Sanderson MVP

Are you running Spyware Doctor?

--

kf said:
i am also getting the multiple detections with microsoft anti beta. i remove
them and then reboot and they reappear. i have spybot, pest patrol, adaware,
spyware blaster, webroot spysweeper, and more i can't remember them all... no
other program is detecting it.
kf.
 
Guest

I too am picking up Rivarts.A Backdoor on Micro. Antispyware. And no I don't
have Spyware Doctor! I too have a bunch of spyware & antivirus software that
don't pick up this infection. Take it out and at another time it will
re-appear, not always after a reboot! This started after updating Micro.
Antispyware March 23 / 09:16am. Hope somebody out there knows what to do
about this (if anything at all!)
 
Mike Treit [Msft]

Currently signatures on registry keys and values that are known to be
created by malicious software are reported as a detection for that threat,
even if no other files or other traces of the threat are found.

There are plans to change this behavior in the future, which should resolve
the issue.

Thanks

-Mike
 
Guest

Hi, I found some strings in the registry.
HKEY/CURRENT USER/SOFTWARE/SEARCH ASSISTANT/ACMru/5603
Not being a hacker what to do? I deleted some suspect strings, do so at your
own risk. Easy check is go into the registry & search for 5603. Good hunting.
 
Guest

So, should we continue to remove all traces of RIVARTS.A Backdoor until this
change?
Elmwood Boy.......

Mike Treit said:
Currently signatures on registry keys and values that are known to be
created by malicious software are reported as a detection for that threat,
even if no other files or other traces of the threat are found.

There are plans to change this behavior in the future, which should resolve
the issue.

Thanks

-Mike
 
Guest

i have the same problem.... and spyware doctor apparently is not sure this is
a False positive..
i received the following reply to my query:
" ...thank you for contacting PC Tools.

The problem that you are experiencing appears to be caused by a new variant
of a known malware threat. Our Malware Research Center is currently aware of
"rivarts.A (backdoor)" issue and they are working on resolving the problem
shortly.

Please make sure to keep Smart Updating as the problem will be fixed shortly
with a newly created signature that will be downloaded via the Smart Update.

If you require further assistance, please reply to this email.

Kind Regards

Fitri Kanata
Customer Support Representative
PC Tools Customer Support Services
"
now, it could be that they haven't a clue and this just hedges their bets
before saying it is a false positive from msa-b1 ... or ... they are doing
something with spyware doctor that harvests information and this is part of
their software... seems unlikely, but time will tell
 
Bill Sanderson MVP

FWIW, if what is happening is that Windows Defender is removing entries
placed by Spyware Doctor as an inoculation--it won't do any harm to keep
removing them. I've had one response stating that simply not running
Spyware Doctor is not enough--that it actually needs to be uninstalled. I
don't know enough about the application to know why that would be, but it is
possible.

Again--I believe that these entries are harmless--but, given that, it is
also harmless to remove them.

--
 
Mike Treit [Msft]

If a single registry key is all that is being reported in the list of
detected resources, whether you remove it or not really won't matter, since
the basic problem that most users are reporting is that the key is being put
back. So it can't hurt to keep removing it, but it's not really helping
anything either.

-Mike
 
Guest

Mike- There are 9 entries to the reg.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv\Enum 0 Root\LEGACY_MCHINJDRV\0000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv\Enum Count 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv\Enum NextInstance 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv Type 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv ErrorControl 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv Start 4

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv ImagePath \??\C:\DOCUME~1\GUY\LOCALS~1\Temp\mc27C.tmp

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv DeleteFlag 1
And myself I think something on the net triggers them to reload..
Thanks for trying...
Elmwood Boy
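
Added example, not part of the thread and not Microsoft's or PC Tools' code: a PowerShell check that reads the service key listed in the post above and reports whether it is only a registry trace (the case Mike Treit describes) or is backed by an image file or a loaded driver. The key name comes from the post; the verdict strings are illustrative, and the script assumes PowerShell 3.0 or later and an absolute ImagePath.

```powershell
# Added example: triage a registry-only hit on a driver service key.
# 'mchInjDrv' is the key named in the thread; the verdict wording is illustrative.
$name = 'mchInjDrv'
$key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"

# Documented meanings of the Start and Type DWORDs under a Services key.
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
$typeNames  = @{ 1 = 'Kernel driver'; 2 = 'File system driver'
                 16 = 'Own-process service'; 32 = 'Shared-process service' }

if (-not (Test-Path -LiteralPath $key)) {
    "No service key named '$name' is present."
} else {
    $svc = Get-ItemProperty -LiteralPath $key

    # Driver ImagePath values are often NT paths (\??\C:\...); strip the
    # prefix and expand variables so the file can be checked on disk.
    $path = ([string]$svc.ImagePath) -replace '^\\\?\?\\', ''
    $path = [Environment]::ExpandEnvironmentVariables($path)
    $onDisk = [bool]$path -and (Test-Path -LiteralPath $path -PathType Leaf)

    # Ask the service control manager whether the driver is loaded right now.
    $drv = Get-CimInstance Win32_SystemDriver -Filter "Name='$name'" -ErrorAction SilentlyContinue
    $running = [bool]($drv -and $drv.State -eq 'Running')

    $verdict = if (-not $onDisk -and -not $running) {
        'Registry trace only: no image file on disk and no loaded driver'
    } elseif ($onDisk) {
        'Image file present: hash it, check its signature, submit for analysis'
    } else {
        'Driver loaded but image file missing: investigate further'
    }

    [pscustomobject]@{
        Key        = $key
        Start      = $startNames[[int]$svc.Start]
        Type       = $typeNames[[int]$svc.Type]
        DeleteFlag = $svc.DeleteFlag
        ImagePath  = $svc.ImagePath
        FileOnDisk = $onDisk
        Running    = $running
        Verdict    = $verdict
    } | Format-List
}
```

For the values posted above, Start 4 decodes to Disabled and Type 1 to Kernel driver.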
 
Guest

I certainly am glad I am not the only one with this problem. My program
says it quarantines it, but will not let me continue or to remove it. It is
as though the entire program is hung up once the Rivarts.A Backdoor is
detected. I will be very glad when this is resolved. Also, auto updates
have not occurred the past few days.
 
Bill Sanderson MVP

Which program are you speaking of? Can you say what definition version you
are on?
 
Guest

Sorry I was unclear. I am referring to Microsoft AntiSpyware Beta 1,
version 1.0.701, definitions 5817 downloaded 3/24/2006. It tells me the
Rivarts.A Backdoor is quarantined, but the continue button is greyed out and
does not work.

Otherwise, what everyone else says is true for me.

I'm just glad I am not the only one with this problem. Thanks.
 