Rivarts.A Backdoor

Guest

I just downloaded the beta version of Windows Defender and ran a full system
scan - it picked up no infections - does this prove 100% that the Rivarts.A
Backdoor infection was a false positive?
 
Guest

Like others, I removed Rivarts.A with Windows Defender and it keeps coming
back. So, based on discussions here, I blocked Spyware Doctor from running
at startup with msconfig.exe, then removed the spy with Defender and the
problem went away. I have not turned Spyware Doc back on yet to see if it
comes back again.
 
Bill Sanderson MVP

Tmon - there was a definition update yesterday. I haven't had confirmation
from others that this detection has gone away, even with the registry
entries still in place, but that is possible.

If you can confirm that the previously detected registry entries are still
in place, I think that would clinch it for me.
 
Guest

First, a big thank you to everyone who posted on this problem, particularly
Bill S. I'm a long way from where it all happens (I'm UK based) and I'm not
that good with computers anyway, so it's really great to feel that I'm not
alone with a problem that could potentially have cleaned out my bank account.
Tonight I downloaded the latest WD definitions - 1.14.1358.2 built on 28.3.06
at 10:06 - and ran a scan: clean!! I checked the one registry key that WD
had found in the past and it's still there. This key was
HKLM\SYSTEM\CurrentControlSet\Services\mchnInjDrv. This folder still has
various items in it but they don't appear to my unskilled eyes to be exe
files. Hope this helps.
 
Bill Sanderson MVP

Thanks for that post--it is helpful.

It looks like the last update changed the detection logic in the way Mike
Treit said that it would be changed.

(and now I'm wondering if the original change (that created the detection)
was an accident!)
--
 
Mike Treit [Msft]

No, the original change that created the detection was not an accident. The
signature on the key is still there, but now it will only be reported if
some files associated with that threat are also present. The new behavior is
the result of a general change that was made to all signatures, not
something specific for this particular one.

Thanks

-Mike
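The detection change Mike describes above, as an added example that is not code from this thread, from Microsoft or from PC Tools: a registry-key-only rule fires on any host that has the service key, including hosts where a legitimate product such as Spyware Doctor installed it, while the corrected rule reports the key only when files associated with the threat are also present. The registry key is the one quoted in the thread; the associated file names (zsys.exe, zsys.dll) come from the Panda description cited later in the thread; the three host inventories are constructed sample data.

```python
"""Model of a registry-key-only detection versus a key-plus-files detection.

Added illustration, not the product's detection engine. The host
inventories below are constructed; the key name is quoted from the thread
and the file names from the Panda write-up the thread links to.
"""
from dataclasses import dataclass

# Registry entry that the thread reports as the trigger for the detection.
REGISTRY_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\mchInjDrv"

# Files the Panda description associates with the real Rivarts.A infection.
ASSOCIATED_FILES = {"zsys.exe", "zsys.dll"}


@dataclass(frozen=True)
class HostInventory:
    """Minimal view of a host: its service keys and the files in its System folders."""
    registry_keys: frozenset
    system_files: frozenset


def has_registry_key(host: HostInventory) -> bool:
    """Case-insensitive match, since registry paths are not case-sensitive."""
    return REGISTRY_KEY.lower() in {k.lower() for k in host.registry_keys}


def detect_key_only(host: HostInventory) -> bool:
    """The old rule: the service key alone is treated as an infection."""
    return has_registry_key(host)


def detect_key_and_files(host: HostInventory, min_files: int = 1) -> bool:
    """The corrected rule: the key counts only if associated threat files are present too."""
    if not has_registry_key(host):
        return False
    present = ASSOCIATED_FILES & {f.lower() for f in host.system_files}
    return len(present) >= min_files


# Constructed sample hosts (not real systems from the thread).
SAMPLE_HOSTS = {
    # Nothing of interest: no key, ordinary system files.
    "clean_host": HostInventory(
        registry_keys=frozenset(),
        system_files=frozenset({"kernel32.dll", "ntdll.dll"}),
    ),
    # The situation the thread describes: a legitimate security product
    # created the service key, but none of the threat's files exist.
    "spyware_doctor_host": HostInventory(
        registry_keys=frozenset({REGISTRY_KEY}),
        system_files=frozenset({"kernel32.dll", "ntdll.dll"}),
    ),
    # A host that matches the full threat description: key and files.
    "infected_host": HostInventory(
        registry_keys=frozenset({REGISTRY_KEY}),
        system_files=frozenset({"kernel32.dll", "zsys.exe", "zsys.dll"}),
    ),
}


def evaluate_all(hosts=SAMPLE_HOSTS):
    """Return {host_name: (key_only_verdict, key_and_files_verdict)} for every host."""
    return {
        name: (detect_key_only(h), detect_key_and_files(h))
        for name, h in hosts.items()
    }


def false_positives(rule, hosts=SAMPLE_HOSTS, truly_infected=("infected_host",)):
    """Names of hosts a rule flags that are not actually infected."""
    return sorted(
        name for name, h in hosts.items()
        if rule(h) and name not in truly_infected
    )


if __name__ == "__main__":
    for name, (old, new) in evaluate_all().items():
        print(f"{name:22s} key-only={old!s:5s} key+files={new!s:5s}")
    print("false positives, key-only rule:", false_positives(detect_key_only))
    print("false positives, key+files rule:", false_positives(detect_key_and_files))
```

Run as a script it prints both verdicts per host; the key-only rule flags the Spyware Doctor host as infected while the key-plus-files rule does not, and both rules agree on the clean and the fully infected host. Requiring at least one associated file is a single parameter, so a signature author can tighten it to two or more files for threats whose registry footprint is widely shared.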
 
Bill Sanderson MVP

I'm very pleased at the change. This kind of detection will require a lot
of care in getting the definitions right--but it'll be worth it in the end.
 
Guest

Hi, I received a reply from the folks at Spyware Doctor, here it is:

"Dear Harry,

Thanks for contacting PC Tools Support!

The Rivarts.A detection in most cases is picking up the following registry
entry as Rivarts.A.

HKLM\SYSTEM\Currentcontrolset\Services\mchInjDrv

This appears to be a false positive detection.

MchInjDrv is a third-party driver used by many security applications to
provide process protection. However, this driver can also be used for
malicious purposes by those intent on writing Spyware. There are some
AntiSpyware programs that do not understand that this is a legitimate driver
that can be used maliciously but in most cases is used legitimately.

Spyware Doctor in fact uses mchInjDrv as do many other legitimate security
programs.

Please reply to this message if you require further assistance.


Kind Regards,

David Musumeci
Customer Support Representative
PC Tools Customer Support Services
______________________________
PC Tools - www.pctools.com"
 
Bill Sanderson MVP

There are subtleties here-- but basically I agree with them--this is not a
proper identification of the real threat--and that's fixed now.
 
Guest

I just downloaded the latest usoft antispyware b-1 definition updates, and it
still picks up the rivarts.A (backdoor) set of files and calls it a trojan...
to be specific, I am running: Microsoft AntiSpyware Version: 1.0.701,
version expires on: 7/31/2006, Spyware Definition Version: 5825 (3/29/2006
8:50:47 PM)
so although there is apparently a fix for the Defender program people are
referencing, it hasn't yet crossed over to usoft's antispyware program.... or
I am missing something that Mike Treit or Bill Sanderson have been saying
regarding a 'fix'.
Thanks for all your help and sharing.
 
Guest

I'm also having this problem. I have:

Microsoft AntiSpyware Version: 1.0.701
This version expires on: 7/31/2006
Spyware Definition Version: 5817 (3/23/2006 7:09:08 PM)

I went to the Symantec page and to Panda Software's page
(http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?lst=det&idvirus=92688)
about Rivarts.A. They said that there is a zsys.exe file that is in the
registry. Mine does not have it, nor the zsys.dll files that are supposed to
be in the System folders.

So it appears I don't have the Rivarts trojan. HOWEVER, after the Microsoft
beta detects it and either removes it or quarantines it, I no longer have
internet connection. URLs appear to be found, but stick at about 37% and
display no page. I have to logoff and back in to connect to the internet.
 
Mike Treit [Msft]

The change that was made only applies to Beta 2.

However, in addition to the general change made to the Beta 2 behavior with
regards to registry key detections, we may also remove this particular
detection entirely. If we do, that will affect Beta 1 as well.

Thanks

-Mike
 
Bill Sanderson MVP

I have one, and perhaps two reports from beta1 users that this Rivarts.A
finding went away with the 5825 definition update.

So--I'm puzzled by this user's post. I think my inclination is to look more
closely about whether 5825 has, in fact, been successfully applied in his
case. Now I need to remember how to do that with beta1!
 
Bill Sanderson MVP

I've had at least one, and I think two reports that this finding was
resolved by the 5825 definition update in beta1.

I wonder if you could check a detail for me on your system:

Please go, in Microsoft Antispyware, to Help, About, and press the
(?diagnostics?) button--going from ancient memory here!--that should give a
long list of stuff. One of the lines in that list will end in a pair of
numbers separated by a slash--something like 168/168.

Can you check for that line and see whether the two numbers (whatever they
are) are equal?

If they are not equal, please go back to File, Check for updates, and re-try
the update operation. After each update check, recheck the diagnostics--and
look for identical numbers. Once those two numbers are equal, can you retry
the scan?

I may be off-base on this, but my suspicion is that in your case the update
is not fully in place.

--
 
Bill Sanderson MVP

I'm confused about that definition version--can you go to File, Check for
Updates and see what happens? Please repeat this operation until no further
update is offered. I believe you will end up on 5825.

Once you are on 5825, can you retry the scan?

This finding, I believe, involves a detection of registry entries that are
placed by another antispyware product on your system as an "inoculation"
against Rivarts.A. So--the removal should do no great harm--the
inoculation will be replaced by the other program.

I don't understand your loss of Internet connectivity, however--that hasn't
been a part of this issue on other systems that have reported. Is any other
threat reported besides the Rivarts.A?
 
Mike Treit [Msft]

Actually, it turns out that signature was removed for Beta 1 already. I was
mistaken that it was still in the signature set for Beta 1.

Thanks

-Mike
 
Guest

I have just followed this advice and updated to 5825. After days of
frustration and many spyware scans which detected Rivarts.A backdoor I have
now re-booted and run a clean scan. Thanks!
 
Guest

Well Done.

They weren't the same.
Re-updated... 5825.
Diagnostics list now says "Definitions Increment Version: 178/178".
Ran scan.
No rivarts.A.

Now, since it sometimes comes back after 4-5 hrs and only 3-4 have passed, I
need to try again tomorrow...
but, if not there, then I agree the 5825 update will have solved it.


1 ?: will beta1 update to beta 2 automatically at some point or just both
morph into the final product come 3q06?

Many thanks to you and all re this issue and good discussion.
 
Guest

I want to thank Bill S, Mike of Msoft and all the others who posted threads to
this forum. I have found it extremely useful. Spent days deleting
machinjdrv from my system, then longer looking for the file which caused the
folder to come back after each reboot. I have removed spyware doc from the start
up progs and will restart my pc. I'll then run Microsoft Beta 1 which is the
5865 version with 178/178 in diagnostics. Hopefully this will work. If not,
I will be back again, this time asking for help. Many, many thanks to all
concerned. Deesoulbabe, Cheshire, UK
 