Can't eradicate trojan


Guest

WD has detected a backdoor keylogger trojan on my pc (running XP Home).
The events description is:

Windows Defender scan has detected potential malware.
Scan ID: {457E54DF-8E3E-489B-9985-FD46A70881A9}
Scan Type: AntiSpyware
Scan Parameters: Quick Scan
User: FAMILYPC\<deleted>
Threat Name: Rivarts.A
Threat Id: 17245
Threat Severity: 5
Threat Category: 6
Path Found: regkey:HKLM\SYSTEM\CurrentControlSet\Services\mchInjDrv
Detection Type: Signatures

WD reports successful removal of the threat, but it always returns on the
next bootup. The trojan is not detected when booted in safe mode.

Any assistance would be much appreciated!


Teddles
 

Guest

I have the same problem: Microsoft AntiSpyware keeps finding this Rivarts.A every
time, even after deleting it. It also shows these registry entries that it deletes,
but they come back every time.

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv\Enum 0
Root\LEGACY_MCHINJDRV\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv\Enum Count 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv\Enum
NextInstance 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv Type 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv ErrorControl 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv Start 4
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv ImagePath
\??\C:\WINDOWS\TEMP\mc2A.tmp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv DeleteFlag 1
PLEASE HELP
 

Guest

I think I misled you, Bill... the only detection I was getting was from
Windows Defender; no others detected. But having read more of the forums, I
am leaning more toward a false positive.
 

Guest

It's not unlikely that Microsoft Antispyware will have this same false
positive. I suspect this relates to Spyware Doctor.

This is being found on a full scan, correct?

FWIW, I'd recommend sticking with quick scans unless something is actually
found.
 

Guest

2 days ago I also started receiving the warning of "Rivarts.A (backdoor)"
trojan found by Microsoft AntiSpyware Beta 1 [MSA-B1]... yet I ran a
Spyware Doctor full scan, Spy Sweeper, Ad-Aware Plus [Lavasoft], and Spybot and
found nothing = zero [antivirus scan is McAfee and found nothing]. I have
downloaded XoftSpy and run it and also found nothing.
The 6 files are removed but come back after a reboot according to MSA-B1.
I assume it's a false positive, but would like some assurance from Microsoft,
yet have heard nothing from them. I did post a query to the Spyware Doctor and
Spy Sweeper technical sites, since it is hard to believe neither picked them up and I
have purchased copies of both.

How do we get a response from Microsoft?.... Do they monitor this site?
Files found are:
All started with HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MchInjDrv
One was only this; the 5 others were:
\Enum 0 Root\LEGACYMCHINJDRV\...
\Enum Count 1
\Enum NextInstance 1
Type 1
ErrorControl 0
Start 4
ImagePath \??\C:\WINDOWS\TEMP\...
DeleteFlag 1
 

Bill Sanderson MVP

What other antispyware apps are you running--or have you run in the past?

--
 

Bill Sanderson MVP

I believe this is a false positive.

What other antispyware apps are you running that might be recreating these
entries?

--
 

Bill Sanderson MVP

I suspect that the entries you are seeing were placed there by Spyware
Doctor, as a protection against the threat. This appears to be a false
positive in Windows Defender.

--

cleanpc1 said:
2 days ago I also started receiving the warning of "Rivarts.A (backdoor)"
trojan found by Microsoft AntiSpyware Beta 1 [MSA-B1]... yet I ran a
Spyware Doctor full scan, Spy Sweeper, Ad-Aware Plus [Lavasoft], and Spybot and
found nothing = zero [antivirus scan is McAfee and found nothing]. I have
downloaded XoftSpy and run it and also found nothing.
The 6 files are removed but come back after a reboot according to MSA-B1.
I assume it's a false positive, but would like some assurance from Microsoft,
yet have heard nothing from them. I did post a query to the Spyware Doctor and
Spy Sweeper technical sites, since it is hard to believe neither picked them up and I
have purchased copies of both.

How do we get a response from Microsoft?.... Do they monitor this site?
Files found are:
All started with HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MchInjDrv
One was only this; the 5 others were:
\Enum 0 Root\LEGACYMCHINJDRV\...
\Enum Count 1
\Enum NextInstance 1
Type 1
ErrorControl 0
Start 4
ImagePath \??\C:\WINDOWS\TEMP\...
DeleteFlag 1

nicholas said:
I have the same problem: Microsoft AntiSpyware keeps finding this Rivarts.A every
time, even after deleting it. It also shows these registry entries that it deletes,
but they come back every time.

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv\Enum 0
Root\LEGACY_MCHINJDRV\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv\Enum Count 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv\Enum
NextInstance 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv Type 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv ErrorControl 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv Start 4
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv ImagePath
\??\C:\WINDOWS\TEMP\mc2A.tmp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv DeleteFlag 1
PLEASE HELP
 

Guest

OK, for everyone with this Rivarts problem, which I also have, well, now had,
past tense: I removed Spyware Doctor, which some said was creating this in WD
and Microsoft AntiSpyware, then I did a deep scan and it was gone and didn't come
back on bootup. Thanks to all who offered help and advice, including Bill
Sanderson, thanks.
 

Bill Sanderson MVP

I'm about 90% sure. Spyware Doctor seems to be one app that creates these
entries.

Here's something to try. Turn off Spyware Doctor--make sure it cannot run.
Have Windows Defender "clean" these entries, and then restart--see if they
come back. i.e. do another scan and see if they have appeared.

Some users report that the entries are coming back, which has the surface
appearance of a continuing infection--but it also may mean that Spyware
Doctor is recreating them on startup.

--
 

Bill Sanderson MVP

Nicolas--can you confirm one detail? In your case--are you using Microsoft
Antispyware beta1?

--
 

Guest

Yes Bill, I put Microsoft AntiSpyware back and took WD off; they both found
it. But I also got it when I had WD, that's why I took it off.
 

Bill Sanderson MVP

Thanks--I think this is clearly tied to the last definition update for both
products, and not to some individual quirk in one or the other.

--
 

Guest

Will Microsoft put out a patch for this?


Bill Sanderson MVP said:
Thanks--I think this is clearly tied to the last definition update for both
products, and not to some individual quirk in one or the other.
 

Guest

Bill,

I found the problem in my case.
TuneUp Utilities 2006.
After I removed this app and cleaned the registry, the problem was solved.

Jan
 

Guest

Bill, in another group you told them to shut down Spyware Doctor; that doesn't
work, they have to remove it. Just for your info, and thanks again; hope
Microsoft puts out a patch.
 

Mike Treit [Msft]

Currently signatures on registry keys and values that are known to be
created by malicious software are reported as a detection for that threat,
even if no other files or other traces of the threat are found.

There are plans to change this behavior in the future, which should resolve
the issue.

Thanks

-Mike
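Mike's explanation (a signature that fires on registry keys alone, with no file behind them) and Bill's clean-reboot-rescan test together describe what a defender should actually check before accepting a detection like this one. The following PowerShell script is an added example written for this page, not code from the thread, from Microsoft, or from any product named in it. It reads the flagged service key, decodes the Start, Type and DeleteFlag values the posters pasted, checks whether ImagePath resolves to a file on disk, lists installed products whose names match a pattern (the default pattern uses the two products the thread names), and saves a snapshot so that a second run after the clean-and-reboot cycle shows whether the key came back unchanged. It assumes PowerShell 3.0 or later and an elevated prompt; the snapshot file location, the function names and the messages are all hypothetical.

```powershell
# Added example (not code from the thread): triage a registry-only service
# detection before accepting it as an infection. Assumes PowerShell 3.0+ and
# an elevated prompt. The service name and the product names in the default
# pattern are the ones the thread mentions; the snapshot file and the function
# names are hypothetical.
param(
    [string]$ServiceName    = 'mchInjDrv',
    [string]$SnapshotFile   = (Join-Path $env:TEMP "$ServiceName-snapshot.xml"),
    [string]$SuspectPattern = 'Spyware Doctor|TuneUp'
)

# Service control manager meanings of the Start and Type DWORDs seen in the
# pasted report (Start 4 = Disabled, Type 1 = kernel driver).
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
$typeNames  = @{ 1 = 'Kernel driver'; 2 = 'File system driver'; 16 = 'Own process'; 32 = 'Shared process' }
$keyPath    = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"

function Get-ValueLabel([hashtable]$Names, $Value) {
    if ($null -eq $Value) { return '(absent)' }
    $label = $Names[[int]$Value]
    if ($null -eq $label) { $label = 'unknown' }
    return "$Value ($label)"
}

function Get-ServiceKeyState([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $p = Get-ItemProperty -LiteralPath $Path
    # ImagePath is an NT object-manager path (\??\C:\...); strip the prefix so
    # Test-Path can check whether anything is actually on disk.
    $image = [string]$p.ImagePath
    $win32 = $image -replace '^\\\?\?\\', ''
    $enum0 = $null
    $enumKey = Join-Path $Path 'Enum'
    if (Test-Path -LiteralPath $enumKey) { $enum0 = (Get-ItemProperty -LiteralPath $enumKey).'0' }
    [pscustomobject]@{
        Key        = $Path
        Type       = $p.Type
        Start      = $p.Start
        DeleteFlag = $p.DeleteFlag
        ImagePath  = $image
        FileExists = ($win32 -ne '' -and (Test-Path -LiteralPath $win32))
        Enum0      = $enum0
    }
}

$now = Get-ServiceKeyState $keyPath

if ($null -eq $now) {
    Write-Output "$keyPath is not present."
} else {
    Write-Output "Key:        $($now.Key)"
    Write-Output "Type:       $(Get-ValueLabel $typeNames $now.Type)"
    Write-Output "Start:      $(Get-ValueLabel $startNames $now.Start)"
    Write-Output "DeleteFlag: $($now.DeleteFlag)"
    Write-Output "ImagePath:  $($now.ImagePath)  (file on disk: $($now.FileExists))"
    Write-Output "Enum\0:     $($now.Enum0)"
    if (-not $now.FileExists) {
        Write-Output 'No file behind ImagePath: a registry-only artifact, the case Mike Treit describes. Identify the installed tool that owns it before treating it as an infection.'
    }
    if ($now.DeleteFlag -eq 1) {
        Write-Output 'DeleteFlag=1: the service control manager already marked this key for deletion; it is removed once the service unloads or at the next start, so a reappearance means something recreates it.'
    }
}

# Which installed products match the suspect pattern? (Both Uninstall hives, so 64-bit hosts are covered.)
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
) | Where-Object { Test-Path -LiteralPath $_ }
$owners = foreach ($root in $uninstallRoots) {
    Get-ChildItem -LiteralPath $root | ForEach-Object { Get-ItemProperty -LiteralPath $_.PSPath } |
        Where-Object { $_.DisplayName -match $SuspectPattern } | Select-Object -ExpandProperty DisplayName
}
if ($owners) { Write-Output "Installed products matching '$SuspectPattern': $($owners -join ', ')" }

# Bill's test: snapshot now, clean and reboot, run again and compare.
if (Test-Path -LiteralPath $SnapshotFile) {
    $before = Import-Clixml -LiteralPath $SnapshotFile
    if ($null -eq $now) {
        Write-Output 'Key absent after the reboot cycle: the clean held.'
    } else {
        $changed = foreach ($name in 'Type', 'Start', 'DeleteFlag', 'ImagePath', 'Enum0') {
            if ("$($before.$name)" -ne "$($now.$name)") { "$($name): '$($before.$name)' -> '$($now.$name)'" }
        }
        if (-not $changed) { Write-Output 'Key is back with identical values: something recreates it at startup, as Bill suggests.' }
        else { Write-Output "Key is back with changes: $($changed -join '; ')" }
    }
    Remove-Item -LiteralPath $SnapshotFile
} elseif ($null -ne $now) {
    $now | Export-Clixml -LiteralPath $SnapshotFile
    Write-Output "Snapshot saved to $SnapshotFile. Stop or uninstall the suspected tool, let the scanner clean the key, reboot, then run this script again."
}
```

Run it once before the clean, and once after the reboot. The combination that the thread ends up with, a key whose ImagePath points at a .tmp file that no longer exists, DeleteFlag set, Start set to Disabled, and a matching product in the Uninstall list, is the registry-only case Mike describes, and the second run tells you whether the key is being recreated at startup (Bill's hypothesis) rather than surviving the clean.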
 

Bill Sanderson MVP

Thanks--see Mike Treit's messages of today in .general and .announcements.

Unless you've actually found an executable associated with this threat, I
wouldn't fault that program, although I'm having some trouble imagining why
an app with that name would be adding registry entries....

--
 
