Rivarts.A Backdoor

Microsoft antivirus found this during it's usual 3 am scan. How does this find it's way into my computer? Thinking I had it immune to this crap after the
Spyware.Apropos.C episode. Which I disposed of thanks to this forum.

 

Microsoft Defender Beta 2 also found Rivarts.A on my computer. Prior to runing Defender I ran a full scan with Ewido with no mention of Rivarts.A What is happening with Ewido?

 

Could also be a FP that Microsoft is giving?

Thanks,

Chris

 

I had the same "problem"........ but with Trojan Hunter ...

Have a look here:

Microsoft Discussion Groups

Hope this helps.

 

I think someone still has some questions Thanx Marianna

 

There is also a thread going on at DSLR......

Windows Defender FP ??

http://www.dslreports.com/forum/remark,15757725

Keep smiling

 

so it is a nasty one after all .. I swear I had it once and none of my programs were detecting it .. strange ..

 

SpybotS&D once found it....... Command Service: mchInjDrv in HKLM:CurrentControlSet...

have a look here:

http://forums.spybot.info/showthread.php?t=774

 

Thanx Marianna, I'm looking for any relation concerning mchInjDrv.sys
and non-malicious programs atm .. I cannot find anything

 

do you have....... a program called DVD Cloner ? It is mentioned here:

Kasperski forum

 

No, Never used it actualy, .. I started with a complete setup one week ago .. I don't have it anymore now apparently so that's good news .. but still because it is a sys file .. so you see, formatting can be good once in a while

 

I got the Rivarts.A alert during last night's regular scan with MSAS.
I'm hoping that this is a false positive.
The only change I made to the system yesterday that I remember was swap out a bad motherboard and re-Activate Windows.


Rivarts.A Backdoor more information...
Status: Quarantined
Severe threat - Severe-risk items have an extreme potential for harm, such as a security exploit, and should be removed.

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv\Enum 0 Root\LEGACY_MCHINJDRV\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv\Enum Count 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv\Enum NextInstance 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv Type 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv ErrorControl 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv Start 4
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv ImagePath \??\C:\WINDOWS\TEMP\mc22.tmp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv DeleteFlag 1

 

I uninstalled Spyware Doctor and the registry keys in question are gone even after reboot.

 

I too found Rivarts.A on my system from a MS AS Beta scan. I was surprised because it is literally the first alleged malware it has detected since I installed it shortly after it became available.

If you follow some of the forum threads below, some of them suggest that the 9 Registry keys mchInjDrv (mad code hook Injection Driver) may have come from Trojan Hunter. Probably not in my case. I actually downloaded the trial version AFTER I found Rivarts.A because it was identified as a trojan. I should note that I had tried TH once a while ago, but I doubt there was any files left on my system. TH did not find anything, including Rivarts.A.

None of my other scans found Rivarts.A either: ewido, a-squared, Spy Sweeper, NIS 2006, Spyware Doctor, Spybot, Ad-Aware SE. That was peculiar.

Somebody asked what Trojan Hunter Guard is. I believe it's a .exe that is found within the TH folder. If you run Process Explorer I would expect it would show up there. I can't test that because I removed TH just to see what would happen. Same as before: the mchInjDrv reinstalls on reboot. Removing TH was a bit tricky, by the way. I used Add/Remove Programs from the Control Panel, but it couldn't remove it completely. The message said remove the rest manually. I tried to delete the TH folder in Programs Files, but I couldn't - Access denied, Trojan Guard running. Luckily I was able to delete the rest of it from the system tray.

I also read on a forum that mchInjDrv is a legitimate application that the developer sells to other companies, so it may be malware if a company producing malware incorporates it into their product, but it is not supposedly malware in and of itself. Like any tool, it depends on how it is used.

I have had Spyware Doctor myself for a while, so it may be that these traces were there all along unnoticed until MS AS detected them as likely false positives. I run the free unregistered version of SD and their tech support won't respond any more, but maybe someone who has the paid version can get an answer from them about whether or not they use mchInjDrv.

In the meantime, until this gets resolved, I am just going to remove mchInjDrv every time on reboot. I don't want a potential keystroke logger running.

Can someone tell me if I can simply and safely use regedit to delete the mchInjDrv folder from the Registry rather than run a quick MS AS scan and have it remove it? It takes about 3-4 minutes for MS AS to do its thing.

 

what agitates me is that it isnt picked up by windows defender real time protection i have had four instances of it dating back 4 days approx, ive only turned on my pc half an hour ago its locked up twice and windows defender has picked up the rivarts.a yet again ive e-mailed microsoft to see what they have to say but no reply as yet

 

If you get a reply from Microsoft at all, it will only be to say that Defender (like its predecessor MS AS) is in Beta, and MS does not provide support for Beta releases as a policy matter.

I tried to get some very basic support for MS AS early on, and they just directed me to a MS forum on it. I'm guessing they even ignored my product suggestions.

I think it's a bit disgraceful for a company the size of Microsoft with its resources not to support its Betas at all, but everyone who downloads anybody's Betas should know that there will be some bugs of some kind in the application, some minor, others perhaps seriously aggravating or even catastrophic. As always, caveat emptor (buyer beware). That's why setting a Restore Point before a download is a good idea, just in case.

 

MS AS found Rivarts.A too on another computer that I sometimes clean.
It could be from IM or from malware because I removed a screensaver from this pc with a tennisplayer before that contained badware.
Giant seemed better than MS AS so I am not shure its malware or a Fp.

 

Check out these replies by Mike Treit of Microsoft on 3/27/06 on the MS Discussion Groups forum thread 'Rivarts.A Backdoor - False positive or not?' about the detection rules that MS uses: http://www.microsoft.com/communitie...&pt=&catlist=&dglist=&ptlist=&exp=&sloc=en-us , excerpted below.

"Currently signatures on registry keys and values that are known to be
created by malicious software are reported as a detection for that threat,
even if no other files or other traces of the threat are found.
There are plans to change this behavior in the future, which should resolve
the issue."

"By Microsoft Antispyware Beta 1 standards, this is not a false positive.
Beta 1 has always reported the presence of various registry keys and/or
values as meaning that you have that threat on your system, even if no files
are detected. Currently, Beta 2 (i.e., Windows Defender) has the same logic
as Beta 1.
That said, we are planning to be more stringent about what we consider a
concrete detection of a threat, which is why this behavior will change in
the near future for Windows Defender."

To quote a later post on that thread: "Mike Treit has stated that the logic
Windows Defender uses in these cases (registry entries found, but not
executable code) will soon be changed, which will eliminate this alarm."

Various legitimate AS programs including Trojan Hunter and Spyware Doctor may install mchInjDrv, but are not malware themselves.

At this point I am fairly convinced that on my system the detection of mchInjDrv is a false positive. If we had a complete list of 'good' programs that installed it, AS or otherwise, then by removing all of them from your system you could know for sure if mchInjDrv was indeed associated with an instance of malware. The best we can hope for at the moment is the brief list discussed in these threads.

Note also that Spybot decided to remove mchInjDrv from its detection: forums.spybot.info/showthread.php?t=730 .

 

When it is in the registry it`s not a false positive.
The pc user should be notified and the keys must be removed.
You don`t want it on your system, not for any part.

 

Hi dcdc, I have detected Rivarts.A on my system with MS AS. Rivarts.A is a rootkit based trojan and it is self replicating. When MS AS deletes Rivarts.A it is only deleting a copy which the trojan has made, a few hours later it will be back. Panda Software has an article on it. After your AS deletes it, you have to delete the directory that Rivarts.A has created which is a .exe file. I went into my registery but could not find the directory string. I can't reproduce all of the directory string here as I don't have the right keyboard. After that, you have to delete your systems retore points, then reactivate monitoring again. Go to the Panda site to read on it. I am still stuck with this thing!

 

Panda claims its online scanner removes Rivarts.A

http://www.pandasoftware.com/products/activescan

 

Here is a link to Panda's virus encyclopedia on Rivarts.A: http://www.pandasoftware.com/com/vi...iew.aspx?idvirus=92688&sitepanda=particulares.

This morning I did a free scan from Panda's site with their two scanners, spyXposer and ActiveScan. Neither one found any malware including Rivarts.A on my system, and I do have mchInjDrv keys in my Registry. So apparently Panda does not use these keys as the only criteria to detect Rivarts.A. Panda may indeed remove Rivarts.A, but apparently in their detection rules the presence of mchInjDrv is insufficient to warrant a reported detection.

Spybot decided to delist mchInjDrv last year. See post 7 on this thread: http://forums.spybot.info/showthread.php?t=774. Note also this quote from post 1 on the thread:
"TrojanHunter, spysweeper, a2 all add this registry entry, probably more security apps also.
mchInjDrv (Mad code hook injection driver)
malware can use it, but if you use any of the above security apps, then it's a false positive."

You can probably add Spyware Doctor to the list of security applications that use it.

Again, Rivarts.A may use mchInjDrv, but that does not mean that the converse is true, i.e. if mchInjDrv on your computer, you are necessarily infected with Rivarts.A. In other words just because you have some symptoms doesn't mean you necessarily have the disease.

 

From Symantec Support:

http://securityresponse.symantec.com/avcenter/venc/data/pwsteal.rivarts.html

 

If nothing helps I will try this too.
SWD is on the other Pc.
Did removing Spyware Doctor help for more people?

 

Hi PCJohn,

I guess my question is why would you want to uninstall Spyware Doctor if it were clear that SD was the source of the keys, or are you unconvinced that it is in your case? If the keys after uninstall did not return following reboot, would you then reinstall SD or not? If not, why not?

I don't think anyone believes SD is harboring malware or that it is anything less than completely reputable. When MS decides to get around to it, they will change their detection rules and the FP hit will go away.

A similar situation happened a while ago when Symantec mislabeled Spyware Doctor as harboring Graybird Backdoor. That was one of the better known false positives that eventually got cleared up.