Rivarts.A

banjo · 27-03-2006, 11:48

Hi,
Windows defender keeps detecting and deleting "Rivarts.A" a key logger.

Everytime I reboot this malware is detected again and I have to delete it, I have tried surches on google and yahoo and even with their information I cannot stop this virus from re-instaling itself.

I have a firewall and anti virus software including Spyware Doctor, any ideas, thanks.

Tightscot · 27-03-2006, 11:56

have you tried running 'msconfig' and checking through the startup items?

also if running Win XP with system restore turned on, then you'll need to turn it off - thus deleting the restore points (which may contain the virus) then rebooting and turning System restore back on...

banjo · 27-03-2006, 12:02

Quote:

Originally Posted by Tightscot

have you tried running 'msconfig' and checking through the startup items?

Yes, but what I have learned about this virus is that it "shields" itself from detection and can be delivered by another programme so I do not know what to look for ? Thank you for your reply

Tightscot · 27-03-2006, 12:03

what anti virus software do you use? and is it up to date?

**Stuart C** · 27-03-2006, 12:08

First, you need to disable System Restore. Follow the instructions at http://www.pchell.com/virus/systemrestore.shtml

Then, to remove it. Your virus scanner (or Windows Defender) should be able to remove it. Check the removal instructios at http://www.pandasoftware.com/virus_i...&idvirus=92688

Now, re-enable System Restore. The Disabling/re-enabling of System Restore is important as System Restore will sometimes back up viruses, then stop the virus scanner deleting the virus from the backup, so the virus gets restored next time System Restore is run.

banjo · 27-03-2006, 12:10

Quote:

Originally Posted by Tightscot

what anti virus software do you use? and is it up to date?

AVG free, Spyware Doctor, and a firewall and yes all is up to date, I have looked at the spyware definitions on AVG and Spyware Doctor and neither of them mentions Rivarts.A ?

**Stuart C** · 27-03-2006, 12:16

Also, in terms of Anti Spyware, I would recommend Spybot , as well as AdAware and Spyware Blaster

banjo · 27-03-2006, 12:19

Quote:

Originally Posted by Stuart C

First, you need to disable System Restore. Follow the instructions at http://www.pchell.com/virus/systemrestore.shtml

Then, to remove it. Your virus scanner (or Windows Defender) should be able to remove it. Check the removal instructions at http://www.pandasoftware.com/virus_i...&idvirus=92688

Now, re-enable System Restore. The Disabling/re-enabling of System Restore is important as System Restore will sometimes back up viruses, then stop the virus scanner deleting the virus from the backup, so the virus gets restored next time System Restore is run.

I have been to this site and tried their suggestions but it still re-installs itself after each re-boot !

**Stuart C** · 27-03-2006, 12:25

Did you do the following?

Quote:

How to remove Rivarts.A?

If Panda Antivirus or Panda ActiveScan detects Rivarts.A during the scan, it will automatically offer you the option of deleting it. Do this by following the program's instructions.
Finally, restore the original configuration of your computer by following the instructions below:
Delete the entry that Rivarts.A has created in the Windows Registry:
HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
Zsys = %sysdir%\ zsys.exe
where %sysdir% is the Windows system directory.
Restart the computer.
In order to make sure that Rivarts.A is completely eliminated from your computer, carry out a full scan of your computer using Panda Antivirus or Panda ActiveScan.

Tightscot · 27-03-2006, 12:26

What about going into msconfig, and turning off everything in the 'startup' section. Then reboot , turning each item back on, one at a time and checking to see if it reinstalls itself. that way you can find what startup entry is causing the reinstall.

Might take a while but may be the best way forward....

banjo · 27-03-2006, 12:58

HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
Zsys = %sysdir%\ zsys.exe
where %sysdir% is the Windows system directory

Stuart, do I have to only delete %sysdir% as I cannot find this exact string, I have just down loaded and ran Ad-aware it found 15 problems but on re-boot the nasty was back, how come only Windows defender is the only spy ware programmer to detect it ? I have the other utilities you mentioned but they cannot deal with this problem either !

---------- Post added at 12:58 ---------- Previous post was at 12:56 ----------

Quote:

Originally Posted by Tightscot

What about going into msconfig, and turning off everything in the 'startup' section. Then reboot , turning each item back on, one at a time and checking to see if it reinstalls itself. that way you can find what startup entry is causing the reinstall.

Might take a while but may be the best way forward....

Thank you for that if all else fails I will have to go down that route !

**Stuart C** · 27-03-2006, 13:16

Don't delete %sysdir% (either in the registry or on your drive). It is the folder that contains most of Windows System files, so even assuming Windows will allow you to delete it, you will disable Windows if you delete the whole folder.

The string should be "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows\CurrentVersion\Run\Zsys = %sysdir%\sys.exe"

Tightscot · 27-03-2006, 13:17

just to confirm you have done the following?

turn off system restore.

reboot system. and clear down all temp internet files etc

remove the virus.

reboot the system. - check virus has gone. if it has then:

tun system restore back on.

If it hasn't then see my last post!

**Stuart C** · 27-03-2006, 13:20

Exactly what I was trying to say..

banjo · 27-03-2006, 13:21

Stuart C, I cannot find this "Zsys = %sysdir%\ zsys.exe" in the registry, I have looked and searched for this with no joy ?