Rivarts.A Trojan how to remove?
Original Message
Name: aca
Date: March 24, 2006 at 11:20:35 Pacific
Subject: Rivarts.A Trojan how to remove?
OS: Win XP Pro
CPU/Ram: 512 RAM/Athlon 3000xp
Model/Manufacturer: ASUS A7v8X-X
Comment: Found with MS AntiSpyware, tried to remove in Safe Mode, with system restore off. Says removed but comes back. Tried: Trojan Hunter/Ewido/BitDefender online scan/Avast running/Panda causes virus alert on ActiveX download, so can't clear it.
Response Number 1
Name: XpUser4Real
Date: March 24, 2006 at 11:45:24 Pacific
Reply: Try this free ActiveX On-line Spyware Scan; it may remove it for you. Worth a try. I notified Panda on the virus alert from Avast (which I also got when trying to use Panda, and I even sent them a screenshot of the virus warning) and they blew me off saying I wasn't a paid customer so they wouldn't help me... sounds like a false positive alert to get you to buy their product, which after how they treated me they can stick it! Haha.... funny thing is, doing a Google search, Panda looks like the only one with removal... go figure. Hopefully Jabuck will ask you for a HJT log and then you'll get that thing fixed.... looks pretty nasty to me. Hopefully my advice will help you... Please post back with your results.... thanks
Response Number 2
Name: Bob (by BigBob)
Date: March 24, 2006 at 11:59:32 Pacific
Reply: Download and run HijackThis, then paste your log on the Analyzer Page. Or if you wish, post your log here and I will see what I can do to help. Jabuck is the expert in this field. This Trojan is downloaded to the affected computer by another Trojan detected as Downloader.FHO. Here is some more info on it. " Please post back to let us know if we helped "
Response Number 3
Name: aca
Date: March 24, 2006 at 13:22:32 Pacific
Reply: Y, I thought the same re Panda/Avast, thanks for all offers of help, here is HJT, will try the X online scan thanks

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\AC\Desktop\Security\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.addictinggames.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{36862ABA-D90F-4383-B8CD-5616B800694C}: NameServer = 194.106.56.6 194.106.33.42
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSN Messenger\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
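As an added example (not code from this thread or from HijackThis), a small Python parser for the log format posted above: it splits the "Oxx - " entries out of the text and lists the ones a reviewer would look at first, namely "(file missing)" references, O23 services with no publisher recorded, and the O17 DNS servers. The inline sample log is constructed in that format from the kinds of entries that appear in the thread; it is not the poster's full log.

```python
import re
from typing import List, NamedTuple

# Constructed sample in HijackThis log format (entry kinds seen in this thread);
# it is not the poster's full log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{36862ABA-D90F-4383-B8CD-5616B800694C}: NameServer = 194.106.56.6 194.106.33.42
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSN Messenger\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

# HijackThis entries start with a section marker (R0, F1, O4, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")


class Entry(NamedTuple):
    section: str  # e.g. "O4", "O23"
    body: str     # everything after the "Oxx - " marker


def parse_hjt(text: str) -> List[Entry]:
    """Split a HijackThis log into (section, body) entries; the 'Running
    processes' path list and blank lines do not match and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(entries: List[Entry]) -> List[str]:
    """One review note per entry worth a second look: orphaned references,
    services with no publisher recorded, and the DNS servers in use."""
    notes = []
    for e in entries:
        if "(file missing)" in e.body:
            notes.append(f"{e.section}: orphaned reference (file missing) -> {e.body}")
        elif e.section == "O23" and "Unknown owner" in e.body:
            notes.append(f"{e.section}: no publisher recorded, verify the binary -> {e.body}")
        elif e.section == "O17":
            servers = e.body.split("NameServer = ", 1)[-1].split()
            notes.append(f"{e.section}: confirm these DNS servers are your ISP's: {' '.join(servers)}")
    return notes
```

Run `triage(parse_hjt(SAMPLE_LOG))` to get the notes; on the sample it reports the two missing-file entries, the one service with no publisher, and the DNS server pair.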
Response Number 4
Name: jabuck
Date: March 24, 2006 at 15:25:18 Pacific
Reply: I don't see anything in the HT log.

Please download http://www.atribune.org/content/view/19/2/ by Atribune. Run it in safe mode.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Download this 2 week free trial from spysweeper http://www.webroot.com/consumer/products/spysweeper/index.html?acode=af1&rc=4129&ac=spyll
Click Download Now to download the program. Install it.
Once the program is installed, it will open. It will prompt you to update to the latest definitions, click Yes.
Once the definitions are installed, click Options on the left side.
Click the Sweep Options tab.
Under What to Sweep please put a check next to the following:
Sweep Memory
Sweep Registry
Sweep Cookies
Sweep All User Accounts
Enable Direct Disk Sweeping
Sweep Contents of Compressed Files
Sweep for Rootkits
Please UNCHECK Do not Sweep System Restore Folder.
Click Sweep Now on the left side.
Click the Start button.
When it's done scanning, click the Next button.
Make sure everything has a check next to it, then click the Next button. It will remove all of the items found.
Click Session Log in the upper right corner, copy everything in that window.
Click the Summary tab and click Finish.
Paste the contents of the session log you copied into your next reply.

Please download BlackLight by F-Secure from this link http://www.f-secure.com/blacklight/
The log should be on your desktop or root directory (C:\). This is the format for the log file name: fsbl-<date-and-time>.log
If you have any trouble finding it do a search for fsbl*.log.
Response Number 7
Name: aca
Date: March 25, 2006 at 00:10:28 Pacific
Reply: Jabuck, followed instructions and it doesn't seem to have cleared. I have pasted in the 2 logs below. Thanks DSE, I will try manual. Worryingly, I thought I would give the automatic removal a go on the link; it showed 30 infections.... Will try manual removal and see where it takes me, and post back. Any further advice greatly appreciated.

03/25/06 07:43:50 [Info]: BlackLight Engine 1.0.33 initialized
03/25/06 07:43:50 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/25/06 07:43:50 [Note]: 7019 4
03/25/06 07:43:50 [Note]: 7005 0
03/25/06 07:43:56 [Note]: 7006 0
03/25/06 07:43:56 [Note]: 7011 1772
03/25/06 07:43:57 [Note]: FSRAW library version 1.7.1015
03/25/06 07:49:00 [Note]: 7007 0

Start of Session, 25 March 2006 |
07:28: Spy Sweeper started
07:28: Sweep initiated using definitions version 641
07:28: Starting Memory Sweep
07:31: Memory Sweep Complete, Elapsed Time: 00:03:05
07:31: Starting Registry Sweep
07:31: Registry Sweep Complete, Elapsed Time:00:00:07
07:31: Starting Cookie Sweep
07:31: Cookie Sweep Complete, Elapsed Time: 00:00:00
07:31: Starting File Sweep
07:39: File Sweep Complete, Elapsed Time: 00:07:20
07:39: Full Sweep has completed. Elapsed time 00:10:35
07:39: Traces Found: 0
********
06:35: | Start of Session, 25 March 2006 |
06:35: Spy Sweeper started
06:35: Sweep initiated using definitions version 641
06:35: Starting Memory Sweep
06:37: Memory Sweep Complete, Elapsed Time: 00:02:46
06:37: Starting Registry Sweep
06:37: Registry Sweep Complete, Elapsed Time:00:00:07
06:37: Starting Cookie Sweep
06:37: Cookie Sweep Complete, Elapsed Time: 00:00:00
06:38: Starting File Sweep
06:47: File Sweep Complete, Elapsed Time: 00:09:24
06:47: Full Sweep has completed. Elapsed time 00:12:20
06:47: Traces Found: 0
********
06:33: | Start of Session, 25 March 2006 |
06:33: Spy Sweeper started
06:33: Your spyware definitions have been updated.
06:35: | End of Session, 25 March 2006 |
Response Number 8
Name: aca
Date: March 25, 2006 at 14:50:21 Pacific
Reply: Have been also posting in and looking in the Malware Forum. Appears that running some anti-malware guards can cause a false positive in MS AntiSpyware. Have looked into this and could be the case? Have tried loads of scanners/AV/Trojan and none are showing anything. If this is the case I have boobed, as I started following the manual removal guide suggested above. Deleted wscntfy.exe (as this is associated with the Rivarts.a). Have since found it is a legitimate SP2 file. PC seems OK apart from MS Spyware scan won't now initialise.... Would be really grateful if Jabuck, you could give me your view on the possibility of this false positive. Here is the link to the post I refer to: http://forum.malwareremoval.com/viewtopic.php?t=8255 thanks
Response Number 9
Name: jabuck
Date: March 25, 2006 at 17:21:05 Pacific
Reply: It could very well be a FP, I never was a MSAS fan. I use SpywareBlaster. Either way Rivarts.A is a subtle foe and can cause you a lot of grief. I would first try to run the Panda scan again, or Kaspersky; it is underlined in orange on this page. You may be able to temporarily turn off real time protection for any of these programs you have and get the scanners to run by following the directions at this link: Turn off real time protection.
The pcpitstop scanner at this link is Panda so try running it http://www.pcpitstop.com/antivirus/default.asp and post the results. If the scanner is like Panda, to save the scan results click the See Report button, then Save Report and save it to the desktop, then copy/paste into the text editor and post it. Otherwise you will have to look for it.
Also run the Kaspersky scan and post the results.
1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
3. Select "Install" to download the ActiveX controls that allow ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. When the download is complete it will say ready, click "Next"
6. Click "Scan Settings" and check the option to use the EXTENDED DATABASE, then click "OK"
7. Select a target to scan: Click on "My Computer"
8. When the scan is complete choose to save the results as "Save as Text"
Response Number 10
Name: aca
Date: March 25, 2006 at 23:21:06 Pacific
Reply: Thanks Jabuck. Last night I checked my other networked PC (LAN). A week or so ago I had installed Trojan Hunter. Also MS AntiSpyware has been on it for a while, hadn't scanned since putting on Hunter. Got the same results for Rivarts. This morning uninstalled Hunter, did a CCleaner Reg clean. Ran MS AntiSpyware..... came up clear of Rivarts, so looking very much like a false positive. I have run the Kaspersky and Pitstop scans. Did them yesterday and both clear. The Panda one, despite installing ActiveX and stopping Avast, would not run. Figure it might be something with security settings (will turn off MSAS real time protection and also Hunter) although all the other online scans I tried seemed to work OK with no positives. Will try that now and post back.
Response Number 11
Name: aca
Date: March 25, 2006 at 23:30:03 Pacific
Reply: With Panda, turned off all real time protection I have. ActiveX etc. started to download but then came up with an error. Referred generically to possible causes (connection/permissions). After the clear Kaspersky yesterday along with the FP on the LAN connected PC, am I safe in assuming a MSAS "conflict" with Trojan Hunter? Or should I try further to get the Panda scan working?
Response Number 12
Reply: I had nearly identical scan results to yours with MSAS. On a hunch I found that Symantec calls this PWSteal.Rivarts, not Rivarts.A. So I uninstalled my AV program and installed the Norton AV trialware, which I really didn't want to do, but I wanted to get rid of this thing badly enough that I didn't care it was NAV. I had to run the scan in safe mode because the program froze in normal mode. It found a file called Adware.Linkmaker which I deleted. I ran MSAS again and finally no Rivarts.A! Oh, removing Trojan Hunter did not work. Try this and good luck!