mchinjdrv.sys

On launching, CAV warns about this file. However, this file is not in c:\windows\system32\drivers as advised. Is it being created by malware?

Thank you.

Hi,

The name of the file looks very suspicious. CAVS has probably quarantined the file, which is why you cannot find it. Can you check the CAVS quarantine and tell us the name of what CAVS detects this as?

It may be the following:

Mike

Actually, I think mchinjdrv.sys is a legitimate code injector; it's a hidden driver deployed & used by Comodo Firewall Pro.

Edit: I think mchinjdrv stands for Mad Code Hook Injection Driver. Seriously.

2nd Edit: It's also deployed by some other security apps… e.g. some of A-squared's stuff.

Kail,

Looks like you are right. Guess I should have read a bit more into it:

I’m running CAVS, A-squared anti-malware and CFP 2.4 myself, but CAVS does not alert to anything here.


krcmd1,

Is CAVS alerting you to an infection, or is it a HIPS alert that appears for the program?

Mike

Hello,

I have CPF but no mchinjdrv.sys. Is this a dynamically generated driver?

Yep, confused me when I first ran into this as well. To be honest, I don't know where or how it is… I took Egemen at his word that CFP used it (not even sure if it still does) & that it was legitimate. I also understood his reluctance to discuss it in a public forum. If the BB's search wasn't so "unwell" I'd find his post.

You could always upload it to: http://virusscan.jotti.org/ to verify that it is legitimate.

You’ll need to find it first. ;D

That .sys file must be in file form somewhere on the hard drive at some stage.

OK, I searched for more info about madCodeHook.

There is a free non-commercial edition available. However, it contains no static libs. So when using the non-commercial edition you always need to distribute the "madCHook.dll" with your software.

Previous madCodeHook versions provided a static lib to non-commercial developers too (until Tue Aug 30, 2005).

The non-commercial madCodeHook edition has been dropped due to repeated misuse by malware (since Tue May 29, 2007).

Uall wrote the Madshow hook detector, and its latest version is on a different URL.

Hi,

On my system this mchinjdrv.sys came with a trial installation of eTrust PestPatrol Version 8.0.0.6 (http://www.pestpatrol.com/) and now is missing!?!

If you can't find the file, it may be hidden. How to show hidden files:

http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Greetz, Red.

Thanks for your link, but I already know about hidden system files…

The problem is that this file (or service or driver) is also missing with "show system files" on…

I have noticed that Cyberhawk also installs this hidden file, and their forum says that this is a kernel driver able to detect rootkits:

Here is how mchinjdrv.sys appears in the system:

\??\C:\Windows\System32\Drivers\mchinjdrv.sys

… for whatever that’s worth! If you delete it, it just reappears the next time it’s called for, by whatever it is that called for it.

On my system the file is hidden also; however, UnHackMe sees it and cannot remove it.
I had Comodo Firewall on for a while and I'm not sure if it was from that, but I think it was from installing ThreatFire.

Bruce

I also have this one. Scanned it on VirusTotal.com, and here’s the results:

File mchInjDrv.sys received 2007.12.26 16:26:42 (CET)
Result: 2/32 (6.25%)
Detected by: ClamAV, TheHacker

File information

Name: mchInjDrv.sys
MD5: 9971aa2d16cb558358d6f6f3b5055cba

Seems like it’s clean.

Cheers,
Ragwing
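Added example for this thread (not posted by anyone above, and not Comodo's, madshi's or any vendor's code): several replies boil down to "find the driver first, then hash it". The script below resolves the kinds of ImagePath strings found under HKLM\SYSTEM\CurrentControlSet\Services, including the `\??\C:\...` form quoted earlier, lists the kernel-driver services on a Windows box, and compares a file's MD5 against the value Ragwing got from VirusTotal. The sample ImagePath strings in the `__main__` block are constructed for the demo; the registry walk only runs on Windows, and a "missing" verdict for a driver the registry still names is exactly the hidden-file situation the thread describes.

```python
"""Locate a driver service by name and check the on-disk file's MD5.

Added example for the thread above; not code from any poster or vendor.
Assumptions: the ImagePath spellings handled below are the common forms
under HKLM\\SYSTEM\\CurrentControlSet\\Services; the default system root
is C:\\Windows; the sample strings in __main__ are constructed.
"""
import hashlib
import os
import re
import sys

KNOWN_MD5 = "9971aa2d16cb558358d6f6f3b5055cba"  # value Ragwing posted from VirusTotal
SERVICE_KERNEL_DRIVER = 1  # 'Type' value for kernel drivers in a Services key


def resolve_image_path(image_path: str, system_root: str = r"C:\Windows") -> str:
    """Turn a Services\\<name>\\ImagePath value into a plain Win32 path.

    Handles the NT object-manager prefix '\\??\\' (as quoted in the thread),
    '\\SystemRoot\\...', '%SystemRoot%\\...' and bare relative paths such as
    'system32\\drivers\\x.sys', which the kernel roots at %SystemRoot%.
    """
    root = system_root.rstrip("\\")
    p = image_path.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.lower().startswith("\\systemroot\\"):
        p = root + "\\" + p[len("\\systemroot\\"):]
    # lambda replacement: a literal 'D:\Win' would be mis-parsed as regex escapes
    p = re.sub(r"%systemroot%", lambda _m: root, p, flags=re.IGNORECASE)
    if not re.match(r"^[A-Za-z]:\\", p):  # relative to the system root
        p = root + "\\" + p.lstrip("\\")
    return p


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: str):
    """MD5 of a file, or None if it is absent or hidden from this process."""
    try:
        with open(path, "rb") as fh:
            return md5_hex(fh.read())
    except OSError:
        return None


def verdict(path: str, known_md5: str = KNOWN_MD5) -> str:
    """'missing' (no file at the registered path), 'match' (same bytes as the
    scanned sample) or 'mismatch' (something else is using this name)."""
    digest = md5_of_file(path)
    if digest is None:
        return "missing"
    return "match" if digest == known_md5 else "mismatch"


def kernel_driver_services():
    """Return [(service name, resolved image path)] for every kernel-driver
    service registered on this machine. Windows only; elsewhere returns []."""
    if sys.platform != "win32":
        return []
    import winreg  # stdlib on Windows
    root = os.environ.get("SystemRoot", r"C:\Windows")
    found = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Services") as services:
        for i in range(winreg.QueryInfoKey(services)[0]):
            name = winreg.EnumKey(services, i)
            try:
                with winreg.OpenKey(services, name) as svc:
                    svc_type = winreg.QueryValueEx(svc, "Type")[0]
                    image = winreg.QueryValueEx(svc, "ImagePath")[0]
            except OSError:
                continue  # no Type/ImagePath: not a driver entry
            if svc_type == SERVICE_KERNEL_DRIVER:
                found.append((name, resolve_image_path(image, root)))
    return found


if __name__ == "__main__":
    target = (sys.argv[1] if len(sys.argv) > 1 else "mchinjdrv").lower()
    # Constructed sample: the ImagePath form quoted in the thread.
    print(resolve_image_path(r"\??\C:\Windows\System32\Drivers\mchinjdrv.sys"))
    for name, path in kernel_driver_services():
        if target in name.lower() or target in path.lower():
            print(f"{name}: {path} -> {verdict(path)}")
```

Run it as `python finddrv.py mchinjdrv` on the affected machine. A "missing" result for a path the registry still points at means the file is being hidden or is dropped on demand (matching the "it just reappears" observation); a "mismatch" means the name is being reused by a different binary and deserves a fresh upload to VirusTotal or Jotti rather than trust by name.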