on launching, CAV warns about this file. However, this file is not in c:\windows\system32\drivers as advised. Is it being created by malware?

thank you?


The name of the file looks very suspicious. CAVS has probably quarantined the file which is why you cannot find it. Can you check CAVS quarantine and tell us the name of what CAVS detects this as.

It may be the following:


Actually, I think mchinjdrv.sys is a legitimate code injector, its a hidden driver deployed & used by Comodo Firewall Pro.

Edit: I think mchinjdrv stands for Mad Code Hook Injection Driver. Seriously.

2nd Edit: Its also deployed by some other security apps… eg. some of ASquare’s stuff.


Looks like you are right. Guess I should have read a bit more into it:

I’m running CAVS, A-squared anti-malware and CFP 2.4 myself, but CAVS does not alert to anything here.


Is cavs alerting you to an infection, or is it an HIPS alert that appears for the program?



I have CPF but no mchinjdrv.sys. Is this a dinamically generated driver?

Yep, confused me when I first ran into this as well. To be honest, I don’t where or how it is… I took Egemen at his word that CFP used it (not even sure if it still does) & that it was legitimate. I also understood his reluctance to discuss it in a public forum. If the BB’s search wasn’t so “unwell” I’d find his post.

You could always upload it to: to verify that it is legitimate.

You’ll need to find it first. ;D

That .sys file must be in file form somewhere on the hard drive at some stage.

Ok, I searched for more infos about madCodeHook

There is a free non-commercial edition available. However, it contains no static libs. So when using the non-commercial edition you always need to distribute the "madCHook.dll" with your software.

Previous madCodeHook versions provided a static lib to non-commercial developers too (until Tue Aug 30, 2005).

The non-commercial madCodeHook edition has been dropped due to repeated misuse by malware (since Tue May 29, 2007).

Uall wrote the Madshow hook detector and its latest version is on a different url.


on my system this mchinjdrv.sys is come with a try installation of eTrust PestPatrol Version ( and now is missed !?! ???

If you can’t find the file it is maybe hidden. How to show hidden files :,,4155-1916458,00.html

Greetz, Red.

Thanks for your link, but I already know about system hidden files …

The problem is that this file (or service or driver) miss also with “show system files” on …

I have noticed that also Cyberhawk installs this hidden file and that in their forum says that this is a kernel driver able to detect rootkits:

Here is how mchinjdrv.sys appears in the system:


… for whatever that’s worth! If you delete it, it just reappears the next time it’s called for, by whatever it is that called for it.

On my system the file is hidden also, however UnHAckme sees it and can not remove it.
I had Comodo Firewall on for a while and not sure if it was from that but think it was from installing Threatfire


I also have this one. Scanned it on, and here’s the results:

File mchInjDrv.sys recieved 2007.12.26 16:26:42 (CET)
Result: 2/32 (6.25%)
Detected by: ClamAV, TheHacker

File infomration

MD5: 9971aa2d16cb558358d6f6f3b5055cba

Seems like it’s clean.