mchMixCache$1228 - Am I infected?

I was in the process of updating to the latest version of Comodo Internet Security when I got a pop up alert from Comodo asking whether or not to Block or Allow mchMixCache$1228, I clicked on allow assuming it was a temp file used during the Comodo install/update process but it did not show any info on it. Comodo’s Defense+ log says “mchMixCache$1228 is trying to perform a privileged operation” “No advice is available”.
It created a custom rule under HIPS rules labeled “Sessions\1\BaseNamedObjects\mchMixCache$1228”. And that is all the info I can find locally about it. I googled it and most all the references to it seem to list it as a mutex associated with a virus/trojan. And that is what has me concerned.
Any one have any insight on this or experienced this themselves? Any help would be greatly appreciated. Thanks in advance.

Windows 7 Ultimate 64 bit

Comodo Internet Security



Anyone??? Any ideas on what’s going on? I have ran several standalone scanners and came up clean. But have yet to do a scan with a live cd like Kaspersky or Bitdefender, downloading them from a known clean machine now. Will post back with the results.

Exactly the same here. Little new information to add. It seems to be a fleeting process. Google no help.
The number after $ is a random hex number. It gets more frequent the longer the PC has been running. Only started after latest Comoo update.

Could you elaborate on this a bit? Do you still have a process or thread running called mchMixCache$… or a file with that name somewhere. I scanned my system and couldn’t find any trace of anything with that name other than the alert I got and in the Comodo log.

Could you elaborate on this a bit? Do you still have a process or thread running called mchMixCache$... or a file with that name somewhere. I scanned my system and couldn't find any trace of anything with that name other than the alert I got and in the Comodo log.

No, sorry no useful clues, the process/thread pops in, triggers Comodo and vanishes. So I don’t know what spawns/executes it. It is too quick for me to see.

I am clean according to AVG and Clam.

After another update to my system seems OK so far…

That’s what version my alert occurred on. I too did at least a half dozen different scans and came up clean. Call me paranoid but I’m still not convinced. Would really like to know what that alert was all about. There are ways for malware to hide itself from antivirus scanners. Perhaps it is government malware that the antivirus companies have secretly white listed. Yeah I’m paranoid.


Well I got some problems with this mutex after updating the Firewall too, now I have the following sympthoms:

  • After some random time the audio driver stops working;
  • Some random glitches with windows’s user interface like lacking labels or buttons;
  • When I try to restart the computer it says that cmd.exe couldn’t execute something before restarting the computer;
  • After restarting everything works fine again until the audio drive stops working;

If you go to configuration → Security Configuration → HIPS, you can find the mutex log there, like in this pic (Portuguese version)

Waiting for an official reply from Comodo staff :P0l, I am sure that this is the last thing that I did on my computer was updating the firewall on December 12.

I’m having the exact same problem. Just finished a Windows 7 Ultimate 64bit repair this morning. Then Comodo asked to update, I said yes, as it was updating (at about 91%) these alerts kept popping up via HIPS and everything is now sandboxed.

Please fix, COMODO staff, I also recently cleaned out my computer for malware.

I’ve been doing some investigating and am on to something here. The path (sessions\1\BaseNamedObjects\mchMixCache…) that Comodo shows in the log isn’t a file or registry path. It’s a path to a windows object manager resource which can be viewed using WinObj which can be downloaded as part of Microsofts SysInternals Suite:

Or just the WinObj program here:

I highly recommend just downloading the whole Sysinternals Suite as there are a lot of small but very useful tools included in it. I already had the suite put hadn’t used all the tools and didn’t realize this WinObj was among them. Anyways below is a screen shot of what I see when I navigate to the sessions\1\BaseNamedObjects\ path in WinObj. I I found a bunch of entries beginning with mch and ending with $ and a string of numbers and letters but no MixCache The Comodo alert I got was for mchMixCache$1228 and I found an entry in WinObj, highlighted in the screenshot, labeled as mchLLEW2$1228 which I assume is a renamed version of what I got the alert for. When I right click it I get a ‘properties’ option and under the security tab in properties there are three entries under ‘Group or user names’. My account name is listed, then System, then (unknown account)S-1-5-5-0-311282. I searched the registry for the SID associated with the unknown account and came up empty. And so far have found no file or directory with that SID in it’s ACL. And that is where I am at, still don’t know what this is related to or if it is legit or not. Maybe someone can use what I have provided to help me dig deeper in to this.

I did two things and not sure which caused this change but now the mchLLEW2$1228 entry in WinObj is gone. There are still a number of mchLLEW2$… entries and I checked the security tab on them and the SID on the Unknown Account has changed from S-1-5-5-0-311282 to S-1-5-5-0-243925. I have been getting pop ups from Window Blinds to update and I finally downloaded and installed the update. And out of curiosity checked the WinObj entries and that is when I noticed the changes. But I had also ran the Comodo Virtual Kiosk and after closing it I deleted some of the temp files out of the c:\VTRoot folder that the virtual kiosk uses and I rebooted the machine. After the machine rebooted I checked the entries in WinObj again and the mchLLEW2$1228 was still gone but the Unknown Account SID on the other similar entries had changed yet again. And I also noticed that the Comodo tray icon had miniaturized. I had failed to mention that after the Comodo update the Comodo tray icon would be invisible after starting Windows until I click on the blank area where it’s supposed to be. Weird. Anyways still not sure what caused the changes. Maybe someone else can try checking the entries in WinObj then running Virtual Kiosk, closing it, rebooting and checking the entries in WinObj again.


I have experienced this same exact situation today. I finally updated comodo, after postponing it for a few months now. When computer restart was requested, I postponed it, and very soon after that, the pop-ups started appearing for mchMixCache$…, exactly as described by others. I first allowed it once, but then another pop-up appeared right after, I kept pressing allowed for a while, but it didn’t stop. It seems the numbers after the $ sign were changing. I then tried blocking, then blocking and terminating, but the pop-ups never stopped, so I restarted the computer. This is where I’m at now. No more pop ups for now, and everything is working fine, but I’m a bit concerned with what happened and am curious about the possible cause of this.
I’m running Windows 7 on a Lenovo W520 laptop. when the update was happening, some Lenovo tool was running some kind of hardware scan on the whole computer. First I thought that this was related to the pop-ups, but after seeing this forum, I don’t think so anymore.

If anyone finds out more information, I’m all ears :wink:

I have experienced this as well, except my problem goes a step further.

This first happened to me a few months ago, when I let Comodo update and postponed the restart. Comodo soon popped up with mchMixCaches, which I blocked. At some point that night I tried using Photoshop and was unable to save files, with the message “The file name is not valid” popping up when I tried to hit the Save button. Checked MS Paint, it was broken too. As I’d installed Windows updates earlier that day, and wasn’t sure which broke things, I did a System Restore and the issue was gone.
I updated Windows and didn’t have a problem, so I assumed Comodo was the culprit and didn’t allow it to update for months.

Last night, my partner told me Comodo had done another update so I figured I’d try again, hopefully bypassing whatever happened last time. Did the update, postponed the restart for 30 mins, and then Comodo pops up with mchMixCache$14a0, the first of which I hit Allow and the second popup I said “Treat as Installer or Updater”. I then finished up what I was doing and did a restart. A few hours later I tried saving a screenshot through MS Paint - and got the same message “The file name is not valid” for every single file type option.

Currently I am unable to use MANY programs (Adobe ones, all the Microsoft Office programs, Notepad, Paint and probably others) to do work on and I don’t know what Comodo did to make it so I can’t save files. Sorry about the wall of text :o

Did more searching around about the “The file name is not valid” message and uninstalling ASUS Data Security Manager (the true culprit) was the fix. However, I’m not sure why Comodo updating would trigger the error in the program. The data security manager has been on my computer since receiving it (back in 2010)! If anyone has any information about what the mchMixCache thing is I’d love to know more.