Posted 12 April 2008 - 18:09
After running the scanner in safe mode, upon reboot avast! AV found mchlnjDrv.sys and said it was a rootkit.
avast! was unable to remove mchlnjDrv.sys (or even find it) when a subsequent scan was done on reboot.
I think that it was possibly alerting on a temp driver file used by Dr.Web® Scanner for Windows v4.44.5.
Does the Dr.Web scanner use that driver? Thank you!
Posted 12 April 2008 - 19:10
The scanner creates a Shield driver with a random name. It seems to me that "mchlnjDrv.sys" is not the Shield's name.
The name of the temporary driver of the DrWeb scanner is not known to me.
Posted 12 April 2008 - 19:29
You have to check anyway with all possible sources... but if you have Comodo Firewall, read this:
If the latter - you should be OK :-)
Posted 12 April 2008 - 20:17
I do run Comodo BOClean, but not FW. I wonder if that could be the reason that this driver caught the attention of avast!
I wish I knew if Dr.Web® Scanner for Windows v4.44.5 uses a driver filename mchlnjDrv.sys, but now I think it may be named RARSFXO.
I tried submitting my question to Dr.Web support but the submission form said the license key was invalid. (I copied and pasted the key from the program GUI).
But that's okay, I will eventually get to the bottom of this.
There is nothing to upload to Jotti or VirusTotal as the driver file does not appear in my directory.
It all could simply be an avast! false positive, too!
Thanks again and wish me luck.
Posted 13 April 2008 - 02:17
mchinjDrv.sys was also used in the old Cyberhawk (and possibly now in ThreatFire) and in some a-squared programs. I think it is or was also used in PestPatrol. Same for Webroot's SpySweeper. TrojanHunter has used this driver as well.
It is a legitimate driver (though sometimes used for malicious purposes) from the Madshi libraries --> http://madshi.net/ .
mchinjDrv.sys stands for Mad Code Hook Injection Driver.
Several years ago, Gavin (now with TrojanHunter, previously with DiamondCS), said the reason it can't be located is because, "it is dropped by the EXE, then loaded into memory. It could likely then be deleted, the system only needs the memory image of the file".
Maybe some people will be interested in this post from the author of madCodeHook --> http://www.wilderssecurity.com/showpost.ph...34&postcount=58
Just wanted to post back with the info I found.
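As an added example (not code from this thread or from any of the products named in it), here is a defender-side check that follows from the "dropped, loaded, then deleted" behaviour quoted above: it walks the Services registry key and reports kernel-driver services whose registered image file is no longer on disk, which is the state a scanner sees when the driver is still registered but the file has already been removed. The kernel-driver Type value, the ImagePath spellings handled, and the sample entries in the accompanying test are my assumptions and constructed data, not values taken from the thread.

```python
import ntpath

KERNEL_DRIVER = 1  # SERVICE_KERNEL_DRIVER: the "Type" value of a kernel-mode driver service

def normalize_image_path(image_path, service_name, system_root=r"C:\Windows"):
    """Turn the ImagePath spellings found under the Services key into one plain file path."""
    if not image_path:
        # No ImagePath value: the service manager defaults to System32\drivers\<name>.sys
        return ntpath.join(system_root, "System32", "drivers", service_name + ".sys")
    p = image_path.strip().strip('"')
    low = p.lower()
    if low.startswith("\\??\\") or low.startswith("\\\\?\\"):
        return p[4:]                                     # strip the NT object-path prefix
    for prefix in ("\\systemroot\\", "%systemroot%\\"):  # REG_EXPAND_SZ comes back unexpanded
        if low.startswith(prefix):
            return ntpath.join(system_root, p[len(prefix):])
    if low.startswith("system32\\") or low.startswith("\\system32\\"):
        return ntpath.join(system_root, p.lstrip("\\"))  # relative to %SystemRoot%
    return p

def find_orphan_drivers(entries, exists, system_root=r"C:\Windows"):
    """entries: (service, Type, ImagePath) tuples; exists: path -> bool.
    Returns (service, path) for kernel drivers whose registered image file is gone."""
    orphans = []
    for name, svc_type, image_path in entries:
        if svc_type != KERNEL_DRIVER:
            continue
        path = normalize_image_path(image_path, name, system_root)
        if not exists(path):
            orphans.append((name, path))
    return orphans

def read_service_entries():
    """Read (name, Type, ImagePath) for every key under Services on a live Windows host."""
    import winreg  # Windows-only module, so imported here rather than at the top

    def value(key, value_name):
        try:
            return winreg.QueryValueEx(key, value_name)[0]
        except OSError:
            return None  # value absent on this key

    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as svc:
        for i in range(winreg.QueryInfoKey(svc)[0]):
            name = winreg.EnumKey(svc, i)
            with winreg.OpenKey(svc, name) as key:
                entries.append((name, value(key, "Type"), value(key, "ImagePath")))
    return entries
```

On a Windows host, `find_orphan_drivers(read_service_entries(), os.path.exists, os.environ["SystemRoot"])` runs the check live. A driver that also removes its service key after loading leaves nothing in the registry to find, so compare the result with the loaded-driver list (for example the output of `driverquery`) rather than relying on the registry alone.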