Перейти к содержимому


Фото
- - - - -

mchlnjDrv.sys


  • Please log in to reply
7 ответов в этой теме

#1 mynorgeek

mynorgeek

    Newbie

  • Members
  • 3 Сообщений:

Отправлено 12 Апрель 2008 - 18:09

Please tell me if Dr.Web® Scanner for Windows v4.44.5 uses a driver filename mchlnjDrv.sys?

After running the scanner in safe mode, upon reboot avast! AV found mchlnjDrv.sys and said it was a rootkit.

avast! was unable to remove mchlnjDrv.sys (or even find it) when subsequent scan was done on reboot.

I think that it was possibly alerting on a temp driver file used by Dr.Web® Scanner for Windows v4.44.5.

Does the Dr.Web scanner use that driver? Thank you!

#2 SergM

SergM

    Guru

  • Moderators
  • 9 387 Сообщений:

Отправлено 12 Апрель 2008 - 18:34

Please check up a suspicious file on http://www.virustotal.com/en/indexf.html or http://virusscan.jotti.org
The name of driver SpIDer Guard File System Monitor - is spider.sys
The name of the temporary driver of scanner DrWeb is not known to me.

#3 Borka

Borka

    Забанен за флуд

  • Members
  • 19 512 Сообщений:

Отправлено 12 Апрель 2008 - 19:10

The name of the temporary driver of scanner DrWeb is not known to me.

Scanner creates random name Shield driver. Seems to me "mchlnjDrv.sys" is not Shield's name.

#4 Caracal

Caracal

    Newbie

  • Posters
  • 14 Сообщений:

Отправлено 12 Апрель 2008 - 19:29

Hi mynogreek,

you have to scheck anyway with all possible sources... but if you have Comodo Firewall, read this:
http://www.wilderssecurity.com/archive/ind...p/t-150519.html

If the latter - you should be Ok :-)

My regards

#5 mynorgeek

mynorgeek

    Newbie

  • Members
  • 3 Сообщений:

Отправлено 12 Апрель 2008 - 20:17

Thank you all for your helpful responses.

I do run Comodo BOClean, but not FW. I wonder if that could be the reason that this driver caught the attention of avast!

I wish I knew if Dr.Web® Scanner for Windows v4.44.5 uses a driver filename mchlnjDrv.sys, but now I think it may be named RARSFXO.

I tried submitting my question to Dr.Web support but the submission form said the license key was invalid. (I copied and pasted the key from the program GUI).

But that's okay, I will eventually get to the bottom of this.

There is nothing to upload to Jotti or VirusTotal as the driver file does not appear in my directory.

It all could simply be an avast! false positive, too!

Thanks again and wish me luck.

:)

#6 PiCo

PiCo

    Newbie

  • Posters
  • 34 Сообщений:

Отправлено 12 Апрель 2008 - 20:28

Good Luck !!

#7 Eugeny Gladkih

Eugeny Gladkih

    the Spirit of the Enlightenment

  • Dr.Web Staff
  • 5 297 Сообщений:

Отправлено 12 Апрель 2008 - 22:29

that's a part of Comodo Personal Firewall

#8 mynorgeek

mynorgeek

    Newbie

  • Members
  • 3 Сообщений:

Отправлено 13 Апрель 2008 - 02:17

I have learned some more about mchinjDrv.sys, and I feel better about it not being a rootkit.

mchinjDrv.sys was also used in the old Cyberhawk (and possibly now in ThreatFire) and in some a-squared programs. I think it is or was also used in PestPatrol. Same for webroot's SpySweeper. TrojanHunter has used this driver as well.

It is a legitimate driver, (though sometimes used for malicious purposes) from the Madshi libraries --> http://madshi.net/ .

mchinjDrv.sys stands for Mad Code Hook Injection Driver.

Several years ago, Gavin (now with TrojanHunter, previously with DiamondCS), said the reason it can't be located is because, "it is dropped by the EXE, then loaded into memory. It could likely then be deleted, the system only needs the memory image of the file".

Maybe some people will be interested in this post from the author of madCodeHook --> http://www.wilderssecurity.com/showpost.ph...34&postcount=58

Just wanted to post back with the info I found.


Читают тему: 0

0 пользователей, 0 гостей, 0 скрытых