
mchlnjDrv.sys


7 replies in this topic

#1 mynorgeek

mynorgeek

    Newbie

  • Members
  • 3 Posts:

Posted 12 April 2008 - 18:09

Please tell me if Dr.Web® Scanner for Windows v4.44.5 uses a driver with the filename mchlnjDrv.sys?

After running the scanner in safe mode, upon reboot avast! AV found mchlnjDrv.sys and said it was a rootkit.

avast! was unable to remove mchlnjDrv.sys (or even find it) when a subsequent scan was done on reboot.

I think that it was possibly alerting on a temp driver file used by Dr.Web® Scanner for Windows v4.44.5.

Does the Dr.Web scanner use that driver? Thank you!

#2 SergM

SergM

    Guru

  • Moderators
  • 9 387 Posts:

Posted 12 April 2008 - 18:34

Please check the suspicious file on http://www.virustotal.com/en/indexf.html or http://virusscan.jotti.org
The name of the SpIDer Guard File System Monitor driver is spider.sys.
The name of the temporary driver of the DrWeb scanner is not known to me.

#3 Borka

Borka

    Banned for flooding

  • Members
  • 19 512 Posts:

Posted 12 April 2008 - 19:10

The name of the temporary driver of the DrWeb scanner is not known to me.

The scanner creates a Shield driver with a random name. It seems to me that "mchlnjDrv.sys" is not the Shield's name.

#4 Caracal

Caracal

    Newbie

  • Posters
  • 14 Posts:

Posted 12 April 2008 - 19:29

Hi mynorgeek,

you have to check anyway with all possible sources... but if you have Comodo Firewall, read this:
http://www.wilderssecurity.com/archive/ind...p/t-150519.html

If the latter, you should be OK :-)

My regards

#5 mynorgeek

mynorgeek

    Newbie

  • Members
  • 3 Posts:

Posted 12 April 2008 - 20:17

Thank you all for your helpful responses.

I do run Comodo BOClean, but not the FW. I wonder if that could be the reason that this driver caught the attention of avast!

I wish I knew if Dr.Web® Scanner for Windows v4.44.5 uses a driver with the filename mchlnjDrv.sys, but now I think it may be named RARSFXO.

I tried submitting my question to Dr.Web support but the submission form said the license key was invalid. (I copied and pasted the key from the program GUI).

But that's okay, I will eventually get to the bottom of this.

There is nothing to upload to Jotti or VirusTotal as the driver file does not appear in my directory.

It all could simply be an avast! false positive, too!

Thanks again and wish me luck.

:)

#6 PiCo

PiCo

    Newbie

  • Posters
  • 34 Posts:

Posted 12 April 2008 - 20:28

Good Luck !!

#7 Eugeny Gladkih

Eugeny Gladkih

    the Spirit of the Enlightenment

  • Dr.Web Staff
  • 5 295 Posts:

Posted 12 April 2008 - 22:29

That's a part of Comodo Personal Firewall.

#8 mynorgeek

mynorgeek

    Newbie

  • Members
  • 3 Posts:

Posted 13 April 2008 - 02:17

I have learned some more about mchinjDrv.sys, and I feel better about it not being a rootkit.

mchinjDrv.sys was also used in the old Cyberhawk (and possibly now in ThreatFire) and in some a-squared programs. I think it is or was also used in PestPatrol. Same for webroot's SpySweeper. TrojanHunter has used this driver as well.

It is a legitimate driver (though sometimes used for malicious purposes) from the Madshi libraries --> http://madshi.net/ .

mchinjDrv.sys stands for Mad Code Hook Injection Driver.

Several years ago, Gavin (now with TrojanHunter, previously with DiamondCS), said the reason it can't be located is because, "it is dropped by the EXE, then loaded into memory. It could likely then be deleted, the system only needs the memory image of the file".

Maybe some people will be interested in this post from the author of madCodeHook --> http://www.wilderssecurity.com/showpost.ph...34&postcount=58

Just wanted to post back with the info I found.
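A defender's check that matches the pattern quoted above (a driver dropped by an EXE, loaded, and then deleted, so the scanner finds nothing on disk). This is an added example, not code from the thread or from madshi.net: it lists every loaded kernel driver, flags those whose backing file is gone from disk, and shows the Authenticode signer of the ones still present so the signer can be compared with the expected vendor. It assumes an elevated PowerShell session on Windows.

```powershell
function Get-RunningDriverStatus {
    # Enumerate kernel drivers that are currently loaded and report whether the
    # file they were loaded from still exists and, if so, who signed it.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName may be an NT-style path; map the common prefixes to a Win32 path
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            $path = $path -replace '^System32\\', "$env:SystemRoot\System32\"

            $onDisk = Test-Path -LiteralPath $path
            $signer = $null
            if ($onDisk) {
                # A valid signature tells you who shipped the file; an invalid or
                # missing one is not proof of malice but is worth a closer look.
                $sig = Get-AuthenticodeSignature -FilePath $path
                if ($sig.Status -eq 'Valid') {
                    $signer = $sig.SignerCertificate.Subject
                } else {
                    $signer = "UNSIGNED/INVALID ($($sig.Status))"
                }
            }

            [pscustomobject]@{
                Name        = $_.Name
                DisplayName = $_.DisplayName
                Path        = $path
                OnDisk      = $onDisk   # $false = driver runs from its memory image only
                Signer      = $signer
            }
        }
}

# Drivers that are loaded but whose file has been removed from disk: this is the
# case the scanner could not resolve, so review each entry's Name/DisplayName
# against the products installed on the machine.
Get-RunningDriverStatus | Where-Object { -not $_.OnDisk } | Format-Table -AutoSize

# Everything else, with its signer, for comparison against the vendor you expect.
Get-RunningDriverStatus | Where-Object { $_.OnDisk } |
    Sort-Object Signer | Format-Table Name, Signer, Path -AutoSize
```

A driver with no file on disk is only suspicious in context: compare its service name with the products on the machine and with the vendor's documentation before treating it as a rootkit.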
