
Thread: HKLM\System\Controlset001(CurrentControlSet)\Services\mchInjDrv


comrade89
May 16th, 2006, 09:38 AM
Hello,
every time I clean my registry with RegSeeker, I find these two entries, which I always delete, but they appear again and again:
HKLM\System\ControlSet001\Services\mchInjDrv and
HKLM\System\CurrentControlSet\Services\mchInjDrv.
With both entries there comes this comment from RegSeeker:
File or Path does not exist - Image Path: \??\C:\Windows\TEMP\mc22.tmp.
The number of the TEMP file is always changing; sometimes it is mc21.tmp or something else. I clean my system of TEMP files and cache entries with CCleaner every time. Is this the reason for the changing number of the TEMP file? What is mchInjDrv? Somewhere I have read it could be a trojan, or that some programs like SpySweeper (which I used), a² (which I still have) and other similar programs use it. I ran several programs to check my PC (AntiVir, Spybot S&D, a², Ad-Aware SE, Pest Patrol, Ewido, Escan, HijackThis, Spyware Doctor, DrWebCureIt and several online scanners, also tools to find rootkits). Nothing was found and I also have no problems.
Thank you very much for an answer.

Bubba
May 16th, 2006, 10:04 AM
Quote (comrade89): "every time I clean my registry with RegSeeker, I will find these two entries, which I always delete"

I would be very cautious in the future when using programs such as RegSeeker ;)

A number of security applications such as Online Armor, Spyware Doctor, TrojanHunter, SpySweeper, a², etc. all add this registry entry. The "mch" in "mchInjDrv" refers to madCodeHook, which is a legitimate driver internally used by madCodeHook to inject DLLs into other processes.

A not-so-recent Wilders thread, but still a very valid one concerning this matter, with a comment by the author of madCodeHook:

Re: MchInjDrv (http://www.wilderssecurity.com/showthread.php?p=448334#post448334)
Quote (madCodeHook author, from the thread above): "mchInjDrv is a driver which is internally used by madCodeHook to inject dlls into other processes. This is part of the whole API hooking technology. Now the injection driver in itself is quite innocent. It does nothing but inject a specified dll. It doesn't really know what purpose the dll has.

Unfortunately some programmers misused madCodeHook to write rootkits (I really hate that). I've contacted them and asked them to stop doing that. They promised to stop using madCodeHook for rootkits etc, hopefully they'll really do."
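The entry RegSeeker complains about has a recognisable shape: a kernel-driver service whose ImagePath points under C:\Windows\TEMP at a file that is gone once the product that dropped it has unloaded it. Rather than deleting such entries blindly, a practitioner would enumerate every service whose image is missing or lives in a temp directory and look at its type, start mode and (if the file is present) its Authenticode signature before deciding whether it belongs to an installed security product or to something unwanted. The following script is an added example, not code from this thread or from madCodeHook; it assumes an elevated PowerShell 5.1+ session on the live system, and the function names are the example's own.

```powershell
# Added example (not from the thread): triage service/driver entries under
# HKLM\SYSTEM\CurrentControlSet\Services whose ImagePath is missing on disk or
# points into a TEMP directory. Assumes an elevated PowerShell 5.1+ session.

function Resolve-ServiceImagePath {
    # Turn the raw ImagePath value into an absolute, quote-free file path.
    param([Parameter(Mandatory)][string]$ImagePath)
    $p = $ImagePath.Trim()
    # Driver entries use the NT object-manager prefix, e.g. \??\C:\Windows\TEMP\mc22.tmp
    $p = $p -replace '^\\\?\?\\', ''
    # \SystemRoot\system32\drivers\foo.sys -> C:\Windows\system32\drivers\foo.sys
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if ($p.StartsWith('"')) {
        # "C:\Program Files\x\svc.exe" -arg : keep only the quoted executable
        $p = $p.Substring(1, $p.IndexOf('"', 1) - 1)
    } elseif ($p -match '^(.*?\.(exe|sys|dll|tmp))(\s.*)?$') {
        # Unquoted path, possibly followed by arguments (svchost.exe -k netsvcs)
        $p = $Matches[1]
    }
    # Paths without a drive letter or UNC prefix are relative to the Windows directory
    if ($p -notmatch '^[A-Za-z]:\\' -and $p -notmatch '^\\\\') {
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-SuspiciousServiceImage {
    # A driver image under a temp directory is worth a closer look even when benign.
    $tempRoots = @($env:TEMP, $env:TMP, "$env:SystemRoot\Temp") |
        Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') } | Sort-Object -Unique

    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if (-not $props.ImagePath) { return }   # skip entries with no image (e.g. groups)
        $resolved = Resolve-ServiceImagePath $props.ImagePath
        $exists   = Test-Path -LiteralPath $resolved -PathType Leaf
        $inTemp   = $false
        foreach ($root in $tempRoots) {
            if ($resolved -like "$root\*") { $inTemp = $true }
        }
        if (-not $exists -or $inTemp) {
            # Signature status is only meaningful while the file is on disk
            $sig = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $resolved).Status } else { 'n/a' }
            [PSCustomObject]@{
                Service   = $_.PSChildName
                Type      = $props.Type    # 1 = kernel driver, 2 = FS driver, 16/32 = Win32 service
                Start     = $props.Start   # 0 boot, 1 system, 2 auto, 3 demand (manual), 4 disabled
                ImagePath = $props.ImagePath
                Resolved  = $resolved
                Exists    = $exists
                InTemp    = $inTemp
                Signature = $sig
            }
        }
    }
}

Get-SuspiciousServiceImage | Format-Table -AutoSize
```

An mchInjDrv entry as described in this thread shows up as Type 1, Start 3, Resolved under C:\Windows\TEMP and Exists False, which by itself only says that a demand-start driver was dropped to a temp file and later removed. The decision is then whether an installed product that is known to ship madCodeHook accounts for it; if no such product is present, the entry deserves the same scrutiny as any other unknown kernel driver.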

Rico
May 17th, 2006, 10:30 AM
Hi Bubba,

I, like Comrade89, also use "Regseeker" & have apps (Trojan Hunter, Spysweeper) that use "mchinjdrv". Are you saying it would be wise to set "Regseeker" to ignore mchinjdrv? Would it be correct thinking that when an application (Trojan Hunter, Spysweeper) starts, it/they replace the missing "mchinjdrv.dll" file, & then when these programs close & "Regseeker" is run, it cannot find a path for "mchinjdrv.dll", hence it flags mchinjdrv.dll for potential deletion? Also I have PG ver 3.2 with all "global protection options" ticked; should I get a warning from PG when an app wants to replace "mchinjdrv.dll"?

Thanks & Take Care
rico