MchInjDrv
Rainwalker
September 6th, 2004, 06:59 PM
Anyone else have this showing up lately ..... MchInjDrv ???
Any thoughts
Gavin - DiamondCS
September 6th, 2004, 11:54 PM
Hi,
This is used by those programs with injection based on MadCodeHook - usermode injection and hooking technologies. You should ALLOW this if you trust the program doing it - to prevent any incompatibilities.
If this happened with an unknown program or possible trojan, you can send the file to submit(at)diamondcs.com.au for analysis
Rainwalker
September 7th, 2004, 12:04 AM
Thanks Gavin....There are two 'trusted' programs that want to use it. One is Spy Sweeper. It has been trying for the past two days and I have been using SS a lot longer than that with no sign of that driver and have not received any updates for a while. Same with the other program....only these past two days....seems a bit strange.
Pilli
September 7th, 2004, 04:37 AM
Hi RainWalker, It may be to do with your SS settings. Have you changed some setting in SS that might initiate another process? If so PG is probably catching that.
I give SS all allows. ;)
Pilli
Rainwalker
September 7th, 2004, 11:42 AM
Hey Pilli :) ....changed nutt'n ....Have YOU seen that driver request prior to allowing?
Pilli
September 7th, 2004, 12:04 PM
Yep, I'm sure I saw it the first time I fired SS up after install but I cannot find it now using windows explorer :(
Don Pelotas
September 7th, 2004, 12:23 PM
Pilli is right, I noticed it right after installing 3.0. :)
Rainwalker
September 7th, 2004, 10:10 PM
-{ Quote: "Yep, I'm sure I saw it the first time I fired SS up after install but I cannot find it now using windows explorer :(" }-
Ok....hate to keep beating that proverbial horse but isn't it a bit odd you can't locate it
:-\
Rainwalker
September 7th, 2004, 10:14 PM
Oops sorry Don.....meant to thank you for your comment :)
Rainwalker
September 7th, 2004, 10:22 PM
BTW..I wrote Web...root yesterday and so far have heard nada.
Gavin - DiamondCS
September 7th, 2004, 11:36 PM
You can't locate it because it is "dropped" by the EXE, then loaded into memory. It could likely then be deleted, the system only needs the memory image of the file
Bowserman
September 8th, 2004, 03:02 AM
Yep, tested earlier. spysweeper.exe attempted to "drop" mchInjDrv after install and upon SS being run for the first time (at least for me)....I logged it :). I imagine it would be used for the Shields, judging by what Gavin said.
Wed 08 - 12:34:56 [DRIVER/SERVICE] c:\program files\webroot\spy sweeper\spysweeper.exe [652] Tried to install a driver/service named mchInjDrv
Wed 08 - 12:34:56 [DRIVER/SERVICE] c:\program files\webroot\spy sweeper\spysweeper.exe [652] Tried to install a driver/service named mchInjDrv
Regards,
Jade.
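The alert lines Jade posted above are the footprint Process Guard leaves when a process tries to register the madCodeHook injection driver. As an added example (not code from the thread, from DiamondCS or from Webroot), here is a small parser for that line format that drops the duplicate line the log shows, groups install attempts by driver name, and flags any installer whose executable is not on a caller-supplied trusted list. The a2guard.exe and unknown.exe lines in the sample are constructed; the regular expression assumes the exact format of the two posted lines.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample in the Process Guard alert-log format shown in the thread.
# The two spysweeper.exe lines are the ones posted (including the duplicate);
# the a2guard.exe and unknown.exe lines are constructed for illustration.
SAMPLE_LOG = r"""
Wed 08 - 12:34:56 [DRIVER/SERVICE] c:\program files\webroot\spy sweeper\spysweeper.exe [652] Tried to install a driver/service named mchInjDrv
Wed 08 - 12:34:56 [DRIVER/SERVICE] c:\program files\webroot\spy sweeper\spysweeper.exe [652] Tried to install a driver/service named mchInjDrv
Wed 08 - 12:40:01 [DRIVER/SERVICE] c:\program files\a2\a2guard.exe [1180] Tried to install a driver/service named mchInjDrv
Wed 08 - 12:41:13 [DRIVER/SERVICE] c:\temp\unknown.exe [2044] Tried to install a driver/service named SomeOtherDrv
"""

# Driver name the thread identifies as the madCodeHook injection driver.
KNOWN_INJECTION_DRIVERS = {"mchinjdrv"}

# Assumed line layout: "<day> <num> - <hh:mm:ss> [<category>] <image> [<pid>] Tried to install ..."
LINE_RE = re.compile(
    r"^(?P<when>\S+ \d+ - \d{2}:\d{2}:\d{2}) "
    r"\[(?P<category>[^\]]+)\] "
    r"(?P<image>.+?) \[(?P<pid>\d+)\] "
    r"Tried to install a driver/service named (?P<driver>\S+)$"
)


def parse_alerts(text):
    """Parse driver/service install alerts. Exact duplicate lines are dropped,
    and lines in other formats (Modify/Terminate alerts, whose layout the
    thread does not show) are skipped rather than guessed at."""
    seen = set()
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in seen:
            continue
        seen.add(line)
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["pid"] = int(ev["pid"])
            events.append(ev)
    return events


def summarize(events, trusted_images=frozenset()):
    """Group install attempts by driver name and list installers whose
    executable file name is not on the trusted list."""
    by_driver = defaultdict(list)
    for ev in events:
        by_driver[ev["driver"].lower()].append(ev)
    trusted = {t.lower() for t in trusted_images}
    report = {}
    for drv, evs in sorted(by_driver.items()):
        installers = sorted({(e["image"].lower(), e["pid"]) for e in evs})
        # ntpath, not os.path, so Windows paths split correctly on any host.
        untrusted = [img for img, _ in installers
                     if ntpath.basename(img) not in trusted]
        report[drv] = {
            "known_injection_driver": drv in KNOWN_INJECTION_DRIVERS,
            "installers": installers,
            "untrusted": untrusted,
        }
    return report


if __name__ == "__main__":
    rep = summarize(parse_alerts(SAMPLE_LOG),
                    trusted_images={"spysweeper.exe", "a2guard.exe"})
    for drv, info in rep.items():
        tag = "madCodeHook injection driver" if info["known_injection_driver"] else "other driver"
        print(f"{drv}: {tag}; installers={info['installers']}; untrusted={info['untrusted']}")
```

The trusted list is deliberately the caller's decision: as Gavin says earlier in the thread, the driver name alone tells you only that madCodeHook is in use, and whether to allow it depends on whether you trust the process that is loading it.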
Rainwalker
September 11th, 2004, 07:52 AM
I just received this from Webroot:
Solution: We apologize for the trouble that you've had. Spy Sweeper does not have the ability to add drivers to your system, it is not necessary for use, however we will still look into the name of this file, and hopefully we can determine its source. Should we find any more information, we'll let you know.
quaduong
September 11th, 2004, 11:56 AM
-{ Quote: "I just received this from Webroot:
Solution: We apologize for the trouble that you've had. Spy Sweeper does not have the ability to add drivers to your system, it is not necessary for use, however we will still look into the name of this file, and hopefully we can determine its source. Should we find any more information, we'll let you know." }-
Thankx for the info from webroot.
In my view, it is kind of weird, since they made the software but do not know the details/components of the software they made?
- Is it that they have used some existing source code from others?
- Is SpySweeper 3.x infected already? It is kind of silly to say this, but anyway.
Looking forward to experts clarifying it.
Pilli
September 11th, 2004, 12:04 PM
Hi quaduong, I doubt the person responding had any idea about RainWalker's question and has passed it on to a tech for a proper and more authoritative response.
I definitely saw what Bowserman shows in his screenshot.
Rainwalker
September 11th, 2004, 12:50 PM
I will follow this up
Pilli
September 11th, 2004, 01:07 PM
Thanks Rainwalker, Don't you just love these little mysteries ;D
Cheers Pilli
Rainwalker
September 11th, 2004, 01:17 PM
-{ Quote: "Thanks Rainwalker, Don't you just love these little mysteries ;D
Cheers Pilli" }-
Yes indeedy, and I always prefer to err on the side of paranoia ;D
Rainwalker
September 14th, 2004, 10:06 PM
Just to say I have heard nothing back from Webroot as of today ???
Pilli
September 15th, 2004, 03:12 AM
Thanks for keeping us updated RainWalker :)
Gavin - DiamondCS
September 15th, 2004, 04:50 AM
It might be that they have used the "Madshi" libraries and not noticed what it is actually capable of. Well.. it seems like the only explanation to me
Rainwalker
September 15th, 2004, 12:41 PM
-{ Quote: "It might be that they have used the "Madshi" libraries and not noticed what it is actually capable of. Well.. it seems like the only explanation to me" }-
I understand this is 'Madshi' stuff but nonetheless .............waiting to hear...I'll try them again sometime soon...they ought to know what they are selling better than they appear to, before they put it on the market.
Rainwalker
September 17th, 2004, 11:31 PM
UPDATE:
Wrote them 2 days ago (9-15-04).....still nothing......waiting :P
worldcitizen
September 21st, 2004, 01:49 AM
I got the same so should I give Spy Sweeper all allows or what?
Dave
Pilli
September 21st, 2004, 02:29 AM
I have found that SpySweeper needs the install driver / service allow.
Watch the alerts to ensure the necessary allows.
HTH Pilli
Rainwalker
September 21st, 2004, 12:36 PM
-{ Quote: "I have found that SpySweeper needs the install driver / service allow.
Watch the alerts to ensure the necessary allows.
HTH Pilli" }-
Hi Pilli.....so you found that it needs that driver for sure......did you test and all that ....... still have not heard a word from them and I think that stinks ( hoping 'stinks' is ok with everyone ::) ).... :)
Pilli
September 21st, 2004, 12:43 PM
Hi Rainwalker, I shall uninstall SpySweeper and reinstall under Process Guard 3 to see if I can reproduce what I saw earlier but it will not be until tomorrow.
Shame about their support, I can imagine the stuff you think they smell of ;)
Please report back if they condescend to convey anything useful to you.
Cheers. Pilli
Don Pelotas
September 21st, 2004, 01:21 PM
Hi Rainwalker and Pilli
I installed PG 3 yesterday and Spy Sweeper wants to install MchInjDrv just as in PG 2, I have allowed this, however Spy Sweeper also wants "allow terminating" on C:\windows\system32\smss.exe, should I allow this or not ???
Stinks is ok with me, because you're so right about webroot's support, I like some of their products though (Spy Sweeper and Window Washer), hopefully they will start improving in this area. :)
Regards
Bowserman
September 21st, 2004, 01:27 PM
-{ Quote: "Hi Pilli.....so you found that it needs that driver for sure......did you test and all that ....... still have not heard a word from them and I think that stinks ( hoping 'stinks' is ok with everyone ::) ).... :)" }-
Hi again Rainwalker :).
Just tested again under Process Guard 3 and yes, it would seem that it needs the driver. It also tries to Modify any process that is running at the time. Please see screenshot of Alert Log.
It only tried to install the mchInjDrv after being installed and run for the first time...haven't seen it again after that. Also, after the initial attempt at Modify on any running processes, if any new processes are then run thereafter it will try to Modify them also.
Hope that helps,
Jade.
Rainwalker
September 21st, 2004, 11:25 PM
-{ Quote: "Hi Rainwalker, I shall uninstall SpySweeper and reinstall under Process Guard 3 to see if I can reproduce what I saw earlier but it will not be until tomorrow.
Shame about their support, I can imagine the stuff you think they smell of ;)
Please report back if they condescend to convey anything useful to you.
Cheers. Pilli" }-
Hi Pilli......just got home a bit ago and turned on the puter....yours was the first post I read....after another day in the pits I sure needed the laugh you gave me...thanks
;D
You KNOW i'll report anything i hear from Webwhatever.
@ Don....... thanks for getting back.... sorry I can't recommend anything .....I ain't using it till I learn more for-sure stuff :-\
@ Jade.......Hmmmmmmmmmmm
Gavin - DiamondCS
September 22nd, 2004, 12:02 AM
This is part of usermode hooking, it will need the injection driver to put a DLL inside all processes..
Jason_DiamondCS
September 22nd, 2004, 01:48 AM
If you look in the registry (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Service\mchInjDrv) would you be able to post all the contents of that reg folder.
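The key Jason is asking about lives under HKLM\SYSTEM\CurrentControlSet\Services (plural) with one subkey per driver or service. As an added example (not from the thread, DiamondCS or madshi), here is a small Python routine that reads that subkey's Type, Start and ImagePath values and classifies what it finds, which is the check behind the earlier puzzle that the driver could be seen loading but not found with Explorer: a kernel-driver key whose ImagePath points at a file that no longer exists is exactly what a dropped, loaded and deleted driver looks like. The registry read uses the standard-library winreg module and only works on Windows; the assessment logic takes the values as a plain dict so it can be exercised anywhere. The ImagePath in the off-box fallback is a constructed example, not the real location madCodeHook uses.

```python
import ntpath
import os

# Meaning of the Type and Start values in a service key under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>.
SERVICE_TYPES = {0x1: "kernel driver", 0x2: "file system driver",
                 0x10: "own process", 0x20: "shared process"}
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}


def normalize_image_path(image_path, system_root=r"C:\Windows"):
    """Convert the ImagePath spellings used by driver keys (\\??\\ prefix,
    \\SystemRoot\\ prefix, bare system32\\ relative path) to a Win32 path."""
    p = image_path.strip().strip('"')
    low = p.lower()
    if low.startswith("\\??\\"):
        p = p[4:]
    elif low.startswith("\\systemroot\\"):
        p = ntpath.join(system_root, p[len("\\systemroot\\"):])
    elif low.startswith("system32\\"):
        p = ntpath.join(system_root, p)
    return p


def assess_service(name, values, file_exists=os.path.exists):
    """Classify one service key from its registry values. `values` maps value
    name -> data as read_service_values() returns it; file_exists is
    injectable so the logic can be tested without the real file system."""
    image = normalize_image_path(values["ImagePath"]) if values.get("ImagePath") else None
    low = image.lower() if image else ""
    in_temp = bool(image) and ("\\temp\\" in low or "\\tmp\\" in low or low.endswith(".tmp"))
    on_disk = bool(image) and file_exists(image)
    result = {
        "name": name,
        "known_injection_driver": name.lower() == "mchinjdrv",  # name from the thread
        "kernel_driver": values.get("Type") == 0x1,
        "type": SERVICE_TYPES.get(values.get("Type"), "unknown"),
        "start": START_TYPES.get(values.get("Start"), "unknown"),
        "image_path": image,
        "image_in_temp": in_temp,
        "image_on_disk": on_disk,
    }
    if result["kernel_driver"] and not on_disk:
        result["verdict"] = "kernel driver key whose binary is gone: consistent with a dropped-and-deleted driver"
    elif result["kernel_driver"] and in_temp:
        result["verdict"] = "kernel driver loaded from a temp location and still present on disk"
    elif result["kernel_driver"]:
        result["verdict"] = "persistent kernel driver"
    else:
        result["verdict"] = "not a kernel driver"
    return result


def read_service_values(name):
    """Read the key live. Windows only: winreg is not available elsewhere."""
    import winreg
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Services" + "\\" + name) as key:
        for value_name in ("Type", "Start", "ImagePath", "DisplayName"):
            try:
                out[value_name] = winreg.QueryValueEx(key, value_name)[0]
            except FileNotFoundError:
                pass  # value not present on this key
    return out


if __name__ == "__main__":
    try:
        values = read_service_values("mchInjDrv")
    except (ImportError, OSError):
        # Off-box or key absent: constructed values (the ImagePath is made up).
        values = {"Type": 0x1, "Start": 3, "ImagePath": r"\??\C:\Temp\mc21.tmp"}
    print(assess_service("mchInjDrv", values))
```

When the key is present but the file behind ImagePath is not, the interesting question is which process created the key, which is what the Process Guard alert log answers and the registry alone does not.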
Oremina
September 22nd, 2004, 03:52 AM
Just for info, the same thing also happens on a².
On installing PG3 it informed me that a²guard.exe was trying to install a driver/service, mchInjDrv. I allowed it and am reasonably happy about it, having followed this thread.
It also wanted the right to terminate smss.exe. If I remove the termination right it just asks again. As I accept that a² is one of my trusted apps (or it wouldn't be on my PC) I'll leave it at that. It has obviously been like that since I installed a² and no harm has been done.
Rainwalker
September 22nd, 2004, 12:28 PM
Can anyone speak to why this driver is suddenly showing up ......it is also now used with Trojan Hunter in their latest version.
Pilli
September 22nd, 2004, 12:43 PM
RainWalker, my guess is that as the Madshi stuff is already made, it saves developers work, and it may be a case that the developers do not necessarily have the skills to create kernel level drivers or hooks for themselves - which I find kinda worrying, though I do like SpySweeper.
HTH Pilli
Bowserman
September 22nd, 2004, 01:09 PM
-{ Quote: "Can anyone speak to why this driver is suddenly showing up ......it is also now used with Trojan Hunter in their latest version." }-
MchInjDrv = Mad code hook injection driver.
It is the temporary driver used (disappears shortly after) in this case by spysweeper.exe to inject a .dll into all running processes therefore creating a case of usermode hooking. It is most probably used for SpySweepers various shields (protection of running processes etc?).
As Gavin said earlier in the thread, if you trust the software that is using it....Allow it ;)
Hope my explanation makes sense :),
Jade.
Marja
September 22nd, 2004, 03:41 PM
Hi!
I don't know a whole lot about PG yet, but, my isp was downloading SS with their program. It wanted access to everything all the time, it drove me and McAfee (the security suite) mad, trying to change everything. (By then I wished the isp would just stick to connecting and e-mail.)
It was also a pain to get off my computer, little files attached to it would pop up in strange places??
I had some other problems, so just put in a new hard drive and started over without letting it get its "hooks" in my computer again.
Hope you all get this mystery solved?!? It always seemed overly aggressive to the "home" it was in, instead of looking out the door, so to speak!
Marja8)
Rainwalker
September 22nd, 2004, 10:10 PM
-{ Quote: "MchInjDrv = Mad code hook injection driver.
It is the temporary driver used (disappears shortly after) in this case by spysweeper.exe to inject a .dll into all running processes therefore creating a case of usermode hooking. It is most probably used for SpySweepers various shields (protection of running processes etc?).
As Gavin said earlier in the thread, if you trust the software that is using it....Allow it ;)
Hope my explanation makes sense :),
Jade." }-
Yes Jade, but am I wrong in wondering about a serious back door potential :-\
Gavin - DiamondCS
September 22nd, 2004, 11:17 PM
It's unlikely but not impossible. Rather doubtful is where I would put it, but you have to trust the writer of the library (Madshi) these programs are using. He does sell the libraries for use in programs, so he would have a lot to lose if caught putting backdoors in the code.
Using products which use this library implies this trust. There really isn't much you can do, unless you expect those programmers to go through EVERY line of code in the library, understand it, and be sure there's no backdoor. That's not going to happen - if they could do that, they would write their own drivers in C instead..
Wayne - DiamondCS
September 22nd, 2004, 11:41 PM
-{ Quote: "That's not going to happen - if they could do that, they would write their own drivers in C instead.." }-
Yes, it does beg the question - why DON'T they develop their own job-specific drivers? Let's not beat around the bush, we are after all talking about security here. So why use 3rd-party 'generic' drivers which they have absolutely no control over? If for example a bug or exploit was ever found (very possible due to the complexity of driver code) they'd be in a lot of trouble and have no capability to fix the problem - a serious problem when we're talking security, so clearly it's convenience and not security that's the main priority of programmers who make use of libraries like this, which is disappointing considering many programmers are using it to create security-related software.
Bowserman
September 23rd, 2004, 12:15 AM
Thanks Wayne and Gavin :). Certainly is food for thought regarding the trust factor involved in situations such as this.
Best regards,
Jade.
cjtc
September 23rd, 2004, 12:19 AM
-{ Quote: "It does beg the question - why DON'T they develop their own job-specific drivers? After all, they're supposed to be professionals, right? So why use 3rd-party 'generic' drivers which they have absolutely no control over?" }-
Simple. Time to market + headcount.
I, too, work in the Software industry and, over the course of the last 3 years, my company has, for industry-wide financial reasons, reduced its overall head-count by 40%, R&D included. By doing this, the company has survived, but lots haven't.
However, the required time to market for new products has, if anything, shortened and the rate of new product requirements has increased. As a result, there is a staggering amount of pressure to use third-party code/libraries where they are available (so long as they're stable and reliable). Our company is not going to make money (and that's what it's all about) by reinventing the wheel, but by producing products that nobody else has.
Not ideal, I readily admit, but it is a fact of life in the real world.
Wayne - DiamondCS
September 23rd, 2004, 12:22 AM
Jade,
Yeap. Trusting a program is only one part of the program's security, its developers should be trustworthy too. Like I said, we're talking security here after all. :)
Wayne - DiamondCS
September 23rd, 2004, 12:25 AM
cjtc,
3rd-party components are great and we use them ourselves for the reasons you mentioned - but only when security isn't an issue. :)
Because the driver for Process Guard is security-related it's paramount for you as a customer and us as the developer that we have 100% control over the source code, including the R&D behind it. Anything less would be unacceptable for the customer due to possible compromises in security and inability for a fix to be produced.
Regards,
Wayne
cjtc
September 23rd, 2004, 12:35 AM
Agreed, 100%
If your business is security (ours isn't), then yes, you have to be secure at all levels in the software stack.
BTW, great work in PG3. Working like a charm here. A few problems, but a great Beta (so far ;) )
Rainwalker
September 23rd, 2004, 12:35 PM
Thanks all for your input.
@ Wayne.....you have hit the nail on the head........all that you said is what has been bothering me all along......wanted to wait for someone else to go there ;)
At the end of the day in many ways it's like a dart game :(
Rainwalker
September 25th, 2004, 01:49 PM
UPDATE:
Well, for what it's worth, here it is:
'I apologize for the confusion. We are using a driver as part of the Windows Installation Shield. If you were to turn off the shield, the driver should stop running.'
I feel sooo much better now
::)
Pilli
September 25th, 2004, 02:01 PM
Glad you eventually got an answer Rainwalker.
You can sleep nights now :D
Cheers. Pilli
Rainwalker
September 25th, 2004, 02:05 PM
;D Righto
Jason_DiamondCS
September 26th, 2004, 11:58 PM
-{ Quote: "UPDATE:
Well, for what it's worth, here it is:
'I apologize for the confusion. We are using a driver as part of the Windows Installation Shield. If you were to turn off the shield, the driver should stop running.'
I feel sooo much better now
::)" }-
That kind of makes me laugh. "Woah we just checked and lo and behold there is a driver, thanks for telling us Rainwalker" . :D
Rainwalker
September 27th, 2004, 12:35 PM
-{ Quote: "That kind of makes me laugh. "Woah we just checked and lo and behold there is a driver, thanks for telling us Rainwalker" . :D" }-
You are very welcome
ronny
November 19th, 2004, 10:33 PM
Thank you all for this useful (and humorous :) ) thread. I had the same thing and was a bit scared and undecided what to do. Luckily there is ...Wildersforum! ;D
DonKid
November 29th, 2004, 10:12 PM
-{ Quote: "Hi,
This is used by those programs with injection based on MadCodeHook - usermode injection and hooking technologies. You should ALLOW this if you trust the program doing it - to prevent any incompatibilies
If this happened with an unknown program or possible trojan, you can send the file to submit(at)diamondcs.com.au for analysis" }-
Hi Folks,
I got the same message, but the program that tried to install it was the Process Guard itself, but it has blocked itself.
I looked at the log and didn't find anything but Trojan Hunter trying to install it.
Is that correct ?
Best Regards,
DonKid.
Pilli
November 30th, 2004, 04:01 AM
-{ Quote: "I got the same message, but the program that tried to install it was the Process Guard itself, but it has blocked itself.
I looked at the log and didn't find anything but Trojan Hunter trying to install it." }-
Hi DonKid, ProcessGuard does not use those libraries but I believe that TH might and this is what you are seeing. DCS only use their own code for low level drivers.
HTH Pilli
DonKid
November 30th, 2004, 08:46 AM
-{ Quote: "Hi DonKid, ProcessGuard does not use those libraries but I believe that TH might and this is what you are seeing. DCS only use their own code for low level drivers.
HTH Pilli" }-
Thanks Pilli
Gave another look at the log, and I found it.
Best Regards,
DonKid.
Rainwalker
November 30th, 2004, 12:46 PM
-{ Quote: "Hi DonKid, ProcessGuard does not use those libraries but I believe that TH might and this is what you are seeing. DCS only use their own code for low level drivers.
HTH Pilli" }-
TH does indeed use it..........not that it is a bad thing.....
DonKid
November 30th, 2004, 12:50 PM
-{ Quote: "TH does indeed use it..........not that it is a bad thing....." }-
Thanks for your help.
Best Regards,
DonKid.
madshi
May 3rd, 2005, 10:03 AM
Just found this thread via google. I'm the author of madCodeHook and would like to add a comment:
As was already explained by the mods here (thank you!), mchInjDrv is a driver which is internally used by madCodeHook to inject dlls into other processes. This is part of the whole API hooking technology. Now the injection driver in itself is quite innocent. It does nothing but inject a specified dll. It doesn't really know what purpose the dll has.
Unfortunately some programmers misused madCodeHook to write rootkits (I really hate that). I've contacted them and asked them to stop doing that. They promised to stop using madCodeHook for rootkits etc, hopefully they'll really do.
On the positive side, a lot of good software "antiSomethingBad" is using madCodeHook for good purpose, and I'm quite happy about that.
When you see "mchInjDrv" on your PC, you can only check whether the process which wants to use that is a process which you trust or not. The injection driver itself is not bad, but the dll which is injected *can* potentially be bad (unfortunately). If there was a way to detect bad dlls, I'd love to add that functionality to the injection driver, but I don't think that's technically possible.
Why don't companies implement their own hooking technology? Because this is a *damn* difficult job to do. I've spent years making madCodeHook stable and I'm proud to say that I believe it's one of the best available user mode API hooking packages on the market. All those companies using madCodeHook are just trying not to reinvent the wheel but to use a technology which is well tested and proven. Of course they could try to implement their own solution, but it would cost them years and the first versions would most probably be quite unstable (as mine were in the beginning).
Thanks for listening. And if you have any questions or suggestions, please let me know.
Rainwalker
May 3rd, 2005, 11:04 AM
:-\ :lurking:
Pilli
May 3rd, 2005, 12:13 PM
Hi madshi, -{ Quote: "Thanks for listening. " }-
Thank you very much for your input, I certainly appreciate it :)
Pilli
Mephisto
May 3rd, 2005, 12:14 PM
-{ Quote: "Unfortunately some programmers misused madCodeHook to write rootkits (I really hate that). I've contacted them and asked them to stop doing that. They promised to stop using madCodeHook for rootkits etc, hopefully they'll really do." }-
You might as well make a wish in one hand - and then sh!t in the other, and see which one get's full the fastest. Rules and Laws only apply to people who follow them - and when it comes to making money all the little niceties are dispensed with.
madshi
May 3rd, 2005, 02:11 PM
Thanks Pilli!
Rainwalker, would you mind commenting in text? :)
Mephisto, you're certainly right in that some people don't care about good/bad and just want to make money, no matter what. But then there are some programmers who write rootkits just to demonstrate their skills. Such hobby programmers (often school kids) are not necessarily as bad as those money eating moral ignoring people. Not that I would want to defend writing rootkits. I find it quite bad and I'm very angry about anyone misusing my madCodeHook package for such purpose!
Rainwalker
May 3rd, 2005, 10:15 PM
-{ Quote: "Thanks Pilli!
Rainwalker, would you mind commenting in text? :)
Mephisto, you're certainly right in that some people don't care about good/bad and just want to make money, no matter what. But then there are some programmers who write rootkits just to demonstrate their skills. Such hobby programmers (often school kids) are not necessarily as bad as those money eating moral ignoring people. Not that I would want to defend writing rootkits. I find it quite bad and I'm very angry about anyone misusing my madCodeHook package for such purpose!" }-
No need :)
MrOlaf
September 17th, 2005, 06:47 AM
I get the file mc21.tmp being found by Norton Anti-Virus every time I start my comp. It says that it is part of the backdoor.graybird virus, a very nasty trojan. Dunno if anyone else gets this. I look for the .dll that is supposedly associated with the virus and registry entries, but they do not exist. But it appears every time. I am worried that the virus has a variant that no progs have found yet. Any thoughts would be appreciated.
madshi
September 17th, 2005, 06:59 AM
This seems to be a false alarm. I've been contacted already that Norton fires alarm for all software using madCodeHook. Quite stupid. I'm about to contact Norton to correct this...
cjc
September 19th, 2005, 10:34 AM
I want to thank you guys for your ProcessGuard. I was going crazy with this new Backdoor.Graybird variant which generates "mc2X.tmp". All of the computers which have Spysweeper installed are susceptible. I installed ProcessGuard, rebooted to Safe Mode, uninstalled Spysweeper and removed the traces in the Registry (do a search for whichever temp file you have been infected with), and rebooted.
SCer
October 21st, 2005, 02:18 PM
Spydoctor also uses the mchinjdrv hook.
Copyright ©2002 - 2012, Wilders Security Forums