Warning mchInjDrv.sys at every start

Hello!

a warning from nod appeared recently at every start, putting mchInjDrv.sys in quarantine

This file is in C:/windows/system32/drivers and is created at every boot

nod32 also mentions it has beem modified by spware doctor but I know it's a false

I excluded the file and even the whole folder from AMON but it doesn't work !

Have you got a solution ? Thank you !!!!

 

I am 99.99 % sure that mchInjDrv.sys is a malware - real one.

You may need to~ upgrade to v4 of NOD32 (if you are running Windows 2000/XP/Vista/7)

v4 is considered much better than v2:
http://kb.eset.com/esetkb/index?page=content&id=SOLN357
http://www.eset.com/company/article...-Proactive-Protection/5800.php?contentID=5800

 

Thanks for your answer ASpace,

but I want to keep my nod32 2.70 it works very well for me and it seems that's really a false especially as I use spyware doctor:
http://www.a9services.com/base/index2.php?option=com_content&do_pdf=1&id=78
http://www.techsupportforum.com/sec...nerating-infection-startup-mchinjdrv-sys.html

How can I configure nod in order to avoid this warning at start up please

 

MmchInjDrv.sys is correctly classified and detected as Win32/Monitor.PCAgent potentially unsafe application. If you are sure that it's part of a legit application you can exclude it from scanning or disable detection of potentially unsafe applications.

 

it 's what I've already done in Amon excluding the file and folder

But with no effect ...

 

If you're not using Windows 95/98/ME or use NOD32 for Exchange, upgrade to the latest version 4.0.437.

 

Thanks Marcos for your advice but I really want to keep my version as it works very well for a long time ( maybe because of my own experience )

Although I excluded the file and folder from nod I still had those warnings regularly at the start

It just stopped recently as it seems when the file was not created

Hope it will be for good !!

 

Hi Flaeva,

As Marcos said that the file is classified a "potentially unsafe application", if you go to AMON Setup > Options and remove the check from that parameter it should no longer be stopped.

BFG

 

So any app which uses >> mchInjDrv.sys has to be potentail unsafe?
ThreatFire then too? Setup creates that file, ESET delete it but TF ran fine.
BufferZone (sandbox) uses it too.

source: http://www.file.net/prozess/mchinjdrv.sys.html

 

Similarly you might ask if any application using pskill.exe used for killing running processes is potentially unsafe. The tool has been exploited by malware and, even though it's part of various cleaners, it's flagged as potentially unsafe just for that reason. If a file is only exploited by malware and does not serve for legit purposes, it's flagged as a trojan. By enabling potentially unsafe application you've agreed with detection of such tools.

 

While the detection of that file may be legit, it should not be default setting to alert them.

It confuses users (e.g. why a-squared Anti-Malware or Mamutu contains Malware) which goes on cost of sales in the end.

Additionally ESET has to accept the fact that NOD32 will be stamped 'incompatible' with several security software tools too which doesn't really turn a good light on the company.

My suggestion therefore is:

Remove the signature or better: Fix it. Don't alert when the module is found in combination with a list of trusted vendors and alert it if not.

 

yea ok Marcos - right - it can be used to perform bad action (both)

btw emsisoft - im using mamutu beside for testing purpose - i have the service
and eset delete that dll on setup too (same as threatfire) - but mamutu works fine.

ok - i know what i' doing here - but in regular case a warning is acceptable

>> with a list of trusted vendors

might be a feature of next major or minor version of eset. Online Armor uses it
and Mamutu do also i guess (Threatfire too).

i very satiesfied with eset (in special eav - no ess) and now in the 4th year of use.
with the change of firewall i have time to test some additional security but i dont really need it. and a prepare for win7.

 

Hi,

mchInjDrv.sys ; mchInjDrv - or the Mad Code Hook Injection Driver ( MadCodeHook ): the SOLUTION: NO remove it, if is located in the folder C:\Windows\system32\drivers. In Registry: LEGACY_MCHINJDRV.
This is a False Positive ( FP ), NO rootkit, NO malware.

mchInjDrv is safe, not dangerous. It is a third-party driver used by many legitimate security applications to provide process protection. Used for example by Cyberhawk, ThreatFire, Windows Defender, Spyware Doctor, Spy Sweeper, Trojan Hunter, a-squared.

It is deleted from your hard disk automatically after each restart of your security software, so marked as suspect by some security applications ( FP, no worry!). You can see it on GMER/Modules.

Publisher is legitimate; it is creater by Mathias Rauen, madshi, look on madshi.net.

But it is often used by malicious software also.

Madshi on wilderssecurity forums says: https://www.wilderssecurity.com/showpost.php?p=448334&postcount=58

Also look here: https://www.wilderssecurity.com/showthread.php?t=150519

... and here: http://forum.emsisoft.com/default.aspx?g=posts&t=3860

I have mchInjDrv on my computer, my also.


PROROOTECT

 

As far as I know, Windows Defender does not use mchInjDrv and generally detects it as suspicious.

 

If you disable real time protection with NOD32, and install PCTools Spyware Doctor with Antivirus, and then setup exclusions they do not conflict with one another.. I run both on my home PC

 

And TWO: look this recent answer by madshi : http://forum.madshi.net/viewtopic.php?t=4971


P.