MchInjDrv

Rainwalker · #1 September 6th, 2004, 06:59 PM

Anyone else have this showing up lately ..... MchInjDrv

Any thoughts

Gavin - DiamondCS · #2 September 6th, 2004, 11:54 PM

Hi,

This is used by those programs with injection based on MadCodeHook - usermode injection and hooking technologies. You should ALLOW this if you trust the program doing it - to prevent any incompatibilies

If this happened with an unknown program or possible trojan, you can send the file to submit(at)diamondcs.com.au for analysis

Rainwalker · #3 September 7th, 2004, 12:04 AM

Thanks Gavin....There are two 'trusted' problems that want to use it. One is Spy Sweeper. It has been trying for the past two days and i have been using SS a lot longer then that with no sign of that driver and have not received any updates for awhile. Same with the other program....only these past two days....seems a bit strange.

Pilli · #4 September 7th, 2004, 04:37 AM

Hi RainWalker, It may be to do with your SS settings. Have you changed some setting in SS that might initiate another process? If so PG is probably catching that.
I give SS all allows.

Pilli

Rainwalker · #5 September 7th, 2004, 11:42 AM

Hey Pilli

....changed nutt'n ....Have YOU seen that driver request prior to allowing?

Pilli · #6 September 7th, 2004, 12:04 PM

Yep, I'm sure I saw it the first time I fired SS up after install but I cannot find it now using windows explorer

Don Pelotas · #7 September 7th, 2004, 12:23 PM

Pilli is right, i noticed it right after installing 3.0.

Rainwalker · #8 September 7th, 2004, 10:10 PM

Quote:

Originally Posted by Pilli

Yep, I'm sure I saw it the first time I fired SS up after install but I cannot find it now using windows explorer

Ok....hate to keep beating that proverbial horse but isn't a bit odd you can't locate it

Rainwalker · #9 September 7th, 2004, 10:14 PM

Opps sorry Don.....meant to thank you for your comment

Rainwalker · #10 September 7th, 2004, 10:22 PM

BTW..i wrote Web...root yesterday and so far have heard nada.

Gavin - DiamondCS · #11 September 7th, 2004, 11:36 PM

You can't locate it because it is "dropped" by the EXE, then loaded into memory. It could likely then be deleted, the system only needs the memory image of the file

Bowserman · #12 September 8th, 2004, 03:02 AM

Yep, tested earlier. spysweeper.exe attempted to "drop" mchInjDrv after install and upon SS being run for the first time (at least for me)....I logged it

. I imagine it would be used for the Shields, judging by what Gavin said.

Code:

Wed 08 - 12:34:56 [DRIVER/SERVICE] c:\program files\webroot\spy sweeper\spysweeper.exe [652] Tried to install a driver/service named mchInjDrv
Wed 08 - 12:34:56 [DRIVER/SERVICE] c:\program files\webroot\spy sweeper\spysweeper.exe [652] Tried to install a driver/service named mchInjDrv

Regards,
Jade.

Rainwalker · #13 September 11th, 2004, 07:52 AM

I just received this from Webroot:

Solution: We apologize for the trouble that you've had. Spy
Sweeper does not have the ability to add drivers to your system, it is
not necessary for use, however we will still look into the name of this
file, and hopefully we can determine it's source. SHould we find any
more information, we'll let you know.

#14 September 11th, 2004, 11:56 AM

Quote:

Originally Posted by Rainwalker

I just received this from Webroot:

Solution: We apologize for the trouble that you've had. Spy
Sweeper does not have the ability to add drivers to your system, it is
not necessary for use, however we will still look into the name of this
file, and hopefully we can determine it's source. SHould we find any
more information, we'll let you know.

Thankx for the info from webroot.
In my view, it is kind of weird since they have made their softwares which they have not known details/components of softwares they have made?
- is it that they have used some existing source code from others?
- spysweeper 3x is infected already? it is kind of silly to say this, just anyway.

Looking forward to experts to clarify it out.
.

Pilli · #15 September 11th, 2004, 12:04 PM

Hi quaduong, I doubt the person responding had any idea about RainWalkers question and has passed it on to a tech for a proper and more authoritive response.
I definately saw what Bowserman shows in his screenshot.

Rainwalker · #16 September 11th, 2004, 12:50 PM

I will follow this up

Pilli · #17 September 11th, 2004, 01:07 PM

Thanks Rainwalker, Don't you just love these little mysteries

Cheers Pilli

Rainwalker · #18 September 11th, 2004, 01:17 PM

Quote:

Originally Posted by Pilli

Thanks Rainwalker, Don't you just love these little mysteries

Cheers Pilli

Yes indeedy, and i always prefer to err on the side of paranoia

Rainwalker · #19 September 14th, 2004, 10:06 PM

Just to say i have heard nothing back from Webroot as of today

Pilli · #20 September 15th, 2004, 03:12 AM

Thanks for keeping us updated RainWalker

Gavin - DiamondCS · #21 September 15th, 2004, 04:50 AM

It might be that they have used the "Madshi" libraries and not noticed what it is actually capable of. Well.. it seems like the only explanation to me

Rainwalker · #22 September 15th, 2004, 12:41 PM

Quote:

Originally Posted by Gavin - DiamondCS

It might be that they have used the "Madshi" libraries and not noticed what it is actually capable of. Well.. it seems like the only explanation to me

I understand this is 'Madshi' stuff but nonetheless .............waiting to hear...i'll try them again sometime soon...they outta be knowing what they are selling better then they appear to, before they put it on the market.

Rainwalker · #23 September 17th, 2004, 11:31 PM

UPDATE:
Wrote them 2 days ago (9-15-04).....still nothing......waiting

worldcitizen · #24 September 21st, 2004, 01:49 AM

I got the same so should I give Spy Sweeper all alows or what?

Dave

Pilli · #25 September 21st, 2004, 02:29 AM

I have found that SpySweeper needs the install driver / service allow.
Watch the alerts to ensure the necessary allows.

HTH Pilli

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search