Discussion in 'ProcessGuard' started by Rainwalker, Sep 6, 2004.
You are very welcome
Thank you all for this useful (and humorous) thread. I had the same thing and was a bit scared and undecided what to do. Luckily there is ... Wildersforum!
I got the same message, but the program that tried to install it was Process Guard itself, which had blocked itself.
I looked at the log and didn't find anything except Trojan Hunter trying to install it.
Is that correct?
Hi DonKid, ProcessGuard does not use those libraries but I believe that TH might and this is what you are seeing. DCS only use their own code for low level drivers.
Gave another look at the log, and I found it.
TH does indeed use it... not that it is a bad thing...
Thanks for your help.
Just found this thread via google. I'm the author of madCodeHook and would like to add a comment:
As was already explained by the mods here (thank you!), mchInjDrv is a driver which is internally used by madCodeHook to inject dlls into other processes. This is part of the whole API hooking technology. Now the injection driver in itself is quite innocent. It does nothing but inject a specified dll. It doesn't really know what purpose the dll has.
Unfortunately some programmers misused madCodeHook to write rootkits (I really hate that). I've contacted them and asked them to stop doing that. They promised to stop using madCodeHook for rootkits etc.; hopefully they really will.
On the positive side, a lot of good software "antiSomethingBad" is using madCodeHook for good purpose, and I'm quite happy about that.
When you see "mchInjDrv" on your PC, you can only check whether the process which wants to use that is a process which you trust or not. The injection driver itself is not bad, but the dll which is injected *can* potentially be bad (unfortunately). If there was a way to detect bad dlls, I'd love to add that functionality to the injection driver, but I don't think that's technically possible.
Why don't companies implement their own hooking technology? Because this is a *damn* difficult job to do. I've spent years making madCodeHook stable and I'm proud to say that I believe it's one of the best available user mode API hooking packages on the market. All those companies using madCodeHook are just trying not to reinvent the wheel but to use a technology which is well tested and proven. Of course they could try to implement their own solution, but it would cost them years and the first versions would most probably be quite unstable (as mine were in the beginning).
Thanks for listening. And if you have any questions or suggestions, please let me know.
Thank you very much for your input, I certainly appreciate it
You might as well make a wish in one hand - and then sh!t in the other, and see which one gets full the fastest. Rules and Laws only apply to people who follow them - and when it comes to making money all the little niceties are dispensed with.
Rainwalker, would you mind commenting in text?
Mephisto, you're certainly right in that some people don't care about good/bad and just want to make money, no matter what. But then there are some programmers who write rootkits just to demonstrate their skills. Such hobby programmers (often school kids) are not necessarily as bad as those money-eating, moral-ignoring people. Not that I would want to defend writing rootkits. I find it quite bad and I'm very angry about anyone misusing my madCodeHook package for such purpose!
I get the file mc21.tmp being found by Norton Anti-Virus every time I start my comp. It says that it is part of the Backdoor.Graybird virus, a very nasty trojan. Dunno if anyone else gets this. I look for the .dll that is supposedly associated with the virus and registry entries, but they do not exist. But it appears every time. I am worried that the virus has a variant that no progs have found yet. Any thoughts would be appreciated.
This seems to be a false alarm. I've been contacted already that Norton fires alarm for all software using madCodeHook. Quite stupid. I'm about to contact Norton to correct this...
I want to thank you guys for your ProcessGuard. I was going crazy with this new Backdoor.Graybird variant which generates "mc2X.tmp". All of the computers which have Spy Sweeper installed are susceptible. I installed ProcessGuard, rebooted to Safe Mode, uninstalled Spy Sweeper and removed the traces in the Registry (do a search for whichever temp file your computer has been infected with), and rebooted.
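As an added defender's check (not code from the thread, from ProcessGuard, or from madCodeHook), the PowerShell below lists system drivers that match the mchInjDrv name or the mc2X.tmp temp-file naming reported in this thread and shows who signed each image, which is the "is the owning product one you trust" decision the madCodeHook author describes above. The mc2X.tmp regex, the temp-folder heuristic and the function name are my assumptions.

```powershell
# Added example: triage a driver sighting such as mchInjDrv / mc2X.tmp.
# Assumes Windows PowerShell 3+ or PowerShell 7 with the CIM cmdlets.
function Get-SuspectHookDriver {
    Get-CimInstance -ClassName Win32_SystemDriver | Where-Object {
        $_.Name -like 'mchInjDrv*' -or
        $_.PathName -match '\\mc2[0-9A-Fa-f]\.tmp$' -or   # assumed: madCodeHook temp-file naming from the thread
        $_.PathName -match '\\Temp\\'                      # assumed heuristic: any driver loaded from a temp folder
    } | ForEach-Object {
        # Normalise "\??\C:\..." and quoted paths so the file can be inspected.
        $path = [string]$_.PathName -replace '^\\\?\?\\', '' -replace '^"|"$', ''
        $sig  = $null
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path
        }
        [pscustomobject]@{
            Name      = $_.Name
            State     = $_.State
            StartMode = $_.StartMode
            Path      = $path
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned or file missing)' }
            SigStatus = if ($sig) { $sig.Status } else { 'FileMissing' }
        }
    }
}

Get-SuspectHookDriver | Format-Table -AutoSize
```

A hit whose signer is the vendor of a product you installed (Trojan Hunter, Spy Sweeper and Spyware Doctor are the ones named in this thread) matches the author's explanation; an unsigned or missing image with no known owning product is the case worth investigating further.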
Spydoctor also uses the mchinjdrv hook.