Warning mchInjDrv.sys at every start

Discussion in 'NOD32 version 2 Forum' started by Flaeva, Aug 3, 2009.

Thread Status:
Not open for further replies.
  1. Flaeva

    Flaeva Registered Member

    Joined:
    Nov 30, 2008
    Posts:
    7
    Hello!

    A warning from NOD appeared recently at every start, putting mchInjDrv.sys in quarantine.

    This file is in C:\Windows\system32\drivers and is created at every boot.

    NOD32 also mentions it has been modified by Spyware Doctor, but I know it's a false positive.

    I excluded the file and even the whole folder from AMON, but it doesn't work!

    Have you got a solution? Thank you!!!!
     
  2. ASpace

    ASpace Guest

    Last edited by a moderator: Aug 3, 2009
  3. Flaeva

    Flaeva Registered Member

    Joined:
    Nov 30, 2008
    Posts:
    7
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    mchInjDrv.sys is correctly classified and detected as Win32/Monitor.PCAgent, a potentially unsafe application. If you are sure that it's part of a legit application, you can exclude it from scanning or disable detection of potentially unsafe applications.
     
  5. Flaeva

    Flaeva Registered Member

    Joined:
    Nov 30, 2008
    Posts:
    7
    It's what I've already done in AMON, excluding the file and folder.

    But with no effect... o_O
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If you're not using Windows 95/98/ME or use NOD32 for Exchange, upgrade to the latest version 4.0.437.
     
  7. Flaeva

    Flaeva Registered Member

    Joined:
    Nov 30, 2008
    Posts:
    7
    Thanks Marcos for your advice, but I really want to keep my version as it has worked very well for a long time (maybe because of my own experience).

    Although I excluded the file and folder from NOD, I still had those warnings regularly at start-up.

    It just stopped recently, it seems, when the file was not created.

    Hope it will be for good !!
     
  8. BFG

    BFG Registered Member

    Joined:
    Oct 27, 2004
    Posts:
    482
    Location:
    San Diego
    Hi Flaeva,

    As Marcos said, the file is classified as a "potentially unsafe application"; if you go to AMON Setup > Options and remove the check from that parameter, it should no longer be stopped.

    BFG
     
  9. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
    So any app which uses >> mchInjDrv.sys has to be potentially unsafe?
    ThreatFire then too? Setup creates that file, ESET deletes it, but TF ran fine.
    BufferZone (sandbox) uses it too.
    source: http://www.file.net/prozess/mchinjdrv.sys.html
     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Similarly, you might ask if any application using pskill.exe, used for killing running processes, is potentially unsafe. The tool has been exploited by malware and, even though it's part of various cleaners, it's flagged as potentially unsafe just for that reason. If a file is only exploited by malware and does not serve legit purposes, it's flagged as a trojan. By enabling detection of potentially unsafe applications, you've agreed to the detection of such tools.
     
  11. emsisoft

    emsisoft Security Expert

    Joined:
    Mar 12, 2004
    Posts:
    312
    Location:
    Nelson, New Zealand
    While the detection of that file may be legit, it should not be the default setting to alert on it.

    It confuses users (e.g. why a-squared Anti-Malware or Mamutu contains malware), which comes at the cost of sales in the end.

    Additionally, ESET has to accept the fact that NOD32 will be stamped 'incompatible' with several security software tools too, which doesn't really shine a good light on the company.

    My suggestion therefore is:

    Remove the signature or better: Fix it. Don't alert when the module is found in combination with a list of trusted vendors and alert it if not.
     
  12. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
    Yea, ok Marcos - right - it can be used to perform bad actions (both).

    BTW emsisoft - I'm using Mamutu alongside for testing purposes - I have the service,
    and ESET deletes that DLL on setup too (same as ThreatFire) - but Mamutu works fine.

    OK - I know what I'm doing here - but in the regular case a warning is acceptable :)

    >> with a list of trusted vendors

    Might be a feature of the next major or minor version of ESET. Online Armor uses it,
    and Mamutu does also, I guess (ThreatFire too).

    I'm very satisfied with ESET (especially EAV - not ESS) and now in the 4th year of use.
    With the change of firewall I have time to test some additional security, but I don't really need it. And I'm preparing for Win7.
     
  13. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    Hi,

    mchInjDrv.sys; mchInjDrv - or the Mad Code Hook Injection Driver (MadCodeHook): the SOLUTION: do NOT remove it if it is located in the folder C:\Windows\system32\drivers. In the Registry: LEGACY_MCHINJDRV.
    This is a False Positive (FP), NOT a rootkit, NOT malware.

    mchInjDrv is safe, not dangerous. It is a third-party driver used by many legitimate security applications to provide process protection. Used for example by Cyberhawk, ThreatFire, Windows Defender, Spyware Doctor, Spy Sweeper, Trojan Hunter, a-squared.

    It is deleted from your hard disk automatically after each restart of your security software, so it is marked as suspect by some security applications (FP, no worry!). You can see it in GMER/Modules.

    The publisher is legitimate; it is created by Mathias Rauen, madshi, look on madshi.net.

    But it is often used by malicious software also.

    Madshi on wilderssecurity forums says: https://www.wilderssecurity.com/showpost.php?p=448334&postcount=58

    Also look here: https://www.wilderssecurity.com/showthread.php?t=150519

    ... and here: http://forum.emsisoft.com/default.aspx?g=posts&t=3860

    I have mchInjDrv on my computer, my also.


    PROROOTECT
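    Before excluding a "potentially unsafe application" detection like this one, a defender will want to confirm that the file on disk really is the madshi driver the post describes and see which installed service references it. The PowerShell triage script below is an added example, not something posted in this thread or shipped by ESET or madshi. It assumes the driver path and the LEGACY_MCHINJDRV enumeration key named in the post (the full path under HKLM:\SYSTEM\CurrentControlSet\Enum\Root is the usual location for legacy driver keys and is an assumption here), and it should be run from an elevated PowerShell session.

```powershell
# Added triage example (not from the thread): verify an mchInjDrv.sys detection
# instead of blindly excluding it. Assumed paths are marked below.
$driverPath = Join-Path $env:SystemRoot 'System32\drivers\mchInjDrv.sys'   # location named in the post
$enumKey    = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV'  # assumed full key for LEGACY_MCHINJDRV

if (Test-Path $driverPath) {
    $file = Get-Item $driverPath
    $sig  = Get-AuthenticodeSignature -FilePath $driverPath
    # Hash and signer let you compare the file against a known-good copy of the vendor's driver.
    [pscustomobject]@{
        Path          = $driverPath
        SizeBytes     = $file.Length
        LastWrite     = $file.LastWriteTime
        SHA256        = (Get-FileHash -Path $driverPath -Algorithm SHA256).Hash
        SigStatus     = $sig.Status
        SignerSubject = $sig.SignerCertificate.Subject
    } | Format-List
} else {
    # The post notes the file is recreated at boot and removed when the owning product restarts,
    # so its absence right now is not itself suspicious.
    Write-Output "mchInjDrv.sys not present at $driverPath"
}

# Which installed services point at the driver? A hooking driver owned by an AV/HIPS product
# should be referenced by that product's service; an unexpected owner is worth a closer look.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $imagePath = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ImagePath
        if ($imagePath -and $imagePath -match 'mchInjDrv') {
            [pscustomobject]@{ Service = $_.PSChildName; ImagePath = $imagePath }
        }
    }

# Is the driver currently loaded? (column header 'Module Name' as printed by driverquery /v)
driverquery /v /fo csv | ConvertFrom-Csv |
    Where-Object { $_.'Module Name' -like 'mchInjDrv*' } |
    Select-Object 'Module Name', 'Display Name', 'State', 'Path'

# The legacy enumeration key the post mentions, if present
if (Test-Path $enumKey) {
    Get-ItemProperty -Path $enumKey | Select-Object -Property *
}
```

    If the signer is not the madshi publisher, or the referencing service is not one of your installed security products, treat the detection as worth investigating rather than as the false positive the post describes; if everything matches, the AMON exclusion or the "potentially unsafe applications" setting discussed above is the appropriate fix.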
     
  14. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    As far as I know, Windows Defender does not use mchInjDrv and generally detects it as suspicious.
     
  15. bradtech

    bradtech Guest

    If you disable real-time protection with NOD32, install PCTools Spyware Doctor with Antivirus, and then set up exclusions, they do not conflict with one another. I run both on my home PC.
     
  16. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ