What is mchlnjDrv?

Discussion in 'malware problems & news' started by SecurityFan, Mar 7, 2006.

Thread Status:
Not open for further replies.
  1. SecurityFan

    SecurityFan Registered Member

    Joined:
    Oct 2, 2005
    Posts:
    28
    This has happened twice in the space of about a month:

    I turn on my computer and access my user account. Up pops Unhackme informing me of a rootkit service named mchlnjDrv. It says it's in image path username\locals~Temp\mc243.tmp. And then I kill it. This time, before killing it, I looked for this file and couldn't find it. I also looked under processes and didn't see mchlnjDrv.

    I have Norton Firewall, Norton AV, and TrojanHunter -- along with Unhackme. Unhackme has been quietly sitting on my computer for months. Then in the past month these 2 incidents. I should mention the first time this happened with a previous version of Unhackme, this time with the current version. None of the other apps has made a peep. The Norton AV did intercept a trojan (also when starting up) a few months back.

    Is this really a rootkit? Google didn't tell me much. I use my computer heavily online to read news, articles, and emails. I'm not going to any parts of the internet that should warrant getting a rootkit. I'm not opening email attachments.

    Does anyone have any thoughts about this? ... One idea I have is to get Online Armor to block something from installing itself like this. I want to know when something is installing itself. Evidently Norton AV, and TrojanHunter realtime don't even see whatever is causing this and just let this thing in to install itself, no questions asked. Or maybe this is a false positive?

    Anyway, I'd welcome advice and info about mchlnjDrv.

    Thanks
     
  2. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,203
    Location:
    USA
    Are you sure this is mchlnjDrv and not MCHINJDRV?

    If it is mchnjDrv, I'm fairly positive that this is a false positive for UnHackMe, and nothing to be worried about. I encountered the exact same thing that you did, researched a little more and discovered that mchnjDrv is a driver related to/which TrojanHunter uses. I spoke with and asked a couple of very experienced and helpful moderators at both the Greatis software (UnHackMe) and then Mischel Internet Security (TrojanHunter) forums, and they expressed their belief that this is what it is as well. Magnus Mischel (the creator of TrojanHunter) posted this comment in his forums regarding this driver on March 2 of last year:

    Hope this helps...
     
    Last edited: Mar 7, 2006
  3. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041
    https://www.wilderssecurity.com/showthread.php?t=47024&page=3&pp=25


    As JC says: "If it is mchnjDrv, I'm fairly positive that this is a false positive for UnHackMe."

    Quite a few apps use this approach, Spyware Doctor etc.
     
  4. SecurityFan

    SecurityFan Registered Member

    Joined:
    Oct 2, 2005
    Posts:
    28
    It definitely was mchlnjDrv, and not MCHINJDRV, when UnHackMe popped up its warning. So I guess it was just a false positive after all.

    JRCATES and starfish, thanks for your help!
     
  5. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    So even all commercial programmers can use this madshi code for free?

    In that case false positives could often happen.

    But I still don't understand why serious developers are not able to code their own hooks. A professional company should be able to make their own hooks, and to have skilled people to do that right; then we wouldn't have these problems of false positives.
     
  6. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041

    I doubt his licence is free?
     
  7. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    The Madshi code is not free for commercial use, and you must pay to get the source code which is essential for any commercial project anyhow.

    It doesn't come down to can or can't code it. What it comes down to is a build or buy decision, which comes to time vs money.

    The madshi library can be licenced immediately, for a relatively small amount of money (I think it cost us about $1,000 or so from memory).

    Or, you could re-create the same code - which may take a long period of time. Of course, each developer is paid by the hour - so the long period of time means that:

    (a) I have to wait for my developers to reproduce something that has already been created, instead of doing the other valuable work.

    (b) The developers are paid hourly (or salary) - so in effect, I can either buy Madshi code "right now" for $1,000 (say) and start to use it immediately, or, alternatively, I could buy it over a year for $100,000 and begin using it next year. (or, if it took 6 months to reproduce, say $50,000)

    Of course, once you have the basic API hooking core there is still a LOT of work to do to make any product and it's best to pay the developers to work on things that improve usability and the product in general rather than re-inventing the wheel.

    There's a whole lot of work that goes on in programming surrounding re-use. A dll is one type of reusable object... "components", object oriented design, frameworks, all serve to make programming more efficient.

    Another example - there are very limited APIs to Outlook Express, and for a client project, we needed to work with Outlook Express. Rather than have one of my developers spend months on a reverse engineering task (which the client would not have paid for) we looked around and saw what we could find.

    One company has spent months (or years) to reverse engineer it and produce a product which gives you access to extend Outlook Express. $3,000 to get this library. It's worth it if it works well, and you couldn't do it for the same price in a timely fashion.

    Of course, if you're a one man band, a hobbyist, or can't afford to drop thousands here and there to save months then writing it yourself is the only way to go.

    Similarly, if you can't find code of the quality you need or that works how you want it to - another reason to write it yourself. But writing everything yourself by default is the "dumb" approach to programming that most professional programmers get out of quickly.

    So, that's why *I* licenced the Madshi code. And, now we're working on kernel mode versions of Online Armor and we find that there is not a suitable library we can licence to get done what we need. So, we're doing it ourselves. It costs more, and takes longer that way, but in this case it's the only choice.


    Mike
     
  8. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    SecurityFan, please visit here http://www.greatissoftware.com/forums/ and Dmitry will be glad to help you. He would probably try to help here, but it has recently been frowned upon for developers to give detailed assistance if not in an official forum. Please do not just assume this is a false positive. It may well be, but it's always best to check it out thoroughly.

    Thanks,

    Chris
     
  9. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,203
    Location:
    USA
    Good advice, and thanks for bringing this up, Chris, because according to SecurityFan's post:

    Since MchnjDrv is used by TrojanHunter, and SecurityFan posted that it was "mchlnjDrv, and not MCHINJDRV".....this could be something totally different. Although, I'm still guessing that it was actually MchnjDrv (used by TH), and that perhaps (or HOPEFULLY) SF was simply mistaken as to which alert he received.....
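    The name question raised in posts 2 and 9 (was the alert "mchlnjDrv" with a lowercase L, or MCHINJDRV, the driver TrojanHunter uses?) comes down to glyphs that look identical in many fonts. The following triage helper is an added example, not code from UnHackMe, TrojanHunter or the madshi library; it folds look-alike glyphs before comparing a reported service name against a constructed allowlist, and separately flags a temp-folder .tmp image path (like the one in the first post) as something still to verify rather than accept by name.

```python
import re

# Added example: triage a rootkit alert's service name against a small
# allowlist after folding glyphs that render alike (l / I / 1, 0 / O).
# Constructed for this thread; not code from UnHackMe, TrojanHunter or madshi.

# Look-alike glyphs folded to one representative (applied after lowercasing).
CONFUSABLES = str.maketrans({"l": "i", "1": "i", "0": "o"})

# Constructed allowlist: only the name discussed in the thread is listed.
KNOWN_DRIVERS = {
    "mchinjdrv": "madshi API-hook injection driver (used by TrojanHunter)",
}

# Image path in a Temp folder with a .tmp name, as in the thread's alert.
TEMP_TMP_PATH = re.compile(r"temp[\\/][^\\/]+\.tmp$", re.IGNORECASE)


def normalize(name: str) -> str:
    """Lowercase the name and fold look-alike glyphs."""
    return name.lower().translate(CONFUSABLES)


def triage(reported_name: str, image_path: str = "") -> dict:
    """Classify a reported service name; image_path is optional context."""
    folded = normalize(reported_name)
    exact = reported_name.lower() in KNOWN_DRIVERS
    lookalike = not exact and folded in KNOWN_DRIVERS
    if exact:
        verdict = "known driver name"
    elif lookalike:
        verdict = "probable glyph confusion with a known driver name"
    else:
        verdict = "unknown name"
    return {
        "reported": reported_name,
        "normalized": folded,
        "known_as": KNOWN_DRIVERS.get(folded),
        "verdict": verdict,
        # A name match is not proof: a Temp-folder .tmp image still warrants
        # checking the file itself, as advised later in the thread.
        "verify_image": bool(TEMP_TMP_PATH.search(image_path)),
    }


if __name__ == "__main__":
    # The alert from the first post (path as the poster wrote it).
    print(triage("mchlnjDrv", r"username\locals~Temp\mc243.tmp"))
    print(triage("MCHINJDRV"))
    print(triage("someOtherSvc"))
```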
     
  10. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Thanks Mike for your long info about the reasons, sounds logical.
     
  11. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    I think it is interesting that "unhackme" flags "mchinjdrv", but PG 3.15 doesn't give any alerts regarding "mchinjdrv".

    UPDATE: I installed "unhackme", but it did not flag "mchinjdrv" on my computer. (I have a2-personal and trojanhunter, which both use "mchinjdrv", but I don't have THGuard running, at present.)
     
    Last edited: Mar 14, 2006
  12. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,203
    Location:
    USA
    Hi redwolfe_98,

    UnHackMe doesn't constantly or consistently flag this driver for me either.....it has on only two occasions, and both times were during startup. I have both the TH Guard and UnHackMe running as startup programs. Not sure what causes it to alert, but like I said, in my case it has alerted to it twice in about a 7 month period for me....
     
  13. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041
    Same here
     