Command Service: mchInjDrv in HKLM:CurrentControlSet

B

bitman

Esteemed Member
Alpha Testers
Want to inform and confirm with Team Spybot that this may be a false positive in the 02-12-05 detections.

We've seen a thread in both the Malware and Spybot forums discussing this.

Unable to fix "Command Service"
http://forums.spybot.info/showthread.php?t=730
HKLM cmd srvce settings
http://forums.spybot.info/showthread.php?t=710

There's also the following thread at BroadBand Reports.

Spybot detects "Command Service" as malware
http://www.dslreports.com/forum/remark,14933661
TrojanHunter, spysweeper, a2 all add this registry entry, probably more security apps also.
mchInjDrv (Mad code hook injection driver)
malware can use it, but if you use any of the above security apps, then it's a false positive.
Click to expand...

The following are the detected keys.
Code: 
Command Service: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\mchInjDrv

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\m chInjDrv

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\m chInjDrv
 
I am working with someone at Castlecops with the same detection. Here is what shows to be in the registry keys in ControlSet001. This really looks like a known malicious service:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mchInjDrv]
"Type"=dword:00000001
"ErrorControl"=dword:00000000
"Start"=dword:00000004
"ImagePath"="\\??\\C:\\WINDOWS\\TEMP\\mc21.tmp"
"DeleteFlag"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mchInjDrv\Enum]
"0"="Root\\LEGACY_MCHINJDRV\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
Click to expand...
Original Topic
 
Okay, but there is obviously a real registry entry there and it is part of a genuine malicious signature. I agree that the threat is not active but still don't really feel that the detection is false.

Is Spybot going to quit detecting this or is it something that we should just tell users to ignore?
 
Its not always malicious

For example I have trojan hunter when we use its guard it creates the same key.

Regards
 
We decided to remove mchinjdrv from Spybot´s detections. Thanks for reporting !:bigthumb:
 
Buster said:
We decided to remove mchinjdrv from Spybot´s detections. Thanks for reporting !:bigthumb:
Click to expand...

Hello,

Checked for updates - and there were none to be had for me - yet Spybot still detects "Command Service" and mchindrjv??

Please advice.

Thanks in advance!:)
thomcats
 
thomcats:

On 2005-12-07, Buster posted:
Buster said:
We decided to remove mchinjdrv from Spybot´s detections. Thanks for reporting !:bigthumb:
Click to expand...
The following post would indicate that modifications were made to the "Command Service" detections on 2005-12-09:
++ Command Service
Click to expand...
It appears that something happened during the preparation of the update for 2005-12-16 and update facility is not currently working:
Go into Spybot > Help > About. If you are still running with 2005-12-05 updates, ignore the detections until you get new updates. If you have the 2005-12-09 updates, run another scan. When the scan completes, right click on the results list and select "Copy results to clipboard" then paste the clipboard into a new post so that a “Member of Team Spybot” can see the detection and the update level that you are running.
 
19-12-05 defs do not fix cmd.service reg issue

copy of clipboard


--- Search result list ---
Command Service: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

Command Service: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService


--- Spybot - Search && Destroy version: 1.3 ---
2005-12-09 Includes\Cookies.sbi
2005-12-09 Includes\Dialer.sbi
2005-12-09 Includes\Hijackers.sbi
2005-12-09 Includes\Keyloggers.sbi
2004-11-29 Includes\LSP.sbi
2005-12-09 Includes\Malware.sbi
2005-12-09 Includes\PUPS.sbi
2005-12-09 Includes\Revision.sbi
2005-12-09 Includes\Security.sbi
2005-12-09 Includes\Spybots.sbi
2005-02-17 Includes\Tracks.uti
2005-12-09 Includes\Trojans.sbi


--- System information ---
Windows XP (Build: 2600) Service Pack 2
/ Internet Explorer 6 / SP1: Windows XP Hotfix - KB867282
/ Windows XP / SP2: Windows XP Service Pack 2
/ Windows XP / SP3: Windows XP Hotfix - KB873333
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Security Update for Windows XP (KB883939)
/ Windows XP / SP3: Windows XP Hotfix - KB885250
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB887472
/ Windows XP / SP3: Windows XP Hotfix - KB887742
/ Windows XP / SP3: Windows XP Hotfix - KB888113
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Security Update for Windows XP (KB890046)
/ Windows XP / SP3: Windows XP Hotfix - KB890047
/ Windows XP / SP3: Windows XP Hotfix - KB890175
/ Windows XP / SP3: Windows XP Hotfix - KB890859
/ Windows XP / SP3: Windows XP Hotfix - KB890923
/ Windows XP / SP3: Windows XP Hotfix - KB891781
/ Windows XP / SP3: Security Update for Windows XP (KB893066)
/ Windows XP / SP3: Windows XP Hotfix - KB893086
/ Windows XP / SP3: Security Update for Windows XP (KB893756)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Update for Windows XP (KB894391)
/ Windows XP / SP3: Security Update for Windows XP (KB896358)
/ Windows XP / SP3: Security Update for Windows XP (KB896422)
/ Windows XP / SP3: Security Update for Windows XP (KB896423)
/ Windows XP / SP3: Security Update for Windows XP (KB896424)
/ Windows XP / SP3: Security Update for Windows XP (KB896428)
/ Windows XP / SP3: Security Update for Windows XP (KB896688)
/ Windows XP / SP3: Update for Windows XP (KB896727)
/ Windows XP / SP3: Update for Windows XP (KB898461)
/ Windows XP / SP3: Security Update for Windows XP (KB899587)
/ Windows XP / SP3: Security Update for Windows XP (KB899588)
/ Windows XP / SP3: Security Update for Windows XP (KB899589)
/ Windows XP / SP3: Security Update for Windows XP (KB899591)
/ Windows XP / SP3: Security Update for Windows XP (KB900725)
/ Windows XP / SP3: Security Update for Windows XP (KB901017)
/ Windows XP / SP3: Security Update for Windows XP (KB901214)
/ Windows XP / SP3: Security Update for Windows XP (KB902400)
/ Windows XP / SP3: Security Update for Windows XP (KB903235)
/ Windows XP / SP3: Security Update for Windows XP (KB904706)
/ Windows XP / SP3: Security Update for Windows XP (KB905414)
/ Windows XP / SP3: Security Update for Windows XP (KB905749)
/ Windows XP / SP3: Security Update for Windows XP (KB905915)
/ Windows XP / SP3: Update for Windows XP (KB910437)
/ Windows XP OOB / SP10: High Definition Audio Driver Package - KB835221



--- Process list ---
Spybot - Search && Destroy process list report, 12/17/2005 11:35:14 AM

PID: 0 ( 0) [System]
PID: 4 ( 0) System
PID: 440 (2012) D:\Apps\Daemon Tools\daemon.exe
PID: 452 (2012) D:\Apps\iTunes\iTunesHelper.exe
PID: 492 ( 784) D:\Apps\Common Framework\FrameworkService.exe
PID: 512 ( 988) naPrdMgr.exe
PID: 516 (2012) C:\WINDOWS\system32\RunDll32.exe
PID: 524 (2012) C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
PID: 532 (2012) C:\Program Files\Saitek\Software\Profiler.exe
PID: 548 (2012) C:\Program Files\Saitek\Software\SaiSmart.exe
PID: 564 (2012) C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
PID: 660 ( 4) \SystemRoot\System32\smss.exe
PID: 708 ( 660) csrss.exe
PID: 736 ( 660) \??\C:\WINDOWS\system32\winlogon.exe
PID: 784 ( 736) C:\WINDOWS\system32\services.exe
PID: 796 ( 736) C:\WINDOWS\system32\lsass.exe
PID: 924 (2012) C:\Program Files\Internet Explorer\iexplore.exe
PID: 936 (2012) D:\Apps\VirusScan\SHSTAT.EXE
PID: 944 (2012) D:\Apps\Common Framework\UpdaterUI.exe
PID: 972 ( 784) C:\WINDOWS\system32\Ati2evxx.exe
PID: 988 ( 784) C:\WINDOWS\system32\svchost.exe
PID: 1012 (2012) C:\Program Files\Messenger\msmsgs.exe
PID: 1020 (2012) C:\WINDOWS\system32\ctfmon.exe
PID: 1060 ( 784) svchost.exe
PID: 1160 ( 784) C:\WINDOWS\System32\svchost.exe
PID: 1300 ( 784) svchost.exe
PID: 1312 (2012) C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
PID: 1352 (2012) C:\Program Files\VIA\RAID\raid_tool.exe
PID: 1360 ( 784) D:\Apps\VirusScan\mcshield.exe
PID: 1452 ( 784) wdfmgr.exe
PID: 1456 ( 784) svchost.exe
PID: 1576 ( 784) D:\Apps\VirusScan\vstskmgr.exe
PID: 1660 ( 784) C:\WINDOWS\system32\spoolsv.exe
PID: 1784 ( 784) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
PID: 1912 ( 736) C:\WINDOWS\system32\Ati2evxx.exe
PID: 2012 (1952) C:\WINDOWS\Explorer.EXE
PID: 2108 ( 784) D:\Apps\ipod\bin\iPodService.exe
PID: 2432 ( 784) C:\WINDOWS\System32\imapi.exe
PID: 2624 (2012) C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart.exe
PID: 2900 ( 784) alg.exe
PID: 3032 (2012) C:\Program Files\Internet Explorer\iexplore.exe
PID: 3168 (2012) C:\WINDOWS\system32\notepad.exe
PID: 3268 (2624) C:\Program Files\Ahead\nero\nero.exe
PID: 3312 (1616) C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
PID: 3568 ( 784) C:\WINDOWS\System32\svchost.exe
PID: 3988 (2012) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe


--- Browser start & search pages list ---
Spybot - Search && Destroy browser pages report, 12/17/2005 11:35:14 AM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://ie.search.msn.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.google.com.au/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://ie.search.msn.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant Explorer\Main\Default_Search_URL
about:blank
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://ie.search.msn.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm








md usa spybot fan said:
thomcats:

On 2005-12-07, Buster posted:

The following post would indicate that modifications were made to the "Command Service" detections on 2005-12-09:

Go into Spybot > Help > About. If you are still running with 2005-12-05 updates, ignore the detections until you get new updates. If you have the 2005-12-09 updates, run another scan. When the scan completes, right click on the results list and select "Copy results to clipboard" then paste the clipboard into a new post so that a “Member of Team Spybot” can see the detection and the update level that you are running.
Click to expand...
 
Hello!

All problems seems to be solved now. I have updated to definitions as per Dec 16 and all is working fine.

Thanks for all work and attention in this matter.

Cheers:bigthumb:
thomcats
 
Tank5 said:
copy of clipboard


--- Search result list ---
Command Service: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

Command Service: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService


--- Spybot - Search && Destroy version: 1.3 ---
2005-12-09 Includes\Cookies.sbi
2005-12-09 Includes\Dialer.sbi
2005-12-09 Includes\Hijackers.sbi
2005-12-09 Includes\Keyloggers.sbi
2004-11-29 Includes\LSP.sbi
2005-12-09 Includes\Malware.sbi
2005-12-09 Includes\PUPS.sbi
2005-12-09 Includes\Revision.sbi
2005-12-09 Includes\Security.sbi
2005-12-09 Includes\Spybots.sbi
2005-02-17 Includes\Tracks.uti
2005-12-09 Includes\Trojans.sbi
Click to expand...
Tank5 you might want to update to Version 1.4. :)

Please see:


Solution to fix the pop-ups in TeaTimer. (Spybot-S&D V 1.4)
http://forums.spybot.info/showthread.php?t=122

Cheers.
 
Below are my results, the fixed entry does reappear on a reboot.
Do you have any advice on whether this is (still) regarded as a false positive, or something more serious. I don't think I have been doing anything else to warrent the number of other (removable) trojans or trackers I keep finding.
Thanks for anything you can suggest.
J

Command Service: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

Command Service: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

Command Service: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-10-09 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-03-10 Includes\Cookies.sbi (*)
2006-03-10 Includes\Dialer.sbi (*)
2006-03-10 Includes\Hijackers.sbi (*)
2006-03-10 Includes\Keyloggers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2006-03-10 Includes\Malware.sbi (*)
2006-03-10 Includes\PUPS.sbi (*)
2006-03-10 Includes\Revision.sbi (*)
2006-03-10 Includes\Security.sbi (*)
2006-03-10 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-03-10 Includes\Trojans.sbi (*)
 
I have indeed tried safe mode. And I have followed your advice and the instructions found via that link. Thanks for the quick response!
J
 
Hello to all.....
I joined this forum only on 1st Dec,2006. and this is my first posting.
I am using Spybot S&D for the last one year and presently I am having version 1.4 and the latest detection updates are upto 2006.12.01.
For the last one month I am being troubled with "Command Service". After reading all the above discussion, I am thinking I can ignore it. But the scan report when it shows in red, it is quite annoying. There are three entries, all the three are registry keys. Can we delete them? and how?
These are the registry keys :
HKEY_LOCAL_MACHINE\SYSTEM\Control Set 003.....
\Control Set 001....
\Control
I am having win XP(Home) with SP1& 2
Thanks in advance for any response.
 
thanks
Its coused by the way Ad-Aware removes command service. it leaves
registry entries with modified permisions in place, they are harmless , but if you want to remove it post in our malware section.
 
Hai LonnyRjones....
Thank you for the quick response. I will follow your advise and post it in the malware section.
Thank you again.
 
You must log in or register to reply here.
Back
Top