PDA

View Full Version : Is MadInjection.rtk Unremoveable?


berikken
2009-02-17, 21:01
I can read member "rokut" had the same question as me about this annoying "mchInjDrv.sys" file that keep on beeing written after reboot and I can see that he didn't get any respons either.

My question to the expertise panel:
Is MadInjection.rtk unremoveable???

So far on the internet I've found two ways that's suppose to work, but the problem is that none of them actually work???
What is this file and what does it do.....anyone....please ;-)
If it's harmeless I'll sleep better at night :-)

I quote from the file "mchInjDrv.sys" from what I can read:

-This program cannot be run in DOS mode
-B a s e N a m e d O b j e c t s \ m c h I n j D r v M a p
-Close YZwUnmapViewOfSection memcpy @ ExAllocatePoolWithTag ZwMapViewOfSection ZwOpenSection RtlInitUnicodeString %ObfDereferenceObject ZwAllocateVirtualMemory ObOpenObjectByPointer rPsLookupProcessByProcessId IofCompleteRequest PsSetCreateProcessNotifyRoutine ntoskrnl.exe

Is there anybody who can tell me what this file is doing from this???
tashi
2009-02-17, 21:45
Hello berikken,


I can read member "rokut" had the same question as me about this annoying "mchInjDrv.sys" file that keep on beeing written after reboot and I can see that he didn't get any respons either.

rokut started a topic in the malware removal forum yesterday. http://forums.spybot.info/showthread.php?t=45811 (http://forums.spybot.info/showthread.php?t=45811)

Your topic started today: http://forums.spybot.info/showthread.php?t=45857

Volunteer analysts assist users as soon as they are able, otherwise there is this sticky.

Manual Removal Guide for MadInjection.rtk (http://forums.spybot.info/showthread.php?t=40524)

Best regards. :)
berikken
2009-02-18, 11:01
Oki :-)
I've allready tried that manual removal guide and it didn't work for me, tried running in safe mode too and same result :-(

I'll try to be more patient in the future ;-) But there isn't so many places there's information about this little bugger :-) Hope some of you guru's can fix it.
Hated to see the @ and % in the "mchInjDrv.sys" file ;-)
berikken
2009-02-18, 11:53
Guess I was lucky...The file doesn't appear in system32/driver anymore ;-)

I found this quote: it's used by programs which use MadCodeHook for code injection

And all I did was to make a registry search for anything called: MadCodeHook

I found 3 directories named "mchInjDrv" and since they only refered to MadCodeHook I just deleted them and made a reboot......voila...

:-)

I run win xp...
berikken
2009-02-18, 12:07
Is there anybody here can tell me what programs use this? I understand that it only is in memory and it's been used for checking dll's but what programs?

That would probably make it much easier for others to find it in the registry?

I might have been just lucky and we'll se if it reappears later ;-)
tashi
2009-03-12, 16:29
Malware topic was archived due to lack of a response to analyst.
http://forums.spybot.info/showthread.php?t=45857