PDA

View Full Version : Command Service: mchInjDrv in HKLM:CurrentControlSet



bitman
2005-12-05, 14:12
Want to inform and confirm with Team Spybot that this may be a false positive in the 02-12-05 detections.

We've seen a thread in both the Malware and Spybot forums discussing this.

Unable to fix "Command Service"
http://forums.spybot.info/showthread.php?t=730
HKLM cmd srvce settings
http://forums.spybot.info/showthread.php?t=710

There's also the following thread at BroadBand Reports.

Spybot detects "Command Service" as malware
http://www.dslreports.com/forum/remark,14933661

TrojanHunter, spysweeper, a2 all add this registry entry, probably more security apps also.
mchInjDrv (Mad code hook injection driver)
malware can use it, but if you use any of the above security apps, then it's a false positive.

The following are the detected keys.

Command Service: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\mchInjDrv

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\m chInjDrv

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\m chInjDrv

tashi
2005-12-05, 18:05
Thank you Bitman, we have brought to Team's attention.

Oldfrog
2005-12-06, 01:17
I am working with someone at Castlecops with the same detection. Here is what shows to be in the registry keys in ControlSet001. This really looks like a known malicious service:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mchInjDrv]
"Type"=dword:00000001
"ErrorControl"=dword:00000000
"Start"=dword:00000004
"ImagePath"="\\??\\C:\\WINDOWS\\TEMP\\mc21.tmp"
"DeleteFlag"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mchInjDrv\Enum]
"0"="Root\\LEGACY_MCHINJDRV\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
Original Topic (http://castlecops.com/t140229-Possible_False_Positive_Command_Service.html)

LonnyRJones
2005-12-06, 02:17
Hi Oldfrog
It is a false possitive unless a 020 cmdservice command.exe is also present

Regards

Oldfrog
2005-12-06, 18:31
Okay, but there is obviously a real registry entry there and it is part of a genuine malicious signature. I agree that the threat is not active but still don't really feel that the detection is false.

Is Spybot going to quit detecting this or is it something that we should just tell users to ignore?

LonnyRJones
2005-12-07, 02:46
Its not always malicious

For example I have trojan hunter when we use its guard it creates the same key.

Regards

Buster
2005-12-07, 13:09
We decided to remove mchinjdrv from Spybot´s detections. Thanks for reporting !:bigthumb:

thomcats
2005-12-16, 21:43
We decided to remove mchinjdrv from Spybot´s detections. Thanks for reporting !:bigthumb:

Hello,

Checked for updates - and there were none to be had for me - yet Spybot still detects "Command Service" and mchindrjv??

Please advice.

Thanks in advance!:)
thomcats

md usa spybot fan
2005-12-16, 22:20
thomcats:

On 2005-12-07, Buster posted:

We decided to remove mchinjdrv from Spybot´s detections. Thanks for reporting !:bigthumb:
The following post would indicate that modifications were made to the "Command Service" detections on 2005-12-09:
Detection updates 2005-12-09
http://forums.spybot.info/showthread.php?t=895

++ Command Service
It appears that something happened during the preparation of the update for 2005-12-16 and update facility is not currently working:
Upadate (sic) problem.
http://forums.spybot.info/showthread.php?t=1057
Problem with Update !
http://forums.spybot.info/showthread.php?t=1060
Go into Spybot > Help > About. If you are still running with 2005-12-05 updates, ignore the detections until you get new updates. If you have the 2005-12-09 updates, run another scan. When the scan completes, right click on the results list and select "Copy results to clipboard" then paste the clipboard into a new post so that a “Member of Team Spybot” can see the detection and the update level that you are running.

Tank5
2005-12-17, 02:49
copy of clipboard


--- Search result list ---
Command Service: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

Command Service: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService


--- Spybot - Search && Destroy version: 1.3 ---
2005-12-09 Includes\Cookies.sbi
2005-12-09 Includes\Dialer.sbi
2005-12-09 Includes\Hijackers.sbi
2005-12-09 Includes\Keyloggers.sbi
2004-11-29 Includes\LSP.sbi
2005-12-09 Includes\Malware.sbi
2005-12-09 Includes\PUPS.sbi
2005-12-09 Includes\Revision.sbi
2005-12-09 Includes\Security.sbi
2005-12-09 Includes\Spybots.sbi
2005-02-17 Includes\Tracks.uti
2005-12-09 Includes\Trojans.sbi


--- System information ---
Windows XP (Build: 2600) Service Pack 2
/ Internet Explorer 6 / SP1: Windows XP Hotfix - KB867282
/ Windows XP / SP2: Windows XP Service Pack 2
/ Windows XP / SP3: Windows XP Hotfix - KB873333
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Security Update for Windows XP (KB883939)
/ Windows XP / SP3: Windows XP Hotfix - KB885250
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB887472
/ Windows XP / SP3: Windows XP Hotfix - KB887742
/ Windows XP / SP3: Windows XP Hotfix - KB888113
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Security Update for Windows XP (KB890046)
/ Windows XP / SP3: Windows XP Hotfix - KB890047
/ Windows XP / SP3: Windows XP Hotfix - KB890175
/ Windows XP / SP3: Windows XP Hotfix - KB890859
/ Windows XP / SP3: Windows XP Hotfix - KB890923
/ Windows XP / SP3: Windows XP Hotfix - KB891781
/ Windows XP / SP3: Security Update for Windows XP (KB893066)
/ Windows XP / SP3: Windows XP Hotfix - KB893086
/ Windows XP / SP3: Security Update for Windows XP (KB893756)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Update for Windows XP (KB894391)
/ Windows XP / SP3: Security Update for Windows XP (KB896358)
/ Windows XP / SP3: Security Update for Windows XP (KB896422)
/ Windows XP / SP3: Security Update for Windows XP (KB896423)
/ Windows XP / SP3: Security Update for Windows XP (KB896424)
/ Windows XP / SP3: Security Update for Windows XP (KB896428)
/ Windows XP / SP3: Security Update for Windows XP (KB896688)
/ Windows XP / SP3: Update for Windows XP (KB896727)
/ Windows XP / SP3: Update for Windows XP (KB898461)
/ Windows XP / SP3: Security Update for Windows XP (KB899587)
/ Windows XP / SP3: Security Update for Windows XP (KB899588)
/ Windows XP / SP3: Security Update for Windows XP (KB899589)
/ Windows XP / SP3: Security Update for Windows XP (KB899591)
/ Windows XP / SP3: Security Update for Windows XP (KB900725)
/ Windows XP / SP3: Security Update for Windows XP (KB901017)
/ Windows XP / SP3: Security Update for Windows XP (KB901214)
/ Windows XP / SP3: Security Update for Windows XP (KB902400)
/ Windows XP / SP3: Security Update for Windows XP (KB903235)
/ Windows XP / SP3: Security Update for Windows XP (KB904706)
/ Windows XP / SP3: Security Update for Windows XP (KB905414)
/ Windows XP / SP3: Security Update for Windows XP (KB905749)
/ Windows XP / SP3: Security Update for Windows XP (KB905915)
/ Windows XP / SP3: Update for Windows XP (KB910437)
/ Windows XP OOB / SP10: High Definition Audio Driver Package - KB835221



--- Process list ---
Spybot - Search && Destroy process list report, 12/17/2005 11:35:14 AM

PID: 0 ( 0) [System]
PID: 4 ( 0) System
PID: 440 (2012) D:\Apps\Daemon Tools\daemon.exe
PID: 452 (2012) D:\Apps\iTunes\iTunesHelper.exe
PID: 492 ( 784) D:\Apps\Common Framework\FrameworkService.exe
PID: 512 ( 988) naPrdMgr.exe
PID: 516 (2012) C:\WINDOWS\system32\RunDll32.exe
PID: 524 (2012) C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
PID: 532 (2012) C:\Program Files\Saitek\Software\Profiler.exe
PID: 548 (2012) C:\Program Files\Saitek\Software\SaiSmart.exe
PID: 564 (2012) C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
PID: 660 ( 4) \SystemRoot\System32\smss.exe
PID: 708 ( 660) csrss.exe
PID: 736 ( 660) \??\C:\WINDOWS\system32\winlogon.exe
PID: 784 ( 736) C:\WINDOWS\system32\services.exe
PID: 796 ( 736) C:\WINDOWS\system32\lsass.exe
PID: 924 (2012) C:\Program Files\Internet Explorer\iexplore.exe
PID: 936 (2012) D:\Apps\VirusScan\SHSTAT.EXE
PID: 944 (2012) D:\Apps\Common Framework\UpdaterUI.exe
PID: 972 ( 784) C:\WINDOWS\system32\Ati2evxx.exe
PID: 988 ( 784) C:\WINDOWS\system32\svchost.exe
PID: 1012 (2012) C:\Program Files\Messenger\msmsgs.exe
PID: 1020 (2012) C:\WINDOWS\system32\ctfmon.exe
PID: 1060 ( 784) svchost.exe
PID: 1160 ( 784) C:\WINDOWS\System32\svchost.exe
PID: 1300 ( 784) svchost.exe
PID: 1312 (2012) C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
PID: 1352 (2012) C:\Program Files\VIA\RAID\raid_tool.exe
PID: 1360 ( 784) D:\Apps\VirusScan\mcshield.exe
PID: 1452 ( 784) wdfmgr.exe
PID: 1456 ( 784) svchost.exe
PID: 1576 ( 784) D:\Apps\VirusScan\vstskmgr.exe
PID: 1660 ( 784) C:\WINDOWS\system32\spoolsv.exe
PID: 1784 ( 784) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
PID: 1912 ( 736) C:\WINDOWS\system32\Ati2evxx.exe
PID: 2012 (1952) C:\WINDOWS\Explorer.EXE
PID: 2108 ( 784) D:\Apps\ipod\bin\iPodService.exe
PID: 2432 ( 784) C:\WINDOWS\System32\imapi.exe
PID: 2624 (2012) C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart.exe
PID: 2900 ( 784) alg.exe
PID: 3032 (2012) C:\Program Files\Internet Explorer\iexplore.exe
PID: 3168 (2012) C:\WINDOWS\system32\notepad.exe
PID: 3268 (2624) C:\Program Files\Ahead\nero\nero.exe
PID: 3312 (1616) C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
PID: 3568 ( 784) C:\WINDOWS\System32\svchost.exe
PID: 3988 (2012) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe


--- Browser start & search pages list ---
Spybot - Search && Destroy browser pages report, 12/17/2005 11:35:14 AM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://ie.search.msn.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.google.com.au/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://ie.search.msn.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant Explorer\Main\Default_Search_URL
about:blank
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://ie.search.msn.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm









thomcats:

On 2005-12-07, Buster posted:

The following post would indicate that modifications were made to the "Command Service" detections on 2005-12-09:
Detection updates 2005-12-09
http://forums.spybot.info/showthread.php?t=895

Go into Spybot > Help > About. If you are still running with 2005-12-05 updates, ignore the detections until you get new updates. If you have the 2005-12-09 updates, run another scan. When the scan completes, right click on the results list and select "Copy results to clipboard" then paste the clipboard into a new post so that a “Member of Team Spybot” can see the detection and the update level that you are running.

thomcats
2005-12-18, 11:29
Hello!

All problems seems to be solved now. I have updated to definitions as per Dec 16 and all is working fine.

Thanks for all work and attention in this matter.

Cheers:bigthumb:
thomcats

tashi
2005-12-18, 17:41
copy of clipboard


--- Search result list ---
Command Service: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

Command Service: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService


--- Spybot - Search && Destroy version: 1.3 ---
2005-12-09 Includes\Cookies.sbi
2005-12-09 Includes\Dialer.sbi
2005-12-09 Includes\Hijackers.sbi
2005-12-09 Includes\Keyloggers.sbi
2004-11-29 Includes\LSP.sbi
2005-12-09 Includes\Malware.sbi
2005-12-09 Includes\PUPS.sbi
2005-12-09 Includes\Revision.sbi
2005-12-09 Includes\Security.sbi
2005-12-09 Includes\Spybots.sbi
2005-02-17 Includes\Tracks.uti
2005-12-09 Includes\Trojans.sbi

Tank5 you might want to update to Version 1.4. :)

Please see:

Spybot-S&D Version 1.4 Download (http://www.spybot.info/en/download/index.html)


Uninstalling Previous Spybot-S&D (http://www.safer-networking.org/en/faq/27.html)



Tutorial (http://www.spybot.info/en/tutorial/index.html)


Solution to fix the pop-ups in TeaTimer. (Spybot-S&D V 1.4)
http://forums.spybot.info/showthread.php?t=122

Cheers.

j.a.s.o.n
2006-03-13, 18:47
Below are my results, the fixed entry does reappear on a reboot.
Do you have any advice on whether this is (still) regarded as a false positive, or something more serious. I don't think I have been doing anything else to warrent the number of other (removable) trojans or trackers I keep finding.
Thanks for anything you can suggest.
J

Command Service: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

Command Service: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

Command Service: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-10-09 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-03-10 Includes\Cookies.sbi (*)
2006-03-10 Includes\Dialer.sbi (*)
2006-03-10 Includes\Hijackers.sbi (*)
2006-03-10 Includes\Keyloggers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2006-03-10 Includes\Malware.sbi (*)
2006-03-10 Includes\PUPS.sbi (*)
2006-03-10 Includes\Revision.sbi (*)
2006-03-10 Includes\Security.sbi (*)
2006-03-10 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-03-10 Includes\Trojans.sbi (*)

LonnyRJones
2006-03-13, 19:33
Welcome to the forum j.a.s.o.n

Have you tried running a check for problems with SpyBot while the PC is in safe mode ?

Weather or not you have i suggest you Start a topic in our malware area
Please go here and follow instructions.
http://forums.spybot.info/showthread.php?t=288
Someone will then take a look at the system and advise you.

j.a.s.o.n
2006-03-15, 20:03
I have indeed tried safe mode. And I have followed your advice and the instructions found via that link. Thanks for the quick response!
J

thanks
2006-12-04, 16:46
Hello to all.....
I joined this forum only on 1st Dec,2006. and this is my first posting.
I am using Spybot S&D for the last one year and presently I am having version 1.4 and the latest detection updates are upto 2006.12.01.
For the last one month I am being troubled with "Command Service". After reading all the above discussion, I am thinking I can ignore it. But the scan report when it shows in red, it is quite annoying. There are three entries, all the three are registry keys. Can we delete them? and how?
These are the registry keys :
HKEY_LOCAL_MACHINE\SYSTEM\Control Set 003.....
\Control Set 001....
\Control
I am having win XP(Home) with SP1& 2
Thanks in advance for any response.

LonnyRJones
2006-12-04, 16:53
thanks
Its coused by the way Ad-Aware removes command service. it leaves
registry entries with modified permisions in place, they are harmless , but if you want to remove it post in our malware section.

thanks
2006-12-06, 17:16
Hai LonnyRjones....
Thank you for the quick response. I will follow your advise and post it in the malware section.
Thank you again.