Command Service: mchInjDrv in HKLM:CurrentControlSet
Want to inform and confirm with Team Spybot that this may be a false positive in the 02-12-05 detections.
We've seen a thread in both the Malware and Spybot forums discussing this.
Unable to fix "Command Service"
http://forums.spybot.info/showthread.php?t=730
HKLM cmd srvce settings
http://forums.spybot.info/showthread.php?t=710
There's also the following thread at BroadBand Reports.
Spybot detects "Command Service" as malware
http://www.dslreports.com/forum/remark,14933661
Quote:
TrojanHunter, spysweeper, a2 all add this registry entry, probably more security apps also.
mchInjDrv (Mad code hook injection driver)
malware can use it, but if you use any of the above security apps, then it's a false positive.
The following are the detected keys.
Code:
Command Service: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mchInjDrv
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\mchInjDrv
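As an added example (not part of the thread, and not Spybot's own code), the following PowerShell check lets a defender see which product owns the flagged service entries before deciding whether the detection is a false positive: for each service name and control set quoted above it reads the key's DisplayName, Description, Start and ImagePath values, checks whether the referenced driver file is present, and reports its Authenticode signer. Only the service names and control-set paths from the thread are used; the helper name Resolve-DriverPath is this example's own.

```powershell
# Added example: inspect the service keys named in the thread to see whether the
# entry belongs to an installed security product (false positive) or warrants a
# closer look. Run from an elevated prompt.
$serviceNames = @('mchInjDrv', 'cmdService')   # names quoted in the thread
$controlSets  = @('CurrentControlSet', 'ControlSet001', 'ControlSet002')

function Resolve-DriverPath {
    param([string]$ImagePath)
    # Driver ImagePath values are often relative to %SystemRoot% or carry the
    # NT-style \??\ or \SystemRoot\ prefixes; normalise them to a Win32 path.
    $p = $ImagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -and -not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

foreach ($cs in $controlSets) {
    foreach ($svc in $serviceNames) {
        $key = "HKLM:\SYSTEM\$cs\Services\$svc"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        $file  = Resolve-DriverPath $props.ImagePath
        $info  = [ordered]@{
            Key         = $key
            DisplayName = $props.DisplayName
            Description = $props.Description
            Start       = $props.Start        # 3 = demand start, typical for hook drivers
            ImagePath   = $props.ImagePath
            FileExists  = [bool]($file -and (Test-Path $file))
            Signer      = $null
        }
        if ($info.FileExists) {
            # Signer subject tells you which vendor shipped the driver.
            $sig = Get-AuthenticodeSignature -FilePath $file
            $info.Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "unsigned ($($sig.Status))" }
        }
        [pscustomobject]$info
    }
}
```

A key whose ImagePath resolves to a signed driver from one of the security products installed on the machine matches the false-positive explanation quoted above; a key with no driver file, or a file signed by nobody you recognise, is the one to examine further.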
19-12-05 defs do not fix cmd.service reg issue
copy of clipboard
--- Search result list ---
Command Service: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService
Command Service: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService
--- Spybot - Search && Destroy version: 1.3 ---
2005-12-09 Includes\Cookies.sbi
2005-12-09 Includes\Dialer.sbi
2005-12-09 Includes\Hijackers.sbi
2005-12-09 Includes\Keyloggers.sbi
2004-11-29 Includes\LSP.sbi
2005-12-09 Includes\Malware.sbi
2005-12-09 Includes\PUPS.sbi
2005-12-09 Includes\Revision.sbi
2005-12-09 Includes\Security.sbi
2005-12-09 Includes\Spybots.sbi
2005-02-17 Includes\Tracks.uti
2005-12-09 Includes\Trojans.sbi
--- System information ---
Windows XP (Build: 2600) Service Pack 2
--- Process list ---
Spybot - Search && Destroy process list report, 12/17/2005 11:35:14 AM
PID: 0 ( 0) [System]
PID: 4 ( 0) System
PID: 440 (2012) D:\Apps\Daemon Tools\daemon.exe
PID: 452 (2012) D:\Apps\iTunes\iTunesHelper.exe
PID: 492 ( 784) D:\Apps\Common Framework\FrameworkService.exe
PID: 512 ( 988) naPrdMgr.exe
PID: 516 (2012) C:\WINDOWS\system32\RunDll32.exe
PID: 524 (2012) C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
PID: 532 (2012) C:\Program Files\Saitek\Software\Profiler.exe
PID: 548 (2012) C:\Program Files\Saitek\Software\SaiSmart.exe
PID: 564 (2012) C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
PID: 660 ( 4) \SystemRoot\System32\smss.exe
PID: 708 ( 660) csrss.exe
PID: 736 ( 660) \??\C:\WINDOWS\system32\winlogon.exe
PID: 784 ( 736) C:\WINDOWS\system32\services.exe
PID: 796 ( 736) C:\WINDOWS\system32\lsass.exe
PID: 924 (2012) C:\Program Files\Internet Explorer\iexplore.exe
PID: 936 (2012) D:\Apps\VirusScan\SHSTAT.EXE
PID: 944 (2012) D:\Apps\Common Framework\UpdaterUI.exe
PID: 972 ( 784) C:\WINDOWS\system32\Ati2evxx.exe
PID: 988 ( 784) C:\WINDOWS\system32\svchost.exe
PID: 1012 (2012) C:\Program Files\Messenger\msmsgs.exe
PID: 1020 (2012) C:\WINDOWS\system32\ctfmon.exe
PID: 1060 ( 784) svchost.exe
PID: 1160 ( 784) C:\WINDOWS\System32\svchost.exe
PID: 1300 ( 784) svchost.exe
PID: 1312 (2012) C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
PID: 1352 (2012) C:\Program Files\VIA\RAID\raid_tool.exe
PID: 1360 ( 784) D:\Apps\VirusScan\mcshield.exe
PID: 1452 ( 784) wdfmgr.exe
PID: 1456 ( 784) svchost.exe
PID: 1576 ( 784) D:\Apps\VirusScan\vstskmgr.exe
PID: 1660 ( 784) C:\WINDOWS\system32\spoolsv.exe
PID: 1784 ( 784) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
PID: 1912 ( 736) C:\WINDOWS\system32\Ati2evxx.exe
PID: 2012 (1952) C:\WINDOWS\Explorer.EXE
PID: 2108 ( 784) D:\Apps\ipod\bin\iPodService.exe
PID: 2432 ( 784) C:\WINDOWS\System32\imapi.exe
PID: 2624 (2012) C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart.exe
PID: 2900 ( 784) alg.exe
PID: 3032 (2012) C:\Program Files\Internet Explorer\iexplore.exe
PID: 3168 (2012) C:\WINDOWS\system32\notepad.exe
PID: 3268 (2624) C:\Program Files\Ahead\nero\nero.exe
PID: 3312 (1616) C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
PID: 3568 ( 784) C:\WINDOWS\System32\svchost.exe
PID: 3988 (2012) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
--- Browser start & search pages list ---
Spybot - Search && Destroy browser pages report, 12/17/2005 11:35:14 AM
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://ie.search.msn.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.google.com.au/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://ie.search.msn.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant
about:blank
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://ie.search.msn.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir...ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
Quote:
Originally Posted by md usa spybot fan
thomcats:
On 2005-12-07, Buster posted:
The following post would indicate that modifications were made to the "Command Service" detections on 2005-12-09:
Go into Spybot > Help > About. If you are still running with 2005-12-05 updates, ignore the detections until you get new updates. If you have the 2005-12-09 updates, run another scan. When the scan completes, right click on the results list and select "Copy results to clipboard" then paste the clipboard into a new post so that a “Member of Team Spybot” can see the detection and the update level that you are running.