
Thread: Command Service: mchInjDrv in HKLM:CurrentControlSet

  1. #1
    Esteemed Member
    Join Date
    Oct 2005
    Posts
    554

    Command Service: mchInjDrv in HKLM:CurrentControlSet

    Want to inform and confirm with Team Spybot that this may be a false positive in the 02-12-05 detections.

    We've seen a thread in both the Malware and Spybot forums discussing this.

    Unable to fix "Command Service"
    http://forums.spybot.info/showthread.php?t=730
    HKLM cmd srvce settings
    http://forums.spybot.info/showthread.php?t=710

    There's also the following thread at BroadBand Reports.

    Spybot detects "Command Service" as malware
    http://www.dslreports.com/forum/remark,14933661
    TrojanHunter, spysweeper, a2 all add this registry entry, probably more security apps also.
    mchInjDrv (Mad code hook injection driver)
    malware can use it, but if you use any of the above security apps, then it's a false positive.
    The following are the detected keys.
    Code:
    Command Service: Settings (Registry key, fixed)
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mchInjDrv

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\mchInjDrv

  2. #2
    Member of Team Spybot tashi
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,432


    Thank you Bitman, we have brought this to the Team's attention.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  3. #3
    Junior Member Oldfrog
    Join Date
    Dec 2005
    Posts
    2


    I am working with someone at Castlecops with the same detection. Here is what shows to be in the registry keys in ControlSet001. This really looks like a known malicious service:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mchInjDrv]
    "Type"=dword:00000001
    "ErrorControl"=dword:00000000
    "Start"=dword:00000004
    "ImagePath"="\\??\\C:\\WINDOWS\\TEMP\\mc21.tmp"
    "DeleteFlag"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mchInjDrv\Enum]
    "0"="Root\\LEGACY_MCHINJDRV\\0000"
    "Count"=dword:00000001
    "NextInstance"=dword:00000001

  4. #4
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    Hi Oldfrog
    It is a false positive unless a 020 cmdservice command.exe is also present.

    Regards

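    The triage rule in this reply can be applied to an export like the one Oldfrog posted in #3 without touching the live registry. The Python below is an added example, not code from this thread or from Spybot: it parses a .reg export, unescapes the string values, and labels an mchInjDrv key that is disabled (Start=4) and marked for deletion (DeleteFlag=1), as in the posted export, as a leftover hook-driver stub, while any cmdService key is reported for investigation. The mchInjDrv entries in the sample are the posted export; the cmdService entry at the end is a constructed placeholder added only to exercise the second rule, and its ImagePath is invented.

```python
"""Offline triage of a .reg export of service keys.

Rule from this thread: an mchInjDrv service key that is disabled (Start=4)
and marked for deletion (DeleteFlag=1) is a leftover hook-driver stub from
a security product, while a cmdService key is the indicator that needs a
closer look.  Nothing here touches the live registry.
"""
import re
from typing import Dict, Optional

# The mchInjDrv keys are the export posted in this thread; the cmdService key
# at the end is a constructed placeholder that only exercises the second rule.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mchInjDrv]
"Type"=dword:00000001
"ErrorControl"=dword:00000000
"Start"=dword:00000004
"ImagePath"="\\??\\C:\\WINDOWS\\TEMP\\mc21.tmp"
"DeleteFlag"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mchInjDrv\Enum]
"0"="Root\\LEGACY_MCHINJDRV\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService]
"Type"=dword:00000010
"Start"=dword:00000002
"ImagePath"="C:\\constructed\\placeholder.exe"
"""

SERVICE_KERNEL_DRIVER = 0x1   # "Type" value for a kernel driver
SERVICE_DISABLED = 0x4        # "Start" value meaning the service never starts

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s: str) -> str:
    """.reg files escape backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Map each [key path] to its values; dword -> int, strings unescaped."""
    keys: Dict[str, Dict[str, object]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.groups()
            name = "(Default)" if name == "@" else _unescape(name[1:-1])
            if data.startswith("dword:"):
                keys[current][name] = int(data[len("dword:"):], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                keys[current][name] = _unescape(data[1:-1])
            else:
                keys[current][name] = data  # hex(...) blobs are left raw
    return keys


def service_name(key_path: str) -> Optional[str]:
    """Return the service name for a direct child of ...\\Services, else None."""
    parts = key_path.split("\\")
    lowered = [p.lower() for p in parts]
    if "services" not in lowered:
        return None
    rest = parts[lowered.index("services") + 1:]
    return rest[0] if len(rest) == 1 else None  # skips subkeys such as Enum


def triage(keys: Dict[str, Dict[str, object]]) -> Dict[str, str]:
    """Apply the thread's rule to every service key in the export."""
    verdicts: Dict[str, str] = {}
    for path, values in keys.items():
        name = service_name(path)
        if name is None:
            continue
        image = str(values.get("ImagePath", ""))
        if name.lower() == "cmdservice":
            verdicts[name] = f"investigate: cmdService key present, ImagePath={image!r}"
        elif name.lower() == "mchinjdrv":
            is_stub = (values.get("Type") == SERVICE_KERNEL_DRIVER
                       and values.get("Start") == SERVICE_DISABLED
                       and values.get("DeleteFlag") == 1)
            if is_stub:
                verdicts[name] = f"leftover hook-driver stub (disabled, marked for deletion), ImagePath={image!r}"
            else:
                verdicts[name] = f"mchInjDrv present and not a disabled stub, check ImagePath={image!r}"
    return verdicts


def triage_text(text: str) -> Dict[str, str]:
    return triage(parse_reg(text))


if __name__ == "__main__":
    for svc, verdict in triage_text(SAMPLE_REG).items():
        print(f"{svc}: {verdict}")
```

    Run it against any export taken with `reg export HKLM\SYSTEM\ControlSet001\Services\mchInjDrv out.reg`; the parser only reads the file, so it is safe to use on an export copied off a machine under investigation.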
  5. #5
    Junior Member Oldfrog
    Join Date
    Dec 2005
    Posts
    2


    Okay, but there is obviously a real registry entry there and it is part of a genuine malicious signature. I agree that the threat is not active but still don't really feel that the detection is false.

    Is Spybot going to quit detecting this or is it something that we should just tell users to ignore?

  6. #6
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    It's not always malicious.

    For example, I have TrojanHunter; when we use its guard it creates the same key.

    Regards

  7. #7
    Member of Team Spybot Buster
    Join Date
    Oct 2005
    Location
    Bochum/Germany
    Posts
    389


    We decided to remove mchinjdrv from Spybot's detections. Thanks for reporting!
    "The advantage of wisdom is that you can always act the fool. The opposite is quite tough."

    K. Tucholsky

    _______________________________________________________________

    Please help us improve Spybot and download our distributed testing client.

  8. #8
    Junior Member
    Join Date
    Dec 2005
    Posts
    2


    Quote Originally Posted by Buster
    We decided to remove mchinjdrv from Spybot's detections. Thanks for reporting!
    Hello,

    Checked for updates, and there were none to be had for me, yet Spybot still detects "Command Service" and mchinjdrv??

    Please advise.

    Thanks in advance!
    thomcats

  9. #9
    Spybot Advisor Team [Retired] md usa spybot fan
    Join Date
    Oct 2005
    Posts
    5,859


    thomcats:

    On 2005-12-07, Buster posted:
    Quote Originally Posted by Buster
    We decided to remove mchinjdrv from Spybot's detections. Thanks for reporting!
    The following post would indicate that modifications were made to the "Command Service" detections on 2005-12-09:

    ++ Command Service
    It appears that something happened during the preparation of the update for 2005-12-16 and the update facility is not currently working:

    Go into Spybot > Help > About. If you are still running with 2005-12-05 updates, ignore the detections until you get new updates. If you have the 2005-12-09 updates, run another scan. When the scan completes, right click on the results list and select "Copy results to clipboard" then paste the clipboard into a new post so that a “Member of Team Spybot” can see the detection and the update level that you are running.

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.

  10. #10
    Junior Member
    Join Date
    Dec 2005
    Posts
    1

    19-12-05 defs do not fix cmd.service reg issue

    copy of clipboard


    --- Search result list ---
    Command Service: Settings (Registry key, fixing failed)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

    Command Service: Settings (Registry key, fixing failed)
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService


    --- Spybot - Search && Destroy version: 1.3 ---
    2005-12-09 Includes\Cookies.sbi
    2005-12-09 Includes\Dialer.sbi
    2005-12-09 Includes\Hijackers.sbi
    2005-12-09 Includes\Keyloggers.sbi
    2004-11-29 Includes\LSP.sbi
    2005-12-09 Includes\Malware.sbi
    2005-12-09 Includes\PUPS.sbi
    2005-12-09 Includes\Revision.sbi
    2005-12-09 Includes\Security.sbi
    2005-12-09 Includes\Spybots.sbi
    2005-02-17 Includes\Tracks.uti
    2005-12-09 Includes\Trojans.sbi


    --- System information ---
    Windows XP (Build: 2600) Service Pack 2
    / Internet Explorer 6 / SP1: Windows XP Hotfix - KB867282
    / Windows XP / SP2: Windows XP Service Pack 2
    / Windows XP / SP3: Windows XP Hotfix - KB873333
    / Windows XP / SP3: Windows XP Hotfix - KB873339
    / Windows XP / SP3: Security Update for Windows XP (KB883939)
    / Windows XP / SP3: Windows XP Hotfix - KB885250
    / Windows XP / SP3: Windows XP Hotfix - KB885835
    / Windows XP / SP3: Windows XP Hotfix - KB885836
    / Windows XP / SP3: Windows XP Hotfix - KB886185
    / Windows XP / SP3: Windows XP Hotfix - KB887472
    / Windows XP / SP3: Windows XP Hotfix - KB887742
    / Windows XP / SP3: Windows XP Hotfix - KB888113
    / Windows XP / SP3: Windows XP Hotfix - KB888302
    / Windows XP / SP3: Security Update for Windows XP (KB890046)
    / Windows XP / SP3: Windows XP Hotfix - KB890047
    / Windows XP / SP3: Windows XP Hotfix - KB890175
    / Windows XP / SP3: Windows XP Hotfix - KB890859
    / Windows XP / SP3: Windows XP Hotfix - KB890923
    / Windows XP / SP3: Windows XP Hotfix - KB891781
    / Windows XP / SP3: Security Update for Windows XP (KB893066)
    / Windows XP / SP3: Windows XP Hotfix - KB893086
    / Windows XP / SP3: Security Update for Windows XP (KB893756)
    / Windows XP / SP3: Windows Installer 3.1 (KB893803)
    / Windows XP / SP3: Update for Windows XP (KB894391)
    / Windows XP / SP3: Security Update for Windows XP (KB896358)
    / Windows XP / SP3: Security Update for Windows XP (KB896422)
    / Windows XP / SP3: Security Update for Windows XP (KB896423)
    / Windows XP / SP3: Security Update for Windows XP (KB896424)
    / Windows XP / SP3: Security Update for Windows XP (KB896428)
    / Windows XP / SP3: Security Update for Windows XP (KB896688)
    / Windows XP / SP3: Update for Windows XP (KB896727)
    / Windows XP / SP3: Update for Windows XP (KB898461)
    / Windows XP / SP3: Security Update for Windows XP (KB899587)
    / Windows XP / SP3: Security Update for Windows XP (KB899588)
    / Windows XP / SP3: Security Update for Windows XP (KB899589)
    / Windows XP / SP3: Security Update for Windows XP (KB899591)
    / Windows XP / SP3: Security Update for Windows XP (KB900725)
    / Windows XP / SP3: Security Update for Windows XP (KB901017)
    / Windows XP / SP3: Security Update for Windows XP (KB901214)
    / Windows XP / SP3: Security Update for Windows XP (KB902400)
    / Windows XP / SP3: Security Update for Windows XP (KB903235)
    / Windows XP / SP3: Security Update for Windows XP (KB904706)
    / Windows XP / SP3: Security Update for Windows XP (KB905414)
    / Windows XP / SP3: Security Update for Windows XP (KB905749)
    / Windows XP / SP3: Security Update for Windows XP (KB905915)
    / Windows XP / SP3: Update for Windows XP (KB910437)
    / Windows XP OOB / SP10: High Definition Audio Driver Package - KB835221



    --- Process list ---
    Spybot - Search && Destroy process list report, 12/17/2005 11:35:14 AM

    PID: 0 ( 0) [System]
    PID: 4 ( 0) System
    PID: 440 (2012) D:\Apps\Daemon Tools\daemon.exe
    PID: 452 (2012) D:\Apps\iTunes\iTunesHelper.exe
    PID: 492 ( 784) D:\Apps\Common Framework\FrameworkService.exe
    PID: 512 ( 988) naPrdMgr.exe
    PID: 516 (2012) C:\WINDOWS\system32\RunDll32.exe
    PID: 524 (2012) C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    PID: 532 (2012) C:\Program Files\Saitek\Software\Profiler.exe
    PID: 548 (2012) C:\Program Files\Saitek\Software\SaiSmart.exe
    PID: 564 (2012) C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    PID: 660 ( 4) \SystemRoot\System32\smss.exe
    PID: 708 ( 660) csrss.exe
    PID: 736 ( 660) \??\C:\WINDOWS\system32\winlogon.exe
    PID: 784 ( 736) C:\WINDOWS\system32\services.exe
    PID: 796 ( 736) C:\WINDOWS\system32\lsass.exe
    PID: 924 (2012) C:\Program Files\Internet Explorer\iexplore.exe
    PID: 936 (2012) D:\Apps\VirusScan\SHSTAT.EXE
    PID: 944 (2012) D:\Apps\Common Framework\UpdaterUI.exe
    PID: 972 ( 784) C:\WINDOWS\system32\Ati2evxx.exe
    PID: 988 ( 784) C:\WINDOWS\system32\svchost.exe
    PID: 1012 (2012) C:\Program Files\Messenger\msmsgs.exe
    PID: 1020 (2012) C:\WINDOWS\system32\ctfmon.exe
    PID: 1060 ( 784) svchost.exe
    PID: 1160 ( 784) C:\WINDOWS\System32\svchost.exe
    PID: 1300 ( 784) svchost.exe
    PID: 1312 (2012) C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    PID: 1352 (2012) C:\Program Files\VIA\RAID\raid_tool.exe
    PID: 1360 ( 784) D:\Apps\VirusScan\mcshield.exe
    PID: 1452 ( 784) wdfmgr.exe
    PID: 1456 ( 784) svchost.exe
    PID: 1576 ( 784) D:\Apps\VirusScan\vstskmgr.exe
    PID: 1660 ( 784) C:\WINDOWS\system32\spoolsv.exe
    PID: 1784 ( 784) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    PID: 1912 ( 736) C:\WINDOWS\system32\Ati2evxx.exe
    PID: 2012 (1952) C:\WINDOWS\Explorer.EXE
    PID: 2108 ( 784) D:\Apps\ipod\bin\iPodService.exe
    PID: 2432 ( 784) C:\WINDOWS\System32\imapi.exe
    PID: 2624 (2012) C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart.exe
    PID: 2900 ( 784) alg.exe
    PID: 3032 (2012) C:\Program Files\Internet Explorer\iexplore.exe
    PID: 3168 (2012) C:\WINDOWS\system32\notepad.exe
    PID: 3268 (2624) C:\Program Files\Ahead\nero\nero.exe
    PID: 3312 (1616) C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
    PID: 3568 ( 784) C:\WINDOWS\System32\svchost.exe
    PID: 3988 (2012) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe


    --- Browser start & search pages list ---
    Spybot - Search && Destroy browser pages report, 12/17/2005 11:35:14 AM

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
    C:\WINDOWS\system32\blank.htm
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
    http://ie.search.msn.com
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
    http://www.google.com.au/
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
    http://ie.search.msn.com
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant Explorer\Main\Default_Search_URL
    about:blank
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
    %SystemRoot%\system32\blank.htm
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
    http://ie.search.msn.com
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
    http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
    http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
    http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
    http://ie.search.msn.com
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
    http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
