Command Service: mchInjDrv in HKLM:CurrentControlSet

[bitman]

Want to inform and confirm with Team Spybot that this may be a false positive in the 02-12-05 detections.

We've seen a thread in both the Malware and Spybot forums discussing this.

Unable to fix "Command Service"
http://forums.spybot.info/showthread.php?t=730
HKLM cmd srvce settings
http://forums.spybot.info/showthread.php?t=710

There's also the following thread at BroadBand Reports.

Spybot detects "Command Service" as malware
http://www.dslreports.com/forum/remark,14933661

TrojanHunter, spysweeper, a2 all add this registry entry, probably more security apps also.
mchInjDrv (Mad code hook injection driver)
malware can use it, but if you use any of the above security apps, then it's a false positive.

The following are the detected keys.

Code:

Command Service: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\mchInjDrv

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\m chInjDrv

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\m chInjDrv

[tashi]

Thank you Bitman, we have brought to Team's attention.

[Oldfrog]

I am working with someone at Castlecops with the same detection. Here is what shows to be in the registry keys in ControlSet001. This really looks like a known malicious service:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mchInjDrv]
"Type"=dword:00000001
"ErrorControl"=dword:00000000
"Start"=dword:00000004
"ImagePath"="\\??\\C:\\WINDOWS\\TEMP\\mc21.tmp"
"DeleteFlag"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mchInjDrv\Enum]
"0"="Root\\LEGACY_MCHINJDRV\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

Original Topic

[LonnyRJones]

Hi Oldfrog
It is a false possitive unless a 020 cmdservice command.exe is also present

Regards

[Oldfrog]

Okay, but there is obviously a real registry entry there and it is part of a genuine malicious signature. I agree that the threat is not active but still don't really feel that the detection is false.

Is Spybot going to quit detecting this or is it something that we should just tell users to ignore?

[LonnyRJones]

Its not always malicious

For example I have trojan hunter when we use its guard it creates the same key.

Regards

[Buster]

We decided to remove mchinjdrv from Spybot´s detections. Thanks for reporting !

[thomcats]

We decided to remove mchinjdrv from Spybot´s detections. Thanks for reporting !

Hello,

Checked for updates - and there were none to be had for me - yet Spybot still detects "Command Service" and mchindrjv??

Please advice.

Thanks in advance!
thomcats

[md usa spybot fan]

thomcats:

On 2005-12-07, Buster posted:

We decided to remove mchinjdrv from Spybot´s detections. Thanks for reporting !

The following post would indicate that modifications were made to the "Command Service" detections on 2005-12-09:

• Detection updates 2005-12-09
  http://forums.spybot.info/showthread.php?t=895

++ Command Service

It appears that something happened during the preparation of the update for 2005-12-16 and update facility is not currently working:

• Upadate (sic) problem.
  http://forums.spybot.info/showthread.php?t=1057
• Problem with Update !
  http://forums.spybot.info/showthread.php?t=1060

Go into Spybot > Help > About. If you are still running with 2005-12-05 updates, ignore the detections until you get new updates. If you have the 2005-12-09 updates, run another scan. When the scan completes, right click on the results list and select "Copy results to clipboard" then paste the clipboard into a new post so that a “Member of Team Spybot” can see the detection and the update level that you are running.

[Tank5]

copy of clipboard


--- Search result list ---
Command Service: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

Command Service: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService


--- Spybot - Search && Destroy version: 1.3 ---
2005-12-09 Includes\Cookies.sbi
2005-12-09 Includes\Dialer.sbi
2005-12-09 Includes\Hijackers.sbi
2005-12-09 Includes\Keyloggers.sbi
2004-11-29 Includes\LSP.sbi
2005-12-09 Includes\Malware.sbi
2005-12-09 Includes\PUPS.sbi
2005-12-09 Includes\Revision.sbi
2005-12-09 Includes\Security.sbi
2005-12-09 Includes\Spybots.sbi
2005-02-17 Includes\Tracks.uti
2005-12-09 Includes\Trojans.sbi


--- System information ---
Windows XP (Build: 2600) Service Pack 2
/ Internet Explorer 6 / SP1: Windows XP Hotfix - KB867282
/ Windows XP / SP2: Windows XP Service Pack 2
/ Windows XP / SP3: Windows XP Hotfix - KB873333
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Security Update for Windows XP (KB883939)
/ Windows XP / SP3: Windows XP Hotfix - KB885250
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB887472
/ Windows XP / SP3: Windows XP Hotfix - KB887742
/ Windows XP / SP3: Windows XP Hotfix - KB888113
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Security Update for Windows XP (KB890046)
/ Windows XP / SP3: Windows XP Hotfix - KB890047
/ Windows XP / SP3: Windows XP Hotfix - KB890175
/ Windows XP / SP3: Windows XP Hotfix - KB890859
/ Windows XP / SP3: Windows XP Hotfix - KB890923
/ Windows XP / SP3: Windows XP Hotfix - KB891781
/ Windows XP / SP3: Security Update for Windows XP (KB893066)
/ Windows XP / SP3: Windows XP Hotfix - KB893086
/ Windows XP / SP3: Security Update for Windows XP (KB893756)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Update for Windows XP (KB894391)
/ Windows XP / SP3: Security Update for Windows XP (KB896358)
/ Windows XP / SP3: Security Update for Windows XP (KB896422)
/ Windows XP / SP3: Security Update for Windows XP (KB896423)
/ Windows XP / SP3: Security Update for Windows XP (KB896424)
/ Windows XP / SP3: Security Update for Windows XP (KB896428)
/ Windows XP / SP3: Security Update for Windows XP (KB896688)
/ Windows XP / SP3: Update for Windows XP (KB896727)
/ Windows XP / SP3: Update for Windows XP (KB898461)
/ Windows XP / SP3: Security Update for Windows XP (KB899587)
/ Windows XP / SP3: Security Update for Windows XP (KB899588)
/ Windows XP / SP3: Security Update for Windows XP (KB899589)
/ Windows XP / SP3: Security Update for Windows XP (KB899591)
/ Windows XP / SP3: Security Update for Windows XP (KB900725)
/ Windows XP / SP3: Security Update for Windows XP (KB901017)
/ Windows XP / SP3: Security Update for Windows XP (KB901214)
/ Windows XP / SP3: Security Update for Windows XP (KB902400)
/ Windows XP / SP3: Security Update for Windows XP (KB903235)
/ Windows XP / SP3: Security Update for Windows XP (KB904706)
/ Windows XP / SP3: Security Update for Windows XP (KB905414)
/ Windows XP / SP3: Security Update for Windows XP (KB905749)
/ Windows XP / SP3: Security Update for Windows XP (KB905915)
/ Windows XP / SP3: Update for Windows XP (KB910437)
/ Windows XP OOB / SP10: High Definition Audio Driver Package - KB835221



--- Process list ---
Spybot - Search && Destroy process list report, 12/17/2005 11:35:14 AM

PID: 0 ( 0) [System]
PID: 4 ( 0) System
PID: 440 (2012) D:\Apps\Daemon Tools\daemon.exe
PID: 452 (2012) D:\Apps\iTunes\iTunesHelper.exe
PID: 492 ( 784) D:\Apps\Common Framework\FrameworkService.exe
PID: 512 ( 988) naPrdMgr.exe
PID: 516 (2012) C:\WINDOWS\system32\RunDll32.exe
PID: 524 (2012) C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
PID: 532 (2012) C:\Program Files\Saitek\Software\Profiler.exe
PID: 548 (2012) C:\Program Files\Saitek\Software\SaiSmart.exe
PID: 564 (2012) C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
PID: 660 ( 4) \SystemRoot\System32\smss.exe
PID: 708 ( 660) csrss.exe
PID: 736 ( 660) \??\C:\WINDOWS\system32\winlogon.exe
PID: 784 ( 736) C:\WINDOWS\system32\services.exe
PID: 796 ( 736) C:\WINDOWS\system32\lsass.exe
PID: 924 (2012) C:\Program Files\Internet Explorer\iexplore.exe
PID: 936 (2012) D:\Apps\VirusScan\SHSTAT.EXE
PID: 944 (2012) D:\Apps\Common Framework\UpdaterUI.exe
PID: 972 ( 784) C:\WINDOWS\system32\Ati2evxx.exe
PID: 988 ( 784) C:\WINDOWS\system32\svchost.exe
PID: 1012 (2012) C:\Program Files\Messenger\msmsgs.exe
PID: 1020 (2012) C:\WINDOWS\system32\ctfmon.exe
PID: 1060 ( 784) svchost.exe
PID: 1160 ( 784) C:\WINDOWS\System32\svchost.exe
PID: 1300 ( 784) svchost.exe
PID: 1312 (2012) C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
PID: 1352 (2012) C:\Program Files\VIA\RAID\raid_tool.exe
PID: 1360 ( 784) D:\Apps\VirusScan\mcshield.exe
PID: 1452 ( 784) wdfmgr.exe
PID: 1456 ( 784) svchost.exe
PID: 1576 ( 784) D:\Apps\VirusScan\vstskmgr.exe
PID: 1660 ( 784) C:\WINDOWS\system32\spoolsv.exe
PID: 1784 ( 784) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
PID: 1912 ( 736) C:\WINDOWS\system32\Ati2evxx.exe
PID: 2012 (1952) C:\WINDOWS\Explorer.EXE
PID: 2108 ( 784) D:\Apps\ipod\bin\iPodService.exe
PID: 2432 ( 784) C:\WINDOWS\System32\imapi.exe
PID: 2624 (2012) C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart.exe
PID: 2900 ( 784) alg.exe
PID: 3032 (2012) C:\Program Files\Internet Explorer\iexplore.exe
PID: 3168 (2012) C:\WINDOWS\system32\notepad.exe
PID: 3268 (2624) C:\Program Files\Ahead\nero\nero.exe
PID: 3312 (1616) C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
PID: 3568 ( 784) C:\WINDOWS\System32\svchost.exe
PID: 3988 (2012) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe


--- Browser start & search pages list ---
Spybot - Search && Destroy browser pages report, 12/17/2005 11:35:14 AM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://ie.search.msn.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.google.com.au/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://ie.search.msn.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant Explorer\Main\Default_Search_URL
about:blank
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://ie.search.msn.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir...ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

thomcats:

On 2005-12-07, Buster posted:

The following post would indicate that modifications were made to the "Command Service" detections on 2005-12-09:

• Detection updates 2005-12-09
  http://forums.spybot.info/showthread.php?t=895

Go into Spybot > Help > About. If you are still running with 2005-12-05 updates, ignore the detections until you get new updates. If you have the 2005-12-09 updates, run another scan. When the scan completes, right click on the results list and select "Copy results to clipboard" then paste the clipboard into a new post so that a “Member of Team Spybot” can see the detection and the update level that you are running.