"probably a variant of Win32/Genetik" was a False Positive from ESET's NOD32 which was solved the next day.

Rootkit is a technique which can be used by Malware, rootkit is NOT another name for Malware.

Several good security products also use rootkit techniques, i even got another security product (AČ) on my machine that uses mchInjDrv.sys

Yes i Know differents between malware and rootkit, what i trying to describe here is that mchInjDrv.sys is not a rootkit it is a bad trojan. as i said earlier when i used nod32 as an example yes it was the very latest of nod32 i got Trojan "True positives - win32trojan ... modified"

btw it has nothing to do with nod32 its just alerted....
mchInjDrv.sys will install anyway without nod32.

let me explain this in this way...

It will install an Rootkit that hides "mchInjDrv.sys" so its become invincible and it WILL always be
active in memory even if you restart your comp.
"mchInjDrv.sys" will not be found anywhere because its under rootkits safety.

But with a rku rootkitunhoker...
verify this for yourself in a clean system...
you will see this file under drivers in a rku link under ...

http://forum.sysinternals.com/uploads/20071210_182632_rku37300509.rar

and if you check little more with rku you see that it is running
in memory..

funny when prevx csi in some circumstances finds it itself
but without a license as i dont ove i couldnt remove that.

try
Uninstall prevx CSI, and you see its still there. why?
its all up to you if you take this serious and not...
But it has your compo under control....

but you can always buy the product. i will not!

I think its bad that when peoducts install bad files when trying a new security program of anykind. Just to nearly force you to get ridth with the bad things... that is ugly....

Nice one Tony

He he you are a funny man

yeah my english is not perfect and a wrongspelling there and there thats really something to peek floating away from facts.

its humans nature behaviors flee away subject with jokes. ha ha
serously it was quite fun to read it )

as long as everyone is honest its fine by me.

Anyway look at this picture mr perfect... except for your mouth then

PrevxCSI in action found itself.JPG
Description:	PrevxCSI in action found itself
Filesize:	50.83 KB
Viewed:	126 Time(s)

Strange location for the temp folder.


Check Prevx CSI log, find C:\0\Temp1\Tmp__(number)\prevxcsi.exe
And copy the MD5 and PX5 code






On my machine and this version of Prevx CSI it is;

C:\Documents and Settings\pc1\Local Settings\Temp\Tmp___2791\prevxcsi.exe
MD5: 166177AAE9C1AF94E35DB08031A58730
PX5: 8B1772F80012057182A4010BA27F6900D0ECF28A

Quick check in Prevx database;

This executable program has a file size of 98,816 bytes, it is most frequently called PREVXCSI.EXE and is most frequently located in the %programfiles%\prevxcsi\ folder.
The file header contains the following information:
Vendor : Prevx
Product: Prevx Computer Security Investigator
Version: 1, 0, 0,

This file is considered safe. It was first seen on Friday, Feb 22 2008

As *always* :

Before claiming we are the new CIA and we take under our control your pc, have you sent us your CSI log along with a support ticket asking what is happening?

We have nothing to do with that Madshi hook library nor with the other driver you reported before.

Where have you downloaded this version of Prevx CSI?
Sometimes ago a fake version of CSI was spreading around.

I had the paid-for version of this software. After three separate false positives, the last of which identified some software from Steve Gibson's site as 'dangerous', and deleted it, I removed Prevx CSI from my PC.

I think we can safely say that Prevx 'official' support have abandoned this forum and any Prevx users that come here from their won website link! LOL

I think we can safely say that Prevx 'official' support have abandoned this forum and any Prevx users that come here from their won website link! LOL