OP
Mostly harmless
Joined: Mar 2007
Posts: 1 |
I haven't been using mIRC in a while, and I just did a scan right now and my ZoneAlarm security suite detected a trojan called... Win32.PrcView.3725
mIRC v6.21
I'm not sure if it's false but I deleted it just in case. If it's false then please let me know.
RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC\DisplayName
RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC\UninstallString
|
Hoopy frood
Joined: Aug 2004
Posts: 7,252 |
This is a false positive that ZoneAlarm detects. This has been reported before.
|
Pikka bird
Joined: Jul 2004
Posts: 11 |
I am using XP with AVG virus and Sygate firewall which I have been using for about 6 months and all of a sudden my XoftSpySE is detecting 13 incidents of mIRC script trojans in the registry keys etc. All I have to do is open the program and the scan detects it. I can delete them, then reopen the program and they are back! If I remove them and then do another scan without opening mIRC they are not there but then I reopen the program... they are back again. I get no warning or options to stop this. Do I need to uninstall the program and reinstall? How may I get rid of this? Any suggestions or info on this will be greatly appreciated. XoftSpySE lists this as its highest risk.
Regards Sylvia
Last edited by sylgf; 15/05/07 06:54 PM.
|
Pan-dimensional mouse
Joined: Mar 2006
Posts: 396 |
Are you using bare mIRC or do you have scripts/DLLs in use?
[02:16] * Titanic has quit IRC (Excess Flood)
|
Pikka bird
Joined: Jul 2004
Posts: 11 |
Hello and thank you for your attention. I believe I am just bare bones. No special scripts that I know of. How and where would I look to see? Regards, Sylvia
|
Pan-dimensional mouse
Joined: Mar 2006
Posts: 396 |
In mIRC, press ALT+R. If it's blank, you're using plain vanilla mIRC. Oh, and if it's blank, you're probably safe.
Last edited by The_JD; 16/05/07 01:56 PM.
[02:16] * Titanic has quit IRC (Excess Flood)
|
Pikka bird
Joined: Jul 2004
Posts: 11 |
I did the Alt R and it shows nothing. I wonder if I should delete the program and do a new install. This just started a couple of weeks ago.
|
Hoopy frood
Joined: Aug 2004
Posts: 7,252 |
As The_JD stated, since you have no scripts showing, you're probably safe, however, if you wish to uninstall (preferred over deletion) and then re-install, to ensure that you are using a completely clean version, please ensure that you obtain the version from here, as other locations may have had viruses introduced to them.
|
Pikka bird
Joined: Jul 2004
Posts: 11 |
So frustrating. I was not able to find an uninstall in either the control panel remove menu nor an uninstall in the mirc folder itself so I deleted it. I installed the new one and the trojan showed again. My virus protection detected the trojan and removed it (or so it said). I did a spyware scan and it detected the trojan again. They are all listed as Mirc Script Trojan in Registry keys as follows.
Chat file\defaulticon
Chat file\shell\open\command
Chat file\shell\open\ddeexec
chat file\shell\open\ddeexec\application
chat file\shell\open\ddeexec\ifexec
chat file\shell\open\ddeexec\topic
Software\classes\irc
software\classes\irc\defauticon
software\classes\irc\shell\open\command
software\classes\irc\shell\open\ddeexec
software\classes\irc\shell\open\ddeexec\\application
software\classes\irc\shell\open\ddeexec\topic
software\microsoft\windows\current version\uninstall\mirc\display name
software\microsoft\windows\current version\uninstall\mirc\uninstallstring
I hope that I have that all typed in OK.
Regards, Sylvia
|
Self-satisified door
Joined: May 2007
Posts: 3 |
I have the same problem as the other Sylvia.
I've been using mIRC for years and never had any warnings about viruses and such until two ago when I installed the new XoftSpySE. The old XoftSpy didn't show anything for mIRC. Since I had an older version of mIRC I uninstalled it and downloaded the latest version. I didn't use any backups, but configured mIRC from scratch. The Trojan still shows when running XoftSpySE. I remove it, open mIRC, run XoftSpySE and there it is again. Same Registry keys as typed by Sylvia. I don't use any scripts - the Alt+R shows up blank. I disabled DDE-Server - still the same.
None of my other anti-Spyware programs nor my anti-virus program - I'm using Avast - detects a Trojan in mIRC.
What else I find strange is that XoftSpySE says a "mIRC Script Trojan" is found, but doesn't specify. Shouldn't there be a file-name for the Trojan?
Is it possible for an anti-Spyware program to be "over-sensitive", interpreting a certain string of programming or commands as dangerous when it isn't?
|
Hoopy frood
Joined: Aug 2004
Posts: 7,252 |
The report of mIRC Script Trojan is actually a cautionary message, rather than a true trojan notification. The anti-virus is detecting that mIRC has the capability of being scripted with a trojan virus, however, I'd say probably 99% (or more) of mIRC's scripting capabilities have nothing to do with trojans, and there are several safeguards in mIRC, either on by default or accessible by using a single parameter in a code, to prevent or eliminate this possibility. If you don't have any scripts, then you are safe. If you do have scripts, then ensure that you know who/where you got the script from, and what each portion of the script does. If you don't know that, then don't use the script until someone that you do know has had a chance to look at and review the code. Some of the helpers on this site will be more than happy to review a code if given the location where the code was downloaded from, or if that's not possible, accessing it from one of many pastebins that are available.
|
Self-satisified door
Joined: May 2007
Posts: 3 |
Thank you. Since I'm only chatting with a few people who know even less than I do about programming, scripts, viruses and all it seems I'm safe to continue using mIRC. 
|
Pikka bird
Joined: Jul 2004
Posts: 11 |
Hi, It is strange that we both have experienced the same set of circumstances. I have been in contact with XoftSpySe folks and they have had me try different things but nothing helps. I wonder if it is a false positive. Meanwhile, when I open mIRC, I run XoftSpySe and remove the 13 entries (leaving mIRC open). I feel pretty safe then to use the program as long as I do not close and reopen.
|
Hoopy frood
Joined: Aug 2004
Posts: 7,252 |
I've noticed a few people asking about this on the help channels that I assist on, and specifically in regards to that program. There are a number of alternative programs that you can try in place of, or in conjunction with XoftSpySe. Reference the posts in this sticky for further information.
|
Pikka bird
Joined: Jul 2004
Posts: 11 |
Thanks for your response. Along with XoftSpySE, I use Spybot, CounterSpy, RegCure, Ad-Aware SE Plus, AVG anti-virus and Sygate firewall. XoftSpySe is the only one that shows this alert so like SylviaK, I feel safe to use it. I shall open the file and remove those alerts for my peace of mind. I only use it on Sundays to visit with my brothers so it isn't that much of a hassle.
Thank you all for your input. I will check back from time to time to see if there is any additional information about this and likewise, if I learn anything, I will post it here for anyone who is interested. Sylvia
|
Fjord artisan
Joined: Jun 2006
Posts: 508 |
So frustrating. I was not able to find an uninstall in either the control panel remove menu nor an uninstall in the mirc folder itself so I deleted it. I installed the new one and the trojan showed again. My virus protection detected the trojan and removed it (or so it said). I did a spyware scan and it detected the trojan again. They are all listed as Mirc Script Trojan in Registry keys as follows.
Chat file\defaulticon
Chat file\shell\open\command
Chat file\shell\open\ddeexec
chat file\shell\open\ddeexec\application
chat file\shell\open\ddeexec\ifexec
chat file\shell\open\ddeexec\topic
Software\classes\irc
software\classes\irc\defauticon
software\classes\irc\shell\open\command
software\classes\irc\shell\open\ddeexec
software\classes\irc\shell\open\ddeexec\\application
software\classes\irc\shell\open\ddeexec\topic
software\microsoft\windows\current version\uninstall\mirc\display name
software\microsoft\windows\current version\uninstall\mirc\uninstallstring
I hope that I have that all typed in OK.
Regards, Sylvia
These are all normal registry entries for mIRC, there's nothing sinister in any of them. You can prevent them from being re-added if you really want, by using the -portable switch. To do that...
- Right-click on the shortcut you use to open mIRC
- Choose "Properties"
- In the "Target" box, after the "C:\path to\mirc.exe" text that is already there (don't alter that at all), add {space}-portable (Don't type {space}, just put a space in there so it becomes "C:\path to\mirc.exe" -portable)
- Click "OK"
This makes mIRC avoid all use of the registry.
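A read-only way to check the point made in the post above, that the flagged values are ordinary mIRC entries pointing at the installed mirc.exe (an added example, not part of the original thread). `$ExpectedDir` and the helper `Get-ExePath` are assumptions introduced here; on 64-bit Windows the uninstall key of a 32-bit install may sit under `WOW6432Node` instead.

```powershell
# Added example, not from the thread. Read-only: nothing is modified or deleted.
# Assumption: mIRC was installed to this folder; change it to match your system.
$ExpectedDir = 'C:\Program Files\mIRC'

# Two of the values named in the thread. HKEY_CLASSES_ROOT is the merged view of
# Software\Classes; an empty Name means the key's default value.
$checks = @(
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\irc\shell\open\command'; Name = '' },
    @{ Path = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC'; Name = 'UninstallString' }
)

# Hypothetical helper: pull the executable path out of a command line, quoted or unquoted.
function Get-ExePath([string]$CommandLine) {
    if ($CommandLine -match '^\s*"([^"]+)"')        { return $Matches[1] }
    if ($CommandLine -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $null
}

$report = foreach ($c in $checks) {
    $row = [ordered]@{ Key = $c.Path; Command = $null; Exe = $null
                       InExpectedDir = $false; Signature = $null; SHA256 = $null }
    $key = Get-Item -LiteralPath $c.Path -ErrorAction SilentlyContinue
    if ($key) {
        $row.Command = [string]$key.GetValue($c.Name)
        $row.Exe     = Get-ExePath $row.Command
    } else {
        # Seen when the entries were removed and mIRC is started with -portable.
        $row.Command = '<key not present>'
    }
    if ($row.Exe -and (Test-Path -LiteralPath $row.Exe -PathType Leaf)) {
        $full   = [IO.Path]::GetFullPath($row.Exe)
        $prefix = $ExpectedDir.TrimEnd('\') + '\'
        # Does the handler point inside the folder mIRC was installed to?
        $row.InExpectedDir = $full.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)
        # Signature status and hash of the binary the registry value launches.
        $row.Signature     = (Get-AuthenticodeSignature -FilePath $full).Status
        $row.SHA256        = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
    }
    [pscustomobject]$row
}
$report | Format-List
```

A value whose `Exe` lies outside `$ExpectedDir`, or whose hash differs from a copy downloaded fresh from the official site, is the case that deserves a closer look; registry entries that resolve to the installed mirc.exe match what the thread describes as normal.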
|
Pikka bird
Joined: Jul 2004
Posts: 11 |
Thanks Deegee. As promised, I am inputting the final response that I got from XoftSpySE. <quote> I have received an update from the developers here. They have reviewed the file here and the registry entries the application is noting in the log file. After careful review we have found some similarities between the registry entries the mIRC installer has entered and those for the script trojan. None of the script trojan files are being installed on the system, in fact the log file clearly is not seeing any of the infectious files being installed, all it sees is some registry information.
We will be updating the definitions for this to prevent the messages from coming up over this application, this will be included in the next update. Your system is safe, we apologize for any concern this has caused you. <end quote>
I hope that this will be helpful to others who have had this experience. Sylvia
|
Self-satisified door
Joined: May 2007
Posts: 3 |
I just downloaded XoftSpySE's update and the messages are gone.  Thanks, Sylvia, for alerting XoftSpy to the problem. I would never have thought about writing to them. Might have to do with the fact that I'm German and though my English is well enough to have a "normal" conversation I'm a bit unsure using it in "official" business. And thanks to Russel IB and deegee, too. With your explanations I was confident to use mIRC as usual.
|
Hoopy frood
Joined: Aug 2004
Posts: 7,252 |
Most companies, especially those that do business world-wide, have at least one person on staff that is fluent in, or at least knows other languages. Since your native tongue is German, there is nothing stopping you from sending them a message in German, and then letting them hassle with the translation end (heck, that's what some people are paid for, so you might as well make them earn their pay).
|