trojan detected #172022 04/03/07 04:07 AM
kaylin007 (OP)
Mostly harmless
Joined: Mar 2007
Posts: 1
I haven't been using mIRC in a while, and I just did a scan right now and my ZoneAlarm security suite detected a trojan called Win32.PrcView.3725.

mIRC v6.21

I'm not sure if it's false but I deleted it just in case. If it's false then please let me know.

RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC\DisplayName

RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC\UninstallString

Re: trojan detected [Re: kaylin007] #172025 04/03/07 04:39 AM
RusselB
Hoopy frood
Joined: Aug 2004
Posts: 7,252
This is a false positive that ZoneAlarm detects. This has been reported before.


Re: trojan detected (script) [Re: kaylin007] #176874 15/05/07 06:49 PM
sylgf
Pikka bird
Joined: Jul 2004
Posts: 11
I am using XP with AVG virus and Sygate firewall which I have been using for about 6 months and all of a sudden my XoftSpySE is detecting 13 incidents of mIRC script trojans in the registry keys etc. All I have to do is open the program and the scan detects it. I can delete them, then reopen the program and they are back! If I remove them and then do another scan without opening mIRC they are not there, but then I reopen the program... they are back again. I get no warning or options to stop this. Do I need to uninstall the program and reinstall? How may I get rid of this? Any suggestions or info on this will be greatly appreciated. XoftSpySE lists this as its highest risk.

Regards Sylvia

Last edited by sylgf; 15/05/07 06:54 PM.
Re: trojan detected (script) [Re: sylgf] #176880 15/05/07 08:31 PM
The_JD
Fjord artisan
Joined: Mar 2006
Posts: 393
Are you using bare mIRC or do you have scripts/DLLs in use?


[02:16] * Titanic has quit IRC (Excess Flood)
Re: trojan detected (script) [Re: The_JD] #176913 16/05/07 01:47 PM
sylgf
Pikka bird
Joined: Jul 2004
Posts: 11
Hello and thank you for your attention. I believe I am just bare bones. No special scripts that I know of. How and where would I look to see?
Regards, Sylvia

Re: trojan detected (script) [Re: sylgf] #176917 16/05/07 01:56 PM
The_JD
Fjord artisan
Joined: Mar 2006
Posts: 393
In mIRC, press ALT+R. If it's blank, you're using plain vanilla mIRC :)

Oh, and if it's blank, you're probably safe :)

Last edited by The_JD; 16/05/07 01:56 PM.

[02:16] * Titanic has quit IRC (Excess Flood)
Re: trojan detected (script) [Re: The_JD] #177131 20/05/07 01:38 PM
sylgf
Pikka bird
Joined: Jul 2004
Posts: 11
I did the Alt R and it shows nothing. I wonder if I should delete the program and do a new install. This just started a couple of weeks ago.

Re: trojan detected (script) [Re: sylgf] #177138 20/05/07 04:10 PM
RusselB
Hoopy frood
Joined: Aug 2004
Posts: 7,252
As The_JD stated, since you have no scripts showing, you're probably safe, however, if you wish to uninstall (preferred over deletion) and then re-install, to ensure that you are using a completely clean version, please ensure that you obtain the version from here, as other locations may have had viruses introduced to them.

Re: trojan detected (script) [Re: RusselB] #177214 21/05/07 05:13 PM
sylgf
Pikka bird
Joined: Jul 2004
Posts: 11
So frustrating. I was not able to find an uninstall in either the control panel remove menu nor an uninstall in the mirc folder itself so I deleted it. I installed the new one and the trojan showed again. My virus protection detected the trojan and removed it (or so it said). I did a spyware scan and it detected the trojan again.
They are all listed as Mirc Script Trojan in Registry keys as follows.
Chat file\defaulticon
Chat file\shell\open\command
Chat file\shell\open\ddeexec
chat file\shell\open\ddeexec\application
chat file\shell\open\ddeexec\ifexec
chat file\shell\open\ddeexec\topic
Software\classes\irc
software\classes\irc\defauticon
software\classes\irc\shell\open\command
software\classes\irc\shell\open\ddeexec
software\classes\irc\shell\open\ddeexec\\application
software\classes\irc\shell\open\ddeexec\topic
software\microsoft\windows\current version\uninstall\mirc\display name
software\microsoft\windows\current version\uninstall\mirc\uninstallstring

I hope that I have that all typed in OK.

Regards, Sylvia


Re: trojan detected (script) [Re: sylgf] #177514 26/05/07 08:24 AM
SylviaK
Self-satisified door
Joined: May 2007
Posts: 3
I have the same problem as the other Sylvia.

I'm using mIRC for years and never had any warnings about viruses and such until two ago when I installed the new XoftSpySE. The old XoftSpy didn't show anything for mIRC.

Since I had an older version of mIRC I uninstalled it and downloaded the latest version. I didn't use any backups, but configured mIRC from scratch. The Trojan still shows when running XoftSpySE. I remove it, open mIRC, run XoftSpySE and there it is again. Same Registry keys as typed by Sylvia. I don't use any scripts - the Alt+R shows up blank. I disabled DDE-Server - still the same.

None of my other anti-Spyware programs nor my anti-virus program - I'm using Avast - detects a Trojan in mIRC.

What else I find strange is that XoftSpySE says a "mIRC Script Trojan" is found, but doesn't specify. Shouldn't there be a file-name for the Trojan?

Is it possible for an anti-Spyware program to be "over-sensitive", interpreting a certain string of programming or commands as dangerous when it isn't?

Re: trojan detected (script) [Re: SylviaK] #177516 26/05/07 09:39 AM
RusselB
Hoopy frood
Joined: Aug 2004
Posts: 7,252
The report of mIRC Script Trojan is actually a cautionary message, rather than a true trojan notification. The anti-virus is detecting that mIRC has the capability of being scripted with a trojan virus, however, I'd say probably 99% (or more) of mIRC's scripting capabilities have nothing to do with trojans, and there are several safeguards in mIRC, either on by default or accessible by using a single parameter in a code, to prevent or eliminate this possibility.
If you don't have any scripts, then you are safe. If you do have scripts, then ensure that you know who/where you got the script from, and what each portion of the script does.
If you don't know that, then don't use the script until someone that you do know has had a chance to look at and review the code.
Some of the helpers on this site will be more than happy to review a code if given the location where the code was downloaded from, or if that's not possible, accessing it from one of many pastebins that are available.

Re: trojan detected (script) [Re: RusselB] #177522 26/05/07 02:59 PM
SylviaK
Self-satisified door
Joined: May 2007
Posts: 3
Thank you. Since I'm only chatting with a few people who know even less than I do about programming, scripts, viruses and all it seems I'm safe to continue using mIRC. :)

Re: trojan detected (script) [Re: SylviaK] #177578 28/05/07 03:50 AM
sylgf
Pikka bird
Joined: Jul 2004
Posts: 11
Hi, it is strange that we both have experienced the same set of circumstances. I have been in contact with XoftSpySe folks and they have had me try different things but nothing helps. I wonder if it is a false positive. Meanwhile, when I open mIRC, I run XoftSpySe and remove the 13 entries (leaving mIRC open). I feel pretty safe then to use the program as long as I do not close and reopen.

Re: trojan detected (script) [Re: sylgf] #177580 28/05/07 04:33 AM
RusselB
Hoopy frood
Joined: Aug 2004
Posts: 7,252
I've noticed a few people asking about this on the help channels that I assist on, and specifically in regards to that program.

There are a number of alternative programs that you can try in place of, or in conjunction with XoftSpySe.

Reference the posts in this sticky for further information.

Re: trojan detected (script) [Re: RusselB] #177597 28/05/07 02:39 PM
sylgf
Pikka bird
Joined: Jul 2004
Posts: 11
Thanks for your response. Along with XoftSpySE, I use Spybot, CounterSpy, RegCure, Ad-Aware SE Plus, AVG anti-virus and Sygate firewall. XoftSpySe is the only one that shows this alert so like SylviaK, I feel safe to use it. I shall open the file and remove those alerts for my peace of mind. I only use it on Sundays to visit with my brothers so it isn't that much of a hassle.

Thank you all for your input. I will check back from time to time to see if there is any additional information about this and likewise, if I learn anything, I will post it here for anyone who is interested. Sylvia

Re: trojan detected (script) [Re: sylgf] #177691 29/05/07 05:29 PM
deegee
Fjord artisan
Joined: Jun 2006
Posts: 508
Originally Posted By: sylgf
So frustrating. I was not able to find an uninstall in either the control panel remove menu nor an uninstall in the mirc folder itself so I deleted it. I installed the new one and the trojan showed again. My virus protection detected the trojan and removed it (or so it said). I did a spyware scan and it detected the trojan again.
They are all listed as Mirc Script Trojan in Registry keys as follows.
Chat file\defaulticon
Chat file\shell\open\command
Chat file\shell\open\ddeexec
chat file\shell\open\ddeexec\application
chat file\shell\open\ddeexec\ifexec
chat file\shell\open\ddeexec\topic
Software\classes\irc
software\classes\irc\defauticon
software\classes\irc\shell\open\command
software\classes\irc\shell\open\ddeexec
software\classes\irc\shell\open\ddeexec\\application
software\classes\irc\shell\open\ddeexec\topic
software\microsoft\windows\current version\uninstall\mirc\display name
software\microsoft\windows\current version\uninstall\mirc\uninstallstring

I hope that I have that all typed in OK.

Regards, Sylvia


These are all normal registry entries for mIRC, there's nothing sinister in any of them.

You can prevent them from being re-added if you really want, by using the -portable switch. To do that...
  • Right-click on the shortcut you use to open mIRC
  • Choose "Properties"
  • In the "Target" box, after the "C:\path to\mirc.exe" text that is already there (don't alter that at all), add {space}-portable (Don't type {space}, just put a space in there so it becomes "C:\path to\mirc.exe" -portable)
  • Click "OK"
This makes mIRC avoid all use of the registry.


Re: trojan detected (script) [Re: deegee] #177769 31/05/07 02:57 AM
sylgf
Pikka bird
Joined: Jul 2004
Posts: 11
Thanks Deegee. As promised, I am inputting the final response that I got from XoftSpySE.
<quote>
I have received an update from the developers here. They have reviewed the file here and the registry entries the application is noting in the log file. After careful review we have found some similarities between the registry entries the mIRC installer has entered and those for the script trojan. None of the script trojan files are being installed on the system, in fact the log file clearly is not seeing any of the infectious files being installed, all it sees is some registry information.

We will be updating the definitions for this to prevent the messages from coming up over this application, this will be included in the next update. Your system is safe, we apologize for any concern this has caused you.
<end quote>

I hope that this will be helpful to others who have had this experience. Sylvia
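A registry-only alert like the one resolved in this thread can be sanity-checked by confirming that every flagged launch command points into the mIRC install folder. The following is an added example, not part of the thread and not code from mIRC or XoftSpySE; the `.reg` sample is constructed, and the hive of the `irc` handler, the install path and all values are assumptions.

```python
import ntpath
import re

# Constructed sample in .reg export format. Key names follow the thread's list;
# the hive of the irc handler, the install path and all values are assumptions.
SAMPLE_REG = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\shell\open\command]
@="\"C:\\Program Files\\mIRC\\mirc.exe\" \"%1\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC]
"DisplayName"="mIRC"
"UninstallString"="\"C:\\Program Files\\mIRC\\mirc.exe\""
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg string data escapes backslashes and quotes with a leading backslash
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg(text):
    """Return {key_path: {value_name: data}} for string (REG_SZ) values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if (m := KEY_RE.match(line)):
            current = keys.setdefault(m.group(1), {})
        elif (m := VAL_RE.match(line)) and current is not None:
            name = '(Default)' if m.group(1) == '@' else unescape(m.group(1)[1:-1])
            current[name] = unescape(m.group(2))
    return keys

def exe_of(command):
    """Executable path of a command line: quoted first token, else first word."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    return (m.group(1) or m.group(2)) if m else ''

def triage(reg_text, install_dir):
    """Label each launch command 'expected' if its executable sits directly in
    install_dir, otherwise 'review'."""
    verdicts = {}
    for key, values in parse_reg(reg_text).items():
        for name, data in values.items():
            if key.lower().endswith('\\command') or name.lower() == 'uninstallstring':
                folder = ntpath.normcase(ntpath.dirname(exe_of(data)))
                ok = folder == ntpath.normcase(install_dir)
                verdicts[key + '\\' + name] = 'expected' if ok else 'review'
    return verdicts

if __name__ == '__main__':
    for entry, verdict in triage(SAMPLE_REG, r'C:\Program Files\mIRC').items():
        print(verdict, entry)
```

Entries labelled `review` are the ones worth a closer look; entries labelled `expected` only show that the handler launches a program from the install folder, not that the program itself is clean.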

Re: trojan detected (script) [Re: sylgf] #177879 01/06/07 05:47 PM
SylviaK
Self-satisified door
Joined: May 2007
Posts: 3
I just downloaded XoftSpySE's update and the messages are gone. :D

Thanks, Sylvia, for alerting XoftSpy to the problem. I would never have thought about writing to them. Might have to do with the fact that I'm German and though my English is well enough to have a "normal" conversation I'm a bit unsure using it in "official" business.

And thanks to RusselB and deegee, too. With your explanations I was confident to use mIRC as usual.

Re: trojan detected (script) [Re: SylviaK] #177889 01/06/07 11:01 PM
RusselB
Hoopy frood
Joined: Aug 2004
Posts: 7,252
Most companies, especially those that do business world-wide, have at least one person on staff that is fluent in, or at least knows other languages. Since your native tongue is German, there is nothing stopping you from sending them a message in German, and then letting them hassle with the translation end (heck, that's what some people are paid for, so you might as well make them earn their pay).