#184281 27/08/07 08:14 AM
Joined: Aug 2007
Posts: 5
C
Nutrimatic drinks dispenser
OP Offline
System is clean, I've done Spybot Search and Destroy, AVG, and Windows Defender after updating each. Clean as a whistle, buuuut..

Every so often (haven't noticed exact trend yet) a file called security.mrc will create itself into the mIRC folder, and load when I connect to a server. I cannot find the source of what is creating this file.

When it loads, it will do all of this,

on 1:join:#:{ .notice $nick Hey, check out this awesome program. It will search the internet for a serial/crack/keygen for ANY program! : -edit- }
on 1:connect:{ .timermsg [ $+ [ $server ] ] 0 900 .amsg Hey, check out this awesome program. It will search the internet for a serial/crack/keygen for ANY program! : -edit- }
on 1:disconnect:{ .timermsg [ $+ [ $server ] ] off }

Any clues to where this file is coming from, and how to stop it?!

Last edited by Mentality; 01/09/07 04:41 AM.
Joined: Feb 2003
Posts: 3,432
S
Hoopy frood
Offline
Try deleting the file, then type /remote off and see if the file is created. If not, then look in your scripts (if you added any) to see if one of them has on *:start: { or on *:connect: {; try unloading them one by one if they have that in them.


if ($me != tired) { return } | else { echo -a Get a pot of coffee now $+($me,.) }
Joined: Oct 2004
Posts: 8,330
Hoopy frood
Offline
Look through your remotes (Alt-R > View menu). See if there are any scripts loaded that you don't recognize the names of. If so, check them for any /write commands or "security.mrc". Of course, you can just do a clean install of mIRC and only load scripts that you recognize.


Invision Support
#Invision on irc.irchighway.net
Joined: Aug 2007
Posts: 5
C
Nutrimatic drinks dispenser
OP Offline
I didn't see it there. I tried uninstalling mIRC and reinstalling, it still adds the code to the mIRC.ini to create and run the security.mrc file, noticing to people.

=(

Joined: Nov 2006
Posts: 1,559
H
Hoopy frood
Offline
So the "add" seems to originate from without mIRC itself - start a full system scan for viruses/malware. (Assuming you reinstalled mirc without any scripts loaded, and having loaded mIRC from a secure source like mirc.com)

Joined: Feb 2003
Posts: 3,432
S
Hoopy frood
Offline
A good online scanner you should try is this one:

http://www.bitdefender.com/scan8/ie.html

But you need to start it from Internet Explorer in Windows; if you try to load it in Firefox you will get an error.

You may also like to try three others:

http://support.f-secure.com/enu/home/ols.shtml
working with Firefox

http://www.tenebril.com/scanner/main_scan.php
working with Internet Explorer

http://www.spywareguide.com/onlinescan.php
Working with Firefox


if ($me != tired) { return } | else { echo -a Get a pot of coffee now $+($me,.) }
Joined: Aug 2007
Posts: 5
C
Nutrimatic drinks dispenser
OP Offline
Already ran Windows Defender, Spybot Search & Destroy, AVG Free, and a couple online scanners. Nothing picks up anything.

At one point I had a Serial Searcher 2000.exe, but it was deleted... Yet some part must still be lingering. No malicious code is harming my system, just that annoying notice that gets sent to people, coming from the security.mrc script.

Joined: Jun 2006
Posts: 508
D
Fjord artisan
Offline
You could remove it on startup and on connect, it doesn't fix the underlying problem though..
Code:
on *:start:-security
on *:connect:-security
alias -security {
  if $script(security.mrc) {
    .unload -rs $qt($v1)
    .remove $qt($v1)
    echo -astice info * Security.mrc found, unloaded and removed:  $qt($v1)
  }
}


[EDIT]
That link in the first post redirects to a rapidshare download of "Serial Searcher 2000.exe". This file IS DEFINITELY A VIRUS!
Perhaps a mod would delete the link.

Last edited by deegee; 01/09/07 03:22 AM.
Joined: Aug 2007
Posts: 5
C
Nutrimatic drinks dispenser
OP Offline
Thank you, I'll try giving that a shot, but will keep updating and scanning with my virus and spyware programs.

Doing a Google search doesn't turn up anything, which is odd. Generally would have thousands of pages on the file.

Joined: Jun 2006
Posts: 508
D
Fjord artisan
Offline
That link redirects to a rapidshare download of "Serial Searcher 2000.exe". This file IS DEFINITELY A VIRUS!

"Serial Searcher 2000.exe" installs (amongst other things) a file called 'regmon.exe' in "%WinDir%\system32\drivers\"
Regmon.exe contains in plain text the code you're finding in security.mrc (as well as the filename). It's started every time you boot/restart your PC, via [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
as
"Registry Monitor"="C:\\WINDOWS\\system32\\drivers\\regmon.exe"
(Obviously "C:\Windows\" is relative to the machine)

There are also other files added, some deleted, some attributes altered, other regkeys added and/or altered, but that seems to be the main culprit as far as the writing of mIRC scriptcode goes.

FWIW: Nod32 picked this up and quarantined it before I could run/install it, and appears to clean it after ignoring the warning and restoring from quarantine and then running it.

After rebooting (needed), it appears to be cleaned. (I can't be totally sure of that though, my limited testing was done in a sandboxed environment)

Note: regmon.exe is also the name of a legitimate program, but the legit version would not likely be in the system32\drivers directory.
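
The Run-key persistence described in the post above, turned into a check (an added example, not code from the thread): it parses `reg export` text and flags autorun values that launch an .exe from system32\drivers. The "ExampleTray" entry and all function names are constructed for illustration, and treating every such path as suspicious is a heuristic generalised from the post's note about regmon.exe.

```python
import re

# Constructed sample in `reg export` text form. The "Registry Monitor" value is
# the one quoted in the post above; "ExampleTray" is made up for contrast.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="\"C:\\Program Files\\Example\\tray.exe\" /min"
"Registry Monitor"="C:\\WINDOWS\\system32\\drivers\\regmon.exe"
'''

# "name"="value" lines; inside the quotes, \\ and \" are escape pairs.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

def unescape(s):
    # .reg string values escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)

def run_entries(reg_text):
    """Return (name, command) pairs for string values in a .reg export."""
    out = []
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            out.append((unescape(m.group(1)), unescape(m.group(2))))
    return out

def exe_path(command):
    """Extract the executable path from a Run command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r'(.+?\.exe)\b', command, re.I)
    return m.group(1) if m else command

def suspicious_autoruns(reg_text):
    """Flag autoruns that start an .exe from system32\\drivers (heuristic)."""
    hits = []
    for name, cmd in run_entries(reg_text):
        path = exe_path(cmd)
        low = path.lower().replace('/', '\\')
        if low.endswith('.exe') and '\\system32\\drivers\\' in low:
            hits.append((name, path))
    return hits

if __name__ == "__main__":
    for name, path in suspicious_autoruns(SAMPLE_REG):
        print(f"suspicious Run value {name!r} -> {path}")
```

A file written by `reg export` is UTF-16 encoded, so read it with `open(path, encoding="utf-16")` before passing the text in.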

Joined: Aug 2007
Posts: 5
C
Nutrimatic drinks dispenser
OP Offline
I'll have to give it a shot, thank you considerably. This one was wracking my mind.

