Hacked #967 10/12/02 08:51 PM
Joined: Dec 2002
Posts: 1
sniper801 Offline OP
Mostly harmless
I am asking for help. About a month ago I was hacked into, and every time I reboot, secedit runs with mIRC running on top of that. I know I was hacked as I watched the DOS window pop up and ipconfig running with a few other things. Why would someone want to use mIRC for that? I noticed every 30 secs or so a new user name would log in. Anyone have any ideas? Thanks, Sniper801

Re: Hacked #968 10/12/02 09:58 PM
Joined: Dec 2002
Posts: 3,127
ParaBrat Offline
Hoopy frood
WHY would they? I have no clue... but sadly, they do. You were most likely infected from a URL you clicked on or something you downloaded. There are a few that do this, so it's hard for me to give you an easy fix. But, fix it you have to.
You will need to do a virus scan (be sure you have updated your virus scanner). Since not all scanners will find IRC type trojans, try one of the free online scanners as well: http://www.antivirus.com/free_tools/ is a good one, although it was down when I checked a couple days ago. http://zine.dal.net/previousissues/issue19/letter-from-the-editor.php gives other resources. On DALnet, the nice ops in #nohack can help you, as well as their website, www.nohack.net
Although for some weird reason I can't get it to open, others can, so check http://www.mirc.co.uk/help/virus.html

/me is just an electronics bermuda triangle *sigh*


ParaBrat @#mIRCAide DALnet
Re: Hacked #969 11/12/02 05:52 AM
Joined: Dec 2002
Posts: 155
Strider Offline
Vogon poet
Using an antivirus will not solve your problem entirely since mIRC will keep running on startup. You need to remove mIRC from your startup, and to do this with no risk of removing something else, you need to run msconfig.exe and then go to the Startup tab and uncheck the line that belongs to mIRC.

If you want to permanently remove that line from msconfig.exe, you'll need to find where mIRC is being executed from at startup. There are several possibilities, but the most commonly used by "hackers" (though they are not) is win.ini. All you need to do is find the line that starts with "run=" or "load=" and then remove the name that belongs to the mIRC exe file. They can also make it run from your registry, but editing your registry manually isn't recommended unless you really know what you're doing. But anyway, the keys from which it can run are:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices

I hope that helps.
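
Added example, not part of Strider's post or of the thread: a read-only PowerShell inventory of the startup locations named above (the six registry keys and the run=/load= lines in win.ini). It assumes a Windows system with PowerShell 3.0 or later; the `MentionsMirc` column is a convenience added here.

```powershell
# Added example: read-only listing of the autostart locations named in the post.
# Nothing is modified; review the output before changing anything.
$runKeys = @(
    'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices'
)

$entries = @()

foreach ($key in $runKeys) {
    $path = "Registry::$key"
    # RunServices is not present on every Windows version; skip absent keys.
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $regKey = Get-Item -LiteralPath $path
    foreach ($name in $regKey.GetValueNames()) {
        $entries += [pscustomobject]@{
            Location = $key
            Name     = $name
            Command  = [string]$regKey.GetValue($name)
        }
    }
}

# win.ini: report the run= and load= lines that actually list a program.
$winIni = Join-Path $env:windir 'win.ini'
if (Test-Path -LiteralPath $winIni) {
    $hits = Select-String -LiteralPath $winIni -Pattern '^\s*(run|load)\s*=\s*(\S.*)$'
    foreach ($hit in $hits) {
        $entries += [pscustomobject]@{
            Location = "$winIni (line $($hit.LineNumber))"
            Name     = $hit.Matches[0].Groups[1].Value
            Command  = $hit.Matches[0].Groups[2].Value.Trim()
        }
    }
}

# Mark commands that mention mIRC; a renamed copy will not match, so read every row.
$entries |
    Select-Object Location, Name, Command,
        @{ Name = 'MentionsMirc'; Expression = { $_.Command -match 'mirc' } } |
    Format-Table -AutoSize -Wrap
```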

Re: Hacked #970 11/12/02 07:02 AM
Joined: Dec 2002
Posts: 56
wshs Offline
Babel fish
Sounds like you are infected with what's called GtBot, or Global Threat. Due to the rather low quality of modern virus prevention systems, it's easy for this virus to bypass the scanners. Additionally, different versions of the virus install themselves in different ways, but 99% of the time, it's installed by running a downloaded program. It could be from downloading a "Channel Password Hacker", or Appster, or something similar. It's not a fast spreading virus, but it can do quite some damage. On the other hand, there's the nospam virus, which is spreading twice as fast as Melissa did.


Acquire. Analyze. Adapt.
Re: Hacked #971 11/12/02 08:03 AM
Joined: Dec 2002
Posts: 164
Merlin Offline
Vogon poet
Go to http://www.nohack.net/gtbots.htm for the GTBot removal.


DALnet: #HelpDesk, #mIRC, #MISHScript - Undernet: #mIRC, #mIRC-Scripts
Re: Hacked #972 11/12/02 07:58 PM
Joined: Dec 2002
Posts: 32
SyN Offline
Ameglian cow
Agreed, anti-viral scanners do a pretty crappy job with mIRC scripts.
I believe it was either Norton or McAfee that notified me I had a virus in a script I wrote. Turned out just to be the run command. The interesting thing is that it didn't care about my socket script, which could have just as easily been a backdoor or virus. I imagine with very little creativity one could easily script circles around an anti-viral definition.


It's only called insanity if you're poor.
I stay alive to spite those that wish me dead.
Re: Hacked #973 11/12/02 10:51 PM
Joined: Dec 2002
Posts: 3,127
ParaBrat Offline
Hoopy frood
Just a word of caution: before you muck about in your registry, do a backup!


ParaBrat @#mIRCAide DALnet
Re: Hacked #974 12/12/02 04:12 AM
Joined: Dec 2002
Posts: 3
JayneJett Offline
Self-satisified door
I have the same problem; I think I was hacked also. I want to know how to uninstall this mIRC. I found out that I do have a GTbot and a Network Crack Wizard 99 on my computer. I used Swat It, but does this mean they can still hack my computer with the original method they used???

Re: Hacked #975 12/12/02 05:37 PM
Joined: Dec 2002
Posts: 3,127
ParaBrat Offline
Hoopy frood
People get these trojans/viruses by downloading/opening infected files/scripts or clicking on URLs that infect you. Read the other threads on this here (like http://forums.mirc.com/showflat.php?Cat=...&fpart=1) and check out the URLs mentioned for good info on how to help stop this from happening, like http://zine.dal.net/previousissues/issue19/letter-from-the-editor.php

Hopefully SwatIt cleaned out everything and your machine is now OK... but if you are still having the FAKE mIRC open, then it didn't take care of everything.


ParaBrat @#mIRCAide DALnet