Posted By: CainMadness [Virus?] Security.mrc - 27/08/07 08:14 AM
System is clean, I've done Spybot Search and Destroy, AVG, and Windows Defender after updating each. Clean as a whistle, buuuut..

Every so often (haven't noticed exact trend yet) a file called security.mrc will create itself into the mIRC folder, and load when I connect to a server. I cannot find the source of what is creating this file.

When it loads, it will do all of this,

on 1:join:#:{ .notice $nick Hey, check out this awesome program. It will search the internet for a serial/crack/keygen for ANY program! : -edit- }
on 1:connect:{ .timermsg [ $+ [ $server ] ] 0 900 .amsg Hey, check out this awesome program. It will search the internet for a serial/crack/keygen for ANY program! : -edit- }
on 1:disconnect:{ .timermsg [ $+ [ $server ] ] off }

Any clues to where this file is coming from, and how to stop it?!
Posted By: sparta Re: [Virus?] Security.mrc - 27/08/07 09:25 AM
Try deleting the file, then type /remote off and see if the file is created. If not, then look in your scripts (if you added any) to see if one of them has on *:start: { or on *:connect: {, and try unloading them one by one if they have that in them.
Posted By: Riamus2 Re: [Virus?] Security.mrc - 28/08/07 01:23 AM
Look through your remotes (Alt-R > View menu). See if there are any scripts loaded that you don't recognize the names of. If so, check them for any /write commands or "security.mrc". Of course, you can just do a clean install of mIRC and only load scripts that you recognize.
Posted By: CainMadness Re: [Virus?] Security.mrc - 31/08/07 08:01 PM
I didn't see it there. I tried uninstalling mIRC and reinstalling, it still adds the code to the mIRC.ini to create and run the security.mrc file, noticing to people.

=(
Posted By: Horstl Re: [Virus?] Security.mrc - 31/08/07 08:44 PM
So the "add" seems to originate from without mIRC itself - start a full system scan for viruses/malware. (Assuming you reinstalled mirc without any scripts loaded, and having loaded mIRC from a secure source like mirc.com)
Posted By: sparta Re: [Virus?] Security.mrc - 01/09/07 12:06 AM
A good online scanner you should try is this one:

http://www.bitdefender.com/scan8/ie.html

But you need to start it from Internet Explorer in Windows; if you try to load it in Firefox you will get an error.

You may also like to try three others:

http://support.f-secure.com/enu/home/ols.shtml
working with Firefox

http://www.tenebril.com/scanner/main_scan.php
working with Internet Explorer

http://www.spywareguide.com/onlinescan.php
Working with Firefox
Posted By: CainMadness Re: [Virus?] Security.mrc - 01/09/07 01:21 AM
Already ran Windows Defender, Spybot Search & Destroy, AVG Free, and a couple online scanners. Nothing picks up anything.

At one point I had a Serial Searcher 2000.exe, but it was deleted... Yet some part must still be lingering. No malicious code is harming my system, just that annoying notice that gets sent to people, coming from the security.mrc script.
Posted By: deegee Re: [Virus?] Security.mrc - 01/09/07 02:02 AM
You could remove it on startup and on connect, it doesn't fix the underlying problem though..
Code:
on *:start:-security
on *:connect:-security
alias -security {
  if $script(security.mrc) {
    .unload -rs $qt($v1)
    .remove $qt($v1)
    echo -astice info * Security.mrc found, unloaded and removed:  $qt($v1)
  }
}


[EDIT]
That link in the first post redirects to a rapidshare download of "Serial Searcher 2000.exe". This file IS DEFINITELY A VIRUS!
Perhaps a mod would delete the link.
Posted By: CainMadness Re: [Virus?] Security.mrc - 01/09/07 03:12 AM
Thank you, I'll try giving that a shot, but will keep updating and scanning with my virus and spyware programs.

Doing a google search doesn't turn up anything, which is odd. Generally would have thousands of pages on the file.
Posted By: deegee Re: [Virus?] Security.mrc - 01/09/07 03:40 AM
That link redirects to a rapidshare download of "Serial Searcher 2000.exe". This file IS DEFINITELY A VIRUS!

"Serial Searcher 2000.exe" installs (amongst other things) a file called 'regmon.exe' in "%WinDir%\system32\drivers\"
Regmon.exe contains in plain text the code you're finding in security.mrc (as well as the filename). It's started every time you boot/restart your PC, via [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
as
"Registry Monitor"="C:\\WINDOWS\\system32\\drivers\\regmon.exe"
(Obviously "C:\Windows\" is relative to the machine)

There are also other files added, some deleted, some attributes altered, other regkeys added and/or altered, but that seems to be the main culprit as far as the writing of mIRC scriptcode goes.

FWIW: Nod32 picked this up and quarantined it before I could run/install it, and appears to clean it after ignoring the warning and restoring from quarantine and then running it.

After rebooting (needed), it appears to be cleaned. (I can't be totally sure of that though, my limited testing was done in a sandboxed environment)

Note: regmon.exe is also the name of a legitimate program, but the legit version would not likely be in the system32\drivers directory.
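
The autostart entry described in the post above can be checked for in a registry export. This is an added example, not part of the original thread: Python that parses regedit-format text and flags HKLM Run values that launch a program from system32\drivers. The function names, the default `windir` and the Example* entries in the sample are assumptions made for illustration.

```python
import ntpath
import re

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
# "name"="value" line; inside either string a backslash escapes the next char.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Constructed sample export. Only the "Registry Monitor" value comes from the
# post above; the Example* entries are invented for contrast.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Registry Monitor"="C:\\WINDOWS\\system32\\drivers\\regmon.exe"
"ExampleTray"="\"C:\\Program Files\\Example\\tray.exe\" /min"
"ExampleEnv"="%WinDir%\\system32\\drivers\\example.exe -q"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"NotAutostart"="C:\\WINDOWS\\system32\\drivers\\other.exe"
'''

def unescape(text):
    # Undo .reg escaping: drop the backslash in front of each escaped char.
    return re.sub(r"\\(.)", r"\1", text)

def executable_of(command, windir):
    # Expand %WinDir% / %SystemRoot%, then cut the program path off its arguments.
    command = re.sub(r"%(windir|systemroot)%", lambda m: windir, command.strip(), flags=re.I)
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|com|bat|cmd|scr))(?:\s|$)", command, re.I)
    return m.group(1) if m else command

def suspicious_run_entries(export_text, windir=r"C:\WINDOWS"):
    # (name, lower-cased path) for Run values whose program sits in <windir>\system32\drivers.
    drivers = ntpath.normcase(ntpath.join(windir, "system32", "drivers"))
    hits, in_run = [], False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run = line.strip("[]").lower() == RUN_KEY
            continue
        m = VALUE_RE.match(line) if in_run else None
        if m:
            name, command = unescape(m.group(1)), unescape(m.group(2))
            exe = ntpath.normcase(ntpath.normpath(executable_of(command, windir)))
            if ntpath.dirname(exe) == drivers:
                hits.append((name, exe))
    return hits

if __name__ == "__main__":
    print(suspicious_run_entries(SAMPLE_EXPORT))
```

Exports written by regedit in the "Version 5.00" format are UTF-16, so decode the file before passing its text in, and set `windir` to the Windows directory of the machine the export came from.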
Posted By: CainMadness Re: [Virus?] Security.mrc - 01/09/07 04:33 AM
I'll have to give it a shot, thank you considerably. This one was wracking my mind.
© mIRC Discussion Forums