
msrc - trojan, keylogger??????


Mike

May 10, 2002, 9:58:52 AM
I normally do a little system check before I connect to the net and do
anything, but today I just logged into two Hotmail accounts on Messenger. I
noticed that I couldn't get the 'close program' box up when I pressed
ctrl+alt+delete, so I checked under regedit and under microsoft\windows\run
and found a program that wasn't there before that was installed to
C:\windows\system\smp\msrc.exe
Well, then I looked in "messenger received files" and "my pic.exe" was there.
I thought oh shi* and deleted the entry in the registry and rebooted, had a
look at the registry and the key was still there, so I moved the "smp"
folder to the desktop, restarted and checked the registry; it was still
pointing to C:\windows\system\smp\msrc.exe so I deleted the smp dir off the
desktop and deleted the key and restarted. I think it's gone.

I opened up "my pic.exe" in WordPad, and saw lots of stuff relating to MSN
Messenger. These are some of the words inside the file:

"Kryptonic Ghost by The-Elite-Oracle Team"
"Sensible KeyLogger" "c:\keylog.txt" (checked and that file doesn't exist)
"GetKeyState" "gethostbyname"
"Rundll32" "Msrc" "Ghost" in the same line
"C:\Program Files\Messenger\msmsgs.exe"
"Sign in to .NET Messenger Service - MSN Messenger"
even things like "ExitWindows"

It looks like it's a Visual Basic 6 file.
I looked on Google for msrc, Elite Oracle Team, Kryptonic Ghost
but can't really find anything, though I did find 2 other "msn progz"
by the "The Elite Oracle".

Does anyone have any idea what this is?
I checked the properties of the msrc program before I deleted it; it said
'copyright microsoft' and 'rundll32' 'msrc' and stuff, but that certainly
ain't a Microsoft file. I checked the properties and version tab of the "my
pic.exe" and it is the same as the msrc program.
I changed my passwords twice and reinstalled Messenger but now it keeps
telling me there's a problem with my internet connection (could just be a
normal fault).
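
The manual check described in the post above (opening the file in WordPad and reading the embedded text) can be scripted. The following is an added example, not part of the original thread: it pulls ASCII and UTF-16LE strings out of a file's bytes and groups the indicator strings quoted in the post; the category labels, function names and sample bytes are assumptions made for illustration.

```python
import re

# Indicator strings quoted in the post; the category labels are assumptions.
INDICATORS = {
    "keystroke capture": ["GetKeyState", "KeyLogger", "keylog.txt"],
    "network lookup": ["gethostbyname"],
    "messenger targeting": ["msmsgs.exe", "MSN Messenger"],
    "dropped-file naming": ["Rundll32", "Msrc"],
    "forced logoff/shutdown": ["ExitWindows"],
}

def extract_strings(data: bytes, min_len: int = 5) -> list:
    """Return printable ASCII and UTF-16LE runs of at least min_len characters."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    out = [r.decode("ascii") for r in ascii_runs]
    out += [r.decode("utf-16-le") for r in wide_runs]
    return out

def triage(data: bytes) -> dict:
    """Map each category to the indicator strings found (case-insensitive)."""
    haystack = "\n".join(extract_strings(data)).lower()
    hits = {}
    for category, needles in INDICATORS.items():
        found = [n for n in needles if n.lower() in haystack]
        if found:
            hits[category] = found
    return hits

# Constructed sample bytes (not the real file): a stub header, three
# ASCII import names, then two UTF-16LE strings as a VB6 binary stores them.
SAMPLE = (
    b"MZ\x90\x00\x03\x00" + b"\x00" * 16
    + b"GetKeyState\x00gethostbyname\x00ExitWindows\x00"
    + b"\xff\xff"
    + "c:\\keylog.txt".encode("utf-16-le") + b"\x00\x00"
    + "C:\\Program Files\\Messenger\\msmsgs.exe".encode("utf-16-le")
    + b"\x00\x00\x01\x02\x03"
)

if __name__ == "__main__":
    for category, found in triage(SAMPLE).items():
        print(f"{category}: {', '.join(found)}")
```

To check a real file, pass `open(path, "rb").read()` to `triage` on an isolated machine; a match is a reason to look closer, not a verdict.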


Jonathan Kay [MVP]

May 10, 2002, 9:50:34 AM
Greetings Mike,

Sounds like some sort of virus/trojan to me. You should do a virus scan to be sure you're
not infected. A trial version of Norton Antivirus can be found at:
http://nct.digitalriver.com/fulfill/0001.14#form
____________________________________________
Jonathan Kay
Windows MVP, Messenger
Associate Expert
http://www.microsoft.com/windowsxp/expertzone/
Messenger Resources - http://messenger.jonathankay.com

"Mike" <aot...@dsl.pipex.com> wrote in message
news:3cdb61e3$0$8508$cc9e...@news.dial.pipex.com...

Mike

May 11, 2002, 4:34:24 AM
I got AVP free edition, it said no viruses detected. I don't think any virus
checker would pick it up.
I would expect a page on Norton or McAfee detailing this, but can't find
anything, so maybe they don't know about it or don't class it as a virus.


Jonathan Kay [MVP] <msnews...@jonathankay.com> wrote in message
news:uOKfqmC#BHA.2636@tkmsftngp05...

Jonathan Kay [MVP]

May 10, 2002, 10:41:56 PM
Hi Mike,

Symantec/Norton has plenty of MSN viruses in their database, search the following for "msn
messenger":
http://securityresponse.symantec.com/avcenter/vinfodb.html

However, it is sometimes rather difficult to find the exact one you're looking for.


____________________________________________
Jonathan Kay
Windows MVP, Messenger
Associate Expert
http://www.microsoft.com/windowsxp/expertzone/
Messenger Resources - http://messenger.jonathankay.com

"Mike" <aot...@dsl.pipex.com> wrote in message

news:3cdc6757$0$225$cc9e...@news.dial.pipex.com...
