Sapient2003
Technical User
Magic-PS is a key logger that only affects Yahoo Messenger users. It's purpose it to log and send the user's password to another Yahoo Chat member through a private message sent by the victim's Yahoo Messenger. It disables Yahoo Messenger's Save Password feature, so you are required to type in the password. Signs of infection include a fast Yahoo Messenger private message window that opens and closes uplon login.
Removel:
Please note that the removal of Magic PS differs depending on the options the attacker choose: Disable Taskmgr xp-2k, Disable regedit, and Disable Msconfig. I will try to cover everything.
Step 1- Look for suspicious processes
Magic PS has a default filename list that users can choose from within the program that generates the key logger.
regsvr.exe spool_32.exe spool_32.exe svchost .exe
winzip_32.exe MsTask .exe winzip_try.exe spoolsvr.exe
ExpIorer.exe taskmgr_32.exe system_32.exe intranet.exe
norton.exe regclean.exe starter .exe iexpIore.exe
regscan_32.exe osa .exe
Note that these are just the default names. The user can choose any filename he wants. In this case, you will have to rely on other means of detecting it. If your Task Manager is enabled, look for a process that is running under your Windows user account that is using about 3,416k in memory. This alone doesn't mean it is Magic PS, however.
To make sure the suspected process is in fact Magic PS, you should run a memory editor on the process. I suggest WinHack 2 ( Extract the contents of winhack2.zip and open WinHack2.exe. Under the Edit a Game's Memory tab, you will see a Process drop down box with currently running processes. Choose the process that took about 3,416k in memory and click on the Edit Memory tab. You will see a search box, enter: magic-ps. If found, this is the right process. Close it with Task Manager, if enabled. If the Task Manager is disabled, you will have to use a third-party process viewer/terminator. You can download one at Note that you need to close the process before you can delete Magic PS.
Step 2- Removing Magic PS
After the Magic PS process is closed, click on the Start Menu, go to Search, and click on For Files and Folders. Click on the All files and folders button. Enter "Magic_w" without the quotes in the A word or phrase in the file text box and click search. Delete all entries.
Step 3- Fixing taskmanager, regedit, and msconfig
--Sapient2003 - sapient@sapient2003.com
"The worst insecurity is believing you are too secure."
Removel:
Please note that the removal of Magic PS differs depending on the options the attacker choose: Disable Taskmgr xp-2k, Disable regedit, and Disable Msconfig. I will try to cover everything.
Step 1- Look for suspicious processes
Magic PS has a default filename list that users can choose from within the program that generates the key logger.
regsvr.exe spool_32.exe spool_32.exe svchost .exe
winzip_32.exe MsTask .exe winzip_try.exe spoolsvr.exe
ExpIorer.exe taskmgr_32.exe system_32.exe intranet.exe
norton.exe regclean.exe starter .exe iexpIore.exe
regscan_32.exe osa .exe
Note that these are just the default names. The user can choose any filename he wants. In this case, you will have to rely on other means of detecting it. If your Task Manager is enabled, look for a process that is running under your Windows user account that is using about 3,416k in memory. This alone doesn't mean it is Magic PS, however.
To make sure the suspected process is in fact Magic PS, you should run a memory editor on the process. I suggest WinHack 2 ( Extract the contents of winhack2.zip and open WinHack2.exe. Under the Edit a Game's Memory tab, you will see a Process drop down box with currently running processes. Choose the process that took about 3,416k in memory and click on the Edit Memory tab. You will see a search box, enter: magic-ps. If found, this is the right process. Close it with Task Manager, if enabled. If the Task Manager is disabled, you will have to use a third-party process viewer/terminator. You can download one at Note that you need to close the process before you can delete Magic PS.
Step 2- Removing Magic PS
After the Magic PS process is closed, click on the Start Menu, go to Search, and click on For Files and Folders. Click on the All files and folders button. Enter "Magic_w" without the quotes in the A word or phrase in the file text box and click search. Delete all entries.
Step 3- Fixing taskmanager, regedit, and msconfig
--Sapient2003 - sapient@sapient2003.com
"The worst insecurity is believing you are too secure."
