Directory C:\winnt\system32\drivers found on XP - Trojan?

 
 
Paul Moloney
 
      11th Dec 2003
While searching for the file "explorer.exe" on XP (due to it having a
high CPU usage), I found a copy in the folder
C:\winnt\system32\drivers. In this folder, I also found the following
files:

FireDaemon.exe
hexplore.exe
explore.exe
remote.ini
script1.ini
sec.bat
winini.bat

explore.exe had the name mIRC associated with it; doing a search for
it turned up the name of a trojan. Needless to say, this all looked
pretty suspicious. However, searching my registry turned up none of
the registry entries associated with this virus. And I run anti-virus
and anti-trojan software regularly, so am surprised nothing was
detected.

I found mIrc in the "Add/Remove Programs" dialog box, and I recall
installing IRC software a year or two back. (I removed it once found).
Is it possible this was a trojan, or does the legit mIrc install files
to the above folder, and therefore can be confused with the trojan?
Should I be worried, and if so, what should I look for, and can anyone
recommend a good anti-trojan program? (I moved from the now-default
Anti-Trojan 5.5.x to the new a(2)).

Thanks,

P.
Roger Abell
 
      11th Dec 2003
If you had a file named FireDaemon.exe on your
system and your malware scanning tools did not
trigger, then you should question the quality of
that scanning tool or your understanding of what
it is that it scans for.
Having these files tucked down in the drivers folder
is in itself suspicious. A legitimate installer would
not drop files there, let alone leave them there.
You should carefully examine that system with a
few good tools, monitor what ports have things bound
to them, etc.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
ceedee
 
      11th Dec 2003
It's an IRC trojan,
a very widespread trojan, and it usually installs to the drivers or
drivers/etc dir.
I would suspect your anti-virus has at some point killed it already;
these files are what's left.

FireDaemon is a legitimate program, so a lot of v checkers won't pull it.
It is used to install a program as a service,
in this case explore.exe, which is just mIRC renamed.
The other files are scripts mIRC uses.

Just delete them all and relax.

ceedee
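An added triage script, written for this thread and not code from any of the posters, that turns Roger Abell's advice (look hard at what sits in the drivers folder and what has ports bound to it) and ceedee's explanation (FireDaemon registering a renamed mIRC as a service) into a repeatable defender's check. It assumes a current PowerShell host with the CIM and NetTCPIP modules (Windows 8 or later), not the XP box in the question, and it only lists candidates for review; it deletes nothing.

```powershell
# Added triage example (not from the thread). Assumes PowerShell 3+ with the
# CimCmdlets and NetTCPIP modules; the drivers folder is derived from the
# running system root instead of hard-coding C:\winnt.
$driversDir = Join-Path $env:SystemRoot 'system32\drivers'

# 1. Files in the drivers folder that are not driver binaries.
#    Kernel drivers are .sys; .exe, .bat and .ini files (as in the thread)
#    have no business there and are listed with their Authenticode status.
$expected = @('.sys')
$odd = Get-ChildItem -Path $driversDir -File -ErrorAction SilentlyContinue |
    Where-Object { $expected -notcontains $_.Extension.ToLower() } |
    Select-Object Name, Length, LastWriteTime,
        @{ n = 'Signature'; e = { (Get-AuthenticodeSignature $_.FullName).Status } }

# 2. Services whose binary lives in the drivers folder or is wrapped by
#    FireDaemon. FireDaemon itself is legitimate; what matters is the
#    program it has been told to run, which appears in PathName.
$svc = Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match [regex]::Escape($driversDir) -or
                   $_.PathName -match 'FireDaemon' } |
    Select-Object Name, State, StartMode, PathName

# 3. Listening TCP ports mapped back to the owning process and its image
#    path, so an IRC bot that opened a port is tied to the file on disk.
$listen = Get-NetTCPConnection -State Listen |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalPort = $_.LocalPort
            PID       = $_.OwningProcess
            Process   = $p.ProcessName
            Path      = $p.Path
        }
    } | Sort-Object LocalPort

'--- Non-driver files in {0} ---' -f $driversDir
$odd | Format-Table -AutoSize
'--- Services pointing into that folder or run via FireDaemon ---'
$svc | Format-Table -AutoSize
'--- Listening TCP ports and owning processes ---'
$listen | Format-Table -AutoSize
```

Run it from an elevated prompt so service paths and process image paths are readable; anything in the first two tables that is unsigned or outside a known install deserves a second look against the third.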
