Directory C:\winnt\system32\drivers found on XP - Trojan?


Paul Moloney

While searching for the file "explorer.exe" on XP (due to it having a
high CPU usage), I found a copy in the folder
C:\winnt\system32\drivers. In this folder, I also found the following
files:

FireDaemon.exe
hexplore.exe
explore.exe
remote.ini
script1.ini
sec.bat
winini.bat

explore.exe had the name mIRC associated with it; doing a search for
it turned up the name of a trojan. Needless to say, this all looked
pretty suspicious. However, searching my registry turned up none of
the registry entries associated with this virus. And I run anti-virus
and anti-trojan software regularly, so I am surprised nothing was
detected.

I found mIrc in the "Add/Remove Programs" dialog box, and I recall
installing IRC software a year or two back. (I removed it once found).
Is it possible this was a trojan, or does the legit mIrc install files
to the above folder, and therefore can be confused with the trojan?
Should I be worried, and if so, what should I look for, and can anyone
recommend a good anti-trojan program? (I moved from the now-default
Anti-Trojan 5.5.x to the new a(2)).

Thanks,

P.
 

Roger Abell

If you had a file named FireDaemon.exe on your system and your malware scanning tools did not trigger, then you should question the quality of that scanning tool or your understanding of what it is that it scans for.

Having these files tucked down in the drivers folder is in itself suspicious. A legitimate installer would not drop files there, let alone leave them there.

You should carefully examine that system with a few good tools, monitor what ports have things bound to them, etc.
 

ceedee

It's an IRC trojan, a very widespread trojan, and it usually installs to the drivers or drivers/etc dir. I would suspect your anti-virus has at some point killed it already; these files are what's left.

FireDaemon is a legitimate program, so a lot of v checkers won't pull it. It is used to install a program as a service, in this case explore.exe, which is just mIRC renamed. The other files are scripts mIRC uses.

Just delete them all and relax.

ceedee
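The two replies above describe the same defender-side checks: look for a service wrapper (FireDaemon-style) pointing at a program in the drivers folder, list what is actually sitting in that folder, and see which processes have ports bound. The PowerShell below is an added example, not code from this thread or from any of the tools named in it. It assumes a current Windows host (Get-CimInstance needs PowerShell 3+, Get-NetTCPConnection needs Windows 8 / Server 2012 or later); on an XP-era machine the equivalent checks are `sc query`, `dir`, and `netstat -ano`.

```powershell
# Added example (not from the thread): triage checks for the situation described
# above. The folder is the one named in the original post, resolved via the
# system root so it works whether that is C:\winnt or C:\Windows.
$suspectDir = Join-Path $env:SystemRoot 'system32\drivers'

# 1. Services whose binary path points into the drivers folder. A service
#    wrapper such as FireDaemon registers a PathName for the program it runs,
#    so a renamed client launched this way shows up here.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -like '*\system32\drivers\*' } |
    Select-Object Name, State, StartMode, PathName |
    Format-Table -AutoSize

# 2. Programs and scripts in a folder that normally holds driver files (.sys),
#    newest first, so recently dropped files surface at the top.
Get-ChildItem -Path $suspectDir -Include *.exe, *.bat, *.ini -Recurse -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime |
    Sort-Object LastWriteTime -Descending |
    Format-Table -AutoSize

# 3. Listening and established TCP connections mapped to the owning process
#    and its image path, which is the "what has ports bound" check from above.
Get-NetTCPConnection -State Listen, Established |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalPort  = $_.LocalPort
            RemoteAddr = $_.RemoteAddress
            RemotePort = $_.RemotePort
            State      = $_.State
            PID        = $_.OwningProcess
            Process    = $p.ProcessName
            Path       = $p.Path
        }
    } |
    Sort-Object State, LocalPort |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so that process paths resolve for services running as SYSTEM. A path under the drivers folder in the first or third listing is the signal to act on; the second listing on its own only tells you what was left behind, which on a cleaned machine may be all that remains.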