|Subject:||Re: Directory C:\winnt\system32\drivers found on XP - Trojan?|
|Posted by:||Roger Abell (mvpNOSp…@asu.edu)|
|Date:||Wed, 10 Dec 2003|
If you had a file named FireDaemon.exe on your
system and you malware scanning tools did not
trigger, then you should question the quality of
that scanning tool or your understanding of what
it is that it scans for.
Having these files tucked down in the drivers folder
is in itself suspicious. A legitimate installer would
not drop files there, let alone leave them there.
You should carefully examine that system with a
few good tools, monitor what ports have things bound
to them, etc.
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Paul Moloney" <paul_molon…@hotmail.com> wrote in message
> While searching for the file "explorer.exe" on XP (due to it having a
> high CPU usage), I found a copy in the folder
> C:\winnt\system32\drivers. In this folder, I also found the following
> explore.exe had the name mIRC associated with it; doing a search for
> it turned up the name of a trojan. Needless to say, this all looked
> pretty suspicious. However, searching my registry turned up none of
> the registry entries associated with this virus. And I run anti-virus
> and anti-trojan software regularly, so am surprised nothing was
> I found mIrc in the "Add/Remove Programs" dialog box, and I recall
> installing IRC software a year or two back. (I removed it once found).
> Is it possible this was a trojan, or does the legit mIrc install files
> to the above folder, and therefore can be confused with the trojan?
> Should I be worried, and if so, what should I look for, and can anyone
> recommend a good anti-trojan program? (I moved from the now-default
> Anti-Trojan 5.5.x to the new a(2)).
Directory C:\winnt\system32\drivers found on XP - Trojan? posted by Paul Moloney on 10 Dec 2003