What is FireDaemon.exe - harmless or a trojan?

Yesterday I came to my PC, which runs 24x7, and found that Explorer was not running.
My immediate thought was that someone had broken into my PC and messed with it, and that as a side effect this person had killed Explorer.

I looked in the task manager and found a strange task, FireDaemon, running. I found contradictory information on the web about this file. Some pages (around 4 of the 5 that I visited) say it is a legitimate tool that enables you to run a regular application as a service.
Only one web site said it was a back door (trojan horse).
I believe that the version of FireDaemon that I list below is indeed a trojan horse.
It is called TR/Servuftp.B.

I could not shut FireDaemon.exe down through the task manager.
I looked for FireDaemon on my disk and found it in
C:\WINNT\system32\spool\PRINTERS

There were a bunch of other files that do not belong there. In fact, I believe that this whole folder should be empty.

I took a snapshot of this Windows installation a while ago and burned it to a CD-ROM.
I am writing this on 9/12/2006, and this snapshot was actually taken on 2/10/2001.
Yes, 5 years and 7 months ago. But I have not installed much software since then.
Certainly no new hardware and most definitely no printers.
The folder was empty back then.

My conclusion was that I had to delete the files in this folder.

All except these 4 files were deleted in the first attempt: FireDaemon.exe, BugSlayerUtil.dll, libeay32.dll, events.exe. I terminated FireDaemon.exe using a process tool (pv.exe). Then I could delete it. I terminated events.exe (also using pv.exe), and then I could delete events.exe and the two DLLs.

I ran a virus scanner, which now found no problems.

I still think someone may have had access to my machine and changed the admin password. I took a look at the list of users and found an account that I had not seen before (see the posted picture below - user 'ctouu'). I deleted that account. I don't remember why I would need an ASPNET account and deleted that one as well ;-)

C:\WINNT\system32\spool\PRINTERS>dir
 Volume in drive C has no label.
 Volume Serial Number is 046A-15F1

 Directory of C:\WINNT\system32\spool\PRINTERS

09/01/2003  05:23a                   0 hexxed.txt
02/10/2001  05:30p      <DIR>          ..
02/10/2001  05:30p      <DIR>          .
01/19/2004  04:09a                  15 hacked.bat
10/22/2003  07:30p                  54 rmtxp.bat
07/27/2004  02:29p                  75 make.bat
05/25/2003  03:12a                 135 sleep.com
05/26/2003  04:22a                 275 chgdir.dll
09/11/2006  03:38p                 296 a3d.hlp~
01/16/2005  11:34p                 327 osinstall.bat
09/11/2006  03:38p                 348 a3d.hlp
09/12/2006  05:53p                 616 ServUStartUpLog.txt
01/30/2002  05:03p                 963 Servucert.key
01/30/2002  05:03p                 973 Servucert.crt
05/20/2006  09:43p               1,291 Wm.txt
09/12/2006  05:53p               1,306 servudaemon.ini
09/13/2002  04:01p               2,267 FireDaemon.dtd
10/16/2004  05:27p               4,608 cygcrypt-0.dll
03/11/1999  09:23p              10,752 BugSlayerUtil.dll
12/26/2004  11:06p              13,729 hex.exe
04/07/2003  12:26a              30,640 cygregex.dll
11/30/2001  02:13p              36,864 TzoLibr.dll
10/12/2002  08:55p              40,960 FireDaemon.exe
03/14/2001  09:33p              62,464 ServUPerfCount.dll
09/30/2003  12:58p              67,584 ssleay32.dll
05/24/2003  04:23a             118,784 SvcAdmin.dll
08/05/2003  05:53a             128,784 Imagehlp.dll
10/16/2004  05:27p             442,249 cygwin1.dll
01/15/2002  08:48a             675,840 libeay32.dll
03/01/2004  01:46p             769,024 events.exe
11/02/2001  09:23p             938,062 libxml2.dll
              29 File(s)      3,349,285 bytes
               2 Dir(s)   2,461,302,784 bytes free

C:\WINNT\system32\spool\PRINTERS>del.
C:\WINNT\system32\spool\PRINTERS\*, Are you sure (Y/N)? y
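
The checks the post walks through by hand (files that do not belong in the printer spool folder, processes and services started from it, and local accounts nobody remembers creating) as a PowerShell audit script. This is an added example, not code from the original post; it assumes Windows PowerShell 5.1 or later, the baseline account list is an assumption to adjust for your own build, and it only reports, it deletes nothing.

```powershell
# Added defender-side audit of what the post investigated manually. Not part of the original post.
# Assumes Windows PowerShell 5.1+; run from an elevated prompt. Reports only, deletes nothing.
$SpoolDir = Join-Path $env:SystemRoot 'System32\spool\PRINTERS'

# 1. The spooler folder should only ever hold transient .SPL/.SHD print-job files. Executables,
#    DLLs, scripts or config files there (FireDaemon.exe, events.exe, *.bat in the post) are suspicious.
$SuspectExt = '.exe', '.dll', '.bat', '.com', '.ini', '.key', '.crt', '.txt'
$SpoolFiles = Get-ChildItem -Path $SpoolDir -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $SuspectExt -contains $_.Extension.ToLower() } |
    Select-Object Name, Length, LastWriteTime, FullName

# 2. Processes whose image is loaded from the spooler folder. The post could not end FireDaemon.exe
#    from Task Manager; knowing the PID and image path is the first step before stopping it.
$SpoolProcs = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path.StartsWith($SpoolDir, [System.StringComparison]::OrdinalIgnoreCase) } |
    Select-Object Id, ProcessName, Path

# 3. Services whose binary path points into the spooler folder. FireDaemon's purpose is to register
#    an arbitrary program as a service, so this is where that persistence shows up.
$SpoolSvcs = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -like '*\spool\PRINTERS\*' } |
    Select-Object Name, DisplayName, State, StartMode, PathName

# 4. Local accounts outside a known-good baseline (the post found 'ctouu').
#    The baseline below is an assumption; replace it with the accounts your build actually ships.
$BaselineUsers = @('Administrator', 'Guest', 'DefaultAccount', 'WDAGUtilityAccount')
$UnknownUsers = Get-LocalUser |
    Where-Object { $BaselineUsers -notcontains $_.Name } |
    Select-Object Name, Enabled, PasswordLastSet, LastLogon

# Report. On a clean machine the first three sections print "(none)".
foreach ($section in @(
        @{ Title = "Non-spool files in $SpoolDir"; Data = $SpoolFiles },
        @{ Title = 'Processes running from the spool folder'; Data = $SpoolProcs },
        @{ Title = 'Services whose binary lives in the spool folder'; Data = $SpoolSvcs },
        @{ Title = 'Local accounts not in the baseline'; Data = $UnknownUsers })) {
    Write-Host "== $($section.Title) =="
    if ($section.Data) { $section.Data | Format-Table -AutoSize | Out-String | Write-Host }
    else { Write-Host '  (none)' }
}
```

Compare the listed files against a known-good snapshot as the post did; a hit in sections 2 or 3 is what explains why the process could not be ended from Task Manager.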

Comments:

2006-09-12, 19:14:30
Peter (Author) from United States  
Someone created a Windows account 'ctouu' on my system:


2014-12-16, 09:48:38
anonymous from Westervoort, Netherlands  
Hello, I just downloaded it, I'll try it and then say how it went, but I'll tell you in advance that this software stuff is very important for the development of university students, and not the rubbish of those engineers who teach the old-fashioned way, that is, theory only.