Got a call from my mother on the east coast asking for help with her computer. Hooked up VNC Viewer. Looks like Avast has been updating itself fine and running system checks.

Yesterday it removed a couple more including a "Win32-hiderun-f" which I can't find much on other than that it can be installed by trojans like boohoo.

Avast scnas fine without picking anything else up right now.

Upon starting her system though she gets a message saying that FireDaemon has crashed and asking whether or not to send a report to MS.

I know that FireDaemon can be installed as a service and used as a remote admin program.

Am wondering whether one of the many trojans or viruses the computer has picked up installed FireDaemon as a service before getting picked up and disabled by Avast...so Windows thinks it's a legit program and throws up the error message...that FireDaemon was disabled by Avast but is still trying to run or something like that.

Can't find any evidence of FD but am not sure I know where to look other than msconfig startup, add/remove.

Any help greatly appreciated, thanks

Start--->Run---->services.msc---->look for any Firedaemon entries and disable them. Reboot and see if the error comes back. Search the registry for Firedaemon and look at the keys to see which app FD is associated with.

Search the registry for Firedaemon and look at the keys to see which app FD is associated with.


thansk Prey.

How do I search the registry? manually look through the keys or is there a search function?

and how can I go about un-installing the damn thing instead of just disabling it?

Ya, once you open up the regedit hit Ctrl+F, this will open up the search box, type in the string you want to search and it will go to the first one it finds, after you check out what it finds, hit F3 and it will go on to look for the next entry, when it's done, it will tell you that it's finished searching the registry.

Prey's tips are right on point, but if you did not install Fire Daemon yourself, go into the Control Panel and uninstall the program using "Add/Remove Programs". A typical Fire Daemon install should show up in that list.

Then, once updated, let Avast run a full scan and see if anything is lingering. You may also want to install and run the following:

Ad Aware: http://www.lavasoftusa.com/
Spybot: http://www.spybot.com/en/download/index.html
CCleaner: http://www.ccleaner.com/download/

Thanks guys, going to post a couple pics to see if that clarifies anything.

Never saw FD installed in add/remove but it was listed this time around in services. Have run CrapCleaner (took about 10 minutes:D) and AdAware.

http://mail.google.com/mail/?view=att&disp=inline&attid=0.1&th=10dc8e8edf284b64

Here's the error message she got when she turned the system on:
http://humboldt32.googlepages.com/desktop.JPG

and the only registry entry I found:
http://humboldt32.googlepages.com/fd.JPG

Have run Avast again, AdAware, CCleaner, and Trend housecall.

Will let you know if it turns up the next time she reboots.

oh, and after I disabled FD in the registry it occured to me to try to delete FD through the command line.

but it said there was no exe found with that name:confused:

used this:
To Delete A Service

* Start | Run and type cmd in the Open: line. Click OK.
* Type: sc delete <service name>
* Reboot the system

You can also right click my computer, then go to the manage tab, from there you will see a service start up area....open that and check as well. Hope it help!

P.S. If it is listed there, you can at least disable it from there..too...if it is listed.

and then this just popped up.

WTF is this???
http://humboldt32.googlepages.com/wtf.JPG

I would do a scan if possible at http://housecall.trendmicro.com

I would do a scan if possible at http://housecall.trendmicro.com


:D
Have run Avast again, AdAware, CCleaner, and Trend housecall.

ssls googled brings up bitdaemon

how about posting a hijackthis log?

ssls googled brings up bitdaemon

how about posting a hijackthis log?

whoops, so it does:D

I didn't see that last "s", was searching for ssl.exe and getting other results.

duh

will post hijackthis log in a moment

Logfile of HijackThis v1.99.1
Scan saved at 11:18:49 PM, on 9/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Documents and Settings\Administrator\Desktop\f@h\FAH504-Console.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\mts\QTASK\LSASS.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\dllcache\EvtMgr.exe
C:\Documents and Settings\Administrator\Desktop\f@h\FahCore_78.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\config\mui\data\office\smss.exe
C:\WINDOWS\System32\mts\QTASK\LSASS.EXE
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\mts\QTASK\WINMNGR.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\IBMTOOLS\Apps\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\macromed\flash\GetFlash.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.unc.edu/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.lib.unc.edu/htbin/config
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\Updater\ucstartup.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\RunServices: [LoadPowerProfiles] COnfig\mui\data\office\run.bat
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [_Windows] C:\WINDOWS\WinSecurity\services.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\Common Files\IBMTOOLS\Apps\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: FAH@C:+Documents and Settings+Administrator+Desktop+f@h+FAH504-Console.exe - Stanford University - C:\Documents and Settings\Administrator\Desktop\f@h\FAH504-Console.exe
O23 - Service: FAH@C:+Documents and Settings+Administrator+Desktop+FAH504-Console.exe - Unknown owner - C:\Documents and Settings\Administrator\Desktop\FAH504-Console.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft Networks (MNS) - Unknown owner - C:\WINDOWS\System32\mts\QTASK\LSASS.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual Guide Monitor (r_server) - Unknown owner - C:\WINDOWS\system32\dllcache\EvtMgr.exe" /service (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Windows Manager (Winmngr) - Unknown owner - C:\WINDOWS\System32\mts\QTASK\LSASS.EXE
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

Nothing related to fire or bitdaemon there.

Besides the registry, you could check for any entries in msconfig(start > run > msconfig [enter] ) if you havent already.

Have checked services and startup there, not exactly sure what I'm looking for but not seeing anything jump out at me.

What about that last screenshot I posted?

I've never seen a program say "sorry about that" much less that URL something put in the browser address bar and tried to download. When I just went to start/run to type msconfig again, that same address was in the run field.

The ircfree junk address? i would remove that.

Hmmm
To be honest i was using quite a few trojans when i was teen,I always installed at least 3-4 remote programs just in case so i can get back, even encrypted part of the HDD and when i was bored i did restart their computers and did some crazy stuffs.Of course 2 keyloggers were installed too.BO (back orifice is pretty old, maybe it was updated, i have no idea) but once he got a hold of her computer format, use router and software firewall.I have coupon for Zonealarm if you are interested and router i dont use.Let me know bud.
Its all kiddie scripts, i stoped following it 10 years ago he can take or do whatever he wants and i'm positive after 10 years the programs are even more wicked, also they mean "no harm" unless you do internet banking or something similar.But if i found out somebody was here man i would go postal :irate:

Hmmm
To be honest i was using quite a few trojans when i was teen,I always installed at least 3-4 remote programs just in case so i can get back, even encrypted part of the HDD and when i was bored i did restart their computers and did some crazy stuffs.Of course 2 keyloggers were installed too.BO (back orifice is pretty old, maybe it was updated, i have no idea) but once he got a hold of her computer format, use router and software firewall.I have coupon for Zonealarm if you are interested and router i dont use.Let me know bud.
Its all kiddie scripts, i stoped following it 10 years ago he can take or do whatever he wants and i'm positive after 10 years the programs are even more wicked, also they mean "no harm" unless you do internet banking or something similar.But if i found out somebody was here man i would go postal :irate:


:irate:

so why isn't any of this showing up in the scans?

I've done trend online housecall, updated avast scan, avast virus removal tool scan, mcafee stinger virus tool scan, hijack this scan, adawre scan, crapcleaner scan

Found something else with McAfee Stinger Virus Remover
McAfee AVERT Stinger Version 2.6.0. built on Apr 5 2006

Copyright (C) 2005 Networks Associates Technology, Inc. All Rights Reserved.

Virus data file v1000 created on Feb 2 2006.

Ready to scan for 55 viruses, trojans and variants.



Scan initiated on Tue Sep 19 23:58:23 2006

C:\WINDOWS\WinSecurity\socket1.ifo\socket1.ifo

Found the W32/Sober@MM!M681 virus !!!

C:\WINDOWS\WinSecurity\socket1.ifo\socket1.ifo could not be repaired.

C:\WINDOWS\WinSecurity\socket2.ifo\socket2.ifo

Found the W32/Sober@MM!M681 virus !!!

C:\WINDOWS\WinSecurity\socket2.ifo\socket2.ifo could not be repaired.

C:\WINDOWS\WinSecurity\socket3.ifo\socket3.ifo

Found the W32/Sober@MM!M681 virus !!!

C:\WINDOWS\WinSecurity\socket3.ifo\socket3.ifo could not be repaired.

Number of clean files: 98605

Number of infected files: 3


Looking it up now, feedback appreciated, thanks

:irate:

so why isn't any of this showing up in the scans?

I've done trend online housecall, updated avast scan, avast virus removal tool scan, mcafee stinger virus tool scan, hijack this scan, adawre scan, crapcleaner scan
they can hide it
i'm telling you bud i'm not following kiddie scripts, i know as a fact they can mod your antivirus/whatever they want so he cant pick it up.They are way more advanced now (trojans).

Try and look into your netstat /all who is connected and where are you connected.If you will see something like bang.my.balls.com you know for sure he is in using bnc.

Looked like a Win32 sober variant.

Thanks for the help:thumb:

and then this just popped up.

WTF is this???
http://humboldt32.googlepages.com/wtf.JPG

That above.. led to a Apache web server..
Apache/ProXad [Jul 18 2006 14:37:10] Server at ircss.free.fr Port 80

Looks like they might have also a "IRC" server running..

What you probally have there is a IRC bot passing commands, to and from a IRC channel.. to whoever owns "it".. :nod: probally came with that sober virus..

That above.. led to a Apache web server..
Apache/ProXad [Jul 18 2006 14:37:10] Server at ircss.free.fr Port 80

Looks like they might have also a "IRC" server running..

What you probally have there is a IRC bot passing commands, to and from a IRC channel.. to whoever owns "it".. :nod: probally came with that sober virus..

Definately.They are using your internet (i guess you are on adsl or cable) for DCC bots to spread pirated Games and Movies to the public.Dont be suprised if you get some nasty email from your ISP or RIAA.

It looks like the connection is broken now, just cleaning up the mess.



What errors are you getting at this point still?

I was reading through the thread and the first thing I noticed was the trojan with the HijackThis log here:

O4 - HKCU\..\Run: [_Windows] C:\WINDOWS\WinSecurity\services.exe

I would suggest doing the following:

Prior to doing anything XP users MUST disable System Restore!!! You can re enable it after you are clean.

1. Download, install and run CrapCleaner (http://www.ccleaner.com) to remove any temporary and junk files.

2. Download Ad-Aware SE 1.06 (http://www.majorgeeks.com/download506.html) and set it up as shown HERE (http://www.drtweak.com/index.php?topic=40.0).

3. Download SpyBot Search & Destroy 1.4 (http://www.safer-networking.org/index.php?page=download) and set it up as shown HERE (http://www.drtweak.com/index.php?topic=41.0).

4. Download SUPERAntiSpyware (http://www.superantispyware.com), update and do a full system scan.

5. Download Ewido Anti-Malware 4.0 (http://www.ewido.net/en/download), update and do a full system scan.

6. Download and run CWShredder (http://www.trendmicro.com/cwshredder).

7. Do a FREE online virus scan from BitDefender Online Scan (http://www.bitdefender.com/) and remove all that it finds.

8. If you aren't currently using a firewall or anti-virus profram then I suggest you install Comodo Firewall (http://www.personalfirewall.comodo.com/) and Active Virus Shield (http://www.activevirusshield.com/antivirus/freeav/index.adp?) - (setup instructions HERE (http://www.drtweak.com/index.php?topic=157.0)), both are FREE and offer excellent protection.

9. It it also a good idea to run the Winsock Fix (http://www.snapfiles.com/get/winsockxpfix.html) to repair your TCP/IP stack. (you will have to redo any tweaks for your connection if this is used)

10. If after doing ALL of the above and you are still having problems please scan with HijackThis 1.99.1 (http://www.majorgeeks.com/download3155.html) as shown HERE (http://www.drtweak.com/index.php?topic=58.0) and post a log here in this forum for us to look at.

11. Download SpywareBlaster 3.5.1 (http://www.javacoolsoftware.com/spywareblaster.html) and set it up as shown HERE (http://www.drtweak.com/index.php?topic=42.0) to help stay spyware free.

12. Make sure you have ALL of the latest Windows Updates.


I would highly recommend uninstalling Avast.... as you can see it missed quite a few things) and installing Active Virus Shield, if you decide to do that it will detect VNC as a remote access program (trojan) so I would use UltraVNC instead, it's not detected and even better in my opnion.

:)

Good catch mnosteele.

Humboldt, if you install Active Virus Shield it will act funky with Folding running, so I would just disable Avast and not remove it. Then when your done with AVS, turn Avast back on.

Thanks guys.

McAfee Stinger found the sober worm and "fixed" it, but this morning got a call from my mother that the FireDaemon error is still coming up.

Quite a pain in the ass to deal with as by the time I get home at 7:30 pm west coast it's 3 hours later there. I need to VNC connect with her system, take the screenshots or whatever, email them to myself, open them from here, etc...:D

Thanks for the new tips mnosteele, will try all that tonight:nod:

Thanks guys.

McAfee Stinger found the sober worm and "fixed" it, but this morning got a call from my mother that the FireDaemon error is still coming up.

Quite a pain in the ass to deal with as by the time I get home at 7:30 pm west coast it's 3 hours later there. I need to VNC connect with her system, take the screenshots or whatever, email them to myself, open them from here, etc...:D

Thanks for the new tips mnosteele, will try all that tonight:nod:

:thumb:

good grief.

working my way through mnosteele's list.

Found ALL KINDS of trojans and backdoors and rats. lol

sdbots and something called a deepthroat 3.0 (some reference to trini's mother I guess) and more rounds of sober worm, at least 2 other unidentified RA programs

and a backdoor.servu.4004 E

Sounds like there was a party there!

Humbolt, you may also need to download Sysinternal's Autoruns (http://www.sysinternals.com/Utilities/Autoruns.html) to find the problem and remove it, this is a VERY thorough startup manager, kind of like HijackThis on steroids.

:thumb:

thanks for the tip, I'll give that one a try too.

Seemed like everything else you suggested helped a lot, but that each new program scan found a new virus:D

I did get a call from my mother this morning though saying that she's no longer getting the fire daemon error message:thumb:

I did get a call from my mother this morning though saying that she's no longer getting the fire daemon error message:thumb:

Awesome, now she's proud of her son.

:thumb:

thanks for the tip, I'll give that one a try too.

Seemed like everything else you suggested helped a lot, but that each new program scan found a new virus:D


Remember the days when ONE program would handle most? Sigh...twill never be again so I fear. :(

something called a deepthroat 3.0 (some reference to trini's mother I guess)

:rotfl:

Too late for me to catch her up on the east coast right now to rescan everything and see how clean it is , but I'll be able to do that after work tomorrow.

Thanks again for all the help, much appreciated:nod:

Remember the days when ONE program would handle most? Sigh...twill never be again so I fear. :(

No, but on the other hand I guess it's nice having this gaunlet of software to catch the little bastards:D I'm really impressed with how well they worked.