Do you wonder where that long list of processes in your task manager comes from? Are all those programs really needed, or are they viruses, adware or spyware recording all your keystrokes and sending your passwords to a remote server? Read the articles below and learn about some of those processes.


What is FireDaemon.exe - harmless or a trojan?

Yesterday I came to my PC, which runs 24x7, and found that Explorer was not running.
My immediate thought was that someone had broken into my PC, messed with it and, as a side effect, killed Explorer.

I looked in the task manager and found a strange task, FireDaemon, running. I found contradictory information on the web about this file. Some pages (around 4 of the 5 that I visited) say it is a legitimate tool that enables you to run a regular application as a service.
Only one web site said it was a back door (trojan horse).
I believe that the version of FireDaemon that I list below is indeed a trojan horse.
It is called TR/Servuftp.B.

I could not shut FireDaemon.exe down through the task manager.
I looked for FireDaemon on my disk and found it in
C:\WINNT\system32\spool\PRINTERS

There were a bunch of other files that do not belong there. In fact, I believe that this whole folder should be empty.

I took a snapshot of this Windows installation a while ago and burned it on a CDROM.
I am writing this 9/12/2006 and this snapshot was actually taken on 2/10/2001.
Yes, 5 years and 7 months ago. But I have not installed much software since then.
Certainly no new hardware and most definitely no printers.
The folder was empty back then.

My conclusion was that I had to delete the files in this folder.

All except these 4 files were deleted in the first attempt:

FireDaemon.exe
BugSlayerUtil.dll
libeay32.dll
events.exe

I terminated FireDaemon.exe using a process tool (pv.exe). Then I could delete it. I terminated events.exe (also using pv.exe) and then I could delete events.exe and the two DLLs.

I ran a virus scanner which found no problems now.

I still think someone may have had access to my machine and changed the admin password. I took a look in the list of users and found an account that I had not seen before (see posted picture below - user 'ctouu'.) I deleted that account. I don't remember why I would need an account ASPNET and deleted that one as well ;-)

C:\WINNT\system32\spool\PRINTERS>dir
  Volume in drive C has no label.
  Volume Serial Number is 046A-15F1
 
  Directory of C:\WINNT\system32\spool\PRINTERS
 
 09/01/2003  05:23a                   0 hexxed.txt
 02/10/2001  05:30p      <DIR>          ..
 02/10/2001  05:30p      <DIR>          .
 01/19/2004  04:09a                  15 hacked.bat
 10/22/2003  07:30p                  54 rmtxp.bat
 07/27/2004  02:29p                  75 make.bat
 05/25/2003  03:12a                 135 sleep.com
 05/26/2003  04:22a                 275 chgdir.dll
 09/11/2006  03:38p                 296 a3d.hlp~
 01/16/2005  11:34p                 327 osinstall.bat
 09/11/2006  03:38p                 348 a3d.hlp
 09/12/2006  05:53p                 616 ServUStartUpLog.txt
 01/30/2002  05:03p                 963 Servucert.key
 01/30/2002  05:03p                 973 Servucert.crt
 05/20/2006  09:43p               1,291 Wm.txt
 09/12/2006  05:53p               1,306 servudaemon.ini
 09/13/2002  04:01p               2,267 FireDaemon.dtd
 10/16/2004  05:27p               4,608 cygcrypt-0.dll
 03/11/1999  09:23p              10,752 BugSlayerUtil.dll
 12/26/2004  11:06p              13,729 hex.exe
 04/07/2003  12:26a              30,640 cygregex.dll
 11/30/2001  02:13p              36,864 TzoLibr.dll
 10/12/2002  08:55p              40,960 FireDaemon.exe
 03/14/2001  09:33p              62,464 ServUPerfCount.dll
 09/30/2003  12:58p              67,584 ssleay32.dll
 05/24/2003  04:23a             118,784 SvcAdmin.dll
 08/05/2003  05:53a             128,784 Imagehlp.dll
 10/16/2004  05:27p             442,249 cygwin1.dll
 01/15/2002  08:48a             675,840 libeay32.dll
 03/01/2004  01:46p             769,024 events.exe
 11/02/2001  09:23p             938,062 libxml2.dll
               29 File(s)      3,349,285 bytes
                2 Dir(s)   2,461,302,784 bytes free
 
 C:\WINNT\system32\spool\PRINTERS>del.
 C:\WINNT\system32\spool\PRINTERS\*, Are you sure (Y/N)? y
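
The reasoning behind the cleanup above (the spool folder should hold nothing but print jobs, and it was empty in the 2/10/2001 snapshot) can be applied mechanically to a saved dir listing. This is an added example, not part of the original article: the function names, the set of runnable extensions and the .SPL sample line are assumptions, and the other sample lines are copied from the listing above.

```python
import os
import re
from datetime import datetime

# Constructed sample: lines taken from the listing above, plus one
# made-up .SPL entry to show what a normal spool file looks like.
SAMPLE = """\
 02/10/2001  05:30p      <DIR>          ..
 01/19/2004  04:09a                  15 hacked.bat
 09/12/2006  05:53p               1,306 servudaemon.ini
 03/11/1999  09:23p              10,752 BugSlayerUtil.dll
 10/12/2002  08:55p              40,960 FireDaemon.exe
 03/01/2004  01:46p             769,024 events.exe
 09/12/2006  05:50p               2,048 00002.SPL
"""

BASELINE = datetime(2001, 2, 10)   # snapshot date; folder was empty then
SPOOL_EXT = {".spl", ".shd"}       # print job data and its shadow file
RUNNABLE_EXT = {".exe", ".com", ".bat", ".cmd", ".dll", ".scr"}  # assumed set

LINE = re.compile(r"^\s*(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2}[ap])\s+(<DIR>|[\d,]+)\s+(.+?)\s*$")

def parse_dir(text):
    """Yield (modified, size, name) for every file line of `dir` output."""
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or m.group(3) == "<DIR>":
            continue  # headers, totals, prompts and directories
        stamp = datetime.strptime(f"{m.group(1)} {m.group(2)}m", "%m/%d/%Y %I:%M%p")
        yield stamp, int(m.group(3).replace(",", "")), m.group(4)

def triage(text, baseline=BASELINE):
    """Return [(name, tags)] for files that are not ordinary spool files."""
    findings = []
    for modified, _size, name in parse_dir(text):
        ext = os.path.splitext(name)[1].lower()
        if ext in SPOOL_EXT:
            continue
        tags = ["unexpected"]
        if ext in RUNNABLE_EXT:
            tags.append("runnable")
        if modified < baseline:
            # Older than the empty-folder snapshot: mtime was carried over
            # from elsewhere and says nothing about when the file arrived.
            tags.append("mtime-predates-baseline")
        findings.append((name, tags))
    return findings

if __name__ == "__main__":
    for name, tags in triage(SAMPLE):
        print(f"{name:20} {', '.join(tags)}")
```

BugSlayerUtil.dll carries a 1999 date even though the folder was empty in 2001: a copied file keeps its original modification time, so the dates in the listing do not show when each file arrived.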
 

Generated 12:02:12 on May 26, 2018