Firedaemon service possibly a virus?

I am running an Exchange 5.5 server sp4.  The server has slowed quite a bit recently so I started looking into event logs etc...   I have a process "winsys" that dies & restarts every couple of seconds.  It looks like "firedaemon" is running this service.  Firedaemon is also running drvisys, printer, runbatch, system, & winserv.  I looked that the properties of Firedaemon.exe & it was created a couple of months ago.  I did not alter the file or install it.  The other strange thing is normally firedaemon is installed as a program. (c:\programs\firedaemon)  I found the exe in c:\winnt\java\etc\etc\firedaemon.exe.  Does anyone have any ideas??

Thanks in advance!!!
8lackd0gAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

subsoniqCommented:
http://www.firedaemon.com/

it's a tool to run things as a service, the company I used to work at used it a few times and it seemed pretty useful.
0
JasonBighamCommented:
Nope

http://www.firedaemon.com/

Using MRTG by chance?
0
8lackd0gAuthor Commented:
I currently use Firedaemon on some machines out on the floor.  I have not installed the program on my Exchange Server.  I am not using the MRTG.  I cannot even get the gui to start for the firedaemon program.  The .exe for firedaemon is located in c:\winnt\java\etc\etc folder.  Normally the firedaemon program is located in c:\programs\firedaemon.  I do not have that directory.  I scanned my system32 folder & it found a backoor.trojan in a folder named "rocket".  I used my laptop with NAV to scan the system32 folder.  The Exchange server is running Trend ScanMail.
0
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

JasonBighamCommented:
If it don't belong, get rid of it.

If you can't uninstall, this will work:
SRVINSTW.EXE

0
subsoniqCommented:
ouch, looks like someone back doored your exchange server.  I would highly suggest building a new exchange server and moving mailboxes/public folders/functions to it and killing this one, but I'm especially paranoid about such things and would never trust that server again.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
8lackd0gAuthor Commented:
I was not running a firewall until recently.  I started here a short time ago. Every time that a new virus came out, we got it until I put up the firewall.  I would like to keep this 5.5 beast running until end of life comes this December.  I thought that it might be a virus but I cannot find anything similar to this one.  I just stopped every service that is tied to firedaemon & email is still working properly. How can I find out what these services are used for?  Do you see any that would need to be running?  Normally if it is something that is required to run, NT should have it taken care of it right?  Firedaemon is typically used for 3rd party programs.  My processor on the Exchange seems to be cooling off now finally....
0
subsoniqCommented:
Now your getting into the world of computer forensics and incident response, you should go to the Windows Security section of experts-exchange

http://www.experts-exchange.com/Security/Win_Security/
0
JasonBighamCommented:
"I started here a short time ago"

That means your previous guy could have installed Firedaemon.

 But if this box was wide open for a  long time... who knows. Does it look like it's been turned into a "warez" server (low disc space)... ftp services would have to have been comprimised (if running)
0
8lackd0gAuthor Commented:
The "last modified" tag on firedaemon.exe was after the previous IT had left.  I had a low disk space problem a while back but that was caused by the backup not flushing the committed logs for a couple of days.  Is there a way to transfer this thread to Win_Security or do I need to start a new one?
0
JasonBighamCommented:
new
0
8lackd0gAuthor Commented:
How do I end this thread?
0
subsoniqCommented:
assign points.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Exchange

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.