Win2K compromised machine - TechRepublic
General discussion
December 6, 2002 at 09:41 AM
shoptech


I have a user with a Win2K machine, no Admin password, no antivirus. Our sysadmins shut off her port due to extremely high volumes of network traffic emanating from her machine. She has W32.Magister, Backdoor.trojan, and hacktool as determined by Symantec Antivirus. There is nothing loading in the run key of HKey/LocalMachine/Software/Microsoft/Windows/CurrentVersion. There is nothing loading in the startup folder. There is nothing suspicious in the .ini files. There are no shares except for the Win2K ones. But after cleaning the viruses, the system’s CPU usage is pegged at 100%, with ~60% used by Winsock.exe, and ~40% used by services.exe. This is without a network connection. There is a process running called FireDaemon which I can’t turn off. I have researched FireDaemon, but it is inconclusive as to whether a hacker may have placed it on the machine to run their process. Any ideas? The user would really hate to have to wipe it and start over again.
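The post checks the HKLM Run key, the Startup folder, the .ini files and the share list, but a service wrapper such as FireDaemon lives in the service database, and a user-level Run key, RunOnce, or the Winlogon Shell/Userinit values are other autostart points that list does not cover. The script below is an added triage example, not code from the poster or from FireDaemon; it assumes a current Windows host with PowerShell 5 or later (the Win2K machine in the post would need the equivalent reg.exe and sc.exe queries). It enumerates those autostart locations, lists services whose binary sits outside System32 or whose path mentions firedaemon, ranks processes by CPU time with their executable path, and shows any non-administrative shares.

```powershell
# Added defender triage example (not from the original post). Assumes a modern
# Windows host with PowerShell 5+; run from an elevated prompt so service and
# process paths are readable.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',      # per-user key, easy to miss
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Every value under the machine and user Run/RunOnce keys, with the key it came from.
function Get-RunKeyEntries {
    foreach ($key in $runKeys) {
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            foreach ($p in $props.PSObject.Properties) {
                # Skip the PSPath/PSParentPath bookkeeping properties PowerShell adds.
                if ($p.Name -notmatch '^PS') {
                    [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $p.Value }
                }
            }
        }
    }
}

# Winlogon Shell and Userinit are autostart points the Run keys do not show;
# the expected values are explorer.exe and userinit.exe respectively.
function Get-WinlogonEntries {
    $wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $props = Get-ItemProperty -Path $wl
    foreach ($name in 'Shell', 'Userinit') {
        [pscustomobject]@{ Location = $wl; Name = $name; Command = $props.$name }
    }
}

# Services whose binary lives outside System32, or whose path names firedaemon:
# a service wrapper that relaunches another program shows up here, not in Run keys.
function Get-SuspiciousServices {
    Get-CimInstance Win32_Service | Where-Object {
        $_.PathName -and (
            $_.PathName -notmatch '\\Windows\\System32\\' -or
            $_.PathName -match 'firedaemon'
        )
    } | Select-Object Name, DisplayName, State, StartMode, StartName, PathName
}

# Top processes by accumulated CPU time, with the on-disk path so a binary with a
# look-alike name (the post's "Winsock.exe") can be located and hashed.
function Get-TopCpuProcesses {
    Get-Process | Sort-Object CPU -Descending |
        Select-Object -First 10 Name, Id, CPU, Path
}

# Shares other than the hidden administrative defaults (C$, ADMIN$, IPC$ ...).
function Get-NonDefaultShares {
    Get-CimInstance Win32_Share | Where-Object { $_.Name -notmatch '\$$' } |
        Select-Object Name, Path, Description
}

'== Run / RunOnce keys ==';  Get-RunKeyEntries     | Format-Table -AutoSize
'== Winlogon values ==';     Get-WinlogonEntries   | Format-Table -AutoSize
'== Services to review ==';  Get-SuspiciousServices | Format-Table -AutoSize
'== Top CPU processes ==';   Get-TopCpuProcesses   | Format-Table -AutoSize
'== Non-default shares ==';  Get-NonDefaultShares  | Format-Table -AutoSize
```

The service listing is the one that matters for the FireDaemon question: the PathName column shows which program the wrapper service launches and StartName shows the account it runs as, which is what decides whether it was placed there deliberately or belongs to the machine's own software. On a host with no administrator password and no antivirus, the output is for documenting what was found before the rebuild rather than for deciding against one.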
