While searching for the file "explorer.exe" on XP (due to it having a
high CPU usage), I found a copy in the folder
C:\winnt\system32\drivers. In this folder, I also found the following
files:

FireDaemon.exe
hexplore.exe
explore.exe
remote.ini
script1.ini
sec.bat
winini.bat

explore.exe had the name mIRC associated with it; doing a search for
it turned up the name of a trojan. Needless to say, this all looked
pretty suspicious. However, searching my registry turned up none of
the registry entries associated with this virus. And I run anti-virus
and anti-trojan software regularly, so am surprised nothing was
detected.

I found mIRC in the "Add/Remove Programs" dialog box, and I recall
installing IRC software a year or two back. (I removed it once found).
Is it possible this was a trojan, or does the legit mIRC install files
to the above folder, and therefore can be confused with the trojan?

Should I be worried, and if so, what should I look for, and can anyone
recommend a good anti-trojan program? (I moved from the now-default
Anti-Trojan 5.5.x to the new a(2)).

Would appreciate if anyone knowledgeable about mIRC could reply,

Thanks,

P.
To be on the safe side, I'd make a visit to www.trendmicro.com for a free virus scan. It's quick and easy, and should find anything you might want to know of. It's always nice to have a second opinion anyways.
"can anyone recommend a good anti-trojan program?"
http://www.simplysup.com/tremover
To answer your question... No, mIRC does not install files in your \system32\drivers directory, or anywhere but the designated program folder. This is definitely a sneaky installation. Also search your hard drive for the file "mirc.ini" which can often locate a sneaky install.

Since you are using an NT flavor of Windows, you should benefit from the freeware program TCPView, available at www.sysinternals.com. This program will list all processes that are making or attempting to make an internet connection. If your little "drone" (irc trojan) is active and connecting to IRC, this will tell you.

Good luck.

- Raccoon
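
The search for "mirc.ini" suggested in the reply above, generalized into a small scanner, as an added example that is not part of the original thread: it walks a directory tree and reports mIRC configuration files, and look-alike executables sitting beside them, anywhere outside the folder where mIRC was deliberately installed. The function names, the heuristic and the constructed sample tree are assumptions; the file names come from the first post.

```python
import fnmatch
import os
import tempfile

# File names from the first post. They are only indicators when found outside
# the folder where mIRC was deliberately installed (assumed heuristic).
MIRC_CONFIG = ["mirc.ini", "remote.ini", "script*.ini"]
LOOKALIKE_EXE = {"explore.exe", "hexplore.exe", "firedaemon.exe"}


def find_hidden_mirc(root, legit_dirs=()):
    """Return sorted (path, reason) pairs for suspicious files under root."""
    legit = [os.path.normcase(os.path.abspath(d)) for d in legit_dirs]
    hits = []
    for folder, _subdirs, files in os.walk(root):
        here = os.path.normcase(os.path.abspath(folder))
        # Skip the known-good install folder and everything below it.
        if any(here == d or here.startswith(d + os.sep) for d in legit):
            continue
        lowered = [f.lower() for f in files]
        has_cfg = any(fnmatch.filter(lowered, pat) for pat in MIRC_CONFIG)
        for name, low in zip(files, lowered):
            path = os.path.join(folder, name)
            if any(fnmatch.fnmatch(low, pat) for pat in MIRC_CONFIG):
                hits.append((path, "mIRC config outside install folder"))
            elif low in LOOKALIKE_EXE and has_cfg:
                hits.append((path, "look-alike executable beside mIRC config"))
    return sorted(hits)


def demo():
    """Scan a constructed tree that mimics the layout in the first post."""
    layout = {
        "Program Files/mIRC": ["mirc.exe", "mirc.ini", "remote.ini"],
        "winnt/system32": ["explorer.exe"],
        "winnt/system32/drivers": ["explore.exe", "hexplore.exe",
                                   "remote.ini", "script1.ini", "sec.bat"],
    }
    with tempfile.TemporaryDirectory() as root:
        for folder, files in layout.items():
            os.makedirs(os.path.join(root, folder), exist_ok=True)
            for name in files:
                open(os.path.join(root, folder, name), "w").close()
        legit = [os.path.join(root, "Program Files", "mIRC")]
        return [(os.path.relpath(p, root).replace(os.sep, "/"), why)
                for p, why in find_hidden_mirc(root, legit)]


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A hit is a lead to investigate rather than proof of compromise, since other software can ship a file named remote.ini.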
Here is my advice: do a netstat and find the IRC server that the trojan is connected to.

If you're connected to that IRC server, be sure to note that. If it's a public IRC network like DALnet or EFnet, be sure to go to #help and inform an IRCop. To find an IRCop, just do /stats p or /who o 0. IRCops always have masked hosts like 'Oper' or Net-Admin. The IRCops should remove the offending 'trojan bots' channel. There are usually login and remove commands. The stuff is always visible and can be read easily if you know mIRC scripting well. You could understand how mIRC trojans work. If you got a login to the trojans, you could do !remove or !- exit or !- quit

You should also set a strong password on your NT accounts. WinXP is similar to Win2000. WinXP does have NT accounts.
Just delete the files from your drivers dirs.

Anti-trojan programs won't help anything because people who write trojans change files all of the time. They even used AVs and anti-trojan programs to check their files.



mouse, um, going to an IRC server and informing the IRCop is not always the best idea. You see, half the IRCops out there do the rooting. They do it so people will join their server to make them look big. That's with the smaller IRC networks anyway.

Best thing to do is remove it and suck it up. Then put on a firewall and set passwords for Windows, not common ones. Do not use logins such as administrator or god, or passwords such as 1234 or qwerty. Last, get an anti-virus, not Norton. Norton will not pick up the IRC trojan. AVG 7 does.
I know those files.
They are used for an XDCC bot called iroffer, one of the most used fileserver bots there is.
In other words, you were hacked and used as an XDCC bot.
Some virus scanners will see it as a trojan, but it isn't a trojan.

To prevent this from happening again, do as rockhond said:
use a firewall and use passwords that are not easy to crack.

Heh, well one man's xdcc bot is another man's trojan. :tongue:
Kind of looks like your machine got owned. Those types of files are uploaded to directories for harmful use, and they usually go undetected. I would also do a good port scan on yourself to see if anything is open that shouldn't be.
© mIRC Discussion Forums