[disa]

Recently I was having trouble accessing the internet. It was running very slowly or not at all. I'm using AOL (free hours) for the moment but I use IE to browse. Sometimes though IE won't show anything (page not found) while the AOL browser will. I didn't think it was AOL trying to stop me from using IE so I ran a virus scan (AVG) and was given a bill of clean health. The other day though out of the blue a DOS prompt popped up while I was surfing trusted websites that I know don't put stuff on your computer. The DOS prompt was trying to run some firedaemon program. I immediately closed the window and got 3 error prompts ('Do you want to send an error message to microsoft...etc'), 2 for firedaemon.exe and one for avirus.exe. I immediately ran another virus scan but it didn't show anything. I looked up the programs online and found firedaemon.exe related to backdoor hack programs so I got a firewall program and immediately saw a number of things trying to access my computer when I log online. I thought things might be a little better now since the internet was running ok in IE, but this morning IE stopped working again. Also when I reboot/restart my computer firedaemon.exe and avirus.exe try to boot themselves and fail giving the same error messages as the first time.

I have the most recent critical updates for Windows XP. I have run Housecall and it says I have no viruses, as does AVG. Here is my HijackThis log:

Logfile of HijackThis v1.98.2
Scan saved at 4:14:37 PM, on 8/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\dllcache\userlist.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\dllcache\runbatch.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\qkvrvor.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\qkvrvor.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Hijack This\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Virus Cleaner] C:\WINDOWS\System32\avirus.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Microsoft Update Machine] qkvrvor.exe
O4 - HKLM\..\RunServices: [Virus Cleaner] C:\WINDOWS\System32\avirus.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] qkvrvor.exe
O4 - HKCU\..\Run: [Virus Cleaner] C:\WINDOWS\System32\avirus.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] qkvrvor.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.game...nts/y/wt0_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop...cpConnCheck.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093099748153
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A6602D0-17F3-4F4C-8217-853E2F6EE84D}: NameServer = 192.168.0.1

I really don't want to have to reformat my computer over this if possible. I'm on a poor 56k connection atm and some of the programs I have would take literally days to recollect all their updates. Thank you in advance for all your help.

[Advertisements]

have you ran ad-aware or spybot?

[Hemal]

have you ran ad-aware or spybot?

[disa]

I've run AdAware and it only finds general spycookies that I pick up from GameFAQs. It hasn't found anything else.

[disa]

Any ideas on what could be wrong? I don't mean to sound pushy, but I'm just concerned that I will have to do a full drive wipe

[admin]

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.
O4 - HKLM\..\Run: [Microsoft Update Machine] qkvrvor.exe
O4 - HKLM\..\RunServices: [Virus Cleaner] C:\WINDOWS\System32\avirus.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] qkvrvor.exe
O4 - HKCU\..\Run: [Virus Cleaner] C:\WINDOWS\System32\avirus.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] qkvrvor.exe

(optional, but will improve system perfomance)
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

Reboot in safe mode (by tapping F8 at startup and select safe mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):
C:\WINDOWS\System32\qkvrvor.exe
C:\WINDOWS\System32\avirus.exe

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working.

[disa]

Logfile of HijackThis v1.98.2
Scan saved at 11:55:07 AM, on 8/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Program Files\America Online 9.0a\aolwbspd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A6602D0-17F3-4F4C-8217-853E2F6EE84D}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{E5746BDF-CB49-435E-B886-C23316F1EF5C}: NameServer = 205.188.146.146


After doing that, the avirus.exe stopped giving errors at startup, but firedaemon.exe still spit out a couple of errors.

I looked around online for more info on firedaemon.exe and since I know I didn't install it, I dug around on my computer (took some time) and found it. Nearby it were some interesting files about set up for some kind of irc ftp client. Dunno where it came from but I guess that is what was slowing down my computer connection. I've deleted firedaemon.exe but I haven't touched the other files yet as I'm not sure as to what is safe to get rid of. Since deleting firedaemon.exe, it hasn't resurfaced or given errors on startup.

Any suggestions on what I should do about the irc ftp files (servu) I found would be appreciated along with other filenames I should look for in coordinance with them.

[ditto]

What are these irc files? The IRC that I am thinking of is Internet Relay Chat where many spyware and viruses can come from. Perhaps if you have us the directory of where the files are located. For example C:\ProgramFiles\... and so on.

[disa]

Just so things are clear first, I personally don't use irc. This stuff was something someone put on my computer through whatever backdoor trojan this all originated. The odd irc files along with firedaemon.exe, etc all came from C:\WINDOWS\system32\dllcache

Some of the odd files that have stood out to me were:
1396 (a folder containing tar.exe)
svchost.dll
xdcc.config
ServUDaemon.ini
ServUStartUpLog.txt
winmgnt.dll
winmgnt.dll~
cygcrypt-0.dll
cygwin1.dll
TzoLibr.dll

I'm sure there are others, but those are just the ones that show up as being last modified before I put up the firewall. I know a lot of these files pretend to be legit files, so is there any way for me to find out exactly what all shouldn't be there without checking each item one by one?

[admin]

C:\WINDOWS\system32\dllcache

This is a very common location for trojans to be installed.

Please run a free online virus scan here:
http://housecall.antivirus.com/

And a free trojan scan here:
http://www.moosoft.com/

[disa]

Neither Housecall nor TheCleaner could find anything on my system. I looked at the AVG history to see where it last found any virus issues but none have ever come from that directory.

[admin]

Your log doesn't show any signs of an active infection, and all scans come up clear.

The only files I'd be concerned about are these:
ServUDaemon.ini
ServUStartUpLog.txt
TzoLibr.dll
I'd go ahead and delete them.

Click the Start button, and select Run
Enter this command line:
regsvr32 /u C:\WINDOWS\servuperfcount.dll

Also, search for these and delete if found:
my.asm
serv-u.hlp
servudaemon.exe
servuperfcount.dll
windll16.exe
servuperfcount.dll

[disa]

I deleted the files you listed. However, I couldn't find any that you listed in the second set there. Is it safe for me to delete any of the other files I listed such as the tar.exe? I looked at the svchost.dll in notepad and it just seems to be a log file of attempts to reach whatever irc ftp it was configured at. Thank you for your help and patience ^_^

[admin]

it safe for me to delete any of the other files I listed such as the tar.exe? I looked at the svchost.dll in notepad

Seems the trojan is gone, but these don't appear to be legitamate files and they should be safe to delete. I'd suggest backing them up to a floppy drive, just in case.

[disa]

Thank you again for all your help ^_^