I started up my computer this morning and for some reason, a program c:\windows\system32\nvsvcd.exe generated an error on startup and asked me whether I wanted to send an error report or not to Microsoft. I chose not to send and then went on the Internet to check what the hell NVSVCD.EXE was. To my surprise, it is the Trojan.IRCBot-FP malware.
I have avast home edition installed with the latest definitions. I scanned this file by right-clicking on the program and selecting scan nvsvcd.exe. Avast didn’t warn me that it was bad.
I have since deleted the file.
My question is whether Avast detects trojans, and whether this file is indeed a trojan or just a legitimate file?
If Avast Antivirus or Avast Boot Scan detects IRCBot.SS during the scan, it will automatically offer you the option of deleting it. Do this by following the program’s instructions.
Finally, restore the original configuration of your computer by following the instructions below:
* Delete the entry IRCBot.SS has created in the Windows Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
nvsvcd = %sysdir%\smss.exe/w
where %sysdir% is the Windows system directory.
* Restart the computer.
* In order to make sure that IRCBot.SS is completely eliminated from your computer, carry out a full scan of your computer using Boot Scan in Safe Mode.
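The registry and file checks from the removal steps above can be run read-only before deleting anything. This is an added PowerShell example, not part of the original posts; the RunOnce and HKCU keys are assumptions added here (other standard autostart keys), while the value name and file names come from the thread.

```powershell
# Added example: read-only check for the autostart value and file named in this thread.
# Nothing is deleted or modified.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',      # key named in the thread
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',  # assumption: not in the thread
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',      # assumption: not in the thread
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'   # assumption: not in the thread
)

# Names from the thread: value "nvsvcd", data pointing at smss.exe.
# The legitimate smss.exe (Session Manager) is started by the kernel at boot,
# not from a Run key, so any Run value that launches it deserves a look.
$pattern = 'nvsvcd|smss\.exe'

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        # Read the raw data so %variables% are shown as stored, not expanded
        $data = [string]$item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        if ($name -match $pattern -or $data -match $pattern) {
            [pscustomobject]@{ Key = $key; Name = $name; Data = $data }
        }
    }
}

if ($findings) {
    $findings | Format-List
} else {
    Write-Output 'No autostart value matching nvsvcd or smss.exe in the checked keys.'
}

# File named in the first post: c:\windows\system32\nvsvcd.exe
$file = Join-Path $env:SystemRoot 'System32\nvsvcd.exe'
if (Test-Path -LiteralPath $file) {
    # -Force so a hidden or system attribute does not hide the file
    Get-Item -LiteralPath $file -Force |
        Select-Object FullName, Length, CreationTime, LastWriteTime
    # Hash the file before removal so it can be checked against scanner results
    Get-FileHash -LiteralPath $file -Algorithm SHA256
} else {
    Write-Output "$file is not present."
}
```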
Thanks. I followed those instructions but no virus/trojan was found during the scans… probably because I deleted the file.
However, the registry entry that your instructions said to remove, to prevent it from starting up on boot, did not exist. I found that kind of odd because the program was starting up during the boot process and fortunately for me, it crashed.
I also ran adaware and spybot and they didn’t find anything other than tracking cookies.
Are there any free programs out there that I can download to specifically look for trojans/rootkits, etc.?
Do not fear. If you had that, you would see CPU action while apparently nothing visible to you is going on, or you would see actions from the inside out through the firewall that are unexplained by a process.
More clearly said, the rootkit should reveal its presence in some way.
I ran the avast boot time scanner and it didn’t find any other problems. I didn’t download the ewido, but I did do an online scan using Panda’s online scanner. It didn’t pick up anything further either.
Watch out for alerts on Panda’s unencrypted virus signatures (that it dumps in a sub folder, \system32\Active Scan folder) when you next do an avast scan. There are other on-line scans that don’t do this: On-line Virus Scanners and other useful Links, Security-Ops.eu.tt