Yesterday I came to my PC, which runs 24x7, and found that Explorer was not running.
My immediate thought was that someone had broken into my PC and messed with it and, as a side effect, this person killed Explorer.

I looked in the task manager and found a strange task FireDaemon running. I found contradicting information on the web about this file. Some pages (around 4 of the 5 that I visited) say it is a legitimate tool that enables you to run a regular application as a service.
Only one web site said it was a back door (trojan horse).
I believe that the version of FireDaemon that I list below is indeed a trojan horse.
It is called TR/Servuftp.B

I could not shut FireDaemon.exe down through the task manager.
I looked for FireDaemon on my disk and found it in
C:\WINNT\system32\spool\PRINTERS

There were a bunch of other files that do not belong there. In fact, I believe that this whole folder should be empty.

I took a snapshot of this Windows installation a while ago and burned it on a CDROM.
I am writing this 9/12/2006 and this snapshot was actually taken on 2/10/2001.
Yes, 5 years and 7 months ago. But I have not installed much software since then.
Certainly no new hardware and most definitely no printers.
The folder was empty back then.

My conclusion was that I had to delete the files in this folder.

All except these 4 files were deleted in the first attempt: FireDaemon.exe, BugSlayerUtil.dll, libeay32.dll, events.exe.
I terminated FireDaemon.exe using a process tool (pv.exe). Then I could delete it.
I terminated events.exe (also using pv.exe) and then I could delete events.exe and the two DLLs.

I ran a virus scanner which found no problems now.

I still think someone may have had access to my machine and changed the admin password. I took a look in the list of users and found an account that I had not seen before (see posted picture below - user 'ctouu'.) I deleted that account. I don't remember why I would need an account ASPNET and deleted that one as well ;-)

C:\WINNT\system32\spool\PRINTERS>dir
 Volume in drive C has no label.
 Volume Serial Number is 046A-15F1

 Directory of C:\WINNT\system32\spool\PRINTERS

09/01/2003  05:23a                   0 hexxed.txt
02/10/2001  05:30p      <DIR>          ..
02/10/2001  05:30p      <DIR>          .
01/19/2004  04:09a                  15 hacked.bat
10/22/2003  07:30p                  54 rmtxp.bat
07/27/2004  02:29p                  75 make.bat
05/25/2003  03:12a                 135 sleep.com
05/26/2003  04:22a                 275 chgdir.dll
09/11/2006  03:38p                 296 a3d.hlp~
01/16/2005  11:34p                 327 osinstall.bat
09/11/2006  03:38p                 348 a3d.hlp
09/12/2006  05:53p                 616 ServUStartUpLog.txt
01/30/2002  05:03p                 963 Servucert.key
01/30/2002  05:03p                 973 Servucert.crt
05/20/2006  09:43p               1,291 Wm.txt
09/12/2006  05:53p               1,306 servudaemon.ini
09/13/2002  04:01p               2,267 FireDaemon.dtd
10/16/2004  05:27p               4,608 cygcrypt-0.dll
03/11/1999  09:23p              10,752 BugSlayerUtil.dll
12/26/2004  11:06p              13,729 hex.exe
04/07/2003  12:26a              30,640 cygregex.dll
11/30/2001  02:13p              36,864 TzoLibr.dll
10/12/2002  08:55p              40,960 FireDaemon.exe
03/14/2001  09:33p              62,464 ServUPerfCount.dll
09/30/2003  12:58p              67,584 ssleay32.dll
05/24/2003  04:23a             118,784 SvcAdmin.dll
08/05/2003  05:53a             128,784 Imagehlp.dll
10/16/2004  05:27p             442,249 cygwin1.dll
01/15/2002  08:48a             675,840 libeay32.dll
03/01/2004  01:46p             769,024 events.exe
11/02/2001  09:23p             938,062 libxml2.dll
              29 File(s)      3,349,285 bytes
               2 Dir(s)   2,461,302,784 bytes free

C:\WINNT\system32\spool\PRINTERS>del.
C:\WINNT\system32\spool\PRINTERS\*, Are you sure (Y/N)? y
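
An added example, not part of the original post: a Python sketch that parses `dir` output like the listing above and tags each file, using the post's statement that the folder was empty in the 2/10/2001 snapshot. The extension set, tag names and function names are assumptions of this example; the sample lines are copied from the listing.

```python
import re
from datetime import datetime

# Baseline from the post: snapshot taken 2/10/2001, folder empty at that time.
BASELINE = datetime(2001, 2, 10)
# Assumption of this example: extensions treated as executable or script content.
RISKY_EXT = {".exe", ".dll", ".bat", ".com"}

# Sample input: a few lines copied from the listing in the post.
SAMPLE = """\
02/10/2001  05:30p      <DIR>          ..
01/19/2004  04:09a                  15 hacked.bat
09/12/2006  05:53p                 616 ServUStartUpLog.txt
03/11/1999  09:23p              10,752 BugSlayerUtil.dll
10/12/2002  08:55p              40,960 FireDaemon.exe
03/01/2004  01:46p             769,024 events.exe
              29 File(s)      3,349,285 bytes
"""

# date, time, a/p marker, size with thousands separators, file name
ENTRY = re.compile(r"^(\d\d/\d\d/\d{4})\s+(\d\d:\d\d)([ap])\s+([\d,]+)\s+(.+?)\s*$")

def parse_dir(text):
    """Yield (last_written, size, name) per file; <DIR> and summary lines are skipped."""
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            date, clock, half, size, name = m.groups()
            stamp = datetime.strptime(f"{date} {clock}{half.upper()}M", "%m/%d/%Y %I:%M%p")
            yield stamp, int(size.replace(",", "")), name

def triage(text, baseline=BASELINE):
    """Every file is a finding (folder was empty at baseline); tags add context."""
    findings = []
    for stamp, size, name in parse_dir(text):
        ext = "." + name.rsplit(".", 1)[1].lower() if "." in name else ""
        tags = []
        if ext in RISKY_EXT:
            tags.append("executable-or-script")
        if stamp < baseline:
            # Timestamp older than the empty-folder baseline: it cannot be the arrival time.
            tags.append("mtime-predates-baseline")
        findings.append((name, size, stamp, tags))
    return findings

if __name__ == "__main__":
    for name, size, stamp, tags in triage(SAMPLE):
        print(f"{stamp:%Y-%m-%d %H:%M} {size:>9} {name:<22} {','.join(tags) or '-'}")
```

BugSlayerUtil.dll carries a 1999 timestamp although the folder was empty in 2001, because a copy keeps the source file's last-written time; the dates in the listing therefore do not show when the files arrived.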