
Trojan Horse IRC/BackDoor.SdBot.MYX


MTOW
10th Nov 2005, 13:57
I've just discovered that my systems (PC and laptop) are infected with this nasty. I'm currently following the rather long and convoluted instructions to remove this trojan horse, the first attempt (which took most of the day) proving not to have been successful.

My question here is: how nasty is this virus? AVG misses it unless you specifically go for a System file sweep, but (as every other person who's asked for help online says), it does not get rid of it.

My main concern is to know whether it is just (just!!!) a tracker, or whether it is something more. For instance, should I be concerned that it might also contain a keystroke tracker? If so, some ***** has had access to my banking details for some time now.

Spinflight
11th Nov 2005, 10:27
I've had a similar one MTOW, an IRC.backdoor.sdbot anyway. It is pretty nasty; basically it allows someone to control your computer through IRC. Generally it's used to launch DOS attacks or similar.

It was a while back but I finally nailed it in safe mode by sifting through recently modified files. None of the anti-virus packages I used picked it up. It would launch from system32/dllcache though if you deleted that then it would re-appear a couple of boots later. I'm afraid I can't remember where I found the 'mothership' virus if you like, in all it took me over a month I reckon.

Oracle
11th Nov 2005, 13:26
MTOW - sorry for your serious infection - I've been dealing with several friends' computers (unprotected by anti-spyware and suitable AV software) during the last few months and the chances are that if you have a solid infection, you will be better off saving all your data to disc and then reformatting the computer using your manufacturer's disks. Often some form of restoration can be achieved by using the removal methods suggested, but in the end (with virulent trojans like this one) your WIN XP will end up looking (and working) like a Swiss cheese! They also usually send themselves to all your friends if you use MS Outlook!

Remember also that nearly all trojans and their relatives in the Virus world will also infect your System Restore file - so if you are going to have a go removing it ensure that you switch OFF System restore first (SETTINGS/CONTROL PANEL/SYSTEM/SYS RESTORE) or the nasty will reinfect your system immediately after it next reboots!

It might indeed be possible (if you are lucky) to use Norton Internet Security (spyware edition 2005) TO 'PRE-SCAN' your hard drive before/during installation of said AV software. No guarantees that this will get everything though or leave your computer usable at its former speed.

Safest bet is to make (regular) hard copies of your data to disc and reformat your hard drive and then when you start up again, with your re-installed WIN XP SP 1 or 2, AND BEFORE doing anything else, fully install Norton IS/AV (or whichever AV prog you choose) - using pre-scan if available during the installation process, reboot, update your AV software and then scan the beast again before you do anything else. Next, reset system restore and then create a RESTORE POINT (good to do regularly during your restoration work so that you can backtrack at any time to the last stage if there is a cock-up). Next, update WINDOWS to the latest Service Pack (2) and essential updates (WINDOWS UPDATE on the main menu). On completion, reboot and create another SYS RESTORE point. I would also recommend you then install MICROSOFT's own ANTISPYWARE BETA from their website (www.microsoft.com - search SPYWARE BETA) before doing anything else as this programme will inoculate your newly restored system and protect it to a large degree from nasties creeping back in. You then have the choice of loading your own commercial anti-spyware programmes (WEBROOT SPYSWEEPER and SPYWARE DOCTOR are very good) or get freeware like SPYBOT and AD-AWARE which you can find doing a Google search. WWW.CNET.COM (downloads tab) is also a very good place to find all available freeware and commercial software with gradings and recommendations for use. If you haven't a commercial firewall programme you can also download ZONEALARM - which in its free version will keep an eye on incoming/outgoing traffic (especially if you are on broadband/ADSL) and can be used to halt all traffic in and out if you are away for a while. The ZONE ALARM PRO (cash required) is good at the whole range of anti-spyware etc. protections.

Lastly - I would NOT activate your Antivirus software until you are 100% happy with your computer and have reached the end of the grace period - as otherwise you may waste the limited number of activations per AV disc if it all goes to custard again!

If you have an account with either McAfee or Norton (mcafee.com/SYMANTEC.COM) you can also scan your computer directly from their websites to try and find the nasties and remove them. REMEMBER to turn off your system restore beforehand though, unless you have reformatted and reloaded your WIN XP!

Hope this helps - good luck!

MTOW
12th Nov 2005, 17:41
Thanks to all for the replies. I've gone through the horribly time-consuming procedure the Geeks Forum recommends, and although AVG no longer finds a virus on my system, if I do a Systems Files scan, the nasty virus box appears along with a message about a change to the MBR.

Can anyone explain whether this is (as I suspect it is) a problem?

I'd really like an hour or two alone with the *** cretins who create these damn viruses, preferably with a can of petrol, a vise, a blunt, rusty razor blade and a match.

Spinflight
12th Nov 2005, 22:08
Go through your system32 and system32/dllcache folders looking for recently modified files. Anything that has been modified in the last month should be sent to virusscan.jotti.org for testing under lots of different AV software.

Even if you nail 1 copy don't stop till all recently modified files have been tested. As I recall I had 3 copies on my HD, I think it was the one in //dllcache that I didn't find till much later.

Only three of the AV programs on Jotti's picked up the strain of SdBot that infected my computer. My own copy of AVG didn't but AVG did on Jotti's, though that server runs on Unix.

Searching for solutions on the web was difficult because the SdBot was set to ping some poor sod's website, hence nicking all of my bandwidth.

MTOW
13th Nov 2005, 06:14
Gave up and did clean installs on two PCs. All was well for 24 hours, but now, on both computers, when I do a Systems Files scan with AVG, I get three "change" warnings (all on countdown clocks):

C:\WINDOWS\system32\user32.dll
C:\WINDOWS\system32\shell32.dll
C:\WINDOWS\system32\ntoskrnl.dll

However, after that, AVG says 'no virus found'.
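An added example, not code from any poster in this thread, that automates the two checks discussed above: Spinflight's "list recently modified files in system32 and dllcache and get them scanned" procedure, and MTOW's three flagged system files. It assumes an elevated PowerShell 5.1 or later session on Windows; the $Days value, the folder list and the three file paths (taken as written in the last post) are placeholders to adjust.

```powershell
# Added example (not from the thread): triage recently modified files in
# system32 and its dllcache, the folders the posts above point at, and the
# three system files the last post names. Assumptions: run in an elevated
# PowerShell 5.1+ session on Windows; $Days and the path lists are placeholders.
param(
    [int]$Days = 30,
    [string[]]$Folders = @("$env:SystemRoot\system32", "$env:SystemRoot\system32\dllcache"),
    [string[]]$NamedFiles = @(
        "$env:SystemRoot\system32\user32.dll",
        "$env:SystemRoot\system32\shell32.dll",
        "$env:SystemRoot\system32\ntoskrnl.dll"   # spelled as in the post; may not exist
    )
)

function Get-FileTriage {
    param([System.IO.FileInfo]$File)
    $sig = Get-AuthenticodeSignature -FilePath $File.FullName
    $signer = ''
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    [pscustomobject]@{
        Path      = $File.FullName
        Modified  = $File.LastWriteTime
        SizeBytes = $File.Length
        SHA256    = (Get-FileHash -Path $File.FullName -Algorithm SHA256).Hash
        Signature = $sig.Status      # Valid / NotSigned / HashMismatch ...
        Signer    = $signer
    }
}

$cutoff = (Get-Date).AddDays(-$Days)
$recent = foreach ($dir in $Folders) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -gt $cutoff }
    }
}

# Recent files without a valid embedded signature are the ones worth
# submitting to a multi-engine scanner (the posts use virusscan.jotti.org).
$recent | ForEach-Object { Get-FileTriage $_ } |
    Where-Object { $_.Signature -ne 'Valid' } |
    Sort-Object Modified -Descending |
    Format-Table Modified, Signature, SHA256, Path -AutoSize

# The three files the last post names: report hash and signature status so
# they can be compared against a known-good install instead of guessed at.
foreach ($p in $NamedFiles) {
    if (Test-Path $p) { Get-FileTriage (Get-Item $p) | Format-List }
    else { Write-Warning "$p not present" }
}
```

Many Microsoft system binaries are catalog-signed rather than carrying an embedded signature, so a NotSigned status on its own is not proof of tampering; the SHA256 column compared against the same file on a known-clean install is the decisive check.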