
Backdoor.IRC.RPCBot or recycler


Original Message
Name: blinki2000
Date: July 14, 2005 at 05:48:21 Pacific
Subject: Backdoor.IRC.RPCBot or recycler
OS: Windows XP Home
CPU/Ram: 2.6GHz
Comment:

I think the name of this virus is Backdoor.IRC.RPCBot.

I'm told it does this:

1. Creates the folder, C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\LOGS, and copies Bot.rar into this folder.

2. Runs WinOLE.exe as a service. WinOLE.exe is a patched mIRC client program, and hooks the IRC file extensions in HKEY_LOCAL_MACHINE\Software\Classes, which call WinOLE.exe when chat files are opened.

3. Runs the file, Dhcpp.exe, which is a TFTP server.

4. Runs the file, Nctl.exe, which is an FTP server.

5. Runs the file, Events.exe, which is an IRC proxying server.

6. Sets the following values:

"BaseDirectory"="C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\LOGS"
"TftpPort"="00000045"
"Hide"="00000001"
"WinSize"="00000000"
"Negociate"="00000000"
"DirText"="00000000"
"ShowProgressBar"="00000000"
"Timeout"="00000003"
"MaxRetransmit"="00000006"
"SecurityLevel"="00000000"
"UnixStrings"="00000000"
"LocalIP"=""
"Beep"="00000000"
"VirtualRoot"="00000000"
"Services"="00000003"
"TftpLogFile"=""
"SaveSyslogFile"=""

in the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\TFTPD32

7. Sets the value:

"DisableWebDAV"="00000001"

in the registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters

8. Sets the values:

"EnableDCOM"="N"
"EnableRemoteConnect"="N"

in the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole

9. Connects to specified IRC servers and joins a channel to listen for commands from the Trojan's creator.

One such command is to exploit the DCOM RPC vulnerability: The Trojan connects to some randomly generated IP addresses to find computers that are listening at TCP port 135. Once the computer is found, it sends specially formed data, which exploits the DCOM RPC vulnerability, to that computer.

If the Trojan is successful, it may create a folder:

C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\LOGS

and TFTPs its components, bot.rar, unrar.bat, and unrar.exe, to the computer, and then runs itself there.


I have no idea what half of this means. Can anyone help me with that, and how do I get rid of it?

I've got the recycler file, and new folders are appearing all over the place, like this sort of transparent one called "System Volume Information" that I get a denied access message for when I try to open it, and I've got these "desktop.ini" files turning up all over the place.

No virus scanner has picked it up; I've got AVG Free, Spybot S&D and Ad-Aware.

Also, how do I get XP into MS-DOS?

Any help would be much appreciated.


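An added example, not code from this thread or from any vendor write-up: a host check for the indicators the description above lists (the SID-named RECYCLER drop folder, the TFTPD32 BaseDirectory, the DCOM and WebDAV registry values, and the component process names). The snapshot dict layout is an assumption of this example; `evaluate` is pure and runs anywhere on a constructed snapshot, while `collect_windows` reads the live host through `winreg` and `tasklist` and so only works on Windows.

```python
import os, subprocess, sys

# Indicators quoted in the post; the SID-named folder is the one the description gives.
BOT_DIR = r"C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\LOGS"
TFTPD32_KEY = r"SOFTWARE\TFTPD32"
OLE_KEY = r"SOFTWARE\Microsoft\Ole"
W3SVC_KEY = r"SYSTEM\CurrentControlSet\Services\W3SVC\Parameters"
BOT_IMAGES = {"winole.exe", "dhcpp.exe", "nctl.exe", "events.exe"}

def evaluate(snapshot):
    """Findings for a snapshot dict (assumed layout): 'dirs' = existing paths,
    'registry' = {HKLM subkey: {value name: data}}, 'processes' = image names."""
    findings = []
    if BOT_DIR.lower() in {d.lower() for d in snapshot.get("dirs", ())}:
        findings.append("drop folder present: " + BOT_DIR)
    reg = snapshot.get("registry", {})
    if str(reg.get(TFTPD32_KEY, {}).get("BaseDirectory", "")).lower() == BOT_DIR.lower():
        findings.append("TFTPD32 BaseDirectory points at the drop folder")
    ole = reg.get(OLE_KEY, {})
    if "N" in (ole.get("EnableDCOM"), ole.get("EnableRemoteConnect")):
        findings.append("DCOM disabled under HKLM\\" + OLE_KEY)
    # DWORD 1 is int 1 from winreg but the hex string "00000001" in the post's listing
    if str(reg.get(W3SVC_KEY, {}).get("DisableWebDAV")).lstrip("0") == "1":
        findings.append("WebDAV disabled under HKLM\\" + W3SVC_KEY)
    for name in sorted(BOT_IMAGES & {p.lower() for p in snapshot.get("processes", ())}):
        findings.append("bot component running: " + name)
    return findings

def read_hklm(subkey):
    """All values under an HKLM subkey, {} if absent. Windows only (winreg)."""
    import winreg
    values, i = {}, 0
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            while True:  # EnumValue raises OSError once the values run out
                name, data, _ = winreg.EnumValue(key, i)
                values[name], i = data, i + 1
    except OSError:
        pass
    return values

def collect_windows():
    """Snapshot of the live host: drop folder, the three registry keys, tasklist output."""
    csv = subprocess.run(["tasklist", "/FO", "CSV", "/NH"], capture_output=True, text=True).stdout
    return {"dirs": {p for p in (BOT_DIR,) if os.path.isdir(p)},
            "registry": {k: read_hklm(k) for k in (TFTPD32_KEY, OLE_KEY, W3SVC_KEY)},
            "processes": {l.split('","')[0].strip('"') for l in csv.splitlines() if l.strip()}}

if __name__ == "__main__" and sys.platform == "win32":
    print("\n".join(evaluate(collect_windows()) or ["no RPCBot indicators found"]))
```

Process names alone are weak evidence (Events.exe in particular is a generic name), so treat a hit there as a prompt to inspect the file's location and the service that started it, not as confirmation on its own.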


Response Number 1
Name: andy1
Date: July 14, 2005 at 08:17:21 Pacific
Reply:

Agobot removal instructions. These should help you; Backdoor.IRC.RPCBot.exe is a part of this spyware.



Response Number 2
Name: blinki2000
Date: July 14, 2005 at 08:56:09 Pacific
Reply:

Apologies for being an idiot, but does "Kill the following processes" mean delete the files? I also can't find most of them, even with search.

And where are the DLLs, so I can delete them?



Response Number 3
Name: blinki2000
Date: July 14, 2005 at 09:03:22 Pacific
Reply:

Just noticed in C:\Documents and Settings I have NetworkService, LocalService and DefaultUser.

I don't think they were there before; it was just the folders with the names of the users. Are they part of the virus?



Response Number 4
Name: blinki2000
Date: July 14, 2005 at 11:01:04 Pacific
Reply:

Ignore responses 2 and 3.
Is there a fast way to find files in the registry?

