IRC/SdBot Trojan won't go away

Almost every day my NOD32 informs me as follows:
------------------
18.08.05 9:30:21 AMON file C:\WINNT\winlogon.pif IRC/SdBot trojan deleted USER-B9F73EB2C6\Eric Event occurred at an attempt to access the file by the application: C:\WINNT\Explorer.EXE.
-------------------
It then informs me that the file can be deleted, so I delete it. Next day it's back again.
I run Windows 2000.
I found a suspicious entry in the name of "winlogon.pif" in the registry at :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices, but did not wish to delete this without advice.

Can anyone guide me on how to get rid of this nuisance? I have already set my firewall to prevent winlogon.pif from accessing the internet, but cannot get rid of it

 

Hi rbcapricorn, welcome to Wilders.

Can you please ensure the Nod32 scanner is set according to this post, then reboot your computer into "Safe Mode" and run a scan with Nod32.

Let us know how you go...

Cheers

 

Thanks for the help.
I went through all the settings and changed what was required. To be perfectly honest I got a bit lost on the command line options in the scan scheduling, but as I have all the options marked as required and have set this for all scans, I don't think I'm missing anything.
I then did a scan after rebooting into safe mode and came up with many infected files which were then deleted.
I then did a system backup and ran Registry 1st Aid. I have attached the relevant parts of the log.
I wanted to attach the log of the scan but for some reason it doesn't appear in the logs. Is this because I ran it in safe mode?
Now all that remains is to wait and see if the intruder pops up again.

Again, thanks.

 

Get rid of winlogon.pif will certainly help get rid of sdbot. It can be a real pain in the a*s!

 

My pleasure.

You might like to take a run through that entire thread and tweak Nod32 up.

If you get stuck on anything let us know and we will walk you through it...

Cheers

 

Only thing that had me a bit puzzled was the way you configured the scheduled scan.
What I had done was instead of choosing "execution of an external application", I chose "on demand scanner" and then set it to run in the Control Centre profile, which had already been set up for maximum security and to operate for all the options.
Basically, I think I achieved the same effect.
Am I wrong or missing something?
I got a bit lost on all the switch options in the Command Line.

By the way, your guide pages are excellent. Keep up the good work (and I thought that on the Gold Coast people were so busy sunbathing and diving that they didn't have time for anything else...)

 

That’s another way of doing a scan.

No, many ways to skin a cat (or make soup with it aye Marja )

You can copy and paste the switches that I use in, it will give you the nastiest scan available

Oh I just walked back from the beach to answer you post, hmmmm where is my pina colada and sunscreen