Ok, here's what I've found so far....

TCPView listed this:
system.exe:2096 TCP my.ip.client.dsl.net:1039 218.22.2.153:6667 ESTABLISHED

System.exe was located in c:\winnt\system32

The only info I could find on this was here:
http://www.sophos.com/virusinfo/anal...ushtro122.html

However, the server.exe that it says is put in the winnt directory isn't there.

Anyway, I've stopped the process and removed the registry key that went with it, and the connection did go away. So I'm guessing it wasn't the one Sophos is talking about; might have just changed the name of an IRC client or something, not sure. Anyway, I'll probably get a sniffer and start it up on a test server just to see what it's doing.

Thanks for your help
Greg
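
An added example, not part of the post above: a small Python filter that reads TCPView-style lines in the layout quoted in the post and reports established connections to IRC ports, which is the pattern that stood out here. The port set beyond 6667, the names `parse_line` and `flag_irc`, and every sample line except the first are assumptions made for illustration.

```python
import re
from typing import List, NamedTuple, Optional

# 6667 is the remote port seen in the post; the other ports are an assumption
# (ports IRC servers also commonly listen on).
IRC_PORTS = set(range(6660, 6670)) | {7000}

# Layout of the line quoted in the post: image:pid proto local:port remote:port state
LINE_RE = re.compile(
    r"^(?P<image>.+?):(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<local>\S+):(?P<lport>\d+)\s+"
    r"(?P<remote>\S+):(?P<rport>\d+)"
    r"(?:\s+(?P<state>[A-Z0-9_]+))?\s*$"
)

class Conn(NamedTuple):
    image: str
    pid: int
    remote: str
    rport: int
    state: str

def parse_line(line: str) -> Optional[Conn]:
    """Parse one TCPView-style line; return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Conn(m["image"], int(m["pid"]), m["remote"], int(m["rport"]), m["state"] or "")

def flag_irc(lines: List[str]) -> List[Conn]:
    """Return established connections whose remote port is an IRC port."""
    conns = (parse_line(l) for l in lines)
    return [c for c in conns if c and c.state == "ESTABLISHED" and c.rport in IRC_PORTS]

# First line is the one from the post; the rest are constructed sample data.
SAMPLE = [
    "system.exe:2096 TCP my.ip.client.dsl.net:1039 218.22.2.153:6667 ESTABLISHED",
    "iexplore.exe:1500 TCP testhost:1040 192.0.2.10:80 ESTABLISHED",
    "mirc.exe:1720 TCP testhost:1041 192.0.2.20:6667 TIME_WAIT",
    "svchost.exe:812 TCP testhost:135 *:* LISTENING",
]

if __name__ == "__main__":
    for c in flag_irc(SAMPLE):
        print(f"{c.image} (pid {c.pid}) -> {c.remote}:{c.rport} {c.state}")
```

A hit only says which process to look at next; whether the image is a renamed IRC client or something else still has to be checked on the host.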