recovering from hack/trojan

From: L H (manklub_at_hotmail.com)
Date: 04/24/04


Date: Sat, 24 Apr 2004 10:53:59 -0700

Hi.

For the past 6 months, we have been struggling with a
compromised network. There were many indicators that we
were being monitored, such as the webcam coming on
spontaneously, or the audio ceasing to come over the
speakers while diagnostics said that it was working. At
one point I even got a splash screen that said "YOU ARE
BEING WATCHED". Codecs for streaming audio and video
appeared that were not removable (i.e. the Uninstall or
Remove button was disabled). The firewalls were having
rules installed, and hidden remote access adapters and
protocols would appear in command-line utilities such as
netsh and netstat but were not removable. Group policies
keep getting applied to our computers, which start out
benign, but eventually lock us out of our computers
entirely. By the time we start being denied access to our
own network and internet connections, we also lose
property sheets to many files, objects and folders. Other
indicators or symptoms are that the contents of
installation CDs change, and the hard drives never show
more than 2 Gigabytes of used space. Evidently, the
drives get redirected to virtual drives. The Distributed
Transaction Tracking, Remote Registry, COM+, WBEM and DCOM
services, among others, get re-enabled shortly after we
disable them. If (and we have been doing this at least 2
times a week per machine for 6 months) we reformat and
reinstall (flashing the BIOS as a precaution), and use new
Workgroup names, the old workgroup name comes back,
eventually. Firewalls get changed or disabled, virus
scanners don't detect anything and run way too quickly, in
my opinion.

The following program groups show up almost every time,
soon after an install (I will try to build a tree). Keep
in mind, we DO NOT INSTALL IIS! There are also older
versions of Windows Media (4.2, I think), IE5 and 4 and
FrontPage installed.

Folder PATH listing
-C:\Program Files
---Common Files
│ ---InstallShield
│ │ ---Engine
│ │ │ └───6
│ │ │ ---Intel 32
│ │ ---IScript
│ ---Microsoft Shared
│ │ ---DAO
│ │ ---Microsoft Plus!
│ │ │ ---1033
│ │ │ ---LaunchAppContent
│ │ │ ---1033
│ │ ---MSInfo
│ │ ---Speech
│ │ │ ---1033
│ │ ---Stationery
│ │ ---TextConv
│ │ ---Triedit
│ │ ---VGX
│ │ ---Web Folders
│ │ ---web server extensions
│ │ ---40
│ │ ---admcgi
│ │ │ ---scripts
│ │ ---admisapi
│ │ │ ---scripts
│ │ ---bin
│ │ │ ---1033
│ │ ---bots
│ │ │ ---vinavbar
│ │ ---isapi
│ │ │ ---_vti_adm
│ │ │ ---_vti_aut
│ │ ---servsupp
│ │ ---_vti_bin
│ │ ---_vti_adm
│ │ ---_vti_aut
│ ---MSSoap
│ │ ---Binaries
│ │ ---Resources
│ │ ---1033
│ ---ODBC
│ │ ---Data Sources
│ ---Services
│ ---SpeechEngines
│ │ ---Microsoft
│ │ ---Lexicon
│ │ │ ---1033
│ │ ---SR
│ │ │ ---1033
│ │ ---TTS
│ │ ---1033
│ ---System
│ ---ado
│ ---msadc
│ ---Ole DB
---ComPlus Applications
---Internet Explorer
│ ---Connection Wizard
│ ---PLUGINS
│ ---SIGNUP
│ ---Yahoo
---Messenger
---microsoft frontpage
│ ---version3.0
│ ---bin
---MSN Gaming Zone
│ ---Windows
---NetMeeting
---Online Services
---Outlook Express
---Windows Media Player
│ ---Skins
│ ---Visualizations
---Windows NT
│ ---Accessories
│ ---Pinball
---xerox
│ ---nwwia

There are many other things going on, such as IPX, NetBEUI,
etc... File systems have changed from NTFS to FAT32,
FAT12 and FAT16. Wowexec shows up running in Task Manager
and filenames go from lower to upper case. Microsoft help
desk personnel told us that all of this was impossible,
yet for some reason Microsoft has now released service
packs that address these issues, and others that I have
not enumerated here. The service packs, however, do not
appear to get the backdoors or trojans or hackers or
whatever out of our compromised machines. Reformatting
and reinstalling and changing hardware including mobos,
CPUs, etc. seems to do no good, nor does staying off the
internet. We get something called "Microsoft Raw Channel
Protocol" installed and bound to network adapters with a
characteristic of "NCF_hidden". We have DLLs and INF
files that have suspicious misspellings and terminology in
them, and deleting and/or disabling and/or uninstalling
the suspicious items cause "session manager" blue screens
or the system file monitor restores them.

I have lots more but this will sum it up -- HELP!
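Added example, not part of the original post and not the poster's own tooling: a batch script that records the settings the post describes as reverting (service start types, network transport bindings and their NCF_HIDDEN flag, workgroup name, listening sockets, the Program Files tree and the web server extension folders) into a baseline taken right after a clean rebuild, and on later runs diffs a fresh snapshot against that baseline. A plain textual diff of this kind turns the "it came back eventually" symptoms into a dated record of exactly which setting changed and when. It assumes only Windows 2000/XP built-ins (sc, reg, netsh, netstat, net, tree, fc); the service names, registry class key and folder paths are assumptions chosen for the example and should be adjusted to the host.

```batch
@echo off
rem Added example (not from the original post): snapshot the host settings the
rem poster says keep reverting, and diff later snapshots against a baseline.
rem Assumes Windows 2000/XP built-ins only: sc, reg, netsh, netstat, net, tree, fc.
rem Service names, registry paths and folders below are assumptions for this
rem example; adjust them to the host being checked.
rem Usage:  hostcheck.cmd baseline     (once, on the freshly rebuilt machine)
rem         hostcheck.cmd compare      (later; prints every difference)
setlocal
set "OUTDIR="
set "BASEDIR=%~dp0baseline"
set "SNAPDIR=%~dp0snapshot"
if /i "%~1"=="baseline" set "OUTDIR=%BASEDIR%"
if /i "%~1"=="compare"  set "OUTDIR=%SNAPDIR%"
if not defined OUTDIR (
    echo usage: %~nx0 baseline ^| compare
    exit /b 1
)
if not exist "%OUTDIR%" mkdir "%OUTDIR%"

rem 1. Start type of the services the post says get re-enabled after being
rem    disabled. "sc qc" prints START_TYPE (2 AUTO_START, 3 DEMAND_START,
rem    4 DISABLED). Names are assumptions: Remote Registry, MS DTC, COM+
rem    System Application, WMI (WBEM) and the DCOM launcher (XP SP2+ only).
(for %%S in (RemoteRegistry MSDTC COMSysApp winmgmt DcomLaunch) do (
    sc qc %%S 2>nul | findstr /c:"SERVICE_NAME" /c:"START_TYPE"
)) > "%OUTDIR%\services.txt"

rem 2. Network transport (protocol) class key. Each bound protocol has a
rem    Characteristics DWORD; bit 0x8 is NCF_HIDDEN, which keeps the component
rem    out of the Network Connections UI but not out of this export.
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E975-E325-11CE-BFC1-08002BE10318}" /s > "%OUTDIR%\nettrans.txt" 2>&1
netsh interface ip show config > "%OUTDIR%\netsh-ip.txt" 2>&1

rem 3. Workgroup ("Workstation domain") and the sockets that are open for
rem    inbound traffic. Established connections are dropped to avoid diff noise.
net config workstation > "%OUTDIR%\workstation.txt" 2>&1
netstat -an | findstr /c:"LISTENING" /c:"UDP" > "%OUTDIR%\listening.txt"

rem 4. Program Files tree, the post's own evidence, in ASCII so it diffs cleanly.
tree "%ProgramFiles%" /a > "%OUTDIR%\programfiles.txt"

rem 5. Folders that only exist when IIS or the FrontPage extensions are installed.
(for %%D in ("%ProgramFiles%\Common Files\Microsoft Shared\web server extensions" "%SystemRoot%\system32\inetsrv") do (
    if exist "%%~D\" (echo PRESENT %%~D) else (echo absent  %%~D)
)) > "%OUTDIR%\webext.txt"

if /i "%~1"=="baseline" (
    echo baseline written to "%BASEDIR%"
    exit /b 0
)

rem Compare mode: fc prints "no differences encountered" for identical files,
rem otherwise the differing lines, so anything that "came back" shows up here.
for %%F in ("%BASEDIR%\*.txt") do (
    echo === %%~nxF ===
    fc "%%~fF" "%SNAPDIR%\%%~nxF"
)
endlocal
```

Run the baseline once from a clean install, copy the baseline folder to removable media the machine cannot write to, and run the compare at intervals; a change in services.txt, nettrans.txt or webext.txt between two runs gives a timestamp and a concrete setting to investigate rather than a general feeling that the machine has drifted.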