Sorry for the OT subject, but I am at such a loss for ideas...  Someone or some group has taken over a client's server. Whether it's Back Orifice or some kind of remote management tool, they have complete control of the mouse, keyboard, and system when they log in, and they are running all kinds of services, have changed the mail server software a couple times, and installed a bunch of apps.  I have caught them on the box a couple times by sitting on PCAnywhere and waiting for them to start working, and they are very ballsy; I have to fight for mouse control.  The box is running WinNT 4.0 SP6a, IE 6, and all current patches.  Norton is up to date and has only found the KLEZ virus but nothing else.  The following are some apps I found and removed, but they are still getting on:
 
 
ncx99.exe
tftp.exe
root.exe
winlogin.exe
hidewidows.exe
printhack.exe
Analogx
 
Norton quarantined the following:
temp.exe
spool.exe
install.exe
SQLExec.exe
 
SQL Exploit Monitor (can't find the exe file), but I saw them using it.
 
 
These files were in many locations and I think I got them all, but they are still getting into the box and I have no clue what to do next.
 
 
 