blonde poker forum
Topic: NP Tech help: Anyone a Windows XP security guru??
Suited_Jock
« on: February 26, 2007, 12:35:14 PM »

Basically my dad's PC has been hacked through an LSA exploit.

They have created various different user accounts on his machine.
They have installed a dialler which has overridden the ADSL connection.
They have disabled the firewall and are allowing connections through every port under the sun.

When I ran netstat there were over 200 addresses either connected or waiting to connect (is it spreading a worm?)
There is a log file in the root of C:\ with various connects to irc.test.net

They had full access to it, as when I switched on the firewall to try and figure out wtf is going on it was instantly switched back off again.

I'm a systems administrator by trade but really don't have that much knowledge or exposure to the home security side and Windows exploits.

Obviously it's disconnected from the web now and it's about to be reimaged tonight, but I want to gather information should this PC be performing illegal operations and he is to get the blame for it.

It was running Windows Firewall with Avast Home Edition as the AV, being automatically updated.

I need to find out what it is being used for.
How can I trace and report this?
RichEO
« Reply #1 on: March 05, 2007, 03:50:09 AM »

The Met website says to report to your local police: http://www.met.police.uk/computercrime/index.htm. This will probably make things easier if it turns out the PC was used for something particularly illegal, but I doubt they will investigate anything unless you know it has been used to commit a crime.

Maybe your ISP will be able to give you some information on what traffic your IP has been involved with.

As far as I know, any of the tools to monitor/track the traffic would need to be installed while the connections are taking place, so unless you're planning on reconnecting the infected PC to the net then there isn't much you can do. And I assume it's long since formatted now!


Rich.