Two Plus Two Newer Archives  

  #1  
Old 02-26-2007, 08:37 AM
suited_jock suited_jock is offline
Senior Member
 
Join Date: Aug 2005
Posts: 138
PC hacked.. before formatting I need some info

Basically my dad's PC has been hacked through an LSA exploit.

They have created various different user accounts on his machine
They have installed a dialler which has overridden the ADSL connection
They have disabled the firewall and are allowing connections through every port under the sun.

When I ran netstat there were over 200 addresses either connected or waiting to connect (is it spreading a worm?)
There is a log file in the root of the C:\ with various connects to irc.test.net

They had full access to it, as when I switched on the firewall to try and figure out wtf is going on it was instantly switched back off again.

I'm a systems administrator by trade but really don't have that much knowledge or exposure to the home security side and Windows exploits.

Obviously it's disconnected from the web now and it's about to be reimaged tonight, but I want to gather information should this PC be performing illegal operations and he is to get the blame for it.

It was running Windows Firewall with Avast Home Edition as the AV, being automatically updated.

I need to find out what it is being used for?
How I can trace and report this?
  #2  
Old 02-26-2007, 10:31 AM
goldtoes goldtoes is offline
Senior Member
 
Join Date: Feb 2006
Posts: 1,918
Re: PC hacked.. before formatting I need some info

I don't know how you are going to go about finding where the traffic was going since the firewall was disabled. I guess you could let it keep running and monitor the traffic then.

Couple things I would do differently though: I would call your ISP and report it to them so they know and can put it on file. Because they will be the first contact if someone is investigating you. Also, if there was a lot of traffic coming from your machine flooding all ports, there's a chance your ISP might be throwing up flags already.

I also wouldn't format the hard drive but instead keep it intact and just buy a new one to replace it. This way if anything ever happens and the blame falls back on you, you can pull out the hard drive and use it as evidence.
  #3  
Old 02-26-2007, 10:35 PM
LuckyTxGuy LuckyTxGuy is offline
Senior Member
 
Join Date: Jan 2006
Location: Deep East Texas
Posts: 1,198
Re: PC hacked.. before formatting I need some info

I was about to say the exact same thing about your ISP and not formatting the drive. The one thing that would concern me is if the hackers had put any illegal data on the drive such as child porn. Having the drive/data intact might be helpful to prove your innocence if something came up down the road. I would definitely alert the ISP though and make sure they note all this in your file. It could be important down the road.

However, in all reality, there are millions of computers out there that are compromised and probably being used for the exact same thing, so it's probably not as big of a deal (legally) as one might think.
  #4  
Old 02-27-2007, 09:54 AM
goldtoes goldtoes is offline
Senior Member
 
Join Date: Feb 2006
Posts: 1,918
Re: PC hacked.. before formatting I need some info

[ QUOTE ]
However, in all reality, there are millions of computers out there that are compromised and probably being used for the exact same thing, so it's probably not as big of a deal (legally) as one might think.

[/ QUOTE ]

agree
All times are GMT -4. The time now is 09:52 AM.