I'm not a Hacker I'm a programmer. I work for a small web company and recently we been attacked by somebody.
We think it a Root kits viruses which infected our servers. We can find how do they infect our servers. And simply removing them using antivirus software is not working to good.
They are modifying some of our source files. [.js or asp] also upload a files to the server. [.asa].
We think we rule out the SQL injection we had some prevention in code for that and some of our severs had ftp ports completely closed on  our firewall

Here are the 3 Trojan/Viruses that are on our servers. They all seem to do the same things.

http://www.paretologic.com/resources/definitions.aspx?lid=EN&remove=Backdoor%20HuPigeon%20YII%20Trojan  HuPigeon YII
http://www.paretologic.com/resources/definitions.aspx?lid=EN&remove=BHO%20N%20Trojan   BHO N Trojan
http://www.paretologic.com/resources/definitions.aspx?lid=EN&remove=Trojan%20Feutel-AM Trojan Feutel-AM

I will take any recomendations and would really appreciate your help.

I agree with Morpehus.

If you do want to pursue things legally, you should quickly hire a firm experienced in incident response and forensics, as it sounds from your post, your company does not have this in house capability.  And is this is the case, you should stop your attempts at any removal as you may be destroying evidence.

As Morpheus mentioned, I think your best bet is to completely rebuild the system from scratch being sure to apply all necessary security patches for the OS AND any applications running before allowing access again from the interent.  Careful with restoring anything from backups as it may be difficult to dtermine when exactly the machine was compromised and you may be restoring infected files.

you mentioned that ftp is not allowed from your server to the internet.  However, from the quick googling i did on these trojans, at least one of them has the ability to connect over http to a malicious server on the internet.  I would think you need to allow inbound http and established replies, but there is probably no reason to allow outbound http from the server, if there is a reason, you should limit it to only the IPs required.

Also based on my quick googling, it looks like the malware you mentioned does not have a propagation mechanism in and of itself.   You might want to look at if an administrator or someone else recently downloaded and installed something from the interent, this may have been the initial infection point.  Of course, someone could have written something to exploit a vulnerability and dump these trojans so its hard to say, but still something to look at.

Wow, fun week for me to be gone.  vg12, PM me on this if you need more help.  I've spent more time in this arena than I care to remember.  In the short run, the advice you've people have posted here is a very good start.  The basic logic is that if the availability of those systems are more important to your business than tracking down someone to punish, then nuke the hard drive and drop a fresh OS onto the system.  Be very, very careful using backups to reinstall unless you can pinpoint when you were infected and can get a backup from before that point.  Also, don't trust the data on your system.  Just because you put a shiny new OS onto the box doesn't mean you are safe to copy data files or third party apps from the infected system.  I've seen people do that a million times.  When you are trying to figure out where this stuff came from, don't forget to look outside the infected system.  Check firewall and router logs that would show traffic to that box.  More often than not that will give you hints as to how they got onto your system, and they are more trustworthy than the logs on the compromised system.  Your first issue should be to identify the infection source, and it is usually going to fall into 3 areas:  infected file executed on the system, a host based attack aimed at the OS, or an application level attack.  If it was an infected file of some type, you are going to have to try and find evidence in the system logs.  You might also find evidence in your router or firewall logs of the tools trying to "call home" after the infection occurred.  If it was a host based attack your efforts will fall evenly between system and network logs.  This is where you'll see someone or something launching attacks against specific to a certain OS.  Application level attacks are similar in that they might go to certain ports, but the big focus here should be anything over your http ports (80, 8080, etc).  This is where you will usually see people throwing "the kitchen sink" at the web applications.  It is pretty common to see hundreds of attacks within a couple of minutes, usually SQL/CRLS/LDAP/etc injections and cross site scripting as well as IIS and Apache attacks.  All that being said, the safest thing to do is nuke that hard drive, install a new OS, and rebuild your data.

Well, that helps narrow it down.  Few more questions:
-How exposed is this system?  Boundary router?  Internal VLAN?  Behind a firewall that allows access to port 80?  Is that SMTP traffic internal only?
-What are you running on this system?  Is it a web server?  Mail sever?   Backend/frontend for a distributed app? 
-Was someone working off of the system?  Could they have received a file via email or download that might have been infected? 
-Can you give us an idea what logs are available?  System logs as well as network devices? 
-Are you seeing any efforts from the infected system to reach outside of your network?  Are you seeing any efforts from the infected system to reach out and propagate itself by infecting other systems?

Did you run Nmap to see what ports were open? There may have been services that you didn't realize were running.

Do you allow rdp for remote admin tasks? Do you allow it for all of your admins? You may be certain that you do not surf the web on it, but are your absolutely sure no one else does?

Don

That's a good idea and restricting mobile media should always be in place, but if it actually dropped something onto your system then you can't trust the time stamps you are going to pull back.  A bunch of the new malware suites are doing time stomps on infected files and the registry keys that record when pieces of media were inserted.  This really screws up your forensics analysis and makes it difficult to put a timeline on what the hell happened to your box.  Plus, it makes your job really, really hard if you try to turn anything into evidence.

you sure it wasnt SQL Injection? do you allow file uploads to the web server? how about RFI in the web app? lots of ways of in.  all the apps to include third party stuff up to date?

from a IH perspective have extra accounts been created, are the connecting back in? what does netstat say for listening ports? what do the web server logs say? you should see the SQL attack in there.