if i may ask, what do you guys do when you notice a backdoor action on your machine, you netstat and see unknown established connections, you find the rootkit and cannot see it, you also look into hiddens files and folders and yet cannot see the backdoor, what do you do?

thanks for your response, i was doing a research on ircd and bots, i opened a link and my browser was infected and said hiddenwebcamviewer.exe was successfully installed, i ran into a trojan..lol, i did netstat and saw a strange connection, did whois on the ip and aol was the service provider, then i check view hidden files and folders in CP and look at my windows and system32 dir, found nothing, ran m y AV and anti malware, still found nothing with it either..guess it was well packed and crypted, i still run netstat and finds strange connection, just giving me headache.
i hope you understand

Ketchup is right.  I do a lot of this for a living and I can honestly say that once you are "rooted" it is REALLY difficult to know that you have a clean system again.  Truly skilled attackers will often leave two backdoors, one much more obvious than the other so they can get back in to critical systems.  If this is just your home machine, then maybe just one backdoor, maybe not.

No joke, if it were me I'd back up my data and rebuild the machine from the ground up.  Just too much bad stuff is possible to leave an attacker on my machine.

If you must have your machine without rebuilding, look at the system from the outside in.  Backdoors have to communicate with the outside world.  They either are called in to or they call out themselves.  Putting a machine where you can listen inbetween the compromised machine and the internet and capturing packets will tell you if it is calling out.  As for calling in, in most simple examples the attacker configures a backdoor that listens on a port.  As ketchup said, fire up nmap and try to connect to every port.  If you see it as open, but a netstat shows it closed, there's your listener.  How to get rid of it is a whole different topic.

Good luck.

I think you're on the right track.  One thing I recall from my first exposure to incident response:  once you're compromised, that machine can't be trusted to tell you ANYTHING until you fdisk, reformat and reinstall from original readonly media.    Therefore, I totally disagree with any endorsement of any anti-malware cleanup software.  There's no way to know you got "everything" with such tools, particularly with polymorphic payloads that so easily evade signature based detection, or don't leave any traces behind anyway. 

One very passive thing you can do to see what's going on (if it's a home machine) is disconnect all devices but the suspect machine, slap a hub between your cable model or dsl router  and your router/switch, hang a backtrack box (without starting networking and dhcp) off of it,  don't assign an IP to the ethernet interface, and passive listen to the traffic going out of your network with wireshark.    If you can add snort into the mix to analyze things for you on the fly, so much the better.

The problem with netstat on the box... is you don't know if netstat itself has been trojaned to hide connections that are occurring.  Running a statically linked binary off a cd may be better, but if the kernel is sufficiently owned, it may lie to the binary, etc.   It's a bit of a house of cards with respect to trust. 

Good luck, and I hope your efforts are both educational and turn up that it's all much ado about nothing!

To add to Otter's observation:

It will only get worse.  We're on the verge of computer crime being profitable enough to target specific models of machines for BIOS level malware.  How we'll be detecting those is anyone's guess.

Otter is correct about not trusting netstat.  Even with a known good netstat binary, kernel hooks can hide established network connections.  He's right that you can't trust anything on that machine.

I'd definitely second (3rd, 4th, ...?) the call for a rebuild. It's the only way to guarantee a clean system.

But I'd also go with Ketchup's suggest of booting from a Linux distro, might not help you ensure 100% that a system is clean, but it's usually fun to have a play around and do some learning with the infection before rebuilding. If nothing else it's just fun (but I may be a tad on the sad side....)

If you are dual booting backtrack, you are in good shape.  You can mount your NTFS Windows drive with the following steps:

1. find out what drive label you are using and and get a list of partitions on it.  Just run the mount command and it will tell you what's mounted where.   Let's assume that your drive is /dev/sda.

2. run fdisk -l /dev/sda to get a listing of partitions on the drive.   Let's assume that your windows partition is /dev/sda1

3.  Make a directory in the /mnt/ folder for your partion: mkdir /mnt/sda1.  then run the mount command to mount your drive (read only):  mount /dev/sda1 /mnt/sda1 -t ntfs-3g -o ro.   Note that you may get an error about the NTFS system being dirty.  In that case, just add -o force.

The next thing I would do is run the trust find command to look for files that were modified since the when you think you got infected.  Let's say that you go infected two days ago, your find command would look like this:  find /mnt/sda1 -mtime -2 > filestoinvestigate.txt.   The minus 2 indicates 2*24 hours or less from now.

You will get quite a bit of files here.  I would begin by concentrating on the ones found in the WINDOWS folder and subfolders, ones in the temporary folders, ones in the User Profile root directory, and ones in the Common Files folder.   There are other locations to look, but this is a good start. 

This should get you started at pin-pointing the files that could belong to the rootkit. 

One other thing you can try is read up on Autopsy, which is included on Backtrack.  I haven't used it much, but I know it has some nice timeline features that could help you with this.    You can add your entire drive to to Autopsy and it will parse the file system.   I find it a bit cumbersome though. 

It may or may not help, but you could also try running sigverif in windows to see if any of the main windows files are showing as being unsigned (which means they were modified). It might not be too helpful, but it's worth a shot.