I have seen over 10 systems in my department that have Netdde32, Netropa NHK Server, and Dameware installed as windows services. I have used netstat -a -o and it shows a foreign IP address using these services. I ran a trace on the address and it was coming from out-of-state. I know Dameware is a remote connection program. These services seem to install an icon on the taskbar, prevent the network card from getting an IP address from the DHCP server. I have no idea how the system was comprised. Does anyone know what these services do? Netdde32 seems to work on port 2255. I have renamed the administrator account, changed its password and blocked the ports affected. I removed or disabled the windows services. I removed any exe that were created during the hacking period. There are no events in the event log, but anyone can remove them. Does anyone recommend anything else? I know I should format these systems. Thanks Andrew McCormack [log in to unmask] <mailto:[log in to unmask]>