> 1) Make a good backup of the hacked system for data archival and forensic
> analysis.
> 2) Take the affected system off-line.
> 3) Check all other systems in your company as they are definitely at high
> risk.
> 4) Completely re-format and re-install any and all hacked boxes.
> 5) Change all passwords everywhere and make sure they are not recycled.

I think you have steps 1 and 2 reversed. Take it offline, THEN make the backups, etc. The infected system's disks should be mounted r/o on another secure system for doing said backups.
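The read-only backup step from the reply above, as an added example that is not part of the original thread: a shell function that copies an evidence source without writing to it and verifies the copy by hash. The names `acquire_image`, `sha256_of` and `evidence.img`, and the `/dev/sdX` device paths in the comments, are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes a Linux analysis host
# with coreutils. On a real case the source is the removed disk attached to the
# analysis host; /dev/sdX is a placeholder. Mark it read-only before touching it:
#   blockdev --setro /dev/sdX
#   mount -o ro,noexec,nosuid,nodev /dev/sdX1 /mnt/evidence
# (for ext3/ext4 add "noload" so the journal is not replayed onto the disk)

# Print the SHA-256 of a file or block device.
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# acquire_image SRC DEST_DIR
# Copies SRC to DEST_DIR/evidence.img, opening SRC for reading only.
# Prints the image hash on success; returns non-zero on any mismatch.
acquire_image() {
    src=$1
    dest=$2
    if [ ! -r "$src" ]; then
        echo "cannot read $src" >&2
        return 2
    fi
    mkdir -p "$dest" || return 2
    img="$dest/evidence.img"
    # Never overwrite an existing image: it may be the only good copy.
    if [ -e "$img" ]; then
        echo "refusing to overwrite $img" >&2
        return 3
    fi
    before=$(sha256_of "$src") || return 2
    dd if="$src" of="$img" bs=65536 2>/dev/null || return 4
    copied=$(sha256_of "$img") || return 4
    # Re-hash the source: a change here means it was written to during the copy.
    recheck=$(sha256_of "$src") || return 4
    if [ "$before" != "$copied" ] || [ "$before" != "$recheck" ]; then
        echo "hash mismatch, image is not a faithful copy" >&2
        return 5
    fi
    printf '%s  evidence.img\n' "$copied" > "$img.sha256"
    chmod 0444 "$img" "$img.sha256"
    echo "$copied"
}

# Run as: script SRC DEST_DIR
if [ "$#" -eq 2 ]; then
    acquire_image "$1" "$2"
fi
```

Analysis then proceeds on the image, and the recorded hash lets anyone confirm later that the copy has not changed.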