ftp.exe .

Original Message
Name: Archibald
Date: January 22, 2003 at 12:32:15 Pacific
Subject: ftp.exe .
OS: XP
CPU/Ram: 768
Comment:

Hi!

I've got a really big problem here and I beg you to help me!
My Norton Personal Firewall 2002 is alerting me that ftp.exe is trying to access the internet on several occasions. I have of course blocked these attempts each and every time.
This is a draft from the FW log:

Date: 2003-01-12 Time: 12:05:40
This one time, the user has chosen to "block" communications. Details:
Outbound TCP connection
Remote address,service is (208.189.69.67,ftp(21))
Process name is "C:\WINDOWS\system32\ftp.exe"

This is just one of several different IP addresses it has been trying to connect to. I've checked these addresses and in most cases I seem to end up in someone's filesystem at c: In one case I ended up in what seems to be a Hacker-group's ftp-server. This address was: 130.108.148.87,6367. Another address that pops up frequently is white.nigger.la.
I have scanned my computer with:
Norton AV 2002 with all the latest updates = found nothing.
Panda online-scanning = nothing
Trojan Remover = nothing
SpyBot, search&destroy = nothing
Adaware = nothing
StartupList = nothing suspicious
Searched my registry for "white.nigger.la" = nothing
I've also tried searching the net for information on similar problems = nothing
Posted on different forums = no solution (check my thread at computing.net: http://www.computing.net/security/wwwboard/forum/3932.html)
E-mailed symantec = no reply

It certainly seems that I'm infected with something that allows someone to use my computer as an ftp-server and/or upload additional trojan files of some sort.
Why doesn't any software locate it?

The only solution I see at this point is to format my whole system, which I'd rather not.

Additional information:
Specs:
Win XP Servicepack 1 + all available updates.
MSI KT3 Ultra2
AMD 2000XP
768 MB DDR RAM
ASUS V8420
3COM 3C905B-TX
Software I'm running that access the internet in some way:
MS SQL Server (Always running)
IIS WebServer (Always running, all security patches installed)
ICQ (Always running)
IRC (mIRC) (Always running)
Messenger (Always running)
Outlook Express (Always running, E-mail scanning in/outgoing enabled)
IE 6 (Every day)
SourceOffSite (from time to time)
VNC-client (from time to time)
FlashFXP-client (from time to time)
Visual Studio .NET (Every day)
KerberosFTP (Seldom)
DirectConnect (from time to time)
Battlefield 1942 (from time to time)
Half-Life Counterstrike (from time to time)
AllSeeingEye (from time to time)
GameVoice (from time to time)

I'm very worried and I would be forever grateful if anyone came up with a solution.
Please help!


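The firewall alert quoted in the original message above has a regular layout, so a batch of such entries can be tallied per process and remote endpoint to see how many distinct hosts a program such as ftp.exe tried to reach. This is an added example, not part of the thread: it assumes every entry follows the layout of the quoted one, and the second and third entries are constructed samples using a 192.0.2.x documentation address.

```python
import re
from collections import defaultdict

# The single entry quoted in the post.
QUOTED = r'''Date: 2003-01-12 Time: 12:05:40
This one time, the user has chosen to "block" communications. Details:
Outbound TCP connection
Remote address,service is (208.189.69.67,ftp(21))
Process name is "C:\WINDOWS\system32\ftp.exe"
'''
# Constructed sample: two repeat attempts to a documentation address on a high port.
CONSTRUCTED = QUOTED.replace("208.189.69.67,ftp(21)", "192.0.2.10,6367")
SAMPLE_LOG = QUOTED + "\n" + CONSTRUCTED + "\n" + CONSTRUCTED

ENTRY = re.compile(
    r'Date: (?P<date>\S+) Time: (?P<time>\S+)\s*\n'
    r'.*?chosen to "(?P<action>\w+)" communications.*\n'
    r'(?P<direction>Outbound|Inbound) (?P<proto>\w+) connection\s*\n'
    r'Remote address,service is \((?P<host>[^,]+),(?P<service>[^\n]+)\)\s*\n'
    r'Process name is "(?P<process>[^"]+)"')

def parse_entries(text):
    """Return one dict per entry; the port is taken from 'ftp(21)' or a bare '6367'."""
    entries = []
    for m in ENTRY.finditer(text):
        e = m.groupdict()
        e["port"] = int(re.search(r'(\d+)\)?$', e["service"]).group(1))
        entries.append(e)
    return entries

def outbound_by_process(entries):
    """Map lower-cased process path -> {(host, port): attempt count} for outbound entries."""
    summary = defaultdict(lambda: defaultdict(int))
    for e in entries:
        if e["direction"] == "Outbound":
            summary[e["process"].lower()][(e["host"], e["port"])] += 1
    return {proc: dict(dests) for proc, dests in summary.items()}

if __name__ == "__main__":
    for proc, dests in outbound_by_process(parse_entries(SAMPLE_LOG)).items():
        print(proc, "->", len(dests), "distinct destinations")
        for (host, port), n in sorted(dests.items()):
            print(f"  {host}:{port}  {n} attempt(s)")
```
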


Response Number 1
Name: capt
Date: January 22, 2003 at 12:42:40 Pacific
Reply:

Try the trojan scan at the PC Flank website. If it is positive try a trial trojan program that is highly rated by them.



Response Number 2
Name: suzi
Date: January 22, 2003 at 19:36:18 Pacific
Reply:

Go to www.spywareinfo.com and on their downloads page, get HijackThis. Download and run it. Then post the log that it generates on the forum there. They will analyse it for you and try to locate the culprit.

Good luck.



Response Number 3
Name: suzi
Date: January 22, 2003 at 19:38:20 Pacific
Reply:

Also did you try deleting the file ftp.exe?

Use the search for files and folders, and turn on the show hidden files.



Response Number 4
Name: MfH
Date: January 23, 2003 at 02:43:10 Pacific
Reply:

If those virus scanners can't locate a trojan, I don't think there is one. Are you sure that the Unicode Hole is amongst those IIS patches? If it is, I'd look at the SQL. I've been hearing that interest in strohacking via an exploit in certain SQL-servers is gaining popularity as the IIS Unicode Exploit is well known and usually all patched up. If it's an exploit, formatting won't help as you will probably re-install the program which has the security flaw(s) afterwards...

