You would need to do a few things first as protection, and second comes the remediation.
Download the following tools, which may help to clean your environment (free and trial versions):
a) Active Ports
b) GFI Languard
c) ADAudit Plus
Install Active Ports on the server in question.
Install GFI Languard and ADAudit Plus on a laptop that you would use
1) Schedule a maintenance window (any time after business hours)
2) On the firewall disable (NOT DELETE) all rules
Run Active Ports to see what ports are listening; it will show the application associated with each one. This will give you an idea of whether the program is a legitimate program at all. If not, remove it.
From the laptop, run GFI Languard not just on your server but on the rest of your environment. It may show you some security holes. Run ADAudit Plus against your domain controller, which will help you see an audit trail and gives you "eyes" on who has "DOMAIN ADMIN" rights that shouldn't. Besides "administrator" and a 2nd account for you (admin.yourfirstname.yourlastname), no one else should have them. I would disable accounts that have not been used in, let's say, 30 days. Obtain a list of all active employees/volunteers to match against AD. The ones that don't match, disable for now. You can delete them later.
Change the password of "administrator" (as long as you have another domain admin account available as a backup and for your use only). You should rarely use the "administrator" account.
On the firewall, review the logs to see if you see any “active” connections outbound that normally should not be “active”. You may find an old pc in a dark closet with the freeware version of “logmein” which may be used to get inside the network as well.
Once you do the above steps, you should get a better picture of your environment.
Once you are done with the above, you can re-enable the firewall rules.
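The AD clean-up steps described in this answer (list who holds Domain Admin rights, find accounts unused for 30 days, compare AD against the list of active employees/volunteers, disable rather than delete, and list listening ports with their owning process) as one PowerShell script. This is an added example, not code from the answer above or from any of the tools it names. It assumes the ActiveDirectory RSAT module is installed on the management laptop, that it runs under a domain admin account, and that the CSV path, its "Username" column and the two sanctioned admin account names are placeholders you replace with your own.

```powershell
# Added example, not part of the original thread. Assumes the ActiveDirectory
# RSAT module and a domain admin session. $EmployeeList, its "Username" column
# and the names in $KeepAdmins are assumptions; substitute your own.
Import-Module ActiveDirectory

$InactiveDays = 30                                   # threshold suggested in the answer
$EmployeeList = 'C:\audit\active-employees.csv'      # assumed: one row per person, column "Username"
$KeepAdmins   = @('Administrator', 'admin.jane.doe')  # assumed names of the two sanctioned DA accounts
$Cutoff       = (Get-Date).AddDays(-$InactiveDays)

# 1. Who actually holds Domain Admin rights? -Recursive expands nested groups,
#    which is where a leftover account tends to hide.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Select-Object -ExpandProperty SamAccountName
$unexpectedAdmins = $domainAdmins | Where-Object { $_ -notin $KeepAdmins }
Write-Host "Domain Admins that should not be there:" ($unexpectedAdmins -join ', ')

# 2. Enabled accounts with no logon in the last $InactiveDays days.
#    LastLogonDate comes from the replicated lastLogonTimestamp attribute, which
#    can lag the real last logon by up to about 14 days, so review before acting.
$stale = Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate |
    Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff }

# 3. Enabled accounts with no match in the HR list of active employees/volunteers.
$activePeople = Import-Csv $EmployeeList | Select-Object -ExpandProperty Username
$orphans = Get-ADUser -Filter 'Enabled -eq $true' |
    Where-Object { $_.SamAccountName -notin $activePeople -and $_.SamAccountName -notin $KeepAdmins }

# Report first, then disable (not delete). -WhatIf only prints what would be
# disabled; remove it once the list has been checked against HR.
$toDisable = @($stale) + @($orphans) | Sort-Object SamAccountName -Unique
$toDisable | Select-Object SamAccountName, Enabled, LastLogonDate | Format-Table -AutoSize
$toDisable | Disable-ADAccount -WhatIf

# 4. Run this part on the server itself: listening TCP ports with the owning
#    process and its binary path, the same view Active Ports gives. Anything
#    listening from an unfamiliar path is what to investigate.
Get-NetTCPConnection -State Listen |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Port    = $_.LocalPort
            PID     = $_.OwningProcess
            Process = $p.ProcessName
            Path    = $p.Path
        }
    } | Sort-Object Port -Unique | Format-Table -AutoSize
```

Keep the -WhatIf on the first run and compare the printed list against HR before disabling anything; service accounts and shared mailboxes often show up as "stale" even though they are still needed.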
The Administrator account is completely disabled. That was one of the first things I did after the first time I found him in the system. I changed the password first, then disabled the account. I have also already gone through and disabled all users who haven’t logged on in a while.
I'm glad you mentioned LogMeIn, since I had not considered this. There are two ladies (the CFO and Office Manager) who use LogMeIn to access their PCs from home. Odds are, the old IT guy helped them set up these accounts and has the passwords, so I'll definitely check into that. I'll also follow the rest of your instructions later tonight and let you know what I find.
I appreciate the detailed answer. I'm actually meeting with a police officer and the DA tomorrow to answer some questions, as the CEO of the company has filed charges against him. I forgot to mention in my original post, but we now know that he has managed to gain physical access to the office by slipping in behind the cleaning crew at night, so part of my concern is that he has installed something on one of the machines to try and get in from inside the network.
I’ll let you know how it turns out. Thanks.