HACK: "packs" Directory under \system32\drivers\etc
May 31, 2005
First, let me say: no warranties, etc. This is just a list of what I did to resolve the issues.
I found a ‘packs’ directory in C:\windows\system32\drivers\etc; my laptop had been hacked by an application that loads an FTP server. Normally, I’d follow this directory path to access the HOSTS files (which I was doing when I discovered this little bugger). I found this before any files were uploaded, so I cannot speak to content, but I suspect it to be a warez distribution site.
You might also find errors and references to "FireDaemon.exe". This is supposed to be a friendly program, allowing EXEs to run as services, but its footprint is evidence of the hack. If your system has been hacked, you’ll see references to it on the \packs path in your registry.
Removal:
There are a variety of other files in the \packs path; start by deleting all you can, including the subdirectories. Some files cannot be removed because they’re in use. The leftovers include:
- cygwin1.dll (legitimate POSIX Emulation DLL, but being used in a bad way).
- dll32.exe (rundll32.exe is the real version; this looks familiar, but is a shell).
- ldcd.dll (unknown).
- svchost.exe (references "FTP Serv-U Daemon"; I suspect it has been renamed. McAfee tells us this popular FTP software has been exploited: http://vil.mcafeesecurity.com/vil/content/v_99901.htm).
- cygregex.to_be_deleted (this gets created as you’re removing files, so something else is working).
- ccdx.dll (unknown).
- ig.dll (trojan downloader file).
To remove these pests:
- Delete all registry entries referencing the path.
- Open Windows Task Manager.
- Kill process dll32.exe in task manager.
- Navigate to C:\WINDOWS\Prefetch and remove references to DLL32.EXE-{numbers}.pf.
- With dll32.exe killed, you can now delete all but the false svchost.exe.
- Return to Windows Task Manager and sort processes alphabetically.
- Click on the first svchost.exe process that is running as ‘local service’ and click ‘end process’.
- Try to delete the bogus svchost.exe file. Repeat the above step and this step until you can delete the file.
It’s not over yet. This hack also put a number of package delivery/deployment files in C:\WINDOWS\system32\drivers\etc. Delete them:
- osql.exe (legitimate command line SQL tool).
- unrar.exe (legitimate rar format file unpacker).
- xp.rar (the package delivered by the hack).
- xp.txt (command file to pull down the components).
Then:
- Reboot to safe mode.
- Confirm the directory hasn’t been recreated.
- Search the registry for the \packs file path to ensure it hasn’t been recreated.
- Check the registry: HKLM\Software\Windows\CurrentVersion\Run for any anomalies.
- Reboot to normal mode.
- Re-apply Windows XP Service Pack 2 (this should replace any legitimate file versions).
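The two checklists above (finding the running dll32.exe and bogus svchost.exe, then confirming after the safe-mode reboot that the directory and registry references are gone) can be run as a single read-only audit. The script below is an added example, not part of the original post; it assumes Windows PowerShell 3 or later run from an elevated prompt. It only reports, it does not kill processes or delete files, so it can be run before cleanup to confirm the indicators and again afterwards to confirm they are gone. Its practitioner checks: the genuine svchost.exe lives only in %SystemRoot%\system32, so any svchost.exe running from another path is the impostor; and because FireDaemon registers EXEs as services, the script scans service ImagePath values as well as the Run keys. It uses the full Run key path, HKLM\Software\Microsoft\Windows\CurrentVersion\Run, which is the standard location for that key.

```powershell
# Added audit script (not from the original post). Assumes Windows PowerShell 3+,
# run as Administrator. Read-only: it reports indicators, it changes nothing.

$EtcDir      = Join-Path $env:SystemRoot 'system32\drivers\etc'
$PacksDir    = Join-Path $EtcDir 'packs'
$Prefetch    = Join-Path $env:SystemRoot 'Prefetch'
$RealSvchost = Join-Path $env:SystemRoot 'system32\svchost.exe'

# 1. The dropper directory and the leftovers listed in the post.
$Leftovers = 'cygwin1.dll','dll32.exe','ldcd.dll','svchost.exe',
             'cygregex.to_be_deleted','ccdx.dll','ig.dll'
if (Test-Path $PacksDir) {
    Write-Host "[!] $PacksDir exists"
    foreach ($f in $Leftovers) {
        $p = Join-Path $PacksDir $f
        if (Test-Path $p) { Write-Host "    found $p" }
    }
} else {
    Write-Host "[ok] no packs directory under drivers\etc"
}

# 2. Delivery files dropped directly into drivers\etc.
foreach ($f in 'osql.exe','unrar.exe','xp.rar','xp.txt') {
    $p = Join-Path $EtcDir $f
    if (Test-Path $p) { Write-Host "[!] delivery file present: $p" }
}

# 3. Running processes. Anything executing from the packs path is suspect,
#    and a svchost.exe whose image is not %SystemRoot%\system32\svchost.exe
#    is the renamed FTP daemon rather than the real service host.
Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path } | ForEach-Object {
    $path = $_.Path
    if ($path -like "$PacksDir*") {
        Write-Host "[!] $($_.ProcessName) (PID $($_.Id)) running from $path"
    } elseif ($_.ProcessName -ieq 'svchost' -and $path -ine $RealSvchost) {
        Write-Host "[!] svchost.exe (PID $($_.Id)) running from unexpected path $path"
    }
}

# 4. Prefetch entries left behind by dll32.exe.
Get-ChildItem -Path $Prefetch -Filter 'DLL32.EXE-*.pf' -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Host "[!] prefetch entry: $($_.FullName)" }

# 5. Registry autostarts: Run/RunOnce values referencing the packs path or FireDaemon.
$MetaProps = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in $props.PSObject.Properties) {
        if ($MetaProps -contains $prop.Name) { continue }
        $val = [string]$prop.Value
        if ($val -match '\\packs\\' -or $val -match 'FireDaemon') {
            Write-Host "[!] $key\$($prop.Name) = $val"
        }
    }
}

# 6. Services: FireDaemon wraps EXEs as services, so check every ImagePath too.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
    $img = (Get-ItemProperty -Path $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if ($img -and ($img -match '\\packs\\' -or $img -match 'FireDaemon')) {
        Write-Host "[!] service $($_.PSChildName): ImagePath = $img"
    }
}
```

Run it once before starting removal to confirm which processes and registry values are involved, and again after the safe-mode reboot in place of the manual registry search; a clean system prints only the "[ok]" line. A process reported under check 3 that still shows up after Task Manager says it is ended is the cue to repeat the "end process, then delete" loop the post describes.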
No warranty; use these steps at your own risk. Please add comments to the veracity of this solution, or additional steps you had to go through to remove the hack.