Security Incidents mailing list archives

greeted by a file transfer


From: "Geek, Security" <securitygeek () HUSHMAIL COM>
Date: Fri, 2 Feb 2001 07:25:14 -0800

I think I've been hacked, and would like some advice on how to proceed.

This morning my computer popped up with a file transfer box, without my
taking any direct action to initiate the transfer, and I recognized the site
to which the transfer was headed as a hostile site. Here are the details...

Win2k Advanced Server with SP1 and some security patches (it's been a couple
of months since I've applied patches). Office 2k installed (unknown patch
level). Yes, I know this is bad, and I suspect I have learned a good lesson
here. Other programs that were running when this happened were SETIq, the
SETI at Home client, Eudora and Outlook Express.

I was logged on as the administrator and I had just downloaded the latest
version of SETIq and attempted to install it. After I launched the setup.exe
file, nothing happened. I checked the Task Manager and noted setup.exe and
wow.exe were listed. I ended the setup.exe process and Win2k prompted that
the 16-bit subsystem was unstable and asked if I wanted to reset the 16-bit
subsystem. I confirmed.

I then noticed that there were two instances of mmc.exe open. I had been
using the MMC the night before, but had closed all MMC windows before going
to bed. I ended process on both of them, and immediately after I killed
the second one, Word for Windows popped up with a gray background (no open
document) and with a box that said "Transferring file to 'http:\\www.<hostilesite>.org".
Then a logon dialog popped up.

I sat there with a stupid look on my face for about five seconds. Then I
shut down all open programs, gracefully shut down the system, and pulled
the Internet connection. I left home with the system powered off.

I am running a LinkSys router that doubles as a firewall. I haven't verified
that it is still configured as I last left it, but I know that it was not
set to forward traffic from unestablished sessions to any internal hosts.
I had set it to block all outbound traffic on ports 69, 135 through 139
and 445.

I'd like to know if this sounds like an incident to the list, if so what
exploits would cause Word to launch in this manner and attempt to transfer
a file, and how should I go about investigating this? This is not a critical
system, and I can afford to be patient with this. I can (and will likely)
format and reinstall from CD once this is all settled.

Thanks.
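An added example, not part of the original post, that models the router policy the poster describes (outbound 69, 135 through 139 and 445 blocked; unsolicited inbound not forwarded) and checks it against a few constructed connection events, including an HTTP upload like the one Word attempted. The event names and port choices are assumptions for illustration; the point is that an upload over port 80 falls outside the blocked ports, so that egress rule would not have stopped it.

```python
# Added example (not from the original post): evaluate the poster's stated
# LinkSys policy against constructed connection events to see which ones it
# would actually have stopped.
from dataclasses import dataclass

# Policy as described in the post; port ranges are inclusive (lo, hi).
BLOCKED_OUTBOUND_PORTS = [(69, 69), (135, 139), (445, 445)]

@dataclass(frozen=True)
class Conn:
    direction: str          # "out" = started by the internal host, "in" = from outside
    proto: str              # "tcp" or "udp"; informational only in this model
    dst_port: int
    established: bool = False  # for "in": is this a reply to a session the inside opened?

def port_blocked(port: int) -> bool:
    return any(lo <= port <= hi for lo, hi in BLOCKED_OUTBOUND_PORTS)

def verdict(c: Conn) -> str:
    """Return 'blocked' or 'allowed' under the poster's router policy."""
    if c.direction == "in":
        # Router does not forward unestablished sessions to internal hosts.
        return "allowed" if c.established else "blocked"
    return "blocked" if port_blocked(c.dst_port) else "allowed"

# Constructed events (assumed, for illustration). The first one mirrors the
# post: Word transferring a file to a web site, i.e. outbound HTTP on port 80.
EVENTS = {
    "word_http_upload": Conn("out", "tcp", 80),
    "smb_outbound":     Conn("out", "tcp", 445),
    "tftp_outbound":    Conn("out", "udp", 69),
    "netbios_outbound": Conn("out", "tcp", 137),
    "unsolicited_in":   Conn("in", "tcp", 3389),
    "reply_in":         Conn("in", "tcp", 80, established=True),
}

def evaluate(events=EVENTS) -> dict:
    return {name: verdict(c) for name, c in events.items()}

def uncovered_outbound(events=EVENTS) -> list:
    """Outbound events the policy lets through: the gap to look at first."""
    return [n for n, c in events.items()
            if c.direction == "out" and verdict(c) == "allowed"]

if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:18} {result}")
    print("not stopped by egress rules:", uncovered_outbound())
```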
