LOF. That sounds so familure; the whole, I help you, I get screwed over for doing something I shouldn't be doing. I too was looked at after a computer would die, it even got to the point where I got blamed for someones start menu being messed up, or icons rearranged on someones desktop. Like common, the movies out today, are making people thing hacking/cracking is just a guy at a computer w\ a 3d console ie: Hackers. That was the funniest movie I've possibly ever seen. Anyhow, the whole SubSeven thing will go around for a while. Try doing mass scans on 10.*.*.* for nodes listening on port 27374, or whichever port they set it up to listen on. Assuming they're not skilled "crackers", you can just research the raw commands which operate SubSeven, write a drone to log IP addresses and timestamp all commands issued.

However, If you cannot catch them in the act, forensics would be leet0 to have. Setup all the infected computers to log keystrokes, the removal of the trojans would be stupid. You want them to feel safe, and secure -- as you go in for the kill. Additionally, constant monitoring of all the computers infected would be prime. They're obviously gonna be cool, and connect to them. Make sure you get screenshots of that stuf. The outcome of this can be funny.