Network Security Incidents

Subject: Re: Re: They got me!!!
Date: 6 Apr 2006 14:19:50 -0000
Or downloading shareware/freeware files, or free screen savers, or any number 
of files. I am fairly certain that you use internet exploiter, as do most 
people, in which case the machine could have been 0wned simply by visiting a 
malicious web site.

To start, you can do a search on any files created or modified during the time 
that you were on vacation. You don't need any special tools to do this; just do 
a search from your Start menu or your Windows Explorer. Do an advanced search 
and set the dates for your vacation time.

If your antivirus isn't working, you can try an online AV scanner at Symantec 
or housecall.trendmicro.com. If you need to check specific files on your 
system, there is a great online scanner that uses multiple AV vendor scanning 
engines at www.virustotal.com

For system analysis there are many great tools from sysinternals.com. I 
would use http://www.sysinternals.com/Utilities/Autoruns.html to check which 
programs are configured to start up during boot time. I would definitely use 
http://www.sysinternals.com/Utilities/ProcessExplorer.html to see what 
processes are currently loaded and find out what registry keys they are using, 
what files and DLLs they are using, and, the feature I like the best, what 
semaphores and mutexes they are mapped to.

I would agree that you have to question the integrity of your system now that 
it has been compromised. Depending on the level of compromise, you may have to 
start anew. I would most certainly suggest some type of system integrity 
checker in the future. There is a nice little program for Windows that offers 
Tripwire-like functionality at a fairly reasonable price. You can find it here: 
http://www.winalysis.com/

The road to forensics can be a bumpy one, where many people learn from 
mistakes, but that is how we get better! Hope that helps!

Regards, 

John Fellers 
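The triage steps John describes above (files touched during the absence, programs configured to start at boot, hashes to look up on VirusTotal) as an added PowerShell example, not code from the original post. It assumes PowerShell 4 or later, and the date window and search roots are placeholders to adjust.

```powershell
# Added example (not from the original post): triage a Windows host after an
# absence. Window dates and roots below are assumed placeholders.
param(
    [datetime]$WindowStart = (Get-Date '2006-03-20'),   # assumed: start of the absence
    [datetime]$WindowEnd   = (Get-Date '2006-04-05'),   # assumed: end of the absence
    [string[]]$Roots       = @("$env:SystemRoot", "$env:ProgramFiles", "$env:USERPROFILE")
)

# 1. Files created or last written inside the window: the Explorer "advanced
#    search by date" idea, but recursive, including hidden files, and exportable.
function Get-FilesChangedInWindow {
    param([string[]]$Paths, [datetime]$Start, [datetime]$End)
    foreach ($p in $Paths) {
        Get-ChildItem -Path $p -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object {
                ($_.CreationTime  -ge $Start -and $_.CreationTime  -le $End) -or
                ($_.LastWriteTime -ge $Start -and $_.LastWriteTime -le $End)
            } |
            Select-Object FullName, CreationTime, LastWriteTime, Length
    }
}

# 2. Programs configured to start at boot/logon via the classic Run keys,
#    a small subset of what Autoruns enumerates.
function Get-RunKeyEntries {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $item = Get-ItemProperty -Path $k
        # Skip the PS* metadata properties that Get-ItemProperty adds.
        foreach ($name in ($item.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' })) {
            [pscustomobject]@{ Key = $k; Name = $name; Command = $item.$name }
        }
    }
}

# 3. SHA-256 of each changed file, ready to look up on VirusTotal, saved to CSV.
Get-FilesChangedInWindow -Paths $Roots -Start $WindowStart -End $WindowEnd | ForEach-Object {
    $h = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
    [pscustomobject]@{ File = $_.FullName; LastWrite = $_.LastWriteTime; SHA256 = $h.Hash }
} | Export-Csv -Path "$env:USERPROFILE\changed-files.csv" -NoTypeInformation

Get-RunKeyEntries | Format-Table -AutoSize
```

Run it from an elevated prompt so HKLM and system directories are readable; the CSV is the list to review against the autorun entries and upload selectively for scanning.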
