Network Security Incidents

Re: They got me!!!

Subject: Re: They got me!!!
Date: Thu, 06 Apr 2006 12:26:14 -0400
On Thu, 06 Apr 2006 08:17:30 MDT, lucretias said:
> I would disagree with all of Susan's assumptions.   Why should you rebuild
> if you're simply infected?

Tell me - are you willing to bet being totally 0wned again if you guess
wrong on "simply infected"?

> How someone could also determine you have a rootkit installed with no
> analysis and the shaky details you posted I'm not certain either.

Again, even the shaky details we have indicate a situation with a high
likelihood of a rootkit being present.  Proceeding as if one is present
is much safer than assuming that there isn't one.

> Assuming it was bad surfing is also a bad assumption.  It's highly likely
> that the infection was either from email or a downloaded and installed piece
> of software.

My money goes on a drive-by fruiting that used one of the currently known
unpatched IE vulnerabilities.  Anybody who goes to the length of installing
fingerprint scanners will most likely have drilled into the kids: "No
clicky-click the 'oooh shiny'!! Or *else*".

> A simple clean up would do the trick.
>
> Then clean the infections.  I have yet to meet an infection I couldn't
> clean.

You willing to bet the machine's security on "the A/V id'ed it as W32-foobar,
and Symantec says it alters 5 registry keys, so it can't possibly be a variant
that alters 6"?  Or maybe it's not W32-foobar *at all* - but some unknown
malware that includes deactivated chunks of W32-foobar just to delude you
into thinking that since you removed all the pieces of W32-foobar, that the
machine is in fact clean?

You might want to consider whether "I have yet to meet an infection that I
didn't convince myself was fully cleaned" is being more truthful.  Did you
dig out and sanitize 100% of every infection?  Or just 100% of what you found?
