Re: They got me!!!

["Dude VanWinkle" <dudevanwinkle () gmail com>]

On 4/5/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
<sbradcpa () pacbell net> wrote:
> Before you do the proper thing and flatten it and reinstall from trusted
> sources..ask yourself your real intrusion points.... if the computer was
> merely "on", "people" should be able to get on the box without
>
> a.  a backdoor implanted on their first probably by your teenagers
> surfing and downloading free software

You should verify this is the way they got in, you can do that by
checking their browsing history and reviewing the event log for newly
installed applications.

Also, if you have the file that is infected, you can check the
creation date, then search for other files modified in that time.

Verify that your files havent been touched. Scan your critical
docs/apps to see what the last accessed time is and compare that to
the timestamp on the backdoor.

The problem with forensics is that you have to have a plan in hand
when you start the investigation. Performing a full scan with symantec
will change the last accessed time, and you probably already deleted
the backdoor, so it may be really hard to find out what was done to
your system.

If this is true, you should take only txt files and wipe and reload
the machine. Also try NOD32 rather than symantec for AV. It is a lot
harder to beat.

-JP