Or downloading shareware/freeware files, or free screen savers, or any number of files. I am fairly certain that you use internet exploiter, as do most people, in which case the machine could have been 0wned simply by visiting a malicious web site.
To start you can do a search on any files created or modified during the time that you were on vacation. You don't need any special tools to do this, just do a search from your Start menu, or your Windows Explorer. Do an advanced search and set the dates for your vacation time.

If your antivirus isn't working you can try an online AV scanner at Symantec, or housecall.trendmicro.com. If you need to check specific files on your system, there is a great online scanner that uses multiple AV vendor scanning engines at www.virustotal.com.

For system analysis there are many great tools from sysinternals.com. I would use http://www.sysinternals.com/Utilities/Autoruns.html to check which programs are configured to start up during boot time. I would definitely use http://www.sysinternals.com/Utilities/ProcessExplorer.html to see what processes are currently loaded and find out what registry keys they are using, files and DLLs they are using, and a feature I like the best, you can see what semaphores and mutexes they are mapped to.

I would agree that you have to question the integrity of your system now that it has been compromised. Depending on the level of compromise, you may have to start anew. I would most certainly suggest some type of system integrity checker in the future. There is a nice little program for Windows that offers Tripwire-like functionality at a fairly reasonable price. You can find it here: http://www.winalysis.com/

The road to forensics can be a bumpy one, where many people learn from mistakes, but that is how we get better! Hope that helps!

Regards,
John Fellers
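The date-window file search described in the post above, as an added example that is not part of the original message: it lists every file under a directory whose timestamps fall inside a given window and records a SHA-256 for each, so a file can be looked up on a multi-engine scanner by hash. The function names and the command-line form are assumptions made for this illustration.

```python
import hashlib
import os
import stat
import sys
from datetime import datetime


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def files_touched_between(root, start, end):
    """Rows (time, kind, path, sha256), oldest first, for regular files under
    root whose timestamps fall inside [start, end] (naive local datetimes)."""
    lo, hi = start.timestamp(), end.timestamp()
    rows = []
    for dirpath, _dirs, names in os.walk(root, onerror=lambda err: None):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path, follow_symlinks=False)
                if not stat.S_ISREG(st.st_mode):
                    continue
                # st_ctime: creation time on Windows, inode change time on Unix.
                stamps = ((st.st_mtime, "modified"), (st.st_ctime, "created/changed"))
                hits = [(t, kind) for t, kind in stamps if lo <= t <= hi]
                if not hits:
                    continue
                digest = sha256_of(path)
            except OSError:
                continue  # locked, unreadable, or removed while scanning
            when, kind = min(hits)
            rows.append((datetime.fromtimestamp(when), kind, path, digest))
    return sorted(rows)


if __name__ == "__main__":
    # Usage: script.py ROOT START END, dates in ISO form such as 2006-01-01
    root, start, end = sys.argv[1], sys.argv[2], sys.argv[3]
    window = (datetime.fromisoformat(start), datetime.fromisoformat(end))
    for when, kind, path, digest in files_touched_between(root, *window):
        print(f"{when:%Y-%m-%d %H:%M:%S}  {kind:<15}  {digest}  {path}")
```

File timestamps can be rewritten by whoever controlled the machine, so an empty result does not show that nothing was changed; a baseline from an integrity checker taken before the incident is the stronger evidence.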
