-
I've taken apart a fair few rootkits, and they are by no means simple, though most of them these days tend to use the NET command to overwrite certain boot hooks to allow the rootkit to be run at start as a network service instead of the standard Windows Messenger, for example, which shuts down on execution if you have MSN, so most people won't notice the difference.
Rootkits have a nasty way of being composed of several smaller components, all of which are 'legitimate' as far as any antivirus program is concerned, often made from freely available software components which in and of themselves are not harmful.
I normally find it easier to simply wipe the machine rather than try to save it when it comes to rootkits; there are simply too many undocumented versions out there.
-
Assuming that this problem can be rectified without a reinstall, after patching the OS and getting an up-to-date antivirus (AVG at www.grisoft.com is a good one), I'd also have your parents use a restricted account instead of running under the typical 'administrator' account. Also, I'd get real familiar with gpedit.msc as you can restrict everything under the sun just about.