Posted 03 August 2010 - 10:40 PM
For the most part, I'm pretty good with virus/malicious content removal, but this one is kind of stumping me for some reason.
My parents and younger sister at home use a desktop that runs Windows XP 32. They called me about a few problems they were having which they first noticed when iMesh appeared on their desktops. When a simple software uninstall via Control Panel didn't work, they called me to go a little further.
I used Ad-Aware from Lavasoft and the Sysclean engine from Trendmicro to point out files to me. Everything that I found included some stuff from gaming sites that they use which were probably detected due to the additional promotional deals the programs also push through. The main areas of interest were iMesh, Zwangi, Zango, a few random Trojans like Wimad, pak!cobra, and a fraud security program that used the library 2927340765.dll.
When this fraud security program started popping up and when iMesh started to pull its garbage, they noticed that they were no longer able to connect to the internet. I figured this was just due to some of the malicious content that was on the computer, so after a complete overhaul of all of the files, folders, registry keys and values, the computer seems completely clean according to logs from Ad-Aware, Sysclean, and Hijack This. I did all of this in Safe Mode, killed all of the programs that startup when Windows is executed, and killed all of the startup values in HKEY_LOCAL_MACHINE > Microsoft > Windows > Current Version > Run and Run Once.
Upon restarting, everything seems completely clean (and like I said, rescan logs confirmed this), but both my mother's user account and my sister's user account, while able to connect to things that require an internet connection (such as AIM Messenger), are unable to view any web page they enter. They are brought to "Page Not Found" no matter what URL it is. It won't even allow me to open up the IP address of their home network connection router.
The weird thing is, all new users created, including my account from years back, are completely fine and are able to access any URL entered. Anyone have any thoughts or suggestions on how I could fix this on their accounts? I could always save their documents and what-not and create a new account for them, but I'd rather the challenge of beating whatever it is that's blocking connection (which, by the way, is being blocked on Mozilla, IE, and Chrome -- I'm assuming all other browsers would be blocked, too).
Thanks for the help and suggestions!