Check the Settings for the browsers, perhaps they were forced to use a proxy that was listening on the loopback?
Check your DNS settings with ipconfig /all as well. Look at what is set to run at startup via the registry. Chances are that the exes will reside in C:\Windows\system32 and may look innocent. Grab a list of the names and google to find out more info.

You could spend a lot more time looking through the system, but all in all you should assume that the machine needs to be wiped and reloaded. Does the user *need* admin rights?

HTH,
Harry

--
Harry Hoffman
Integrated Portable Solutions, LLC
877.846.5927 ext 1000
http://www.ip-solutions.net/

[EMAIL PROTECTED] wrote:
> While setting a port for Symantec to query XP Pro workstations for virus
> updates, I noticed two machines that had firewall rules (exceptions in WinXP
> firewall parlance) that were in unreadable characters, such as an Asian font
> set that couldn't be displayed. The rule name was in blocks or in other
> unreadable characters. The user of these two workstations is notorious for
> downloading Asian TV shows over BitTorrent, and visiting anime and other
> Asian sites.
>
> I deleted the two firewall rules (DOH! I should have just disabled them) and
> now IE and Mozilla browsers do not work at all. I can ping out of these two
> machines, and as long as I use an IP address, these machines can ping
> anywhere in the Internet. However, if any call to DNS is required, either
> with a browser or ICMP, it fails.
>
> Has anyone had a similar experience or seen this kind of behavior? My fear
> is that one of the "special Korean download programs" that this user admits
> installing has altered the browser or -- even worse -- the XP TCP/IP stack
> with hooks into a trojan or spyware product. I tried disabling the firewall
> to allow all traffic in and out, but to no effect. No DNS functionality. My
> packet traces are inconclusive and my IDS is not alerting on anything in or
> out of these two workstations.
>
> Any ideas? At this point I know I am going to have to reload, but from a
> forensic standpoint, I am curious if anyone else has seen this kind of
> behavior before.
>
> Thanks.
>
> ------------------------------------------------------------------------------
> This List Sponsored by: Black Hat
>
> Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas.
> World renowned security experts reveal tomorrow's threats today. Free of
> vendor pitches, the Briefings are designed to be pragmatic regardless of your
> security environment. Featuring 36 hands-on training courses and 10 conference
> tracks, networking opportunities with over 2,500 delegates from 40+ nations.
>
> http://www.blackhat.com
> ------------------------------------------------------------------------------
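
An added triage script, not from the thread and not Harry's or the original poster's code, that collects the items Harry lists (browser proxy settings, the DNS part of ipconfig /all, registry autostart entries) together with the three other places where "ping by IP works, anything needing a name fails" is usually explained: the hosts file, the Winsock catalog, and firewall rules with unreadable names. It assumes PowerShell 3 or later on Windows 8 / Server 2012 or newer (Get-NetFirewallRule and Resolve-DnsName do not exist on the XP hosts in the thread, which would need reg.exe and netsh instead). The hostname and address in Test-NameResolution are placeholders, and the suggestion that a Winsock Layered Service Provider could be the "hook into the TCP/IP stack" is my assumption, not something the thread establishes.

```powershell
# Added example (not from the list thread): gather the artifacts Harry suggests checking on a
# Windows host where pings by IP work but anything needing name resolution fails.
# Assumes PowerShell 3+ on Windows 8 / Server 2012 or later; run from an elevated prompt.
# Read-only: nothing here changes configuration.

function Get-ProxyConfig {
    # WinINET proxy settings used by IE and, by default, most other clients on the box.
    # A proxy pointing at the loopback address is the first thing Harry asks about.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProxyEnable   = $p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        AutoConfigURL = $p.AutoConfigURL
        LoopbackProxy = [bool]($p.ProxyServer -match '127\.0\.0\.1|localhost')
    }
}

function Get-DnsConfig {
    # The DNS-related part of 'ipconfig /all', one object per IP-enabled adapter.
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Select-Object Description, IPAddress, DNSServerSearchOrder, DNSDomain
}

function Get-HostsFileEntries {
    # Active lines of the hosts file; entries here override DNS without any network traffic.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -Path $hosts -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\s*[0-9A-Fa-f:.]+\s+\S' }
}

function Get-AutostartEntries {
    # Run/RunOnce values for the machine and the current user, the registry autostarts Harry
    # points at. Look up the image names; look closely at anything living in System32.
    $paths = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($path in $paths) {
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        # Get-ItemProperty adds PSPath/PSParentPath/... note properties; drop them.
        $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
            ForEach-Object { [pscustomobject]@{ Key = $path; Name = $_.Name; Command = $_.Value } }
    }
}

function Get-WinsockCatalog {
    # Layered Service Providers sit between applications and TCP/IP. A third-party entry here is
    # one way a "download program" could hook the stack (assumption, see lead-in).
    netsh winsock show catalog
}

function Get-OddFirewallRules {
    # Rules whose display name contains characters outside printable ASCII, like the ones that
    # showed up as blocks in the thread. Inspect and disable rather than delete.
    Get-NetFirewallRule -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '[^\x20-\x7E]' } |
        Select-Object DisplayName, Direction, Action, Enabled
}

function Test-NameResolution {
    # Reproduces the symptom: ICMP to a literal address versus resolving a name.
    # Placeholder targets; substitute hosts you are allowed to reach.
    param([string]$Name = 'dns-check.example', [string]$Address = '192.0.2.1')
    $byIp = Test-Connection -ComputerName $Address -Count 1 -Quiet -ErrorAction SilentlyContinue
    try   { $null = Resolve-DnsName -Name $Name -ErrorAction Stop; $byName = $true }
    catch { $byName = $false }
    [pscustomobject]@{
        PingByIp             = $byIp
        ResolveName          = $byName
        MatchesThreadSymptom = ($byIp -and -not $byName)
    }
}

# Usage (read-only collection):
Get-ProxyConfig
Get-DnsConfig | Format-List
Get-HostsFileEntries
Get-AutostartEntries | Format-Table -AutoSize
Get-OddFirewallRules | Format-Table -AutoSize
Get-WinsockCatalog
Test-NameResolution
```

Save the output before anything is changed; on a box that is going to be wiped anyway, that capture is the only forensic record you will get. On the XP machines in the thread the same questions are answered with `netsh firewall show config`, `reg query` against the same Run keys, and `netsh winsock show catalog`, and if a third-party LSP turns out to be the cause, `netsh winsock reset` is the documented way to rebuild the catalog.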
