Repair XP Home Group Policy entries after disinfection
Message
From:
13/10/2006 16:46:56
To: All
General information
Forum: Windows
Category: Troubleshooting
Title: Repair XP Home Group Policy entries after disinfection
Miscellaneous
Thread ID: 01161914
Message ID: 01161914
Views: 65
This message has been marked as the solution to the initial question of the thread.
A client has an XP Home machine that got infected with what looks like multiple worms/malware. I've managed to kill all the active processes but the following problems remain:

- Something has hooked itself into the network connection, specifically DNS such that DNS lookups no longer work. All other TCP/IP network functions seem OK (ping of remote sites [by IP address only]) etc.

- Group Policy entries have been modified:
  - Windows Firewall has been disabled
  - User cannot delete the only defined network connection, and no new ones can be created
  - User is prevented from changing any of the above

I can probably do some sort of System Restore/Windows Repair/brute-force overwrite of Windows networking files to fix issue #1. However, I'm more concerned about issue #2. Windows XP Home does not include the Group Policy Editor (XP Pro does); it looks as though manual registry editing is required to restore some settings to normal. However, I'm concerned that certain keys are not appearing at all - they might be hidden by a Group Policy setting (classic chicken & egg situation).

It's really unfortunate that XP Home has Group Policy settings available and that they are modifiable by malware, but there does not seem to be any way to reconfigure the values or set them back to a default.

Has anyone else seen anything like this and can offer ideas on how to proceed?

The malware files I eliminated were:

dhcpserv.exe
pipe.exe
ramasst.exe

***********
UPDATE

It turns out that ramasst.exe is part of a corrupted DVD burner application, not malware.

dhcpserv.exe --> WORM_RBOT.AQT (Trend)
pipe.exe --> WORM_MYTOB.KS (Trend)

Fixing the disabled firewall issue: this link was helpful for installing the Group Policy Editor on XP Home. As it turns out, that didn't help much. What eventually fixed it was completely deleting a Registry branch: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall. Windows rebuilds this to the default settings on restart.

The network connection was corrupted. To fix it:
1. Uninstall the network adapter in Device Manager and shut down the computer normally.
2. Remove the network adapter. If it's a built-in mobo LAN adapter, restart the computer, go into the BIOS setup and disable it there.
3. Boot the computer normally with the LAN adapter disabled.
4. Shut down normally.
5. Reinstall (or re-enable) the network adapter.
6. On the next boot, Windows should automatically detect and reinstall the adapter, which hopefully should now work properly (as it did for me).
Regards. Al

"Violence is the last refuge of the incompetent." -- Isaac Asimov
"Never let your sense of morals prevent you from doing what is right." -- Isaac Asimov

Neither a despot, nor a doormat, be

Every app wants to be a database app when it grows up
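The firewall fix described in the update above (deleting the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall` branch and letting Windows rebuild it on restart) can be done in a repeatable way that first backs the branch up and shows what the malware actually set. The script below is an added example, not code from the original post or its author; it assumes an elevated PowerShell session, uses `reg.exe export` for the backup, and the `EnableFirewall` value name is the documented policy value for turning the firewall off (it does not appear on the page). The backup directory is an assumption.

```powershell
# Added example (not from the original post): back up, inspect and optionally
# remove the Windows Firewall policy branch that the post found had been
# tampered with. Run from an elevated PowerShell prompt.
param(
    [switch]$Remove,                                   # actually delete the branch
    [string]$BackupDir = "$env:SystemDrive\PolicyBackup"  # assumed backup location
)

# Key path taken from the post; PS provider form and reg.exe form of the same key.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$regPath   = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall'

if (-not (Test-Path $policyKey)) {
    Write-Host "No firewall policy branch present; nothing to repair."
    return
}

# 1. Export the branch first so the change can be reverted with 'reg.exe import'.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backupFile = Join-Path $BackupDir ("WindowsFirewallPolicy-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
& reg.exe export $regPath $backupFile /y | Out-Null
Write-Host "Backed up policy branch to $backupFile"

# 2. List every value under the branch (root key plus all subkeys) and flag
#    EnableFirewall = 0, the policy setting that forces the firewall off
#    regardless of what the user chooses in the Control Panel.
$keys = @(Get-Item -Path $policyKey) + @(Get-ChildItem -Path $policyKey -Recurse)
foreach ($k in $keys) {
    foreach ($name in $k.GetValueNames()) {
        $value = $k.GetValue($name)
        $flag = ''
        if ($name -eq 'EnableFirewall' -and $value -eq 0) {
            $flag = '   <-- firewall disabled by policy'
        }
        Write-Host ("{0}\{1} = {2}{3}" -f $k.Name, $name, $value, $flag)
    }
}

# 3. Remove the whole branch only when asked; Windows recreates default
#    firewall settings on the next restart, as the post observed.
if ($Remove) {
    Remove-Item -Path $policyKey -Recurse -Force
    Write-Host "Removed $policyKey. Restart so Windows rebuilds the default firewall settings."
} else {
    Write-Host "Review the values above, then re-run with -Remove to delete the branch."
}
```

Run it once without `-Remove` to capture the backup and see which values were set, then with `-Remove` to delete the branch. If the firewall still reports itself as disabled after the restart, the backup file shows exactly what was there, and `reg.exe import <file>` puts it back for comparison.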