Technofyed

Full Version: Unable to query host name. ipconfig hates me.
Along my adventures of cleaning up virus infected machines, I often times run into an issue that makes the customer very very angry with me. The issue being that I said the turnaround time is usually next day. However, every once in a while I hit the wall. I run into some obscure configuration, some Windows component gets foobar'ed. Something goes horribly, horribly wrong.

I run the shop that assures you we don't format. We work it through. In a worst case scenario, I'll do a 'repair install' to replace the core components of Windows. But that comes with the cost of me sweating bullets hoping nothing goes wrong. So in this situation I decided to rough it through, ask the customer for some patience, & tackled the issue... into the unknown.

Operating System : Windows XP Professional service pack 3.

Service pack 3? Crud! All of my tools are for Service Pack 2! & from the looks of it, it was a fresh install of SP3, because I couldn't back it up with any of the methods provided by Microsoft. So let's get to the nitty gritty. The problem, the solution, the adventure.

Customer drops off her PC, it's having 'adult advertisement' issues. Kids have been downloading nasty films & free music from Lime Wire. So right away I'm thinking that her DNS has been hijacked.

I scanned the hard drive in our Linux virus cleaning box. Removed a couple of infected files. We'll say less than 20. Put the hard drive back into her system, boot, & the 1st thing I notice is that the desktop doesn't come up for quite some time. I can click on start, but CTRL + ESC offers me nothing. I can start -> run -> cmd & get a command prompt, but typing config & hitting enter does nothing. Eventually it comes back to me & I can start looking at her network settings. The IP address is set to auto, but her DNS is set to 96 something. Most likely AT&T DNS servers. I go to install HijackThis from off our network, but the link doesn't work. So I throw ipconfig at the command prompt & I get slapped in the face. Unable to query host name. WTF is this?

So I issue the usual TCP/IP resets :

netsh winsock reset catalog
netsh ip reset reset.log

Nothing, no ip address. So I manually set the ip address. More slaps in the face.

So doing some extensive research (& getting quite pissed off reading how the previous solutions worked for everyone else) I come across this solution. Uninstall TCP/IP.

Start -> Control -> Network -> Right click on local network -> properties -> general (tab) -> scroll to TCP/IP -> uninstall.

WTF, uninstall is greyed out. ARG!

Seems that's not such a brick wall. Check it out (at your own risk!)

start -> run -> notepad C:\windows\inf\nettcpip.inf

Look for the following :

;=======================
; TCP/IP Primary Install
;=======================

[MS_TCPIP.PrimaryInstall]
; TCPIP has properties to display
Characteristics = 0xA0 ; NCF_HAS_UI | NCF_NOT_USER_REMOVABLE
AddReg = Registry.MS_TCPIP.PrimaryInstall, Registry.MS_TCPIP,

0xA0 is our target. Edit this to 0x80, alt -> file -> save, & we now have ourselves an unsigned driver. Go back to the TCP/IP properties on the general tab, click install & let's install this modified inf file. Look'it there, uninstall is now available. So let's uninstall this borked up TCP/IP stack.

Start -> Control -> Network -> Right click on local network -> properties -> general (tab) -> scroll to TCP/IP -> uninstall.

A little regedit action to finish the job (that the above netsh commands couldn't handle)

Start -> run -> regedit
HKLM -> SYSTEM -> Current Control Set -> Services
In this list let's trash (or rename if you are not so daring) winsock & winsock2

Then let's reverse the process.

Start -> run -> notepad C:\windows\inf\nettcpip.inf

Look for the following :

;=======================
; TCP/IP Primary Install
;=======================

[MS_TCPIP.PrimaryInstall]
; TCPIP has properties to display
Characteristics = 0x80 ; NCF_HAS_UI | NCF_NOT_USER_REMOVABLE
AddReg = Registry.MS_TCPIP.PrimaryInstall, Registry.MS_TCPIP,

Change 0xE0 back to 0xA0, alt -> file -> save

Start -> Control -> Network -> Right click on local network -> properties -> general (tab) -> install -> have disk -> C:\windows\inf\nettcpip.inf

reboot.

Crud, same damn thing. Oh well, at least I know I've a fresh install of TCP/IP

The solution wound up being a little bit of reading, seeing that IPSEC wasn't starting. IPSEC is a dependant of the Windows Firewall, which also wasn't starting. My guess is, most likely this was the target of the virus, inject the DNS, take out the firewall, & the client is powerless to do anything but view forced ads.

The service for IPSEC complained that a file was missing. Nice, 'A' file. Ah well, let's check the registry :

Start -> run -> regedit
HKLM -> SYSTEM -> Current Control Set -> Services -> IPSEC -> ImagePath

This shows us : system32\DRIVERS\ipsec.sys

Guess what's missing. That file.

So I downloaded SP3 from Microsoft, & double clicked it, watching for the temp directory it creates. Enter that directory & you'll find \i386\ipsec.sy_

Unpack this file back to C:\windows\system32\drivers\ with a little :

expand ipsec.sy_ ipsec.sys

using full path names, the provided directions just have them both in local path

& after a breath taking reboot, the desktop loaded like it should, quick fast & in a hurry, & a test nslookup ebay.com told me (& the customer) that everything is going to be alright.

Hope this helps, because I had a hell of a time getting this far
-#2pencil-
I think you're allowed to boast for that one. Nice fix. It hasn't given any more problems since?
Customer picked it up Wednesday & was extremely happy. She was certain I was going to format it without asking her 1st. I did not get a call from her today & I would have expected one if she was upset.
Good job! You get repped for that one.
I never said good job on fixing this so good job.
That's a huge long road around lol

Windows has made the children of today lazy

All you do is

Netsh winsock reset
Netsh winsock catalog reset
Netsh init ip reset
Netsh flush dns
Netsh firewall reset

Done. Simple
Just resetting the tcp/ip stack didn't work. I tried that (multiple times). I needed to re-unpack the ipsec.sys file from the service pack 3 upgrade.

Believe me, if it was as simple as resetting the windows tcp/ip this would not have taken me three days, nor would I have posted about it.
Hey no2, looks like you helped this guy: http://forums.techguy.org/networking/100...milar.html
Sweet. How did you find that?
I was looking through Google Analytics logs and saw a number of visits coming from that URL. Looking through your stats is a good way to keep tabs on where we are, how we've grown, and, most importantly, how we can capitalize on certain opportunities and use them to grow.
I told you I posted this for content reasons ...

& I believe that Klinc can enjoy himself a slice of humble pie as well, because this just goes to show that simply resetting it does not fix the situation.
And I'm glad you posted it!

I guess it depends on the issue.
i registered just to thank no2pencil!

been stuck on this problem for days.

this was the fix!

the suggestions posted by Klinc did not work btw. i tried those first.

i run xp sp3. i was not experiencing this problem before i updated to java 7 a few days ago. i got the update from http://www.gamepoint.com. they require the latest java to run certain games. i don't know if that was the cause of all this.

not long after the java update, ping.exe began running in the background.

i ended the process, but ping.exe kept coming back.

uh-oh. safe mode time.

i run malwarebytes, avast, and avira on the highest settings possible whenever i have a problem like this. they usually do the trick. the only other time i needed more help was for TDSS.

the three scanners each found and removed a few instances of malware.

restart back to normal mode.

"Firefox can't find the server at http://www.google.com."

crap.

system restore was no help. i tried going back months. whenever i really need it to work, the roll-back points always fail. i don't know if that is related to the nature of serious infections or if system restore is just garbage.

a few abnormalities i noticed:
1. even though i had no internet availability, the network cable and wireless networking would appear in the system tray to be working properly after restart, but if i did a disconnect/reconnect, they would fail.
2. the system tray would react when i unplugged the network cable, but NOT if i plugged it back in.

the reconnect was failing with a "windows was unable to find a certificate" error. i was able to fix that with the help of:

http://helpdeskgeek.com/how-to/windows-w...e-network/

but then i encountered a "waiting for network to be ready" error, which led me nowhere in particular.

i was ready to try reinstalling my network hardware. sigh.

i decided that before i would reinstall my existing network devices, i would pull out an old belkin usb wireless network adapter and install it as a control group.

installed it. same problem. whoa. something was fundamentally wrong with my networking capability.

i went back to the clue that always stuck out.

all the network troubleshooting guides mentioned ipconfig

ipconfig worked fine on my other pc that was connecting to the network with no problems.

but my trouble pc was giving me an "Unable to query host name" error in response to ipconfig.

soooo...google search:

ipconfig "Unable to query host name"

got me here

thanks again!
I'm glad no2pencil's solution helped you! Thank you for sharing your story.

In the future, I would recommend getting updates for software directly from the website of the software author.

If you have any more problems, feel free to post them. Welcome to the site.
Google ipconfig hates me.
I saw that.
Hey, I'm glad that this topic served you well!

I am also glad that you posted the entire troubleshooting adventure

It was a fun read, & even more so because you came to the solution!
No2pencil is #1 in my book! Holy Cow. I had the same issue and it worked!

If you ever make it to the Houston area, I will buy you a BBQ lunch!

Thanks!
Haha! Duly noted.

& I mean that, from what I see on the travel channel, you guys KNOW your BBQ!
I wanted to thank you no2 for helping me out today! I work at a small computer repair shop and today I had a Windows XP SP3 machine who appeared to have a corrupt tcpip stack. I followed the same procedures you initially did (minus the flag-changing for allowing uninstalling tcpip) and was frustrated that it wasn't working.

Your mention of the IPSEC service being down led me to checking if it was up on this computer, and it wasn't. I went to HKLM / CCS / Services, and the entire entry for IPSEC was missing. I exported it from another XPSP3 machine I happened to have running, imported it, restarted, and whaddya know it worked.

If it weren't for this thread I would have never thought or known that could be the problem.

Cheers!
Joe
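
Added example, not part of the thread or written by any poster: a check for the two failures described above, a service whose ImagePath names a file that is no longer on disk (the first post) and a service key that is missing altogether (Joe's case). It assumes the text of a regedit export of the Services key and a list of files relative to C:\windows; the sample data and the names DemoDependent and NoSuchSvc are constructed.

```python
import re

def _decode(raw):
    """Decode a .reg value: "text", hex(2) REG_EXPAND_SZ or hex(7) REG_MULTI_SZ."""
    m = re.match(r'hex\((2|7)\):(.*)', raw)
    if not m:
        return raw.strip('"').replace('\\\\', '\\')
    data = bytes(int(b, 16) for b in re.findall(r'[0-9a-fA-F]{2}', m.group(2)))
    parts = [p for p in data.decode('utf-16-le').split('\0') if p]
    return parts if m.group(1) == '7' else ''.join(parts[:1])

def parse_services(reg_text):
    """Map service name -> its own values, from an export of ...\\Services."""
    services, cur = {}, None
    joined = reg_text.replace('\\\n', '')  # join hex continuation lines
    for line in map(str.strip, joined.splitlines()):
        m = re.match(r'\[.*\\Services\\([^\\\]]+)\]$', line)
        if m:
            cur = services.setdefault(m.group(1).lower(), {})
        elif line.startswith('['):
            cur = None  # subkey such as \Enum: not the service's own values
        elif cur is not None and '=' in line:
            name, raw = line.split('=', 1)
            cur[name.strip('"').lower()] = _decode(raw)
    return services

def broken_services(services, files_under_windir):
    """Report image files absent from disk and dependencies on absent service keys."""
    on_disk = {f.lower() for f in files_under_windir}
    findings = []
    for name, vals in sorted(services.items()):
        path = vals.get('imagepath')
        if path:
            rel = re.sub(r'^(\\systemroot\\|%systemroot%\\)', '', path.lower())
            if re.sub(r'\.(sys|exe)\b.*$', r'.\1', rel) not in on_disk:  # ignore arguments
                findings.append((name, 'image file missing', path))
        for dep in vals.get('dependonservice', []):
            if dep.lower() not in services:
                findings.append((name, 'depends on missing service key', dep))
    return findings

def _hexval(kind, s):  # export form of a value, used only to build the sample
    return 'hex(%d):' % kind + ','.join('%02x' % b for b in (s + '\0').encode('utf-16-le'))

# Constructed sample, not taken from a real machine.
K = r'[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services'
SAMPLE = '\n'.join([
    K + r'\IPSEC]', '"ImagePath"=' + _hexval(2, r'system32\DRIVERS\ipsec.sys'),
    K + r'\IPSEC\Enum]', '"Count"=dword:00000000',
    K + r'\DemoDependent]', '"ImagePath"=' + _hexval(2, r'system32\DRIVERS\demo.sys'),
    '"DependOnService"=' + _hexval(7, 'IPSEC\0NoSuchSvc\0'),
])
```

Regedit writes .reg files as UTF-16, so read the export with that encoding before passing the text to parse_services.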