Unable to query host name. ipconfig hates me.
Post: #1
Along my adventures of cleaning up virus infected machines, I often times run into an issue that makes the customer very very angry with me. The issue being that I said the turnaround time is usually next day. However, every once in a while I hit the wall. I run into some obscure configuration, some Windows component gets foobar'ed. Something goes horribly, horribly wrong.
I run the shop that assures you we don't format. We work it through. In a worst case scenario, I'll do a 'repair install' to replace the core components of Windows. But that comes with the cost of me sweating bullets hoping nothing goes wrong. So in this situation I decided to rough it through, ask the customer for some patience, & tackled the issue... into the unknown.

Operating System: Windows XP Professional Service Pack 3. Service Pack 3? Crud! All of my tools are for Service Pack 2! & from the looks of it, it was a fresh install of SP3, because I couldn't back it up with any of the methods provided by Microsoft.

So let's get to the nitty gritty. The problem, the solution, the adventure.

Customer drops off her PC, it's having 'adult advertisement' issues. Kids have been downloading nasty films & free music from Lime Wire. So right away I'm thinking that her DNS has been hijacked. I scanned the hard drive in our Linux virus cleaning box. Removed a couple of infected files. We'll say less than 20. Put the hard drive back into her system, boot, & the 1st thing I notice is that the desktop doesn't come up for quite some time. I can click on start, but CTRL + ESC offers me nothing. I can start -> run -> cmd & get a command prompt, but typing config & hitting enter does nothing. Eventually it comes back to me & I can start looking at her network settings. The IP address is set to auto, but her DNS is set to 96 something. Most likely AT&T DNS servers. I go to install HijackThis from off our network, but the link doesn't work. So I throw ipconfig at the command prompt & I get slapped in the face.

Unable to query host name.

WTF is this? So I issue the usual TCP/IP resets:

```
netsh winsock reset catalog
netsh ip reset reset.log
```

Nothing, no IP address. So I manually set the IP address. More slaps in the face.
So doing some extensive research (& getting quite pissed off reading how the previous solutions worked for everyone else) I come across this solution. Uninstall TCP/IP.

Start -> Control -> Network -> Right click on local network -> properties -> general (tab) -> scroll to TCP/IP -> uninstall.

WTF, uninstall is greyed out. ARG! Seems that not such a brick wall. Check it out (at your own risk!)

start -> run -> notepad C:\windows\inf\nettcpip.inf

Look for the following:

```
;=======================
; TCP/IP Primary Install
;=======================
[MS_TCPIP.PrimaryInstall]
; TCPIP has properties to display
Characteristics = 0xA0 ; NCF_HAS_UI | NCF_NOT_USER_REMOVABLE
AddReg = Registry.MS_TCPIP.PrimaryInstall, Registry.MS_TCPIP,
```

0xA0 is our target. Edit this to 0X80, alt -> file -> save, & we now have ourselves an unsigned driver. Go back to the TCP/IP properties on the general tab, click install & let's install this modified inf file. Look'it there, uninstall is now available.

So let's uninstall this borked up TCP/IP stack.

Start -> Control -> Network -> Right click on local network -> properties -> general (tab) -> scroll to TCP/IP -> uninstall.

A little regedit action to finish the job (that the above netsh commands couldn't handle)

Start -> run -> regedit

HKLM -> SYSTEM -> Current Control Set -> Services

In this list let's trash (or rename if you are not so daring) winsock & winsock2

Then let's reverse the process.

Start -> run -> notepad C:\windows\inf\nettcpip.inf

Look for the following:

```
;=======================
; TCP/IP Primary Install
;=======================
[MS_TCPIP.PrimaryInstall]
; TCPIP has properties to display
Characteristics = 0x80 ; NCF_HAS_UI | NCF_NOT_USER_REMOVABLE
AddReg = Registry.MS_TCPIP.PrimaryInstall, Registry.MS_TCPIP,
```

Change 0xE0 back to 0xA0, alt -> file -> save

Start -> Control -> Network -> Right click on local network -> properties -> general (tab) -> install -> have disk -> C:\windows\inf\nettcpip.inf

reboot. Crud, same damn thing.
Oh well, at least I know I've a fresh install of TCP/IP.

The solution wound up being a little bit of reading, seeing that IPSEC wasn't starting. IPSEC is a dependant of the Windows Firewall, which also wasn't starting. My guess is, most likely this was the target of the virus, inject the DNS, take out the firewall, & the client is powerless to do anything but view forced ads. The service for IPSEC complained that a file was missing. Nice, 'A' file. Ah well, let's check the registry:

Start -> run -> regedit

HKLM -> SYSTEM -> Current Control Set -> Services -> IPSEC -> ImagePath

This shows us:

```
system32\DRIVERS\ipsec.sys
```

Guess what's missing. That file. So I downloaded SP3 from Microsoft, & double clicked it, watching for the temp directory it creates. Enter that directory & you'll find \i386\ipsec.sy_

Unpack this file back to C:\windows\system32\drivers\ with a little:

```
expand ipsec.sy_ ipsec.sys
```

using full path names, the provided directions just have them both in local path.

& after a breath taking reboot, the desktop loaded like it should, quick fast & in a hurry, & a test nslookup ebay.com told me (& the customer) that everything is going to be alright.

Hope this helps, because I had a hell of a time getting this far.

-#2pencil-
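An added example, not part of the original post: the root cause above was a service whose `ImagePath` pointed at a file that no longer existed, and that check can be automated across every service while the drive is mounted on a Linux cleaning box. The function names, the `WINDOWS` directory name and all sample `ImagePath` values except the IPSEC one are assumptions made for illustration.

```python
import os
import re
import tempfile

def to_parts(image_path, windir="WINDOWS"):
    """Map a service ImagePath value to path components below the drive root."""
    p = image_path.strip()
    if p.startswith('"'):                      # quoted executable, arguments after it
        p = p[1:].split('"', 1)[0]
    else:                                      # unquoted: cut arguments after the file name
        m = re.match(r"(?i)(.*?\.(?:sys|exe|dll))(?=\s|$)", p)
        p = m.group(1) if m else p
    p = re.sub(r"^\\\?\?\\", "", p)            # NT object prefix \??\
    p = re.sub(r"(?i)^(\\systemroot|%systemroot%)(?=\\)", windir, p)
    if re.match(r"^[A-Za-z]:\\", p):           # absolute path: drop the drive letter
        p = p[3:]
    elif not p.lower().startswith(windir.lower() + "\\"):
        p = windir + "\\" + p                  # bare relative paths live under the Windows dir
    return [s for s in p.split("\\") if s]

def resolve_nocase(root, parts):
    """Walk parts under root ignoring case (a mounted Windows volume may be case-sensitive)."""
    cur = root
    for part in parts:
        try:
            cur = os.path.join(cur, next(e for e in os.listdir(cur) if e.lower() == part.lower()))
        except (StopIteration, OSError):
            return None
    return cur if os.path.isfile(cur) else None

def missing_images(root, services):
    """Return {service: ImagePath} for every entry whose file is absent under root."""
    return {n: p for n, p in services.items() if resolve_nocase(root, to_parts(p)) is None}

def demo():
    services = {   # constructed sample; only the IPSEC value is quoted in the post
        "IPSEC": r"system32\DRIVERS\ipsec.sys",
        "Tcpip": r"\SystemRoot\System32\drivers\tcpip.sys",
        "Dhcp": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
    }
    with tempfile.TemporaryDirectory() as root:   # constructed stand-in for the mounted drive
        sys32 = os.path.join(root, "WINDOWS", "system32")
        os.makedirs(os.path.join(sys32, "drivers"))
        for rel in ("svchost.exe", os.path.join("drivers", "tcpip.sys")):
            open(os.path.join(sys32, rel), "w").close()
        return missing_images(root, services)

if __name__ == "__main__":
    print(demo())
```

In practice the `services` mapping would be filled from the `ImagePath` values under the Services key of the machine being cleaned, and `root` would be the mount point of its system drive.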
Post: #2
I think you're allowed to boast for that one. Nice fix. It hasn't given any more problems since?
Administrator TechnoFyed Fundraiser
Post: #3
Customer picked it up Wednesday & was extremely happy. She was certain I was going to format it without asking her 1st. I did not get a call from her today & I would have expected one if she was upset.
-#2pencil-
Post: #4
Good job! You get repped for that one.
Administrator TechnoFyed Fundraiser
Post: #5
I never said good job on fixing this so good job.
TechnoFyed Forums Senior Staff Member