Archive for November, 2011

Unable to query host name with ipconfig and no internet

I was browsing multiple sites over the Internet and clicked on miserably known links. I would have clicked on some unknown links in between. After a while, the browser closed automatically. It had given me some message clearly, but I thought nothing had happened.

The next morning, I opened the system, but it was running pretty slowly, and I could scan my system using McAfee. This threw a bigger message at me: your system is infected by a virus.

You could guess what would have happened and how much bigger the damage would be. VIRUS, VIRUS and the Dangerous….!

The result is that my system (Windows XP) got infected with viruses (Backdoor:Win32/Smadow.gen!B, Trojan:Win32/FakeSysdef) and the damage is huge. Also, Microsoft had stopped support for Windows XP a couple of months ago.

Tension, tension, tension as this system has got lots of data and applications.

The damage is summarized below:

  1. Removed the McAfee-specific dll (OC****.dll), hence I can’t scan my system.
  2. The system is pretty slow.
  3. I am sure it would have impacted some system dlls, but I am not sure which ones.
  4. I don’t even know what other damage it has done.

What did I do to recover the damage?

  1. Uninstalled McAfee Enterprise (all features) except the McAfee Agent. It would not uninstall, with an error message that there are applications running that use the Agent. This doesn’t affect moving forward to install another anti-virus software.
  2. Installed McAfee again to see whether it could proceed anyway. I failed to get McAfee working on my machine after multiple tries – spent 5-6 hours on this to understand why it is not installing again.
  3. Lost hope on McAfee and started thinking of getting another anti-virus software.
  4. After an hour or two, I remembered the suggestion from my office TSS guy. The suggestion was ‘Install Microsoft Security Essentials’, and it is free for use from Microsoft.
  5. I downloaded Security Essentials from the Microsoft site using another laptop. Once it was installed and run for a FULL scan, it took around 4-5 hours.
  6. There were a couple of backdoors/trojans on the system and the recommendation was to remove those files as they badly impact the system.
  7. Backdoor:Win32/Smadow.gen!B – This had infected Windows\System32\drivers\ipsec.dll (would have impacted tcpip.sys also) and a couple of .sys files from the System Volume Information folder. With this, network connectivity would never happen. But there is no way to avoid that, as it is an infected file.
  8. The entries (ipsec and tcpip) would have been deleted from the registry at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\.
  9. When you run ‘ipconfig’ from the command prompt, you get:
    An Internal error occurred:The request is not supported.
    Please contact Microsoft Product Support Services
    Additional Information: Unable to query host name
  10. Trojan:Win32/FakeSysdef – It has deleted a couple of files from the Application Data folder.
  11. I need to reinstall Windows XP SP3 once again as well.
After this, lots of trials to get the system up, but nothing happened. I did many workarounds suggested by many folks over the Internet.
  1. Uninstalled the Ethernet drivers. Restarted the machine, no luck.
  2. Reinstalled Windows XP SP3. Restarted the machine, no luck.
  3. Compared with another XP laptop and understood that it had also removed tcpip.sys from the Windows\System32\drivers folder. tcpip.sys is a very important protocol driver and impacts the network on the system.
    To correct this:

    1. Option 1 – Tried installing Microsoft Fixit from [link missing in the original post]. This didn’t help. Then went to the below steps.
    2. Go to Control Panel.
    3. Open Network Connections.
    4. Select ‘Internet Protocol (TCP/IP)’ and uninstall. By the way, you cannot uninstall directly, as the Uninstall button is disabled here. Use the Windows Enabler tool (from [link missing in the original post]); a usage document is available along with the tool.
    5. Quick brief on that: you just need to run Windows Enabler.exe; the icon sits in the system tray.
    6. Open the network properties dialog and select ‘Internet Protocol (TCP/IP)’.
    7. Click on the icon in the system tray and then click on the disabled ‘Uninstall’ button; the tool enables the button.
    8. Click on the Uninstall button. This asks for a restart of the system. After the restart, it had brought back all the keys in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\tcpip\.
    9. Now you are good; the network connectivity happens.
    10. Connect your Ethernet cable to the system and you could observe that the lights were blinking.
  4. To get the ipsec.sys file back.
    To correct this:

    1. Copy the ipsec.sys file from a virus-free Windows XP machine. The file is available in the Windows\System32\drivers\ folder.
    2. Restart the machine.
    3. After the restart, it had brought back all the keys in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSec.
    4. Now, run ipconfig and HURRAY, the IP details have come back.
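As an added check that is not part of the original post, here is a small batch script for the XP command prompt that verifies the three things the recovery above depends on: the tcpip.sys and ipsec.sys driver files, the Tcpip and IPSec keys under HKLM\SYSTEM\CurrentControlSet\Services, and whether ipconfig still prints the "Unable to query host name" error. The file names and key paths are taken from the post; the script itself is written for this page and assumes only the built-in reg.exe, find.exe and ipconfig.exe.

```batch
@echo off
REM Added health check (not from the original post): confirms the files and
REM registry keys that the recovery steps restore on Windows XP.
setlocal

set DRV=%SystemRoot%\System32\drivers
set SVC=HKLM\SYSTEM\CurrentControlSet\Services
set PROBLEMS=0

REM 1. Driver files the infection removed (tcpip.sys, ipsec.sys).
for %%F in (tcpip.sys ipsec.sys) do (
    if exist "%DRV%\%%F" (
        echo [OK]      %DRV%\%%F present
    ) else (
        echo [MISSING] %DRV%\%%F
        set /a PROBLEMS+=1
    )
)

REM 2. Service keys that came back after the uninstall/restart steps.
for %%K in (Tcpip IPSec) do (
    reg query "%SVC%\%%K" >nul 2>&1
    if errorlevel 1 (
        echo [MISSING] %SVC%\%%K
        set /a PROBLEMS+=1
    ) else (
        echo [OK]      %SVC%\%%K present
    )
)

REM 3. The symptom itself: ipconfig failing with "Unable to query host name".
ipconfig 2>&1 | find /i "Unable to query host name" >nul
if not errorlevel 1 (
    echo [FAIL]    ipconfig still reports "Unable to query host name"
    set /a PROBLEMS+=1
) else (
    echo [OK]      ipconfig runs without the host name error
)

echo.
if %PROBLEMS%==0 (echo Result: all checks passed) else (echo Result: %PROBLEMS% problems found)
endlocal
```

Run it once before the repair to record what is missing and once after each restart to confirm the files and keys actually came back.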

Huh, I tried to connect to the Internet, and yes, the system is getting an IP address and also connecting to the Internet.

I re-ran the anti-virus and the system is clean as per the Security Essentials anti-virus. The whole process took me 3 days to get my system back to its previously known status, and I am posting this immediately for persons like you who have an issue like this.

Now, I can happily have a nice nap. Have a good time.

~ Gangadhar Kotu