Ah, another learning experience…
Customer can’t connect to the internet… it suddenly stopped 2 days ago (and the PC seems to be running slower since then).
I quickly pinpoint that the PC cannot get its DHCP information from the modem.
In fact, it behaves like the Ethernet port has developed a fault (an ipconfig returns: An internal error occurred… Unable to query host name).
I can see the system is running BigPond Internet Security (BIS)… a quick look shows that it protects against viruses, spyware, spam, etc. It looks like a Norton wannabe.
So, since an infection shouldn’t be a problem, I decide to boot from my BartPE CD… but it won’t boot.
I look at the BIOS and make sure the CD drive is set to boot before the HDD, but it still won’t boot (it boots from the HDD instead).
While in XP, it cannot read the contents of the CD…
Hmmm, do I have a faulty CD drive and a faulty Ethernet port? … possible, but unlikely.
I try plugging in an Ethernet card, but that also doesn’t work.
I decide to take the PC back to the office and carefully check it out.
I find the CD drive is faulty (a spare one works just fine).
I get annoyed with the slow PC, so I uninstall BigPond Internet Security (BIS) and install AntiVir and Windows Defender… I’ll update them once I’m connected to the net.
I boot BartPE, and it has no problem connecting to the internet over the Ethernet port.
I try running LSPFix and WinSockFix, but I start getting weird errors when running ipconfig (An error occurred while renewing interface local area network: An operation was attempted on something that is not a socket).
I take a look at the XP services, and many are disabled (BITS, Windows Firewall, Computer Browser, Application Layer Gateway Service, IPSEC Services, Logical Disk Manager). Trying to start them gives a few errors:
- error 1068: The dependency service or group failed to start
- error 10044: The support for the specified socket type does not exist in this address family
- error 10047: An address incompatible with the requested protocol was used
- error code -2147014852
I try “netsh winsock reset catalog” but it replies with: Unable to reset the Winsock catalog. The system cannot find the file specified.
I also try “netsh int ip reset reset.log”.
I try copying tcpip.sys and ndis.sys from another system: ahh, this works better: ipconfig shows the Ethernet interface has an IP address in the 169 range… not quite what I wanted, but better than before.
I run “sfc /scannow”… and I can finally connect to the internet (yay!).
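The steps above (checking the disabled services, resetting Winsock and TCP/IP, replacing tcpip.sys and ndis.sys, running sfc) collected into one batch file. This is an added example, not a script from the post; it assumes an XP machine run from an administrator cmd.exe, a log file at C:\netfix.log, the XP dllcache location for the Windows File Protection copies, and an optional first argument naming a folder that holds tcpip.sys and ndis.sys copied from a known-clean XP system at the same service pack (the approach the post took).

```batch
@echo off
REM Added example (not the author's script): one batch file for the Winsock /
REM TCP/IP repair sequence on an XP box. Run from cmd.exe as an administrator.
REM Assumptions: log path C:\netfix.log, the XP dllcache folder for WFP copies,
REM and an optional first argument naming a folder with clean tcpip.sys and
REM ndis.sys taken from a known-good XP system at the same service pack.
setlocal
set "LOG=C:\netfix.log"
set "CLEAN=%~1"
set "DRV=%SystemRoot%\system32\drivers"
set "CACHE=%SystemRoot%\system32\dllcache"

echo === netfix run %DATE% %TIME% === > "%LOG%"

REM 1. Networking-related services that were found disabled. Record start type
REM    and state, set them back to automatic and try to start them; any error
REM    text (1068, 10044, 10047, ...) lands in the log for the incident notes.
for %%S in (BITS SharedAccess Browser ALG PolicyAgent dmserver Dhcp Dnscache) do (
    echo --- service %%S --- >> "%LOG%"
    sc qc %%S | findstr /I "START_TYPE" >> "%LOG%"
    sc query %%S | findstr /I "STATE" >> "%LOG%"
    sc config %%S start= auto >> "%LOG%" 2>&1
    net start %%S >> "%LOG%" 2>&1
)

REM 2. Dump the Winsock catalog before touching it. A Layered Service Provider
REM    whose DLL is not a Microsoft file (the kind of entry LSPFix removes) is
REM    evidence worth keeping and submitting for a scan.
echo --- winsock catalog before reset --- >> "%LOG%"
netsh winsock show catalog >> "%LOG%" 2>&1

REM 3. Rebuild the Winsock catalog and reset the TCP/IP stack. On XP the first
REM    command can answer "The system cannot find the file specified" when the
REM    catalog still references an LSP DLL that a cleaner already deleted; the
REM    driver check and sfc below are the fallback for that case.
netsh winsock reset catalog >> "%LOG%" 2>&1
netsh int ip reset "C:\netsh-ip-reset.log" >> "%LOG%" 2>&1

REM 4. Compare the two core network drivers with the WFP copies in dllcache
REM    (fc /b sets errorlevel 1 on any difference or a missing file). If they
REM    differ and a clean-copy folder was given, restore from it. dllcache may
REM    itself have been tampered with, so it is used only for comparison.
for %%F in (tcpip.sys ndis.sys) do (
    fc /b "%DRV%\%%F" "%CACHE%\%%F" > nul 2>&1
    if errorlevel 1 (
        echo %%F differs from dllcache copy >> "%LOG%"
        if defined CLEAN if exist "%CLEAN%\%%F" copy /y "%CLEAN%\%%F" "%DRV%\%%F" >> "%LOG%"
    ) else (
        echo %%F matches dllcache copy >> "%LOG%"
    )
)

REM 5. Let Windows File Protection recheck every protected file (it needs the
REM    XP CD or a reachable i386 source if anything has to be replaced).
sfc /scannow

echo Done. Reboot, then run "ipconfig /all": a 169.254.x.x address means
echo the interface is up but DHCP is still not getting through.
type "%LOG%"
endlocal
```

Run it with the machine off the network: a box that is suspected of carrying a keylogger should not be put online before it is cleaned, and the post's own approach of pulling the drive and scanning it from a separate PC is the safer order. The Winsock catalog dump from step 2 is the piece to keep, because it names the LSP DLL that was hooking traffic; once the infected files are gone, the `netsh winsock reset catalog` in step 3 is the command to repeat, as the post does after the offline scan.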
I update AntiVir and Defender, and AntiVir immediately complains about: a5vdmow5yog.exe, cryptextq.dll, browselect.exe
So the system was infected! And BigPond I.S. didn’t even hint at there being a problem… Once again: a free antivirus beats a paid-for one…
But as expected, AntiVir cannot delete the infected files… soon after that, the internet connection drops out again… but I’m not worried now.
I remove the hard drive, scan it from the office PC (and remove the nasties), plug the HDD back into its home PC, and the network is fine (after I reset Winsock again using “netsh winsock reset catalog”).
I install my usual suite of internet protection software, and return the PC to the customer.
He is happy to have the PC back (I had the PC for about 1 week). I explain what I found, and he is understandably concerned about the infection.
He becomes even more concerned when I explain how spyware operates. He does internet banking, so, as usual, I urge him to change his password once I leave.
He does admit that his confidence in internet banking has been shaken. Partly because the idea of something monitoring your keystrokes is unsettling, and partly because he paid for protection which seemed to be ineffective.
And I’ve learned to not assume a security program will do what it should.