12/7/04

Spyware/Adware Removal Disables Windows98 Machine

I am writing this brief "incident report" because when I was trying to find information about this problem, searching on the Internet turned up nothing useful. I am hoping to help someone else with this same problem when he or she searches for "Win98" and "TCP/IP problem" or "No TCP/IP" or even "loss of network." And to the "Why Windows 98 in 2004?" question, is the obvious answer: an old but adequate computer.

The symptoms. IP networking stopped. I mean just stopped. The system was using a wireless NIC for access to our home network and the Internet. When that happened I figured that that was the problem. I pulled out my notebook PC and the wireless worked fine. The wireless software on the W98 machine says it was connecting, but I could not get to the WAP (via web page for administration). This should have been a hint to me. Lower level networking worked, but I could not make a TCP/IP connection.

I moved the computer to where I could use twisted pair Ethernet. I found that I could see systems in the "Network Neighborhood." I could get to shares on my Linux box. I could print from my XP machine to the printer on the troubled W98 computer. (This met the need of the moment for my wife who needed to use an XP application but print to her printer, a printer that could not be used on my system.) I could PING and TRACERT in an MSDOS window, but could not TELNET or RSH to the system I could PING. The problem persisted. I talked to my friend, Rick, who could lay hands on a computer and heal it (no, really... ask Marcus) but he wasn't close enough to touch it. He did, of course, put me onto the right path.

What worked.With my Windows 98 SE CD at the ready just in case, I went to the Control Panel, Network, and removed all adapters and all network bindings. (Actually, I removed all adapters except one I wasn't using anyway. This proved to be a mistake. Remove all of them!) Then I went to the Device Manager in System and made sure the network adapters were removed. You want the system to remove all IP networking from the kernel. Then I rebooted.

It found the first network adapter. I walked through the installation of the newly (re)found hardware. I was able to just say "ignore file" each time it looked for a software module it needed for the network hardware because those files were all still on the computer, but if you are uncertain keep pointing the system to the CD to find the files. It will tell you if the file it already has is newer than the one on the CD. Use the newer one. Reminder: You may have to configure network properties for these devices and reboot.

Success. After rebooting for the first adapter, then the second, the system came all the way up, and the first thing displayed was a notification that there were critical updates to install. BINGO! TCP/IP was working -- the system had contacted the Internet.

What made this mess? I think it was "malware" of some sort. Rick said a few times, "It almost sounds like it is a firewall issue. But, I had disabled the PC-firewall for testing, and the network firewall was not coming into play. TCP/IP failed to work from this machine to others on my own network using IP addresses instead of hostnames. But, Rick was right as always. I think -- and this is conjecture on my part -- some spyware program had shimmed itself in the IP stream to be able to "help" the system's user. At some point I killed off the process and stopped it from starting up. Since it had modified the IP stack, without it TCP/IP did not work. When I removed all network components and reinstalled them, all of that was rebuilt. After installing all critical updates I installed a malware cleaning program and got rid of a whole bunch of adware and spyware. It is working well now.

No comments: