Windows XP SP3 -- "Failed to query TCP/IP settings..." - Geeks to Go Forums


Windows XP SP3 -- "Failed to query TCP/IP settings..."

#1 cramit02

  • Group: Member
  • Posts: 62
  • Joined: 06-July 10

Posted 23 February 2012 - 02:02 PM

Afternoon Geeks2Go, my name is Ted and I have a network issue.

I'm working on a company PC that just recently decided that it didn't want to connect to the internet any more. I don't know how long ago exactly or what actually happened, the field sent this to me for repair and I don't want to break down and format it just yet.

The machine is loaded with Windows XP SP3 and various anti-malware/spyware/etc tools. I do not have a restore disc at my disposal at the moment, but will when I get off work.

I start IE, it doesn't connect. I run the diagnostic and it comes back with "Not all base service provider entries could be found in the winsock catalog. A reset is needed." I let it run its repair, it restarts the machine and boots back up. I click on IE and the same issue. I go into my Network connections and see that it's connected. I go into the Connection properties and see 0 (zero) data transfer. I look for the current IP/Subnet/etc info and none is listed. I try to repair the connection and it comes back with "Failed to query TCP/IP settings of the connection". Ok, exit out. Start > Run > ipconfig. The window pops up for a brief second before disappearing. It only displays 3 lines that I had to PrntScrn to see: "An internal error occurred: The request is not supported. Please contact Microsoft Product Support Services for further help. Additional information: Unable to query host name." -- I uninstalled and reinstalled the ethernet card driver to see if that would have an effect, no go.

I've run MBAM, SUPERantiSpyware, TFC and AVG (before I uninstalled it) as a precaution... cookies and 450mb of junk only. I wondered if I could repair the network settings outside of Windows so I tried the Active BootDisk, it didn't see the ethernet card. I tried Hiren's Boot and it not only saw the ethernet card but it connected directly to the internet.

I'm not sure about what exactly is going on but that's where I'm at... Why is Hiren able to connect so easily? Any and all help would be greatly appreciated.

Thanks for your time,

Ted

#2 Ztruker

  • Group: Technician
  • Posts: 5,020
  • Joined: 01-December 07

Posted 23 February 2012 - 06:43 PM

Hi Ted, welcome to GeeksToGo.

Give WinSockXPFix a try, see if that fixes it for you: WinSockXPFix

If that doesn't do it, try Dial-A-Fix

I know there is a big, pink warning on the page but I've used this dozens of times without any problem. Just click the double green check mark icon at the bottom then click GO. Let it complete, reboot and see what happens.

For safety, backup the My Documents folder first.

#3 cramit02

  • Group: Member
  • Posts: 62
  • Joined: 06-July 10

Posted 24 February 2012 - 09:23 AM

Thanks for replying Ztruker,

I ran winsockxpfix.exe, forced restart, no change. Followed up with Dial-A-Fix, restarted, no change.

I have also noted that this machine has a 2-4 minute startup period between Windows Login screen to usable applications. For example I can open Windows Explorer but it takes 2-4min to populate any file information (flashlight is searching). Unsure as to what is causing that either. I do have my XP SP3 disc available to me and have backed up various files and drivers. I was going to run thru the recovery process and see if that changed anything but will wait for your input.

Thanks again,

Ted

#4 cramit02

  • Group: Member
  • Posts: 62
  • Joined: 06-July 10

Posted 24 February 2012 - 02:58 PM

ISSUE RESOLVED.

Thanks for your assistance Ztruker.

I suspected that this machine had been run thru the anti-virus/malware/adware gauntlet before it got to me when I saw logs (ComboFix, HijackThis, etc) that our field techs really have absolutely no reason to use. Apparently this machine had Microsoft Security Essentials on it at some point and MSE determined that the IPSEC.sys file was infected. MSE deleted the file from Windows\System32\drivers and without it apparently the internet is shot. -- I went ahead and copied the IPSEC.sys file over from another computer to the field-machine and restarted. Upon restart the Windows Login to Application use 2-4min delay was eliminated and the internet was restored.

Lots of pilfering the internet and various no-go solutions burnt through, I'm just happy it didn't result in slicking the machine.

Thanks again for your help and patience, let me know if you'd like any more details for future reference. Enjoy the weekend,

Ted

#5 Ztruker

  • Group: Technician
  • Posts: 5,020
  • Joined: 01-December 07

Posted 24 February 2012 - 05:06 PM

That is some good detective work. Hope I can remember as something to look at for future problems. How did you find out MSE deleted the file? Was it recorded in a log somewhere? If so, where?

Thanks for letting me know.

#6 cramit02

  • Group: Member
  • Posts: 62
  • Joined: 06-July 10

Posted 26 February 2012 - 09:22 AM

Microsoft Antimalware log found in: C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Support -- 2 Log files produced: "MPDetection-02212012-093641.log" and "MPLog-02212012-093641.log"; both show IPSec.sys as infected with TrojanDropper:Win32/Sirefef.B, MPLog reports the file being "cleaned/removed successfully". -- Sirefef.B infects/replaces a random system file. I can see why MSE deleted it but... it should have recognized and noted that it was a system file and maybe actually repaired it?

All of this only came around when I was snooping through the device manager again trying to id what was wrong (if anything) with the ethernet card. I couldn't find anything there so went a bit deeper by showing the hidden devices, looking into the "Non-Plug and Play Drivers" showed that IP Network Address Translator, IPSEC driver, and TCP/IP Protocol Driver were all absent or not working properly. I googled the heck out of these devices and came to [ http://jdsportsonlin...-the-issue.html ] it matched my issues and the attempted repairs along the way. I looked into my System32\drivers folder and sure enough ipsec.sys was missing. The machine was oddly loaded with anti-* software prior to me getting it with things that our field techs have no reason to use so I went ahead and searched for all logs that seemed out of place. Whoever had this machine before me went thru it with ComboFix, MBAM, SUPERantiSpyware, MSE, AVG, RKill, TDSSkiller, etc. None of them came back with any result aside from the MSE logs which did in fact detect and remove the file. The suggestion I got from the website above was to simply copy over the file from the working computer to the field computer (a 10sec job) and all would be well. I did, rebooted and BAM. Internet access along with 0 "Non-Plug and Play Driver" issues and a regular boot-up time.

Whoever was scanning (or was directing the scanning) should've given the infected list a once-over I think but they definitely threw all they could think of at it...

If you'd like any more information (or copies of the logs) let me know. I'll be shipping this pc back out to the field after I run it through my own process of sorts.

Have a good one,

Ted
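The check described in the post above (a driver file removed from System32\drivers taking the services stacked on it down with it), as an added example that is not part of the original thread. The service table and its dependency edges are a constructed sample modeled on the symptoms reported here, not values read from a real registry, and `audit`, `exists_nocase` and `demo` are hypothetical names.

```python
import os
import tempfile

# Constructed sample: service -> (driver path relative to the Windows directory,
# services it depends on). On a live system these would come from ImagePath and
# DependOnService under HKLM\SYSTEM\CurrentControlSet\Services.
SAMPLE_SERVICES = {
    "IPSec": (r"system32\DRIVERS\ipsec.sys", []),
    "Tcpip": (r"system32\DRIVERS\tcpip.sys", ["IPSec"]),
    "IpNat": (r"system32\DRIVERS\ipnat.sys", ["Tcpip"]),
    "NetBT": (r"system32\DRIVERS\netbt.sys", ["Tcpip"]),
}

def exists_nocase(root, rel_path):
    """Resolve a Windows-style relative path case-insensitively under root."""
    current = root
    for part in rel_path.replace("\\", "/").split("/"):
        if not os.path.isdir(current):
            return False
        names = {e.lower(): e for e in os.listdir(current)}
        if part.lower() not in names:
            return False
        current = os.path.join(current, names[part.lower()])
    return os.path.isfile(current)

def audit(services, windows_dir):
    """Return (missing, blocked): services whose driver file is absent, and
    services that cannot start because something they depend on is broken."""
    missing = {n for n, (path, _) in services.items()
               if not exists_nocase(windows_dir, path)}
    broken = set(missing)
    while True:  # propagate failure along dependency edges until stable
        newly = {n for n, (_, deps) in services.items()
                 if n not in broken and broken.intersection(deps)}
        if not newly:
            break
        broken |= newly
    return sorted(missing), sorted(broken - missing)

def demo():
    """Build a throwaway Windows tree with ipsec.sys absent and audit it."""
    with tempfile.TemporaryDirectory() as win:
        drivers = os.path.join(win, "System32", "drivers")
        os.makedirs(drivers)
        for fname in ("TCPIP.SYS", "ipnat.sys", "netbt.sys"):
            open(os.path.join(drivers, fname), "w").close()
        return audit(SAMPLE_SERVICES, win)

if __name__ == "__main__":
    print(demo())
```

Separating "file missing" from "blocked by a dependency" points at the one file to restore from a known-good source instead of reinstalling every driver that shows an error.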

#7 Lappith

  • Group: Member
  • Posts: 1
  • Joined: 26-February 12

Posted 26 February 2012 - 10:19 AM

Ted, thanks for the solution. I have been stuck with this problem for a while now and nothing has worked. I realized that my ipsec.sys file was missing, but after finding it in another location I copied it over into my system32/drivers file. After rebooting, I don't get a TCP/IP error message, but instead my connection won't stop trying to acquire a network address. Any ideas what is wrong?

Also, in my device manager I still have an error with AFD and Netbios over Tcpip.

#8 cramit02

  • Group: Member
  • Posts: 62
  • Joined: 06-July 10

Posted 26 February 2012 - 10:58 AM

Really I can't help you on this forum as I'm not a registered Tech, apologies. Do you have a thread started already describing the issue and what you've tried to do to resolve it so far? If so I can look at it from there and throw out my 2 cents. I'd ask for all of that information here in this thread but that may confuse the Tech currently assisting with my particular issue.

If you don't want to start a new thread you can shoot me a private message with all of your XP information, symptoms and attempted fixes but again I'm not certified to help and without having the machine in front of me (or remote access) I'll essentially just be throwing out ideas. I'm a visual guy, I need to be able to see the errors as they occur to trace them backwards to point of origin. I am looking into the symptoms you've provided so far but honestly I'd need more details. If I find anything I'll shoot you a message.

Ted
