Solved tcp/ip problem means no internet.

May 17, 2012 at 09:29:38
Specs: XP Home, 2.5/1gig
After a malware attack that's definitely all gone I have a problem with the internet. The network connection says it's connected but there's no ip address and obviously no actual internet connection. I've uninstalled & reinstalled the network adapter, gone through all of the netsh fixes, winsock repair tools etc. all to no avail, all the settings are as they should be. The error that continually comes up is "failed to query tcp/ip settings of the connection" and I've been through as many fixes as I can find including uninstalling and reinstalling tcp/ip as described HERE but still no joy.

I really don't want to have to do a repair/reinstall so any other suggestions would be welcome.

"I've always been mad, I know I've been mad, like the most of us..." Pink Floyd





#1
May 17, 2012 at 09:50:44
Any system restore points to before the infection available?

Answers are only as good as the information you provide.
How to properly post a question:
Sorry no tech support via PM's



#2
May 17, 2012 at 09:58:40
No, all System Restore points gone as part of the cleanup. I've also just noticed that I cannot open the Management Console - wanted to see if all services were running - and I get a 'sorry for the inconvenience' message. I'm beginning to think this runs a lot deeper than I originally thought.

"I've always been mad, I know I've been mad, like the most of us..." Pink Floyd



#3
May 17, 2012 at 12:23:47
If you refuse to fix it the right way then I can suggest a most complex way.

Create a virtual machine with the exact setup as you think you should have. Then compare file by file in a bit by bit test to see what has failed.

Hang up and live.



#4
May 17, 2012 at 13:11:27
Thanks, but I sense a note of sarcasm in your reply ;-). I was hoping not to get the standard 'geek-squad' response of 'reinstall, reinstall' when it would be nice to find out if there is a repair that works without having to do that. The bit-by-bit suggestion probably wouldn't work anyway as it's almost certainly a combination of issues, but I have a few other ideas from other sites & forums that I'll be looking at tomorrow. Shall post back when I'm successful.

"I've always been mad, I know I've been mad, like the most of us..." Pink Floyd



#5
May 17, 2012 at 14:49:10
Have you tried the system file checker? open a run box and type SFC /SCANNOW
Have you tried the Winsock repair tool? http://majorgeeks.com/WinSock_XP_Fi...


#6
May 17, 2012 at 19:19:13
"Have you tried the system file checker? open a run box and type SFC /SCANNOW"

That won't work unless the source that it checks against, either a Windows XP CD, or a pre-installed source (the \i386 folder and its contents) on a brand name system computer in which case you don't need the Windows CD, has the same SPx updates version as the Windows installation does, which should be the SP3 updates.
SFC won't accept the source as a valid source otherwise, and you can't easily quit running SFC once it has started running.
....

"The network connection says it's connected but there's no ip address and obviously no actual internet connection."

The network connection working e.g. at 100 mbps, or 1 gbps, or 54 mbps, indicates ONLY that the network connection is working between Windows and the network adapter on the same computer.

Are you trying to connect to the internet ....

- wirelessly ?,
- or via a wired (network cable) connection ?

- via a dial-up modem ?
- or via a standalone high speed modem ?,
- or via a standalone router connected to a standalone high speed modem ?,
- or via a combo router / high speed modem ?



#7
May 17, 2012 at 23:13:18
Yes, I've run SFC a couple of times using both the i386 folder and also, just out of interest, using a slipstreamed XP disk, and used all of the standard repair tools that would normally do the job (including 'Complete Internet Repair Tool' which I've used in the past and can usually recommend).

The internet connection itself is fine, it's wired to a Virgin cable modem/router and as well as the other PCs on the system working fine I've checked the actual connection by plugging a laptop in using the same cable/port.

The system originally only had SP2 installed, so I've updated to SP3 (using the full download burnt to disk) in the hope that it would repair any missing/corrupted files, but still no joy.

"I've always been mad, I know I've been mad, like the most of us..." Pink Floyd



#8
May 18, 2012 at 01:54:43
✔ Best Answer
Problem sorted. The issue was with another missing driver file - ipsec.sys. No idea why sfc didn't pick up that this was missing and it was just by going back through event viewer and seeing what info I could get from that. Copied from i386 folder & all happily connecting now.

"I've always been mad, I know I've been mad, like the most of us..." Pink Floyd



#9
May 18, 2012 at 08:06:00
I have seen thousands of issues with malware and such. In almost every case the system was left in an unknown state such as was yours.

I still prefer to fix it by "nuking it from high orbit. It is the only way to be sure."

Hang up and live.



#10
May 18, 2012 at 09:07:58
"Problem sorted. The issue was with another missing driver file - ipsec.sys."

So you fixed the problem of not having an internet connection on the subject computer ?
If so, we're glad to hear you solved the problem !

"No idea why sfc didn't pick up that this was missing ..."

SFC /SCANNOW checks for missing or corrupted "essential" system files, and replaces the ones it finds are missing or corrupted. What it considers to be "essential" Microsoft doesn't specify.
It certainly does NOT check for all system files that came with whatever version of XP, without any Windows SP updates, or with Windows SPx updates.
I have used SFC /SCANNOW many times, and usually using it does NOT fix the problem I was having in XP.

When you use it in 2000 or XP, there is no log file you can look at after SFC has run, but there is one when you run it in Vista and Windows 7.

ipsec.sys file information
http://www.file.net/process/ipsec.s...

"File ipsec.sys is a trustworthy file from Microsoft."

Etc.


Apparently, sometimes ipsec.sys has been infected by malware.

E.g.

Trojan Horse Agent_r.BCA
http://forums.avg.com/ca-en/avg-for...

If an anti-malware program detects that a file is infected but it can't remove the infection from a file such that the original file is restored to what it should be, it either deletes the file, or it moves it to a "virus vault" or similar. If Windows doesn't automatically replace it after Restarting Windows (which it can do for a small number of files), then that file is no longer in Windows.
.......

Do you still have this problem ?

" I've also just noticed that I cannot open the Management Console - wanted to see if all services were running - and I get a 'sorry for the inconvenience' message..."

If yes, which console ?
Computer Management ?
Administrative Tools ?

Did you notice that AFTER you had installed the SP3 updates, but not BEFORE you had installed them ?
.......

One of the most frequent reasons for having problems AFTER having installed SP3 updates is this....

NOTE that sometimes the resident module(s) of anti-malware programs - a part that runs all the time scanning for suspicious activity - will interfere with the proper installation of third party software, or major Microsoft updates that cannot be installed automatically by Automatic Update, the software will not install properly, and you may get no indication of that at all while installing the software.
To avoid that possibility, you should always DISABLE the resident module(s) of anti-malware programs, BEFORE you install third party software (software other than most Microsoft Updates, etc., that did not come with Windows), especially when it's a major or complicated software package.
E.g. if you are using the free or paid version of AVG, you should disable the Resident Shield in AVG's settings in Windows (in AVG 2012 that's done under the title AntiVirus). In Norton (Symantec) products, there may be several things you need to disable, or set so they don't load for a specific short amount of time.
If you don't know how to do that, tell us which anti-malware software you are using.
When you are sure the software has installed correctly, re-enable the resident module(s).

Further info...

How to disable your security applications
http://www.techsupportforum.com/for...

If you DID NOT do that, un-install the SP3 updates (if you left the files intact that are necessary to be able to do that, you will be able to un-install them in Add or Remove Programs), disable your resident modules, and install the SP3 updates again.

Side notes
It's a good idea to un-install IE 7 or 8 BEFORE you install the SP3 updates, and then install IE 8 AFTER you have installed them. If something goes wrong with IE 7 or 8 that requires that it must be un-installed, you will NOT be able to do that after the SP3 updates have been installed, if IE 7 or 8 was still installed when you installed the SP3 updates.
.......

Running a Repair installation of Windows procedure, for XP, often called a Repair install, will NOT delete the data that you have added to the same partition Windows itself was installed on.
Running it has fixed a lot more problems for me than running SFC /SCANNOW has, however, running it can't fix all problems either.
It's worth trying running it because it takes less time to run than the Setup originally did. You will know, usually in less than an hour, whether running it has fixed your problem.

See response 10:
http://www.computing.net/answers/wi...

Scroll down to:

"- If that doesn't help, you can try running a Repair installation of Windows"

Also - if you have the mboard's bios Setup set to have the SATA drive controllers in SATA or AHCI (or SATA RAID) mode....

See this (the same applies for the Repair installation of Windows procedure).....

Installing XP and SATA drive controllers, SATA drives; the SATA drive controller bios settings.

See response 2:
http://www.computing.net/answers/ha...



#11
May 18, 2012 at 09:42:44
Thanks for your in-depth response. Yes, I agree that the malware must have infected the ipsec.sys file and if it is a common fault then this thread will hopefully help others in the same situation in the future. I used Kaspersky and Malwarebytes on the cleanup & I didn't see it in the list of files that were cleaned so I'll leave that as a bit of a mystery.

The problem with the Management Console was cured after installing SP3, it was only the 'services' module that was affected, starting it brought up a blank window in front of it - the actual list of services could be seen behind and closing the blank window closed Services as well, then the 'send error report' appeared. Annoying but, as I say, cured & there are no other issues to report.

There were no security programs running at all (hence the problem in the first place, the user was under the impression they had TalkTalk's own security!!.........) They have now got a full, proper security suite.

The system only had an IDE drive but it also had 4 user accounts with quite a lot of data in each, hence my unwillingness to do a repair install unless absolutely necessary and, as I say, the fact that it was only one file that was screwing up the internet access is a useful one to bear in mind.

"I've always been mad, I know I've been mad, like the most of us..." Pink Floyd



#12
May 18, 2012 at 12:13:35
Thanks for the thanks.

It can be difficult to find the info about which files were infected - what they are infected with is usually what anti-malware software shows you prominently. You may not be able to get to the file at the end of the location.

Malwarebytes makes a log file for every time you use it to remove malware. You may find if you search that for: ipsec.sys that's in there.

Similar may apply for the Kaspersky software.

If the problem could have been fixed by running the Repair installation of Windows procedure, it would probably have fixed the problem for all the users no matter how many users the Windows installation has, and it takes less than an hour to try.


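The two checks discussed in this thread (comparing the drivers folder against a known-good copy, then searching the cleanup logs for whatever is missing), as an added example that is not part of any poster's reply. It assumes a reference drivers folder from a clean install at the same service pack level and plain-text `.txt` scan logs; the function names, stand-in files and log line are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def driver_files(folder):
    # Windows file names are case-insensitive, so key on the lower-cased name.
    return {p.name.lower(): p for p in Path(folder).iterdir()
            if p.is_file() and p.suffix.lower() == ".sys"}

def audit_drivers(suspect_dir, reference_dir):
    """Compare a cleaned machine's drivers folder against a known-good copy."""
    suspect, reference = driver_files(suspect_dir), driver_files(reference_dir)
    missing = sorted(n for n in reference if n not in suspect)
    changed = sorted(n for n in reference if n in suspect
                     and sha256_of(suspect[n]) != sha256_of(reference[n]))
    return missing, changed

def log_mentions(names, log_dir):
    """Find cleanup-log lines naming any flagged driver (case-insensitive)."""
    hits = {}
    for log in sorted(Path(log_dir).glob("*.txt")):
        text = log.read_text(errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            for name in names:
                if name in line.lower():
                    hits.setdefault(name, []).append((log.name, lineno))
    return hits

def demo():
    # Constructed sample data: tiny stand-in files, not real drivers or real logs.
    root = Path(tempfile.mkdtemp())
    good, bad, logs = root / "reference", root / "suspect", root / "logs"
    for d in (good, bad, logs):
        d.mkdir()
    for name, data in (("ipsec.sys", b"A"), ("tcpip.sys", b"B"), ("afd.sys", b"C")):
        (good / name).write_bytes(data)
    (bad / "TCPIP.SYS").write_bytes(b"B")       # present and identical
    (bad / "afd.sys").write_bytes(b"modified")  # present but differs
    (logs / "scan-log.txt").write_text(
        "Scan started\nFile removed: C:\\WINDOWS\\system32\\drivers\\ipsec.sys\n")
    missing, changed = audit_drivers(bad, good)
    return missing, changed, log_mentions(missing + changed, logs)

if __name__ == "__main__":
    print(demo())
```

A reference folder at a different service pack level will show up as a long "changed" list, so match the SP level before trusting that column.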

#13
May 18, 2012 at 12:22:09
Regular backups protect important data.

This was the original problem for us.
"I really don't want to have to do a repair/reinstall so any other suggestions would be welcome."

Hang up and live.

