Help with long term network problem

Chuck

> Hi Chuck,
>
> We are on a different time zone here, no daylight time, so 2 hours
> different than your Pacific Time.
>
> I will read through the MS paper you pointed to. I will set up the
> PIS so I can reinstall and register, but will remove it completely from
> a few computers at a time and try pinging.
>
> It will be Friday before I get back to this. I am persistent and I have
> been working on this for nearly 2 months or more intermittently. Being
> 20:30 here now I need to get on to other things and we are normally up
> here at 04:30 and after I run in the morning I will tackle this again
> after 07:30 here.
>
> FYI I had the dude from the Chicago Web site who is also a MS Net
> guru... he gave up after 3 days.
>
> But seems he did not have the level of detail you have on your site.
>
> Is there any benefit to running the CDIAG script you set up and
> reporting?
>
> Thanks,
>
> Bruce

Bruce,

We may yet get to doing CDiag, but it will have to be run on all 4 computers,
and when all 4 are online. Is it a total of just 4 computers, or are there any
others that are occasionally involved? Interpreting CDiag from just 3 computers
I've done from time to time, and that is a task. Doing 4 will be real fun.

When you're ready to do CDiag on all computers during the same session, let me
know. I'll need a comprehensive list of computer name and IP address, from
"ipconfig /all", and it has to be absolutely accurate.

Somehow we have to solve the "There are 2 domains in domain WCSBZ" bit, for
that, I believe, shows a segmented workgroup. I'm not sure if CDiag will help
us isolate that.
<http://nitecruzr.blogspot.com/2005/08/browsing-across-subnets.html>

Was that ChicagoTech, the website you're mentioning, the guy who tried to ping
the various computers?

I can't promise to find the problem for sure, but both of us will learn a bit
before giving up, and way more than 3 days. Good luck with the MS white paper.
It's intense. Post when you're ready.
 
Chuck

> One more thing. I read on one of the sites months ago that you can
> force a machine to be the master browser by editing the registry. I
> lost my notes on that change and I may have edited the DATA computer
> registry to force that. The Chicago guy had me edit some other stuff
> but when none of it worked I did a restore to previous date by a month
> to clear all of those changes. In any case browser services are
> stopped on the DATA computer now in any case.

You absolutely have to have at least 1 computer running the browser, and you
generally use 2 if you have more than 2 computers total. But for now, just use
1 computer, and make sure that one computer (Neobat?) is online to the others 7
x 24 x 52.

If you're going to force 1 computer, fine. It's better though to have the
browser running on 2, and let them elect one by themselves as master browser.
That way, if the master browser goes down for any reason, the backup will take
up the job.

But first we gotta figure out why Dell8400 shows "Browsing is NOT active on
domain.", yet Neobat shows "Browsing is active on domain. Master browser name
is: NEOBAT".
 
Gallon_Jug

This may or may not be relevant. When the CNET Wireless router was
initially set up it was by default set as a DHCP server, but I have
since assigned static IP addresses for each machine so they would not
change. The odd thing is that when the router was set as a DHCP server
the DATA computer would show up on the DHCP Client List on the router
with two IP addresses: the static one assigned to the local area
connection and one that DID not match the static address.

There are two network cards in the DATA computer. The one on the
mother board stopped working so I installed another and it has worked
fine. The network card on the motherboard has been uninstalled and
disabled. The network problems may be related to replacing the wired
router with the wireless router, but again the system worked well for
4-5 months w/o a problem after that change.

I even took the DATA computer off-line assuming that somehow this was
the guilty unit and replaced it with the DELL-8400 as file and print
server but the network problems continued.
 
Gallon_Jug

I assume that it is not possible to simply reset ALL computers to a
"default" like a fresh WINXP Pro w/SP2 set up pre-networking setup and
start the networking setup as if it had never been set up?
 
Gallon_Jug

Good morning Chuck,

OK the plot thickens as they say.

Connectivity depends on what order computers are cold booted to begin
with. As I understand it from your informative pages the Master
Browser will frequently be the first machine started on a network.

I powered off all computers before we went for the morning run and on
return started up DATA, then CMM, then NEOBAT. Dell8400 was not started
and left off as was the notebook.

Now Browstat status for DATA it is listed as MASTER Browser, and all 3
active computers show up in the workgroup WCSBZ on DATA. DATA can now
connect to CMM but not NEOBAT. CMM Browstat shows browsing is active
and 1 master and back up found on DATA and can now connect to the
mapped network drive on DATA and can access the shared printer.

NEOBAT booted last now indicates BROWSING is NOT ACTIVE on NETWORK, and
it can not connect to other computer and they can not connect to
NEOBAT.

NEOBAT does show up in the network workgroup in Explorer from the other
two computers and they show up on NEOBAT, but none are available for
NEOBAT.

I have now booted the Dell8400 and browstat status shows browsing is
active but Master name cannot be determined Using \\DATA could not
connect registry error =53. Backup server retrieved from DATA unable
to retrieve server list from DATA :53.

So this is not specific to NEOBAT?

I will begin removing the Panda security and see what happens. Can I
do this with 2 computers and simply have them off of the router and
only connected via the network switch and test browsing and
connectivity? I can easily connect the other two CMM & NEOBAT directly
to the Router and they will not be part of the network testing.

Or do I need to shut down the entire system to test this?

Cheers from the jungles of Belize
 
Chuck

> I assume that it is not possible to simply reset ALL computers to a
> "default" like a fresh WINXP Pro w/SP2 set up pre-networking setup and
> start the networking setup as if it had never been set up?

Bruce,

It's always possible. Depending upon the problem, this may be successful, or
may not be. And if the computers are something that you depend upon, you may be
able to conduct your business until this is done, or this could be a major
headache.

If the problem is something that is resolved by a reset, anyway.

Your earlier problem report mentioned "laptops". Are there more, besides
Dell_D510? Or is your network a total of 4 computers? I'd really like to
define the scope of your problem first.
 
Chuck

> Good morning Chuck,
>
> OK the plot thickens as they say.
>
> Connectivity depends on what order computers are cold booted to begin
> with. As I understand it from your informative pages the Master
> Browser will frequently be the first machine started on a network.
>
> I powered off all computers before we went for the morning run and on
> return started up DATA, then CMM, then NEOBAT. Dell8400 was not started
> and left off as was the notebook.
>
> Now Browstat status for DATA it is listed as MASTER Browser, and all 3
> active computers show up in the workgroup WCSBZ on DATA. DATA can now
> connect to CMM but not NEOBAT. CMM Browstat shows browsing is active
> and 1 master and back up found on DATA and can now connect to the
> mapped network drive on DATA and can access the shared printer.
>
> NEOBAT booted last now indicates BROWSING is NOT ACTIVE on NETWORK, and
> it can not connect to other computer and they can not connect to
> NEOBAT.
>
> NEOBAT does show up in the network workgroup in Explorer from the other
> two computers and they show up on NEOBAT, but none are available for
> NEOBAT.
>
> I have now booted the Dell8400 and browstat status shows browsing is
> active but Master name cannot be determined Using \\DATA could not
> connect registry error =53. Backup server retrieved from DATA unable
> to retrieve server list from DATA :53.
>
> So this is not specific to NEOBAT?
>
> I will begin removing the Panda security and see what happens. Can I
> do this with 2 computers and simply have them off of the router and
> only connected via the network switch and test browsing and
> connectivity? I can easily connect the other two CMM & NEOBAT directly
> to the Router and they will not be part of the network testing.
>
> Or do I need to shut down the entire system to test this?
>
> Cheers from the jungles of Belize

Bruce,

If you're going to test the problem with PIS un installed, you'll have to do
this with each computer ON the router, and connected as normal. As I said
earlier, the value of a personal firewall is to protect the individual computers
from each other. You're going to have to risk it, because with your changing
problem, doing any testing with the computers isolated from each other in any
way is a waste of time. You've got too many variables here, don't add more.

I want to research the router. What is the exact make and model?

How many computers do you have running the browser service? Didn't we discuss
shutting down the browser on all but 2?

And as I asked earlier, how many computers in total are we looking at?

Just in case I haven't shared yet, my approach to solving a problem like yours
is slow and methodical. First, define the scope of the problem, including all
of the computers involved. Next, analyse the problem. Then, make 1 change, and
observe the problem again. You have to make 1 change at a time. Changing the
boot order is a good change. Un installing PIS, and disconnecting computers
from the router (after changing the boot order) wouldn't necessarily be good.
<http://nitecruzr.blogspot.com/2005/08/solving-network-problems-tutorial.html>

When you have multiple computers running the browser, changing the boot order
can be expected to change the symptoms. With no other problems on the network,
a clean restart of all computers should simply elect a new master browser, and
all computers should be fine. No matter if you have 1 computer, 2 computers, or
all computers running the browser, as long as you start the day by powering each
computer up, one computer should be elected master browser and all should be
well.

But you have this scenario where one or more computers shows "could not connect
registry error = 53", and "Browsing is NOT active on domain.". This indicates
problems. As you bring your computers up in a different order, and get a
different master browser, do the computers displaying these errors change?

I have to wonder if the router isn't part of the problem. Googling for "CNET
wireless router" gets me a lot of CNET wireless router reviews. No mentions of
any network hardware branded "CNET". What is the exact make and model of this
router? Be as precise and complete as possible please.
 
Gallon_Jug

Thanks Chuck,

Here is a list of the entire system with status. All 24/7 are hard
wired to network switch.

User       IP            MAC                Status
DATA       192.168.0.2   00-50-DA-C9-AD-32  24/7
NEOBAT     192.168.0.4   00-12-3F-3B-29-A3  24/7
CMM-8200   192.168.0.3   00-08-A1-22-B8-66  24/7
DELL-510   192.168.0.7   00-13-CE-11-52-93  WIFI as needed
DELL 8400  192.168.0.5   00-11-11-3D-F2-29  24/7
Miguelito  192.168.0.6   00-14-A5-10-2B-EC  WIFI as needed
Bliss      192.168.0.14  00-13-CE-2B-44-15  WIFI as needed


Using a CNET network switch connected to a CNet Wireless G router Model
CWR-854. The settings on the router are for NO DHCP and all are set
as fixed IP addresses.

I have everything back on the system and connected again. I understand
the need to test with everything in normal connections as the target
keeps moving when I reconnect/boot etc. Hard to nail it down. I just
assumed from some other sites knowing how each computer was behaving
may have helped isolate the problem to a specific one.

As a research scientist I understand looking at only one variable at a
time to determine cause and effect. So no problem on a slow methodical
plod. I have spent about a month off and on reading all of your varied
sections for error 53, 5 need for clean set up etc. and I have made
some changes like set all node types to Broadcast etc.

I will have to wait until Saturday when we are not working and need to
be connected for email etc. to take down the internet security. The
router does not stop hacking attempts as Panda had stopped many since
our ISP uses a fixed IP address. Not to mention a continual stream of
spy/adware crap from visiting web sites.

I am patient and if you are willing to work with me on this even though
I am very frustrated these days with a network that ran smoothly for
some 8 years and WHAM is all screwed up.

Thanks again

Bruce
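
An added example, not part of any post in this thread: one way to check a hand-typed machine list against what each computer reports in `ipconfig /all`, which is the accuracy Chuck asks for. The captures are constructed (names, IPs and MACs come from the table above; DATA's second adapter, its `02-00-...` MAC, NEOBAT's node type and the short host name `CMM` are invented to exercise the checks), and `parse_ipconfig` and `audit` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Hand-typed list from the thread, name -> (IP, MAC); three of the seven rows.
EXPECTED = {
    "DATA": ("192.168.0.2", "00-50-DA-C9-AD-32"),
    "NEOBAT": ("192.168.0.4", "00-12-3F-3B-29-A3"),
    "CMM-8200": ("192.168.0.3", "00-08-A1-22-B8-66"),
}

# Constructed "ipconfig /all" captures (Windows XP layout, trimmed to the fields used).
# Invented: DATA's second adapter, NEOBAT's node type, CMM's reported host name.
DUMPS = ["""Windows IP Configuration
        Host Name . . . . . . . . . . . . : DATA
        Node Type . . . . . . . . . . . . : Broadcast
Ethernet adapter Local Area Connection 2:
        Physical Address. . . . . . . . . : 00-50-DA-C9-AD-32
        IP Address. . . . . . . . . . . . : 192.168.0.2
Ethernet adapter Local Area Connection:
        Physical Address. . . . . . . . . : 02-00-00-00-00-01
        IP Address. . . . . . . . . . . . : 192.168.0.4
""", """Windows IP Configuration
        Host Name . . . . . . . . . . . . : NEOBAT
        Node Type . . . . . . . . . . . . : Hybrid
Ethernet adapter Local Area Connection:
        Physical Address. . . . . . . . . : 00-12-3F-3B-29-A3
        IP Address. . . . . . . . . . . . : 192.168.0.4
""", """Windows IP Configuration
        Host Name . . . . . . . . . . . . : CMM
        Node Type . . . . . . . . . . . . : Broadcast
Ethernet adapter Local Area Connection:
        Physical Address. . . . . . . . . : 00-08-A1-22-B8-66
        IP Address. . . . . . . . . . . . : 192.168.0.3
"""]

FIELD = re.compile(r"^\s+(.+?)[ .]*:\s*(.*)$")       # "  Label . . . : value"
ADAPTER = re.compile(r"^\S.*\badapter (.+):\s*$")    # "Ethernet adapter <name>:"

def parse_ipconfig(text):
    """Parse one capture into {'name', 'node_type', 'adapters': [{'name','mac','ips'}]}."""
    host, adapter = {"name": None, "node_type": None, "adapters": []}, None
    for line in text.splitlines():
        if m := ADAPTER.match(line):
            adapter = {"name": m.group(1), "mac": None, "ips": []}
            host["adapters"].append(adapter)
        elif m := FIELD.match(line):
            key, value = m.group(1).lower(), m.group(2).strip()
            if key == "host name":
                host["name"] = value.upper()
            elif key == "node type":
                host["node_type"] = value
            elif adapter is not None and key == "physical address":
                adapter["mac"] = value.upper()
            elif adapter is not None and key == "ip address" and value != "0.0.0.0":
                adapter["ips"].append(value)
    return host

def audit(hosts, expected):
    """Return sorted (kind, subject, detail) findings for captures vs. the typed list."""
    findings, ip_owner, node_types = [], defaultdict(set), defaultdict(set)
    for h in hosts:
        node_types[h["node_type"] or "unknown"].add(h["name"])
        live = [(ip, a["mac"]) for a in h["adapters"] for ip in a["ips"]]
        for ip, _ in live:
            ip_owner[ip].add(h["name"])
        if len(live) > 1:  # this machine reports more than one address
            findings.append(("multihomed", h["name"], ", ".join(ip for ip, _ in live)))
        if h["name"] not in expected:
            findings.append(("unlisted-host", h["name"], "name not in typed list"))
        elif expected[h["name"]] not in live:
            findings.append(("mismatch", h["name"], "listed IP/MAC pair not reported"))
    seen = {h["name"] for h in hosts}
    findings += [("no-capture", n, "listed, no ipconfig output") for n in expected if n not in seen]
    findings += [("duplicate-ip", ip, ", ".join(sorted(o))) for ip, o in ip_owner.items() if len(o) > 1]
    if len(node_types) > 1:
        detail = "; ".join(f"{t}: {', '.join(sorted(n))}" for t, n in sorted(node_types.items()))
        findings.append(("mixed-node-types", "*", detail))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit([parse_ipconfig(d) for d in DUMPS], EXPECTED):
        print(*finding, sep=" | ")
```

On real machines, save each computer's output with `ipconfig /all > name.txt` and feed the file contents to `parse_ipconfig` in place of the constructed captures.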
 
Chuck

> Thanks Chuck,
>
> Here is a list of the entire system with status. All 24/7 are hard
> wired to network switch.
>
> User       IP            MAC                Status
> DATA       192.168.0.2   00-50-DA-C9-AD-32  24/7
> NEOBAT     192.168.0.4   00-12-3F-3B-29-A3  24/7
> CMM-8200   192.168.0.3   00-08-A1-22-B8-66  24/7
> DELL-510   192.168.0.7   00-13-CE-11-52-93  WIFI as needed
> DELL 8400  192.168.0.5   00-11-11-3D-F2-29  24/7
> Miguelito  192.168.0.6   00-14-A5-10-2B-EC  WIFI as needed
> Bliss      192.168.0.14  00-13-CE-2B-44-15  WIFI as needed
>
> Using a CNET network switch connected to a CNet Wireless G router Model
> CWR-854. The settings on the router are for NO DHCP and all are set
> as fixed IP addresses.

OK, the CWR-854 is a standard NAT router with a WAP. Are you using the NAT
feature (Internet service with one public IP address)? If so, your computers
ARE safe without PIS. NAT protects you from outside hacking.
<http://www.cnet.com.tw/product/cwr-854.htm>

Having the chart listing all of the computers is a great start.

You show Dell-510. Is that "Dell_D510"? The latter, from looking at "ipconfig
/all" shows only an Intel 2200BG WiFi connection - no Ethernet is apparent.

What is the CNET switch (model number please)? Why is it needed? Does the
switch connect to the LAN side of the CWR-854? The CWR-854 has its own 4 port
switch. You have a total of 4 wired computers, don't you?

> I have everything back on the system and connected again. I understand
> the need to test with everything in normal connections as the target
> keeps moving when I reconnect/boot etc. Hard to nail it down. I just
> assumed from some other sites knowing how each computer was behaving
> may have helped isolate the problem to a specific one.
>
> As a research scientist I understand looking at only one variable at a
> time to determine cause and effect. So no problem on a slow methodical
> plod. I have spent about a month off and on reading all of your varied
> sections for error 53, 5 need for clean set up etc. and I have made
> some changes like set all node types to Broadcast etc.

Well, I think we can both learn from this, if we're both patient and persistent.
We'll both research your problem. You have the fun part, because you are there
in front of it.

> I will have to wait until Saturday when we are not working and need to
> be connected for email etc. to take down the internet security. The
> router does not stop hacking attempts as Panda had stopped many since
> our ISP uses a fixed IP address. Not to mention a continual stream of
> spy/adware crap from visiting web sites.

What you call hacking, I call "network level" attacks. There is very little
classical hacking going on, most attacks are merely infected computers,
attacking from the outside, and trying to infect your computers. These are
essentially worms, which are similar to viruses in that they spread virally.
<http://nitecruzr.blogspot.com/2005/07/hacking-redefined.html>

By any chance, are you using the DMZ in the router? If you are, let's discuss
that first.

Maybe we both need to examine your security needs. Firewalls stop network level
threats, the sort of thing that will attack your computers from the fixed IP
address provided by your ISP.

Firewalls don't typically stop application threats, like adware and spyware.
Those you need to stop with layered security. One component in layered
security, which I refer to casually but is actually NOT a casual matter, is
common sense, and discretion.
<http://nitecruzr.blogspot.com/2005/05/please-protect-yourself-layer-your.html>

Now "kitchen sink" ware like NIS, MIS, and PIS, contains both firewall and anti
malware (anti adware / antispyware) components, and IMHO, neither at any
significant level. Modern malware is too resilient and versatile to be caught,
at any acceptable level, by "kitchen sink" ware (called that because it contains
"everything but the kitchen sink").

That's why I recommend layered security (including education of the folks who
access the Internet). Read about malware.
<http://nitecruzr.blogspot.com/2005/07/hacking-redefined.html>

That said, I assure you that, if you keep your computers behind a NAT router,
you can un install PIS long enough to diagnose your Windows Networking issues,
IF you use the Internet wisely (or not at all) while PIS is un installed. As I
describe in my article, most adware / spyware (what was caught by PIS) is
trojans, acquired by Internet browsing.

To put it simply, if you have an ongoing problem with adware / spyware, you need
to do a little user education.
 
Gallon_Jug

Chuck,

Yes the router has 4 ports, was not enough when I added the HP 4500N
Color printer and I did have 2 additional desktops for students for
awhile but retired those to the scrap heap. All machines can access
the 4500n w/o problem.
I mis-spoke (typed) the NW switch is actually a Nexxt NOT Cnet 8 port
10/100.
The Cnet was fried when I lost our dedicated Dell server and 2 desktops
from lightning strike.

For testing I can simply plug all four desktops into the router as we do
not use the HP Color that often and bypass the switch entirely.

Bruce
 
Gallon_Jug

To answer other questions

No not using the NAT with public access to the system here. All web
pages we use are housed at a university in Virginia and no need to have
them here.

NO DMZ is designated in Router. So no open ports or IP addresses.

When some visitors to our office access e.g., AOL mail there is always
a bushel basket of crap that needs to be cleaned up afterward and pops
up with PIS.
 
Chuck

> Chuck,
>
> Yes the router has 4 ports, was not enough when I added the HP 4500N
> Color printer and I did have 2 additional desktops for students for
> awhile but retired those to the scrap heap. All machines can access
> the 4500n w/o problem.
> I mis-spoke (typed) the NW switch is actually a Nexxt NOT Cnet 8 port
> 10/100.
> The Cnet was fried when I lost our dedicated Dell server and 2 desktops
> from lightning strike.
>
> For testing I can simply plug all four desktops into the router as we do
> not use the HP Color that often and bypass the switch entirely.
>
> Bruce

Bruce,

It's always possible that any network device could be part of the problem. If
you're going to test the switch (by connecting the computers to the router)
don't make any software changes - just move the computers from the switch to the
router. Do this with all computers powered off, so when you start them up, the
browser situation is predictable.

Were either CMM-8200, Miguelito, or Bliss connected (Ethernet or WiFi) when you
ran the browstats? Are all Ethernet connections made to the switch, or do you
connect any to the router? We have to figure out the two domains that were seen
by Data and Neobat.

OK, your perceived spyware threat was from visitor activity, and the problem is,
simply, that you're using the same product (PIS) to protect against network
level threats (hacks, generally blocked by a firewall) and against data level
threats (adware / spyware trojans, generally blocked by anti malware).

This is another good reason for practicing layered security. You should be able
to un install the firewall software (which contains components that are known to
interfere with Windows Networking), without eliminating your anti malware
software (which does not contain components that are known to cause such
problems).

So knowing your limitations, I'll simply trust that you can un install PIS, if
necessary, from all computers. And while you do this, simply make sure the
users don't access AOHell mail (which is indeed a significant data level threat)
or do other high risk surfing activity.

What security are you running on the WLAN?
<http://nitecruzr.blogspot.com/2005/05/setting-up-wifi-lan-please-protect.html>

And what's the model number on the switch?
 
Gallon_Jug

> Were either CMM-8200, Miguelito, or Bliss connected (Ethernet or WiFi) when you
> ran the browstats? Are all Ethernet connections made to the switch, or do you
> connect any to the router? We have to figure out the two domains that were seen
> by Data and Neobat.

All Ethernet connections were via switch. Miguelito and Bliss are two
lap tops that the local school teachers have and they connect to the
Inet via the WIFI and do not connect to the network. CMM-8200 is my
wife's machine and it was on when I ran the Browstat. Odd when I
booted only NEOBAT and CMM-8200 and both were the ONLY browser service
running I checked CMM and it said browsing was not active. Went into
Services and found that the browser had stopped. It would not
restart... would start then stop. Set to Automatic and re-start if
stopped. No clue why that was happening.

> What security are you running on the WLAN?

Nada! The router does have a box checked for Denial of service for
echo attacks.

We are literally in the jungles of Belize so there is no "War Driving"
possibilities and I have added the FIXED IP and MAC addresses to the
two teachers computers and no one else can really access it with
the DHCP server option turned off. So no WIFI security at all.

> And what's the model number on the switch?

Switch only has Nexxt Solutions 8 port 10/100M switch on top with a P/N
NW223NXT01 on bottom.


Bruce
 
Chuck

> All Ethernet connections were via switch. Miguelito and Bliss are two
> lap tops that the local school teachers have and they connect to the
> Inet via the WIFI and do not connect to the network. CMM-8200 is my
> wife's machine and it was on when I ran the Browstat. Odd when I
> booted only NEOBAT and CMM-8200 and both were the ONLY browser service
> running I checked CMM and it said browsing was not active. Went into
> Services and found that the browser had stopped. It would not
> restart... would start then stop. Set to Automatic and re-start if
> stopped. No clue why that was happening.

OK, Bruce, that might be a clue. I thought CMM sounded familiar - you just
didn't include it in the later diagnostics. CMM is the one that had NetBEUI
(did you successfully remove it?).

Let's try something different. Get PSTools (free, and small) from SysInternals.
<http://nitecruzr.blogspot.com/2005/05/essential-tools-for-desktop-and.html#PSTools>

PSService is a useful tool here. Use "psservice find (service)", and list where
each of these services are running. For instance "psservice find browser".
browser
lmhosts
remoteregistry
server
sharedaccess
workstation

Those service names represent the following essential services, in that order:
Browser
TCP/IP NetBIOS Helper
Remote Registry
Server
Windows Firewall / ICF
Workstation

> Nada! The router does have a box checked for Denial of service for
> echo attacks.
>
> We are literally in the jungles of Belize so there is no "War Driving"
> possibilities and I have added the FIXED IP and MAC addresses to the
> two teachers computers and no one else can really access it with
> the DHCP server option turned off. So no WIFI security at all.

OK, we'll not worry there. That's not a worry I lack, so I always make sure,
when dealing with any WiFi LAN.

> Switch only has Nexxt Solutions 8 port 10/100M switch on top with a P/N
> NW223NXT01 on bottom.

Noted. Let's see what happens when you connect the computers to the router.
 
Gallon_Jug

Morning Chuck,

Ok the removal of the network switch did not change a thing. :-(.
Seemed like too easy of a fix in any case. Yes NetBeui was removed from
CMM machine at first realization it was still there.

I have the utilities downloaded and will run on each machine. First
time I tried it for find imhosts from NEOBAT this was the result.

Checking \\CMM...Unable to open Service Control Manager database on
\\\CMM:

Checking \\DATA...Unable to open Service Control Manager database on
\\\DATA:

Checking \\NEOBAT... No active service named imhosts found.

for find browser the report is RPC server is unavailable

Same with other find (services).


I will take down PIS on all machines and continue as instructed.
Should I try running the psservice from other machines as well?

Bruce
 
Gallon_Jug

Chuck,

Maybe the root of the problem(s)?

I looked at the activity reports by Panda Firewall activity before
removing it from the DATA machine and noted that by default this is
being blocked.

Connection Attempt Firewall protection
BLOCKED
Application : C:\WIndows\system32\svchost.exe

I searched the Inet and found that often this service is hijacked by
worms, trojans etc. but may be OK to allow to run if not part of some
malware. I think this is necessary to run, not true?

I can enable this service on all machines easily as there are line by
line permissions and/or exclusions for the firewall.


Bruce
 
Gallon_Jug

FYI I have enabled this service on all machines before removing the PIS
to try to see if it now works.
 
Chuck

> FYI I have enabled this service on all machines before removing the PIS
> to try to see if it now works.

That's the idea, Bruce. You have to configure a personal firewall to trust the
other computers. Aka RTFM.

BTW, the service that you were looking for is "lmhosts" NOT "imhosts". It stands
for "LAN Manager Hosts". LAN Manager was the original Microsoft networking
product, back when they had Windows For Workgroups.

Configure properly, then repeat the tests.

I actually setup a batch file for myself. You may want to do the same, because
until you get everything working, I'll ask you to rerun this test repeatedly, to
update the inventory of what is working and what isn't. That's the only way I
can keep an idea in my mind whether we are making progress.

psservice find browser >c:\psservice.txt
psservice find lmhosts >>c:\psservice.txt
psservice find remoteregistry >>c:\psservice.txt
psservice find server >>c:\psservice.txt
psservice find sharedaccess >>c:\psservice.txt
psservice find workstation >>c:\psservice.txt
notepad c:\psservice.txt

Of course to use psservice like this, you have to put it into a folder that's in
the Path.
<http://nitecruzr.blogspot.com/2005/06/command-window.html>
<http://nitecruzr.blogspot.com/2005/05/using-path-and-making-custom-program.html>
 
