Networking - Strange Situation!!!


Matthew

I have an XP Pro machine connected to a Linksys
Router/Switch which in turn connects to a cable modem.
After varying times (few hours to a day) I lose
connectivity via all software that uses an internet
connection (IE, Outlook, Windows Messenger, AIM,
Newsreader) but the networking icon shows a live, enabled
connection and I can still ping the router and beyond. I
don't lose all programs at once, in fact a few times, I've
lost IE and Outlook but the messengers stayed up until I
disconnected them. I have to log off then log back on
again to reconnect via the software. There is a laptop on
the network that does not lose connection.

Given the above, it can't be the router (plus I called
Linksys) and I've determined that it's not the cable or
the onboard LAN. It's got to be something in Windows like
a setting or a corruption somewhere.

Any ideas? I'm about to drop a magnet on the hard drive
and start clean.

Thanks.
 

Paul Russell

So connectivity loss is intermittent? If so, what happens when you ping when
the connection loss occurs? Also what errors are you seeing in the apps
themselves?
 

Matthew

Yes. The connection drop is sporadic, but when it's down
it's down - I have to logoff Windows. I can ping fine
with good speed and no loss. The errors are the standard
messages when a connection can't be made - IE gives me
the "page not found" error; Outlook gives the
Send/Receive failed message, etc. Nothing exotic that
would hint at what is wrong.

Thanks for the response.
 

Doug

I have this very same problem. I have the same set up as
listed (Linksys, cable modem, XP (latest autoupdate))
I have to reboot to clear the problem. I have looked at
my reports from McAfee and find that McAfee determines my
IP address to be 127.0.0.1 and then the router address
about one second later then goodbye. I have watched this
for quite a few days and it is always the same.
IDEAS?
 

Matthew

Talking to a friend last night, he suggested it might have
to do with the routing table. I've tried using the 'route
ADD' command in DOS but can't seem to get the syntax right
even though I follow the description in the help menu. If
you know about this you might want to give it a try.
 

Matt DuBois [MSFT]

You can ping beyond the router to the internet. . .but are you pinging by
name or IP address? If you do ipconfig /all when it is working, and again
when it is broken, are there any differences between the two? When it isn't
working, does doing ipconfig /release followed by ipconfig /renew cause any
error messages or affect the problem at all?

Do you have any firewalls installed? Keep in mind that some antivirus
companies include a firewall by default. Have you recently uninstalled any
firewalls or antivirus products? If so, how? Some of them can break your
connectivity in strange ways because they don't uninstall correctly all the
time.
 

Matthew

I can ping by IP and name without an error while I'm up
and when the connection is broken. Release/Renew doesn't
cause any errors either, nor does it fix the problem.
I've never had anti-virus or firewall installed on this
system.

Thanks for the reply.
 

Matt DuBois [MSFT]

Okay, a few more questions then now that some of the easy stuff is
eliminated. You have at least one laptop and one desktop on the network.
Do you have any other machines? If so, do the ones that do break all always
break at once or do they break at different times?

Also, do this on one of the computers that breaks:
Start->Run->msinfo32
Expand "Components" then "Network" and click on Protocol.
In the right hand pane, scroll through the list (it may be long). Do you
see anything whose "name" does not start with "MSAFD" or "RSVP", or whose
name contains the phrase "over MSAFD" or "over RSVP"? If so, click in that
pane, go to Edit->Select All then Edit->copy and post back with the list.
 

Matthew

Sorry for the delay - tests to study for and programs to
write! Thanks for sticking with me.

There is exactly one desktop and one laptop connected to
the hub. Mine (the desktop) is the only one that has a
problem. I checked MSINFO32 and all the names begin
with "MSAFD" or "RSVP".

Thanks again.
 

Matt DuBois [MSFT]

That's okay, I had a bit of a busy week last week myself. Next suggestion:
Have you run a spyware/ad removal tool against your system yet? The
combination of the fact that a logout is sufficient to restore connectivity
and your symptoms suggest a program that runs in your session and interacts
at a lower level with Winsock (ping doesn't use winsock so that is why it
still works). You may see something useful if you compare the output of
"tasklist" when you are having problems versus when you are not. It would
also be good to check in task manager and see if there is anything consuming
CPU time excessively when you are having the problem. Finally, to go back
to a question I asked a little earlier, if you do "ipconfig /flushdns" and
then try to ping by name, does it still work? That will flush the local DNS
resolver cache to make sure it's really trying to resolve the name and not
just using the cached lookup.
 

Matthew

I ran Ad-aware over the weekend. It picked up 57 items -
54 of which were cookies and 3 items from the registry
like Gator - but to no avail. As for tasklist and
flushdns, I'll check them during the next crash which
will be in the middle of the night sometime. I'll get
back to you tomorrow.

Thanks.
 

Matthew

OK. Here's the latest.

I did flushdns and I was still able to ping by name.
Also, checking tasklist and task manager before and
during the disconnect yielded nothing. The largest
processes were svchost, explorer, inetinfo and aim but
they didn't change much between the two "states."

Finally, I think I mentioned in the other message that I
ran Adaware which found a few registry items and a bunch
of cookies but it didn't affect my problem.

Thank you.
 

Matt DuBois [MSFT]

That is pretty bizarre. I have two things I'd like you to try to see if we
can narrow things down a little bit more:

1) You say logging out is sufficient to correct the problem and a reboot
isn't necessary, which implies something running under your user account.
So, when the problem happens, use Task Manager to kill off processes. Maybe
two or three at a time to save time and narrow it down to those. After
killing each one (or each batch), check your access and see if it is working
again. Sort by the User Name column on the Processes page in Task Manager
and start with just the processes running under your user account.

2) Just for fun, get the name of your POP3 server from your email client
and pre-resolve the IP address of it while everything is working right.
When it breaks, do the ipconfig /flushdns and then try to resolve the name
again. Make sure you get the same IP address back as you got when
everything was working. Then, try to telnet to port 110 of both your POP3
server name and IP address (telnet name/ip 110). See if you get a connect
or if it says it can't connect.
 

Matthew

We're getting somewhere!

I was able to ping and telnet my POP3 server when I was
up but when I was down I could ping but not telnet.

When I was down, I started killing processes. After
killing "msmsgs.exe" (which I assume is Windows
Messenger), I was able to telnet POP3 once, but could not
repeat and I still couldn't use IE. Then I
killed "win32server.scr" and everything was fine. I
know .scr is for screensavers which I wouldn't think
would cause this problem but maybe it's not legit.

Do you know what this means?

Thanks.
 

Matthew

I looked up win32server.scr. It's a trojan, so that must
be the problem. Now that it's been disabled in my
current session I'll know by tomorrow if that's the cause.

I'll keep you posted.
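
The tasklist comparison suggested earlier in the thread, as an added example that is not part of any post. It diffs two `tasklist /FO CSV` snapshots and also flags running images whose extension is not `.exe`; the second check matters here because win32server.scr was running in both states, so a plain diff shows nothing. The snapshot contents, PIDs and function names are constructed for illustration.

```python
import csv
import io
import ntpath

# Constructed `tasklist /FO CSV` snapshots (PIDs and memory sizes are made up).
WORKING = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","16 K"
"System","4","Console","0","212 K"
"svchost.exe","820","Console","0","4,120 K"
"explorer.exe","1484","Console","0","18,432 K"
"inetinfo.exe","1620","Console","0","9,876 K"
"msmsgs.exe","1912","Console","0","6,540 K"
"win32server.scr","2044","Console","0","3,212 K"
"aim.exe","2100","Console","0","11,008 K"
'''
# "Broken" state: same processes, slightly different memory, plus the telnet test.
BROKEN = (WORKING.replace('"3,212 K"', '"3,340 K"')
          + '"telnet.exe","2388","Console","0","1,904 K"\n')

# Kernel pseudo-processes that tasklist lists without an extension.
KNOWN_NO_EXT = {"system", "system idle process"}


def image_names(snapshot):
    """Return the set of lower-cased image names in a tasklist CSV snapshot."""
    rows = csv.DictReader(io.StringIO(snapshot))
    return {row["Image Name"].strip().lower() for row in rows}


def only_in_second(first, second):
    """Images present in the second snapshot but absent from the first."""
    return sorted(image_names(second) - image_names(first))


def odd_extensions(snapshot, expected=(".exe",)):
    """Images whose extension is unusual for a running process (e.g. .scr)."""
    return sorted(
        name for name in image_names(snapshot)
        if name not in KNOWN_NO_EXT
        and ntpath.splitext(name)[1] not in expected
    )


if __name__ == "__main__":
    print("new while broken:", only_in_second(WORKING, BROKEN))
    print("unusual image extensions:", odd_extensions(BROKEN))
```

A hit from `odd_extensions` is only a lead: the file's location and startup entry still need checking before it is treated as malicious.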
 

Matt DuBois [MSFT]

Keep in mind that there might be another program somewhere that is launching
it too, if it isn't running at startup itself. You can use msconfig.exe as
a convenient way to check "all the usual places" for things that run at
startup. You also probably want to make sure you are up to date on your
Windows Updates.

You might also want to consider snagging some antivirus software. There are
some free online virus scanners out there, and some free installable ones
too. One option you may also want to consider is an offer Computer
Associates just came out with, in partnership with Microsoft. Free A/V and
firewall for a year. http://www.my-etrust.com/microsoft/

Keep me posted!
 

Matthew

Thanks Ken. I looked it up right after I posted that
message. It was dumb of me to ask without having done at
least a cursory investigation. I appreciate the reply
though.

-----Original Message-----
Win32server.scr is a virus

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100723

--

Ken Wickes [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.


 

Matthew

Some research into the virus helped me clean it out and I
think I got it all but I will heed your advice. I had a
little scare tonight when I got home and couldn't connect
again. Fortunately, I couldn't ping beyond the router
either so I just recycled it and everything was fine.
I'm still holding my breath though!

I think I'm finally going to get anti-virus software.
I've been connected for years, even back during the BBS
days and this is my first. Can't take any chances
though.

I'll keep a close eye on things for the next few days and
let you know what happens. Thanks again for the help.
Hopefully I won't need it anymore!!! Let me know if
there's anything I can do for you.
 

dan

I have these problems as well. I think it has something
to do with WPA enabled. Do you have that? If not, do
you have IEEE authentication checked in your network
settings? Uncheck and you will be OK. WPA has no option
to uncheck, it must be used.
 
