Help: XP Computer disappears from network

[JP]

First of all, I have to apologize for cross-posting. I am desperate for
finding a solution to an XP laptop which disappears from the network all of
a sudden. Yesterday, the computer was still PINGable on the network.
Today, you cannot PING it or use any port scanner to detect it.

The machine is running XP SP1 with all the latest patches applied. It has
NAV and Adaware installed too. Virus definition is up to date. Has
performed scanning of viruses and spyware. I used Autorun from
SysInterals.com to check all autostart components, nothing peculiar found.

1. \\HKLM\Software\Microsoft\Windows\CurrentVersion\Run - very clean
2. Startup folder is empty
3. Has run SYSEDIT to check autoexec.bat, config.sys, win.ini and
system.ini. No unknown entries found.
4. When boot to Safe Mode with Network, machine is PINGable.
5. During Normal Startup, can log on to DC, open network share, print, surf
the web and use any network resources. It can PING its own IP and loopback,
but no other machines can see it.
6. Has been working fine for a few months until today.
7. For compatibility issue, has to stay with SP1. Has just re-applied it.
8. Noticed that sometimes when starting up an application, the windows
status bar at the bottom has a "check version" box flashes and then
disappeared. Don't know if it means anything.

Help!

 

[David H. Lipman]

1) Download the following three items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Adaware SE (personal free version)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download sysclean.com and place it in that directory.
Dowload the signature files (pattern files) by obtaining the ZIP file.
For example; lpt220.zip

Extract the contents of the ZIP file and place the contents in the same directory as
sysclean.com.

2) Update Adware with the latest definitions.
3) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC into Safe Mode
5) Using both the Trend Sysclean utility and Adaware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using both the
Trend Sysclean utility and Adaware
7) If you are using WinME or WinXP,Re-enable System Restore and re-apply any
System Restore preferences, (e.g. HD space to use suggested 400 ~ 600MB),
8) Reboot your PC.
9) If you are using WinME or WinXP, create a new Restore point

You can also try some of the below online scanners.

Trend:
http://housecall.antivirus.com
http://housecall.trendmicro.com

F-Secure:
http://support.f-secure.com/enu/home/ols.shtml

McAfee:
http://www.mcafee.com/myapps/mfs/default.asp

Panda:
http://www.pandasoftware.com/activescan/

Kaspersky:
http://www.kaspersky.com/de/scanforvirus

Symantec:
http://security.symantec.com/

BitDefender
http://www.bitdefender.com/scan/license.php

Freedom Online scanner
http://www.freedom.net/viruscenter/index.html


* * * Please report your results ! * * *

Dave






| First of all, I have to apologize for cross-posting. I am desperate for
| finding a solution to an XP laptop which disappears from the network all of
| a sudden. Yesterday, the computer was still PINGable on the network.
| Today, you cannot PING it or use any port scanner to detect it.
|
| The machine is running XP SP1 with all the latest patches applied. It has
| NAV and Adaware installed too. Virus definition is up to date. Has
| performed scanning of viruses and spyware. I used Autorun from
| SysInterals.com to check all autostart components, nothing peculiar found.
|
| 1. \\HKLM\Software\Microsoft\Windows\CurrentVersion\Run - very clean
| 2. Startup folder is empty
| 3. Has run SYSEDIT to check autoexec.bat, config.sys, win.ini and
| system.ini. No unknown entries found.
| 4. When boot to Safe Mode with Network, machine is PINGable.
| 5. During Normal Startup, can log on to DC, open network share, print, surf
| the web and use any network resources. It can PING its own IP and loopback,
| but no other machines can see it.
| 6. Has been working fine for a few months until today.
| 7. For compatibility issue, has to stay with SP1. Has just re-applied it.
| 8. Noticed that sometimes when starting up an application, the windows
| status bar at the bottom has a "check version" box flashes and then
| disappeared. Don't know if it means anything.
|
| Help!
|
|
|
|
|
|
|
|
|

 

[JP]

Thanks, David. I have already used the Adaware SE. But will try the Trend
solution. By the way, I have left out a few things which I have checked:

1. Windows Firewall is DISABLED - there is no reason for ICMP echo being
blocked.
2. TCP/IP filtering is not eanabled - should permit all machines to access
all of its ports.

I will focus more on the possibilities of being infected by malicious
software.

Cheers,

Joe

 

[David H. Lipman]

Don't forget the online scanners I provided, if you can.

Dave




| Thanks, David. I have already used the Adaware SE. But will try the Trend
| solution. By the way, I have left out a few things which I have checked:
|
| 1. Windows Firewall is DISABLED - there is no reason for ICMP echo being
| blocked.
| 2. TCP/IP filtering is not eanabled - should permit all machines to access
| all of its ports.
|
| I will focus more on the possibilities of being infected by malicious
| software.
|
| Cheers,
|
| Joe
|
|
|
| | >
| > 1) Download the following three items...
| >
| > Trend Sysclean Package
| > http://www.trendmicro.com/download/dcs.asp
| >
| > Latest Trend signature files.
| > http://www.trendmicro.com/download/pattern.asp
| >
| > Adaware SE (personal free version)
| > http://www.lavasoftusa.com/
|
|

 

[Scott Harding - MS MVP]

If this is Sp2 make sure the Firewall Service is disabled not just through
the Security Center in Control Panel.

 

[Scott Harding - MS MVP]

Sorry, I read your post and it appears you don't have Sp2 so disreagrd my
suggestion

 

[JP]

David,

I have tried a different scan engine. Nothing found. Instead of doing
further on-line scan, I downloaded the Winsock XP Fix from
www.spychecker.com/program/winsockxpfix.html. First of all, I back up my
registry. Then I allow the tool to replace files and modify the registry.
On a reboot, everything worked fine.

Thank you for the direction.

Cheers,

Joe

 

[David H. Lipman]

That was my next suggestion - LSP-Fix. Glad all is OK !
Usually removal of some malware can cause a WinSOCK corruption.

Dave




| David,
|
| I have tried a different scan engine. Nothing found. Instead of doing
| further on-line scan, I downloaded the Winsock XP Fix from
| www.spychecker.com/program/winsockxpfix.html. First of all, I back up my
| registry. Then I allow the tool to replace files and modify the registry.
| On a reboot, everything worked fine.
|
| Thank you for the direction.
|
| Cheers,
|
| Joe
|
|
|
|
| | > Don't forget the online scanners I provided, if you can.
| >
| > Dave
| >
| >
| >
| >
| > | > | Thanks, David. I have already used the Adaware SE. But will try the
| > Trend
| > | solution. By the way, I have left out a few things which I have
| > checked:
| > |
| > | 1. Windows Firewall is DISABLED - there is no reason for ICMP echo
| > being
| > | blocked.
| > | 2. TCP/IP filtering is not eanabled - should permit all machines to
| > access
| > | all of its ports.
| > |
| > | I will focus more on the possibilities of being infected by malicious
| > | software.
| > |
| > | Cheers,
| > |
| > | Joe
| > |
| > |
| > |
| > | | > | >
| > | > 1) Download the following three items...
| > | >
| > | > Trend Sysclean Package
| > | > http://www.trendmicro.com/download/dcs.asp
| > | >
| > | > Latest Trend signature files.
| > | > http://www.trendmicro.com/download/pattern.asp
| > | >
| > | > Adaware SE (personal free version)
| > | > http://www.lavasoftusa.com/
| > |
| > |
| >
| >
|
|

 

[JP]

Although the problem was apparently fixed by the winsock fix tool for XP, I am not sure if it is really a winsock problem. There is a list of symptom of machines having winsock errors in Microsoft KB811259. None of them symptom listed seemed to have existed on that machine. Also, the machine could be PINGed in Safe Mode.
http://support.microsoft.com/kb/811259
SYMPTOMS
When you try to release and renew the IP address using the Ipconfig program, you may receive the following error message:
An error occurred while renewing interface 'Internet': An operation was attempted on something that is not a socket.

When you start Internet Explorer, you may receive the following error message:
The page cannot be displayed

When you use your computer, you may receive the following error message:
Initialization function INITHELPERDLL in IPMONTR.DLL failed to start with error code 10107
Additionally, you may have no IP address or no Automatic Private IP Addressing (APIPA) address, and you may be receiving IP packets but not sending them.

When you use the ipconfig /renew command, you may receive the following error messages:
An error occurred while renewing interface local area connection: an operation was attempted on something that is not a socket. Unable to contact driver Error code 2.
The operation failed since no adapter is in the state permissible for this operation.
The attempted operation is not supported for the type of object referenced.

In the Device Manager, when you click Show Hidden Devices, the TCP/IP Protocol Driver is listed as disabled under Non-Plug and Play drivers, and you receive error code 24.

When you create a dial-up connection, you may receive the following error message:
Error 720: No PPP Control Protocols Configured