Hall MVM join:2000-04-28 Germantown, OH 1 edit |
to mattei
Re: Web/HTTP access doesn't work, PING does
Will try the add'l 'netsh' commands you suggest.
As for the AU downloads, it seems to me that they're occurring while the PC is sitting at the login/welcome screen. It can be there for a long time. I'm working on this thing off and on (more off than on, mind you !). Also goes along with why I thought it was something related to the user's profile since 'net access (HTTP) works in Safe Mode.
I did try "Run as..." and signing in as admin but that's not allowed on XP Home it seems. |
|
Hall |
to mattei
said by mattei: Then enable logging (advanced tab on the FW dialog) and see what you can see in %systemroot%\Pfirewall.log.
What would one look for in that log file ? All it contains (after attempting to access the 'net) is a bunch of "OPEN" and "DROP" UDP connections and they're all from "internal" IP addresses, i.e. 192.168.1.x addresses. Actually, since I launch the web browser -- wait, the XP firewall doesn't block outgoing connections anyway, does it ? -- the firewall shouldn't interfere. |
|
mattei Moderated, now muzzled join:2001-03-19 Canada |
to Hall
said by Hall: As for the AU downloads, it seems to me that they're occurring while the PC is sitting at the login/welcome screen.
When booting normally?
said by Hall: It can be there for a long time.
Auto-login / login that seems slow or Hall is busy and it can wait?
said by Hall: I did try "Run as..." and signing in as admin but that's not allowed on XP Home it seems.
Only in Safe mode (blank default password). |
|
mattei |
to Hall
We're looking for something specific...and we'll know it when we see it :D. XP SP2+ has a stateful firewall that does not block outbound traffic but we can use it to help troubleshoot the network stack.
OPEN, good. DROP, good, if the RECEIVE flag is shown. Probably port 1900? UDP only, bad. We should be seeing TCP connection OPENs when you attempt to access the Internet. Sorry that I forgot to mention this but did you check both logging options (dropped and successful)? If so, we've almost confirmed TCP protocol IP stream sockets aren't making it to the firewall. If that's not the case we'll move on to WinHTTP.
Could you try FTP or POP or SMTP or all three, then check the firewall log again? You said FTP didn't work but I'd like to confirm the lack of TCP entries in the log. Afterwards,
[code] netsh interface ip show tcpstats [/code]
Oddities like zeros, much > than zero for In Errors, Out Resets equaling or approaching Out Segments? If netsh complains about the Routing and Remote Access Service you'll probably have to change the service startup mode from disabled to manual before you can start it. |
|
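The log check described in the post above, as an added example (not code from the thread): it reads the column names from the `#Fields:` header, counts entries per action and protocol, and reports whether any TCP OPEN was logged. The sample log is constructed, and the function names are assumptions of this example.

```python
from collections import Counter

# Constructed sample in the pfirewall.log layout; the entries are made up.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2009-09-01 10:41:02 OPEN UDP 192.168.1.122 192.168.1.1 1026 53 - - - - - - - - -
2009-09-01 10:41:05 DROP UDP 192.168.1.50 192.168.1.255 137 137 78 - - - - - - - RECEIVE
2009-09-01 10:41:09 DROP UDP 192.168.1.104 192.168.1.255 138 138 229 - - - - - - - RECEIVE
2009-09-01 10:41:12 DROP UDP 192.168.1.50 239.255.255.250 1050 1900 161 - - - - - - - RECEIVE
2009-09-01 10:41:20 DROP UDP 192.168.1.1 255.255.255.255 67 68 328 - - - - - - - RECEIVE
"""


def parse_fw_log(text):
    """Return one dict per log entry, keyed by the names in the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # ignore truncated or malformed lines
                rows.append(dict(zip(fields, values)))
    return rows


def summarize(rows):
    """Count entries per (action, protocol) and apply the checks from the post."""
    by_kind = Counter((r["action"], r["protocol"]) for r in rows)
    drops = [r for r in rows if r["action"] == "DROP"]
    udp_ports = {r["dst-port"] for r in drops if r["protocol"] == "UDP"}
    return {
        "by_kind": dict(by_kind),
        "tcp_open_seen": by_kind[("OPEN", "TCP")] > 0,  # False = "UDP only, bad"
        "udp_drop_ports": sorted(udp_ports, key=int),
        "drops_not_received": sum(1 for r in drops if r.get("path") != "RECEIVE"),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_fw_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Both logging options (dropped and successful) have to be enabled for the OPEN entries to exist at all; with only dropped packets logged, `tcp_open_seen` is False on a healthy machine too.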
Hall MVM join:2000-04-28 Germantown, OH |
to mattei
said by mattei: Auto-login / login that seems slow or Hall is busy and it can wait?
When there was only (1) account on the machine, it logged in automatically. At one point I added a "test" user account so when it boots, it stops at the Welcome screen. |
|
Hall |
to mattei
Let me stop the logging and get a fresh logfile to look at. Once I initiate it, I will attempt to access the internet with a browser and take a snapshot of the logfile at that point. |
|
Hall |
to mattei
The firewall logfile is attached. I actually cleared the logfile, restarted the firewall, and had to leave the PC. .122 is the laptop itself. .50 is my PC. .104 is probably my wife's laptop. |
|
Hall 1 edit |
to mattei
said by mattei: [code] netsh interface ip show tcpstats [/code] Oddities like zeros, much > than zero for In Errors, Out Resets equaling or approaching Out Segments?
Here are the results of that command. |
|
mattei Moderated, now muzzled join:2001-03-19 Canada |
to Hall
The UDP DROPs are just NetBIOS/SMB broadcasts and a few DHCP packets. Could you lather, rinse, repeat for FTP? I'd like to verify, via the log, that it's not just HTTP running over TCP that's blocked. All we're doing is proving the earlier assertions of a third-party component forcibly knocking all TCP connections down.
tcpstats; I'm trying not to look at the obvious correlations and stick to RFC definitions but, well, eew. It looks like an ornery LSP where there shouldn't be one (or firewall hook, filter hook, intermediate NDIS driver). I'll get back to those once the FTP test confirms it's TCP in general and not just HTTP but that's looking like a formality at this point. |
|
Hall MVM join:2000-04-28 Germantown, OH |
2009-Sep-1 11:00 am
Will try FTP in a few minutes.
Remember, this still occurs when I disable XP's firewall so that leaves "filter hook" and "intermediate NDIS driver" from your list.
Doesn't one of the 'netsh' commands wipe out LSPs and make things start over ? |
|
mattei Moderated, now muzzled join:2001-03-19 Canada 1 edit |
mattei
Member
2009-Sep-1 11:10 am
said by Hall: Doesn't one of the 'netsh' commands wipe out LSPs and make things start over ?
Yes, but
said by mattei: A system service (hidden, injected, or sitting in plain sight) could be adding to the catalog after reset.
Try
[code] netsh winsock show catalog >xsp.txt [/code]
An obvious sign would be the presence of something removed by the reset (check the reset log Edit: no reset log is generated for winsock - use a clean machine's catalog or Google and a fine tooth comb). |
|
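The comparison against a clean machine's catalog suggested in the post above, as an added example (not code from the thread): it parses two saved `netsh winsock show catalog` dumps and lists the providers present only on the suspect machine. Both excerpts are constructed and abbreviated, and the ExampleAV provider and the function names are hypothetical.

```python
# Constructed, abbreviated excerpts in the "Key: Value" layout that
# `netsh winsock show catalog` prints; the ExampleAV entry is hypothetical.
CLEAN_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [UDP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1002
"""

SUSPECT_CATALOG = CLEAN_CATALOG + r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        ExampleAV over [MSAFD Tcpip [TCP/IP]]
Provider Path:                      C:\Program Files\ExampleAV\example_lsp.dll
Catalog Entry ID:                   1015
"""


def parse_catalog(text):
    """Split a catalog dump into one dict of 'Key: Value' pairs per entry."""
    entries, current = [], None
    for line in text.splitlines():
        if line.strip().endswith("Provider Entry"):  # start of a new entry
            current = {}
            entries.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")      # first colon only, keeps C:\ paths
            current[key.strip()] = value.strip()
    return entries


def provider_key(entry):
    """Identify a provider by DLL path (case-insensitive) and description."""
    return (entry.get("Provider Path", "").lower(), entry.get("Description", ""))


def added_providers(baseline_text, suspect_text):
    """Entries in the suspect catalog that the clean baseline does not contain."""
    baseline = {provider_key(e) for e in parse_catalog(baseline_text)}
    return [e for e in parse_catalog(suspect_text) if provider_key(e) not in baseline]
```

Run it over `xsp.txt` from the affected machine and the same dump taken on a clean install of the same Windows version; an entry that reappears after a winsock reset is the one to trace back to its installing service.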
Hall MVM join:2000-04-28 Germantown, OH |
2009-Sep-2 8:14 am
Well, the laptop's owner asked for it back at this point.... I enjoyed the challenge !
I did tell him if/when he takes it to someone else to "fix" to not let them simply wipe it clean and start over because that's how too many people "fix" PC problems. If that's the solution, he can do that himself vs pay someone to stick a disc in it, reboot, answer a few prompts and walk away.
Thanks to everyone for their help. |
|
gdm MVM join:2001-06-15 Mchenry, IL |
2009-Sep-2 9:56 am
I didn't think of this till first thing this morning. Not sure if it would even work. Did you ever try removing all networking components and rebooting? Not that it matters now but I remember a similar problem years back with XP and it fixed it. |
|
Hall MVM join:2000-04-28 Germantown, OH |
2009-Sep-2 10:17 am
Yeah, I thought of that too but the stubborn part of me said "no, don't bother ... the NICs are able to ping, auto-updates was working and everything worked just fine in Safe Mode". Didn't do it obviously |
|
mattei Moderated, now muzzled join:2001-03-19 Canada |
mattei
Member
2009-Sep-2 10:30 am
I saw it suggested earlier in the thread. When you declined to do so, I figured you had decided to go the distance.
*sniffle* I was curious. |
|
Pronoiac join:2009-09-03 San Francisco, CA |
to Hall
Hey there - I was troubleshooting a friend's netbook with the same problem when I stumbled on this page. I just signed up to post this, so pardon me if I botch the HTML. That case turned out to be an incomplete Norton uninstallation. To check that, see if booting it in Safe Mode with Networking helps. If it does, get the Norton removal program and run it. Cheers! |
|
Hall MVM join:2000-04-28 Germantown, OH |
2009-Sep-3 8:54 am
said by Pronoiac: That case turned out to be an incomplete Norton uninstallation. To check that, see if booting it in Safe Mode with Networking helps. If it does, get the Norton removal program and run it.
Interesting.... He had Symantec AV on there and said it wouldn't uninstall (properly). I thought I sent him a link to Symantec's stand-alone uninstaller but don't know if it was done. |
|
RPC @net.novis.pt |
RPC to Hall
Anon
2009-Sep-7 7:35 pm
Just solved an identical issue on a friend's laptop. I've found a strange mix of AVG and bitdefender firewall registry entries. After a Registry cleanup and a Panda AV scan and Firewall correctly configured, everything seems to work just fine. |
|
Hall MVM join:2000-04-28 Germantown, OH |
to Pronoiac
said by RPC: After a Registry cleanup...
Those two "fixes" solved the problem ! I used Symantec's clean-up tool (ironic that their "uninstall" routine doesn't do the job properly) and then did a registry clean-up. Running the Norton tool and rebooting wasn't sufficient. Apparently there was still stray Norton crap left behind.... |
|
gdm MVM join:2001-06-15 Mchenry, IL |
2009-Sep-9 10:06 am
Glad you got it working! |
|
Hall MVM join:2000-04-28 Germantown, OH |
2009-Sep-9 12:01 pm
All the more reason not to touch Symantec's stuff with a 10' pole ! Heh, I remember and used Peter Norton's DOS-based utilities years ago and back then they were good stuff ! I hope he regrets selling out his name.... I presume he no longer works for Symantec, of course, though he may I guess. |
|
|