# [SOLVED] Missing ipsec



## dwmccauslin

Working on a Dell Inspiron 1300 laptop for a friend. It was infected with the rootkit.zeroaccess. I used Combofix yesterday; it said it cleaned the infection, and subsequent scans gave no new results.

The laptop has Windows XP Home, SP3. The rootkit seems to have taken out the ipsec.sys. Looking at the Event Viewer, I see Event ID 7003, "The TCP/IP Protocol Driver service depends on the following nonexistent service: IPSec"
Then, Event 7001, "The Network Location Awareness (NLA) service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: The dependency service does not exist or has been marked for deletion."

I copied ipsec.sys from another XP Home machine that was working and pasted it in the Windows\System32\drivers directory and it still does not work.
Requested programs have been run, and the results are below and attached, per your instructions.


.
DDS (Ver_2011-08-26.01) - NTFSx86 MINIMAL
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_22
Run by Administrator at 10:24:17 on 2011-09-28
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.375 [GMT -4:00]
.
AV: avast! Internet Security *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Internet Security *Disabled* 
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [Nike+ Connect] "c:\program files\nike\nike+ connect\Nike+ Connect daemon.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.254
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - 
.
============= SERVICES / DRIVERS ===============
.
R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [2011-9-24 12112]
R0 aswNdis2;avast! Firewall Core Firewall Service;c:\windows\system32\drivers\aswNdis2.sys [2011-9-24 195416]
S1 aswFW;avast! TDI Firewall driver;c:\windows\system32\drivers\aswFW.sys [2011-9-24 111320]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-9-24 442200]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-9-24 320856]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-9-24 20568]
S2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-9-24 44768]
S2 avast! Firewall;avast! Firewall;c:\program files\avast software\avast\afwServ.exe [2011-9-24 127192]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
.
=============== Created Last 30 ================
.
2011-09-27 21:52:02	117760	-c--a-w-	c:\windows\system32\dllcache\d100ib5.sys
2011-09-27 21:52:01	27648	-c--a-w-	c:\windows\system32\dllcache\cyzports.dll
2011-09-27 21:52:00	49792	-c--a-w-	c:\windows\system32\dllcache\cyzport.sys
2011-09-27 21:50:59	13312	-c--a-w-	c:\windows\system32\dllcache\OLD2B0.tmp
2011-09-27 21:49:59	60416	-c--a-w-	c:\windows\system32\dllcache\brserwdm.sys
2011-09-27 21:48:59	52224	-c--a-w-	c:\windows\system32\dllcache\atinraxx.sys
2011-09-27 21:47:57	101888	-c--a-w-	c:\windows\system32\dllcache\adpu160m.sys
2011-09-27 21:46:56	2148864	-c--a-w-	c:\windows\system32\dllcache\OLD59.tmp
2011-09-26 19:16:36	--------	d-----w-	c:\documents and settings\administrator\application data\Malwarebytes
2011-09-26 18:29:39	22216	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-09-26 18:29:39	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2011-09-24 19:40:19	111320	----a-w-	c:\windows\system32\drivers\aswFW.sys
2011-09-24 19:39:48	195416	----a-w-	c:\windows\system32\drivers\aswNdis2.sys
2011-09-24 19:39:46	442200	----a-w-	c:\windows\system32\drivers\aswSnx.sys
2011-09-24 19:38:53	12112	----a-w-	c:\windows\system32\drivers\aswNdis.sys
2011-09-24 19:38:52	41184	----a-w-	c:\windows\avastSS.scr
2011-09-24 19:38:19	--------	d-----w-	c:\program files\AVAST Software
2011-09-24 19:38:19	--------	d-----w-	c:\documents and settings\all users\application data\AVAST Software
2011-09-23 10:08:15	56200	----a-w-	c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{55141d46-61d0-496c-ac27-cf3d855e218a}\offreg.dll
2011-09-23 10:08:05	7269712	----a-w-	c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{55141d46-61d0-496c-ac27-cf3d855e218a}\mpengine.dll
.
==================== Find3M ====================
.
2011-09-09 09:12:13	599040	----a-w-	c:\windows\system32\crypt32.dll
2011-08-17 22:13:30	404640	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-18 02:59:49	73728	----a-w-	c:\windows\system32\javacpl.cpl
2011-07-18 02:59:48	472808	----a-w-	c:\windows\system32\deployJava1.dll
2011-07-15 13:29:31	456320	----a-w-	c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00	10496	----a-w-	c:\windows\system32\drivers\ndistapi.sys
.
============= FINISH: 10:25:16.64 ===============

Thank you in advance!
Dave


----------



## dwmccauslin

*Re: Missing ipsec*

Bump, please.


----------



## Ried

*Re: Missing ipsec*

Hello Dave,

Did ComboFix produce a log? I'll need to see that. It would be located at C:\ComboFix.txt


----------



## dwmccauslin

*Re: Missing ipsec*

Ried,

Thanks for the reply. The log is attached.

Dave


----------



## Ried

*Re: Missing ipsec*

You're welcome, Dave. 

Download *SystemLook* from one of the links below and save it to your desktop.

*Download Mirror #1
Download Mirror #2*
Double-click *SystemLook.exe* to run it.
Copy the content of the following codebox into the main textfield:



Code:


:filefind
ipsec.sys


Click the *Look* button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
*Note:* The log can also be found on your Desktop, entitled *SystemLook.txt*

===============================

Also, download CF-querySvc.exe

Double click to run it, then please post the log it produces.


----------



## dwmccauslin

*Re: Missing ipsec*

Downloaded both tools per instructions. I had to put them on a flash drive and move them to the desktop of the infected machine, as that machine does not have Internet access.
Entire contents of SystemLook log:
SystemLook 30.07.11 by jpshortstuff
Log created at 06:20 on 03/10/2011 by David
Administrator - Elevation successful

========== filefind ==========

Searching for "ipsec.sys"
C:\WINDOWS\system32\dllcache\ipsec.sys --a--c- 75264 bytes [04:49 14/04/2008] [04:49 14/04/2008] 23C74D75E36E7158768DD63D92789A91
C:\WINDOWS\system32\drivers\ipsec.sys --a---- 75264 bytes [04:49 14/04/2008] [04:49 14/04/2008] 23C74D75E36E7158768DD63D92789A91

-= EOF =-

Ran CF-Query. A command box popped open briefly, then closed. No log was apparent, so I did a search. It only found the executable for CF-Query. Please advise as to this.

Thanks!
Dave


----------



## Ried

*Re: Missing ipsec*

You're welcome, Dave.

Move CF-QuerySvc.exe to the C:\ drive and try again please.


----------



## dwmccauslin

*Re: Missing ipsec*

Ok, I moved it to the root, and re-ran it. There was no apparent log file created. I then opened a command prompt and ran it from there, again, no apparent log generated.

Awaiting further instructions.

Dave


----------



## Ried

*Re: Missing ipsec*

Thanks for trying, Dave. This is what I'd like for you to do...

As you've no doubt seen when ComboFix was running, it mentions that the Recovery Console should be pre-installed, and that CF may function in a somewhat limited mode if it is not pre-installed. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => How to obtain Windows XP Setup disks for a floppy boot installation

Scroll down to *Step 1*, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.

*Note: If you have SP3, use the SP2 package.*


---------------------------------------------------------------------

Next, download the latest version of ComboFix from *here*.

---------------------------------------------------------------------


Transfer the files you just downloaded, to the desktop of the infected computer. (You will have to delete the existing ComboFix.exe from the desktop first)


====================================================

*Disable your AntiVirus and AntiSpyware applications* as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic *How to disable your security applications*

====================================================











Drag the setup package onto ComboFix.exe and drop it.

Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.











At the next prompt, click 'Yes' to run the full ComboFix scan.

When the tool is finished, it will produce a report for you.
Please post the *C:\ComboFix.txt* in your next reply.


----------



## dwmccauslin

*Re: Missing ipsec*

Not trying to sound like an idiot here, Ried, but there are no floppy drives on the computer I am using, nor the infected laptop.
Suggestions?


----------



## Ried

*Re: Missing ipsec*

You don't need to copy to floppies. All you need to do is download the package for XP Home SP2 (there isn't one for SP3, and SP2 RC will work just the same).

Download the WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe from this page Download Details - Microsoft Download Center - Windows XP Home Edition with Service Pack 2 Utility: Setup Disks for Floppy Boot Install

Save it to your flash drive, transfer to infected computer, drag and drop that .exe into ComboFix.exe and ComboFix will do the rest. :wink:


----------



## dwmccauslin

*Re: Missing ipsec*

ok... thanks!


----------



## dwmccauslin

*Re: Missing ipsec*

It is running, but throwing a message occasionally that "C:\Windows\nircmd.exe is not a valid win32 application."
I hit okay and it continues


----------



## dwmccauslin

*Re: Missing ipsec*

Here is the latest ComboFix log, attached.

Thanks!

Dave

ComboFix 11-10-02.03 - David 10/03/2011 10:10:23.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.214 [GMT -4:00]
Running from: c:\documents and settings\David\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\David\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: avast! Internet Security *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Internet Security *Disabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((( Files Created from 2011-09-03 to 2011-10-03 )))))))))))))))))))))))))))))))
.
.
2011-10-03 13:06 . 2011-10-03 10:10	68428	----a-w-	C:\CF-querySvc.exe
2011-09-27 21:52 . 2001-08-17 16:12	117760	-c--a-w-	c:\windows\system32\dllcache\d100ib5.sys
2011-09-27 21:52 . 2001-08-18 02:36	27648	-c--a-w-	c:\windows\system32\dllcache\cyzports.dll
2011-09-27 21:52 . 2001-08-17 17:50	49792	-c--a-w-	c:\windows\system32\dllcache\cyzport.sys
2011-09-27 21:50 . 2006-02-28 12:00	13312	-c--a-w-	c:\windows\system32\dllcache\OLD2B0.tmp
2011-09-27 21:49 . 2001-08-17 17:12	60416	-c--a-w-	c:\windows\system32\dllcache\brserwdm.sys
2011-09-27 21:48 . 2008-04-14 02:04	52224	-c--a-w-	c:\windows\system32\dllcache\atinraxx.sys
2011-09-27 21:47 . 2001-08-17 18:07	101888	-c--a-w-	c:\windows\system32\dllcache\adpu160m.sys
2011-09-27 21:46 . 2010-12-09 13:42	2148864	-c--a-w-	c:\windows\system32\dllcache\OLD59.tmp
2011-09-26 19:14 . 2011-09-26 19:14	--------	d-----w-	c:\documents and settings\Administrator
2011-09-26 18:29 . 2011-09-26 18:29	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2011-09-26 18:29 . 2011-08-31 21:00	22216	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-09-24 19:40 . 2011-09-06 20:36	20568	----a-w-	c:\windows\system32\drivers\aswFsBlk.sys
2011-09-24 19:40 . 2011-09-06 20:37	320856	----a-w-	c:\windows\system32\drivers\aswSP.sys
2011-09-24 19:40 . 2011-09-06 20:38	111320	----a-w-	c:\windows\system32\drivers\aswFW.sys
2011-09-24 19:39 . 2011-09-06 20:37	195416	----a-w-	c:\windows\system32\drivers\aswNdis2.sys
2011-09-24 19:39 . 2011-09-06 20:36	34392	----a-w-	c:\windows\system32\drivers\aswRdr.sys
2011-09-24 19:39 . 2011-09-06 20:38	442200	----a-w-	c:\windows\system32\drivers\aswSnx.sys
2011-09-24 19:39 . 2011-09-06 20:36	52568	----a-w-	c:\windows\system32\drivers\aswTdi.sys
2011-09-24 19:39 . 2011-09-06 20:36	110552	----a-w-	c:\windows\system32\drivers\aswmon2.sys
2011-09-24 19:39 . 2011-09-06 20:36	104536	----a-w-	c:\windows\system32\drivers\aswmon.sys
2011-09-24 19:39 . 2011-09-06 20:33	30808	----a-w-	c:\windows\system32\drivers\aavmker4.sys
2011-09-24 19:38 . 2011-09-06 20:10	12112	----a-w-	c:\windows\system32\drivers\aswNdis.sys
2011-09-24 19:38 . 2011-09-06 20:45	41184	----a-w-	c:\windows\avastSS.scr
2011-09-24 19:38 . 2011-09-06 20:45	199304	----a-w-	c:\windows\system32\aswBoot.exe
2011-09-24 19:38 . 2011-09-24 19:38	--------	d-----w-	c:\program files\AVAST Software
2011-09-24 19:38 . 2011-09-24 19:38	--------	d-----w-	c:\documents and settings\All Users\Application Data\AVAST Software
2011-09-24 18:08 . 2011-09-24 18:11	--------	d-----w-	c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-09-24 00:27 . 2011-09-24 00:27	--------	d-----w-	c:\program files\QuickTime
2011-09-23 18:00 . 2011-09-23 18:00	--------	d-s---w-	c:\documents and settings\NetworkService\UserData
2011-09-23 10:08 . 2011-09-23 10:08	56200	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{55141D46-61D0-496C-AC27-CF3D855E218A}\offreg.dll
2011-09-23 10:08 . 2011-09-12 23:14	7269712	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{55141D46-61D0-496C-AC27-CF3D855E218A}\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-09 09:12 . 2008-04-14 09:41	599040	----a-w-	c:\windows\system32\crypt32.dll
2011-08-17 22:13 . 2011-08-17 22:13	404640	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-12 02:44 . 2009-03-18 14:24	7152464	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-07-18 02:59 . 2009-03-18 13:26	73728	----a-w-	c:\windows\system32\javacpl.cpl
2011-07-18 02:59 . 2011-07-18 03:00	472808	----a-w-	c:\windows\system32\deployJava1.dll
2011-07-15 13:29 . 2008-04-14 04:47	456320	----a-w-	c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2008-04-14 04:27	10496	----a-w-	c:\windows\system32\drivers\ndistapi.sys
2011-09-07 10:00 . 2011-03-26 11:22	134104	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-05-08 . 9F42478360E9B053A6703DEF39B4CE33 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-09-06 20:45	122512	----a-w-	c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 282624]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-03-09 37888]
"Nike+ Connect"="c:\program files\Nike\Nike+ Connect\Nike+ Connect daemon.exe" [2010-06-25 299008]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-09-24 421888]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
c:\documents and settings\David\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1550:UDP"= 1550:UDP:Windows Media Format SDK (winamp.exe)
"1551:UDP"= 1551:UDP:Windows Media Format SDK (winamp.exe)
.
R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [9/24/2011 3:38 PM 12112]
R0 aswNdis2;avast! Firewall Core Firewall Service;c:\windows\system32\drivers\aswNdis2.sys [9/24/2011 3:39 PM 195416]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [9/24/2011 3:39 PM 442200]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [9/24/2011 3:40 PM 320856]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/24/2011 3:40 PM 20568]
S1 aswFW;avast! TDI Firewall driver;c:\windows\system32\drivers\aswFW.sys [9/24/2011 3:40 PM 111320]
S2 avast! Firewall;avast! Firewall;c:\program files\AVAST Software\Avast\afwServ.exe [9/24/2011 3:38 PM 127192]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-23 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\ptzsiu91.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=VE3D01&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=VE3D01&q=
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-10-03 10:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3680)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-10-03 10:23:25
ComboFix-quarantined-files.txt 2011-10-03 14:23
ComboFix2.txt 2011-09-27 12:44
.
Pre-Run: 51,335,671,808 bytes free
Post-Run: 51,321,331,712 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 9DC0963F82F1C5A1F64C268452676DAA


----------



## Ried

*Re: Missing ipsec*

I take it you still don't have internet from this machine?


----------



## dwmccauslin

*Re: Missing ipsec*

Correct. It will not connect via wi-fi or ethernet. I get the network connection on the taskbar to show a network connection, but it will not get to the Internet.
In the Event Viewer, it shows the same messages as I posted before.


----------



## Ried

*Re: Missing ipsec*

We need a good copy of sfcfiles.dll on this machine so we can check for patched drivers. Use SystemLook to locate any other copies that might be onboard.

Double-click SystemLook.exe to run it. 
Copy the content of the following codebox - exactly as you see it - into the main textfield:




Code:


:filefind
sfcfiles.dl*

Click the Look button to start the scan. 
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. 

Note: The log can also be found on your Desktop, entitled SystemLook.txt

====================================

I'd also like for you to do the following. Download TDSSKiller.exe and save it to your desktop
Execute TDSSKiller.exe by doubleclicking on it.
Press *Start Scan*

If malicious objects are found, *do NOT* select *Cure*. *Change the action to Skip*, and save the log.

Once complete, a log will be produced at the root drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt

Please post the contents of that log in your next reply.


----------



## dwmccauslin

*Re: Missing ipsec*

Here are the requested two logs:


----------



## Ried

*Re: Missing ipsec*

There aren't any other copies onboard, but I don't think that will make any difference at the moment. If TDSSK doesn't see a patched file, neither will SFC.

Sorry, but I have to ask - did you run CF-querySvc.exe while in Safe Mode, or Normal Mode?

**edit**

Did the onboard AV detect and remove or quarantine anything prior to you posting here for assistance?


----------



## dwmccauslin

*Re: Missing ipsec*

Normal Mode.

I turn the A/V off whenever I run these utilities... I do not know if it did prior to my friend bringing this to me. Want me to check the quarantine, if possible?
He has Avast! (free) installed.


----------



## Ried

*Re: Missing ipsec*

Yes, please


----------



## dwmccauslin

*Re: Missing ipsec*

Looking in the Avast! Virus Chest, I see two instances of ipsec.sys that were both put there on 9/24, once at 6:24pm, the other at 7:11pm. They both are listed as being infected with Win32:Alureon-AMS [Tri]
It appears that the restore points were also taken out, same day, all around 9:00pm, showing as infected with the same virus.

Hope this helps. This was before he brought it to me...

Nothing shows as being added to the Virus Chest after 9/24 at around 9:18pm.


----------



## Ried

*Re: Missing ipsec*

Ugh - no restore points. :sigh: Even an infected one is better than none when incomplete removals are done.

We have no choice but to hunt and rule out possibilities. This set of instructions will appear to be overwhelming, but to save time for both of us going back and forth, I'm going to give you several steps to carry out.

First thing I want to do is truly rule out a patched file. The most accurate way to do this is to get a scan without Windows loaded.

Please download maxlook, saving the file to your desktop.
Double click maxlook.exe to run it. *Note - you must run it only once!*

As instructed when the tool runs, restart the computer and logon to the Recovery Console:

*1.* Reboot your computer and as Windows starts it will present you with your startup options for exactly two seconds - you'll have to be quick - which in your case will be *Microsoft Windows XP Professional* and *Microsoft Windows Recovery Console*

*2.* With the arrow keys on your keyboard select the option listed as *Microsoft Windows Recovery Console* and press the *enter* key on your keyboard.

If it passes by too quickly, restart the machine again, and press F8. Once you're at the Advanced Boot Menu Options screen, select "Return to OS Choices", then choose Recovery Console from the next screen.

*3.* The Recovery Console will start and ask you which Windows installation you would like to log on to. If you have multiple Windows installations, it will list each one, and you would enter the number associated with the installation you would like to work on and press *enter*. If you have just one Windows installation, type *1* and press *enter*.

*4.* It will then prompt you for the Administrator's password. If there is no password, simply press enter. Otherwise type in the password and then press enter.

*5.* You should now be presented with a *C:\Windows>* prompt 

At that prompt, type in the following bolded text and press Enter

*batch look.bat*

(Note - there is a space between the words batch and look.bat)











You will see *1 file copied* many times then return to the _x:\windows>_ prompt.
Type *Exit* to restart your computer then logon in normal mode.

Once back in Windows, click Start > Run, and copy/paste the following then press Enter.

*maxlook -sig*

Follow the prompts, and attach the C:\looklog.txt in your next reply.

===================================

Next, open Notepad and copy/paste the contents in the quotebox below, into Notepad.



> regedit /a ipsec.txt "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPSec"
> notepad ipsec.txt


Save this as *ipsec.bat* Choose to "Save type as - All Files"
It should look like this:









Double click on ipsec.bat & allow it to run. Then post the log which it produces

===================================

Click Start>Run and type the following into the Run box and click OK:

*services.msc*

Look for IPSEC services. Double click to see its Properties. Is the service Started? Is it set to Automatic?


To summarize, please post the *C:\looklog.txt*, the *ipsec.txt*, and tell me if Ipsec service is started and set to automatic.


----------



## dwmccauslin

*Re: Missing ipsec*

At the "maxlook - sig" step it failed, as it requires an active Internet connection.

The step failed, and did not write a logfile.


----------



## dwmccauslin

*Re: Missing ipsec*

I did the IPSec step, and the logfile produced is a blank text document.
In Services, IPSec Services is there, set to Automatic, but stopped. I tried to start it, and it said "Could not start IPSec Services service on local computer. Error 1075: The dependency service does not exist or has been marked for deletion."


----------



## Ried

*Re: Missing ipsec*

Delete the batch file you just created and let's try it this way



> regedit /a ipsec.txt "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPSec"
> start notepad
> nircmd wait 7000
> notepad ipsec.txt


Save this as *ipsec.bat* Choose to "Save type as - All Files"
It should look like this:









Double click on ipsec.bat & allow it to run. Then post the log which it produces

=============================

Do you have access to a Windows XP Home Install Disc?


----------



## Ried

*Re: Missing ipsec*

If a log still is not produced, please export that key manually. Click Start>Run and type in *regedit*. Click OK

Navigate to the following subfolder

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPSec

Right click the IPSec folder and select '*Export*'. Name it Ipsec_export.*txt*. It will, by default, give it a .reg extension. Change that to .txt, and save it to the desktop or flash drive so you can post it in your next reply.


----------



## dwmccauslin

*Re: Missing ipsec*

There is no IPSec folder in HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services

There is one in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\

I have a meeting from 8:30-Noon, EST. I will be back on this at about 1:00.


----------



## Ried

*Re: Missing ipsec*

When you get the chance, look for this key and export.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec

If you don't see it in that location either, then open SystemLook and copy/paste the following into the open field


> :regfind
> ipsec.sys


Click 'Look', then please post the log it produces.


----------



## dwmccauslin

*Re: Missing ipsec*

Ran SystemLook as requested. The log is attached.


----------



## Ried

*Re: Missing ipsec*

Looks like Avast totally wiped out the key. 

Download the attached Ipsec.zip and transfer it to the desktop of the 'troubled' machine.

Extract all files, then double click on the Ipsec.reg. Click Yes when asked to merge with registry.

Reboot.

Does the machine have internet now?


----------
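The missing-key condition behind Event ID 7003 can be checked offline from a `regedit /a` export of the Services branch. The following is an added example, not part of the original thread or of any tool mentioned in it: it parses a REGEDIT4 (ANSI) export, decodes each `DependOnService` multi-string, and lists dependencies that name a service key that does not exist. The sample export is constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed sample in the REGEDIT4 format written by `regedit /a`.
# The IPSec service key is deliberately absent, as it was on the machine above.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip]
"DisplayName"="TCP/IP Protocol Driver"
"Start"=dword:00000001
"DependOnService"=hex(7):49,50,53,65,63,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters]
"DependOnService"="ignored: value belongs to a subkey, not to a service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Nla]
"DisplayName"="Network Location Awareness (NLA)"
"DependOnService"=hex(7):54,63,70,\
  69,70,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RpcSs]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PolicyAgent]
"DisplayName"="IPSEC Services"
"DependOnService"=hex(7):52,50,43,53,53,00,54,63,70,69,70,00,49,50,53,65,63,\
  00,00
'''

# Matches only top-level service keys, e.g. ...\Services\Tcpip (not ...\Tcpip\Parameters).
KEY_RE = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})'
    r'\\Services\\([^\\\]]+)\]$', re.I)
DEP_RE = re.compile(r'^"DependOnService"=hex\(7\):(.*)$', re.I)


def logical_lines(text):
    """Yield lines with regedit's trailing-backslash hex continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(",\\"):
            buf += line[:-1]          # keep the comma, drop the backslash
            continue
        yield buf + line
        buf = ""


def decode_multi_sz(hex_csv):
    """Decode a REGEDIT4 hex(7) value (ANSI bytes, NUL-separated) to a list."""
    data = bytes(int(b, 16) for b in hex_csv.split(",") if b.strip())
    return [s for s in data.decode("cp1252").split("\x00") if s]


def parse_services(text):
    """Map (control set, service name), both lower-cased, to parsed details."""
    services, current = {}, None
    for line in logical_lines(text):
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = None            # any subkey header ends the service key
            if m:
                current = (m.group(1).lower(), m.group(2).lower())
                services[current] = {"set": m.group(1), "name": m.group(2),
                                     "deps": []}
            continue
        m = DEP_RE.match(line)
        if m and current:
            services[current]["deps"] = decode_multi_sz(m.group(1))
    return services


def find_dangling(text):
    """Return sorted (control set, service, missing dependency) tuples."""
    services = parse_services(text)
    missing = []
    for (cset, _), svc in services.items():
        for dep in svc["deps"]:
            # Service names are case-insensitive: RPCSS and RpcSs are one key.
            if (cset, dep.lower()) not in services:
                missing.append((svc["set"], svc["name"], dep))
    return sorted(missing)


if __name__ == "__main__":
    for cset, svc, dep in find_dangling(SAMPLE_EXPORT):
        print(f"{cset}: {svc} depends on nonexistent service {dep}")
```

Run it against an export of the whole `Services` branch; an export of a single key will report every dependency outside that key as missing.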



## dwmccauslin

*Re: Missing ipsec*

Did the Registry merge, rebooted, and still have the same messages in the event viewer. Cannot start the service.

Still no Internet either wired or wireless.


----------



## Ried

*Re: Missing ipsec*

Try this next registry fix. Download the attached Ipsecfix.zip and same as before, extract all files and double click the Ipsecfix.reg file within. Merge with registry, reboot.


----------



## dwmccauslin

*Re: Missing ipsec*

Getting closer... Still will not go on the Internet, but the network icons show up quicker in the task bar than before. The error messages in Event Viewer are a little different now:
"Event ID 7000 The TCP/IP Protocol Driver service failed to start due to the following error: The system cannot find the file specified."

Then, the 2nd message:
"Event ID 7001 The IPSEC Services service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: The system cannot find the file specified."

These are different than before. For reference, these are the original messages before the registry fixes:
Event ID 7003, "The TCP/IP Protocol Driver service depends on the following nonexistent service: IPSec"
Then, Event 7001, "The Network Location Awareness (NLA) service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: The dependency service does not exist or has been marked for deletion."


----------
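One way to check an exported Services branch for the two conditions the Event Viewer messages in this thread describe: a DependOnService entry naming a service key that does not exist, and an ImagePath naming a file that is not present. This is an added example, not part of the original posts or of any tool used in them; the export text is constructed, the function names are hypothetical, and it assumes a "Version 5.00" regedit export (UTF-16LE hex data) plus a caller-supplied file list.

```python
import re

# Constructed sample (not the thread's attachments): a regedit Version 5 export
# in which Tcpip and PolicyAgent still name IPSec but the IPSec key is gone.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,74,00,63,00,70,00,69,00,70,00,2e,\
  00,73,00,79,00,73,00,00,00
"DependOnService"=hex(7):49,00,50,00,53,00,65,00,63,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"Hostname"="constructed-host"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs]
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent]
"ImagePath"="C:\\WINDOWS\\system32\\lsass.exe"
"DependOnService"=hex(7):52,00,50,00,43,00,53,00,53,00,00,00,54,00,63,00,70,00,\
  69,00,70,00,00,00,49,00,50,00,53,00,65,00,63,00,00,00,00,00
'''

SVC = re.compile(r'^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(?:Current)?ControlSet(?:\d{3})?\\Services\\([^\\\]]+)\]$', re.I)
VAL = re.compile(r'^"([^"]+)"=(?:"(.*)"|hex\(([27])\):(.*))$')
PREFIX = re.compile(r'^(?:\\systemroot\\|%systemroot%\\|c:\\windows\\)')

def parse_services(export_text):
    # Returns {service: {value: str or list}}; subkeys and dword values are skipped.
    text = re.sub(r'\\\r?\n\s*', '', export_text)  # join hex continuation lines
    services, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith('['):
            m = SVC.match(line)
            current = services.setdefault(m.group(1).lower(), {}) if m else None
        elif current is not None and (m := VAL.match(line)):
            name, sz, kind, hexdata = m.groups()
            if sz is not None:                      # REG_SZ, backslashes escaped
                current[name.lower()] = sz.replace('\\\\', '\\')
            else:                                   # hex(2)/hex(7), UTF-16LE
                raw = bytes(int(b, 16) for b in hexdata.split(',') if b)
                parts = [p for p in raw.decode('utf-16-le').split('\0') if p]
                current[name.lower()] = parts if kind == '7' else ''.join(parts)
    return services

def audit(services, existing_files):
    # Paths are compared relative to the Windows directory; arguments after an
    # executable name in ImagePath are not handled in this sketch.
    files = {PREFIX.sub('', f.lower()) for f in existing_files}
    findings = []
    for svc, vals in sorted(services.items()):
        for dep in vals.get('dependonservice', []):
            if dep.lower() not in services:         # service names are case-insensitive
                findings.append((svc, 'missing-dependency', dep))
        image = PREFIX.sub('', vals.get('imagepath', '').lower())
        if image and image not in files:
            findings.append((svc, 'missing-image', image))
    return findings
```

A real export saved by regedit is a UTF-16 file, so read it with `open(path, encoding='utf-16')` before passing the text in, and export the whole Services branch so that dependencies outside the exported keys are not reported as missing.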



## Ried

*Re: Missing ipsec*

Please repeat the previous registry search we did with SystemLook. Double click to launch SystemLook and copy/paste the following into the field and click the Look button.



> :regfind
> Ipsec.sys


Please post the log it produces.

=============================

Also, click Start>Run and type in services.msc

Double click Ipsec Services and tell me what it says under 'Path to executable'

One more thing - see if you can get CF-querySvc.exe to produce a log. If it still comes up empty, place CF-querySvc.exe into the Windows\system32 folder and try again to run it.


----------



## dwmccauslin

*Re: Missing ipsec*

Here is the new SystemLook log, attached.


----------



## dwmccauslin

*Re: Missing ipsec*

Sorry - missed the other two parts.
Path to executable: C:\WINDOWS\system32\lsass.exe
Under Dependencies, it now has 
IPSEC driver
Remote Procedure Call (RPC)
TCP/IP Protocol Driver
IPSEC driver

When I tried to go back in to run the CF-querySvc.exe, it blue-screened and re-started. I will keep trying. Safe Mode does not fault out with blue screen. Can CF-querySvc.exe be run in safe mode, or does it need full boot?


----------



## dwmccauslin

*Re: Missing ipsec*

Here is the log from CF-querySvc:


----------



## Ried

*Re: Missing ipsec*

Thanks, but Normal Mode is needed. In Safe Mode, many services will not be running.

Click Start>Control Panel>Network Connections and find the LAN. Right click, select Properties and click 'Repair'.

Reboot. If internet still isn't working, navigate to this key and export it for me

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP


----------



## dwmccauslin

*Re: Missing ipsec*

Tried to repair the connection. It gave this message:
"Windows could not finish repairing the problem because the following action cannot be completed: Failed to query TCP/IP settings of the connection. Cannot proceed. For assistance, contact the person who manages your network."


----------



## dwmccauslin

*Re: Missing ipsec*

Here is the tcpip export:


----------



## Ried

*Re: Missing ipsec*

Thanks.

Use SystemLook to search for tcpip.sys



> :filefind
> tcpip.sys


Post the results of that search.


----------



## dwmccauslin

*Re: Missing ipsec*

Here it is:


----------



## Ried

*Re: Missing ipsec*

Hi Dave,

We're going to try replacing tcpip.sys and see if that helps.

Open Windows Explorer and navigate to C:\WINDOWS\system32\drivers\tcpip.sys

Right click the file and rename tcpip.sys to tcpip.old

Now, navigate to C:\WINDOWS\system32\dllcache\tcpip.sys and *copy* that file to c:\windows\system32\drivers\ folder.

Reboot.

Any internet yet?


----------



## dwmccauslin

*Re: Missing ipsec*

No C:\WINDOWS\system32\dllcache\ folder... I changed folder options to show hidden files and folders, but it goes from C:\WINDOWS\system32\DirectX\ to C:\WINDOWS\system32\drivers\

I see in the SystemLook.txt that it shows there... Advice?


----------



## dwmccauslin

*Re: Missing ipsec*

Thank God for DOS! I went through there and copied it to c:\, then on to the drivers folder.


----------



## dwmccauslin

*Re: Missing ipsec*

That did not do the trick... It still will not connect to the Internet. The same two messages appear in the System Event Viewer.


----------



## dwmccauslin

*Re: Missing ipsec*

My XP CD that has SP3 slipstreamed is XP Pro, not XP Home. Does that matter? I will have to try and find it.


----------



## dwmccauslin

*Re: Missing ipsec*

After renaming, it seemed to refresh itself. So I went back in and renamed it tcpip1.old. That shows in the directory, but then it refreshed and tcpip.sys was back, and at the end of the directory. I will power down and turn it back on instead of a restart...


----------



## Ried

*Re: Missing ipsec*

I take it you still can't access the internet?

Let's stay with 'simple' first. Let's try resetting the TCP/IP stack to installation defaults.

Click Start>Run and type in *cmd*

At the prompt, type in the following and press Enter:

*netsh int ip reset reset.log*


Next, reset winsock entries to installation defaults by typing in the following and press Enter:

*netsh winsock reset catalog*

Reboot the machine. 

If you still don't have internet, then we'll press ahead and try a Repair install of XP. The version of XP does matter. Locate the XP Home install disc and you'll need to slipstream SP3. The idea here is to perform a repair install.

Here's a couple "how-to" links:

How to Slipstream Service Pack 3 into Windows XP

Create a Slip Stream version of

After you've created the disc, perform a repair install. If you need assistance, there's a good step by step guide here --> How to Perform a Windows XP Repair Install

=======================================

If the internet is still messed up, then I would recommend uninstalling, then reinstalling SP 3

I don't see Windows Service Pack 3 in your Add or Remove programs list. If you don't see it in that panel via Control Panel>Add or Remove programs, you can uninstall it this way:

Click Start>Run and copy/paste the following into the Run box and click OK:

*c:\windows\$NtServicePackUninstall$\spuninst\spuninst.exe*

After it uninstalls, use the SP3 download from this link Download Details - Microsoft Download Center - Windows XP Service Pack 3 Network Installation Package for IT Professionals and Developers


----------



## dwmccauslin

*Re: Missing ipsec*

I did the steps to reload winsock and such, it still does not work. On a lark, I typed ipconfig at a command prompt. It returned this error:
Windows IP Configuration
An internal error occurred: The request is not supported.
Please contact Microsoft Product Support Services for further help.
Additional information: Unable to query host name.

Should I try re-loading SP3 before the slipstream?


----------



## dwmccauslin

*Re: Missing ipsec*

Can I do the XP slipstream on a Windows 7 machine? My laptop that I am using for transferring files is Windows 7 Home Premium 64-bit. Will that work?


----------



## Ried

*Re: Missing ipsec*

Yes, you can use any machine to create the slipstreamed disc.

As far as which to attempt first, it's up to you. After reading about this error and the various troubles people had trying to resolve it, I think I would try uninstalling and reinstalling SP3.


----------



## dwmccauslin

*Re: Missing ipsec*

Tried your command to uninstall SP3:

*c:\windows\$NtServicePackUninstall$\spuninst\spuninst.exe*

entered at the Start-Run box. Came back with the following:

c:\windows\$NtServicePackUninstall$\spuninst\spuninst.exe refers to a location that is unavailable. It could be on a hard drive on this computer, or on a network. Check to make sure that the disk is properly inserted, or that you are connected to the Internet or your network, and then try again. If it still cannot be located, the information might have been moved to a different location.


----------



## Ried

*Re: Missing ipsec*

Use SystemLook to see if that uninstaller is onboard. Type the following into the open field and click the Look button



> :filefind
> spuninst.exe


----------



## dwmccauslin

*Re: Missing ipsec*

Resulting log attached.

Are you familiar with ImageBurn? Can I burn the ISO with that? I am not sure what to do to burn the CD as a bootable ISO...


----------



## Ried

*Re: Missing ipsec*

Imageburn is great. Yes, you can use that to burn.


----------



## dwmccauslin

*Re: Missing ipsec*

I got the ISO created. I will try the instructions on that link you gave me.


----------



## dwmccauslin

*Re: Missing ipsec*

I read the link. Not entirely sure what to do with the XP CD. Is there a specific command that I need to do to have it refresh the files?


----------



## Ried

*Re: Missing ipsec*

Did you download and use AutoStreamer? AutoStreamer needed you to point to the XP install disc, and to the Service Pack file, in order to create the .iso file on your hard drive.


----------



## dwmccauslin

*Re: Missing ipsec*

I followed the instructions and created the CD. My question is how do I do the repair? The link discusses repairing a specific portion. Is there a command that I need to repair the tcpip services?


----------



## Ried

*Re: Missing ipsec*

You will be repairing the OS itself - the Windows XP installation.

Quoting from Michael Stevens' instructions, How to Perform a Windows XP Repair Install:

1. Boot the computer using the XP CD. You may need to change the 
boot order in the system BIOS. Check your system documentation 
for steps to access the BIOS and change the boot order. 

2. When you see the "Welcome To Setup" screen, you will see the 
options below:

This portion of the Setup program prepares Microsoft 
Windows XP to run on your computer:

*To setup Windows XP now, press ENTER*.

To repair a Windows XP installation using Recovery Console, press R.

To quit Setup without installing Windows XP, press F3.

3. *Press Enter to start the Windows Setup.* 
Do not choose "To repair a Windows XP installation using the 
Recovery Console, press R", (you do not want to load Recovery 
Console). I repeat, do not choose "To repair a Windows XP 
installation using the Recovery Console, press R". 

4. Accept the License Agreement and Windows will search for existing 
Windows installations. 

5. *Select the XP installation you want to repair from the list and 
press R to start the repair.* Note - If Repair is not one of the options, 
EXIT the setup! 

6. Setup will copy the necessary files to the hard drive and reboot. 
*Do not press any key to boot from CD when the message appears. 
Setup will continue as if it were doing a clean install, but your 
applications and settings will remain intact.*


----------



## dwmccauslin

*Re: Missing ipsec*

I no longer have the code for that old XP CD... The code on the laptop will not work, even though it is a Dell computer and Windows XP Home, like mine was. Now what?


----------



## Ried

*Re: Missing ipsec*

The key on the laptop should work. Download Magical Jelly Bean KeyFinder and use that to verify the key. The download and instructions are here --> KeyFinder | Magical Jelly Bean


----------



## dwmccauslin

*Re: Missing ipsec*

I went to replace/repair the Windows installation. It is at the Welcome to Windows Setup Wizard. Can I abort this, install the keyfinder then start over?


----------



## Ried

*Re: Missing ipsec*

Does it give you the option to Cancel or Exit? Since it hasn't started anything yet, you should be able to abort if there is no Cancel or Exit option.


----------



## dwmccauslin

*Re: Missing ipsec*

The Windows XP Home CD I used for slipstreaming SP3 was an old one from a Dell Dimension I used to have. This laptop is a Dell Inspiron, from around the same age.
I did try the key that is on the laptop's Windows XP Home label, and it said the key was invalid.


----------



## Ried

*Re: Missing ipsec*

It shouldn't matter, unless there was more on the XP install disc you used from your Dell machine, than just the XP OS.


----------



## dwmccauslin

*Re: Missing ipsec*

No. All it says is Operating System Reinstallation CD MS Windows XP Home Edition Including Service Pack 1.
Then it says that this CD does not contain the drivers,


----------



## dwmccauslin

*Re: Missing ipsec*

I aborted, which forced a re-boot. It is now asking for the CD labeled Windows XP Home Edition Service Pack 3. If I cancel, it gives a fatal error and tries to re-boot.


----------



## dwmccauslin

*Re: Missing ipsec*

Are there any generic keys that work? The one that is on the laptop's label (FDH9G-BK4T3-2BRJ6-4M6XB-RPVYT) is what the setup is saying is not valid. There is no way to get the original code from my old Dell. That went to the landfill 2 years ago!


----------



## Ried

*Re: Missing ipsec*

No, a generic key would be another term for 'illegal'.

Did you run JellyBean finder on the laptop we're working on? Is it the same key you see on the sticker?


----------



## dwmccauslin

*Re: Missing ipsec*

The laptop we are working on is now stuck in the Windows XP Setup where it is asking for a key. I tried F8 and selecting last known good settings, hoping it would get out of the setup, but it went back there.

Any thoughts?


----------



## Ried

*Re: Missing ipsec*

There is no reason the key on the laptop sticker shouldn't work. What version OS does the sticker say that key belongs to? Did your friend perform any sort of upgrade or use another XP disc with another key at some point? 

Are you sure you slipstreamed SP 3 and not SP2 onto that disc you created?


----------



## dwmccauslin

*Re: Missing ipsec*

The sticker says Windows XP Home. He was at SP3. I slipstreamed SP3 (WindowsXP-KB936929-SP3-x86-ENU) into my XP Home CD.


----------



## Ried

*Re: Missing ipsec*

I think you need to talk to your friend. This laptop should have come with a Recovery Partition, but I don't see one present on this machine. What happened to it? Did he reinstall Windows XP on his own at some point?

An option would be to contact Dell and order the Recovery Discs from them for this machine.


----------



## dwmccauslin

*Re: Missing ipsec*

Is there a way to back out of this recovery? I cannot seem to get past the XP setup where it wants the settings and key entered.

Thanks!


----------



## Ried

*Re: Missing ipsec*

No, there's no way to back out of it that I'm aware of. If you want to pull files from it, you can slave it to another machine and access the drive that way.


----------



## dwmccauslin

*Re: Missing ipsec*

If I slave it, is there a way to use Magical Jelly Bean KeyFinder to find the key? I mean, it seems that it looks at the boot drive. If I slave the laptop's drive, is there a specific flag to use that will make it look into that drive specifically? Maybe I can pull the key off the drive that way, then put it back in the laptop.


----------



## Ried

*Re: Missing ipsec*

I've never tried it, but according to their site, it should be able to do that.

KeyFinder | Magical Jelly Bean


> Magical Jelly Bean Keyfinder features:
> 1. An optional config file - this functionality lets you pull a key stored in the registry for any software. A sample config file is included in the zip and can be seen here: keyfinder.cfg
> 
> 2. Command line options - /save <location> /savecsv <location> /close /hive <location> /file <filename>
> 
> 3. Load Hive option - allows you to load the registry hive of another Windows installation. To use, put the hard drive in a working machine (must also be Windows 2000, XP, Vista or Windows 7) or use Windows PE (not tested, should work) and click Load Hive. Then point it to the dead Windows install. If you're using Windows Vista, Administrator rights are required for this feature. You may have to right click on the Keyfinder and run as Administrator.
> 
> 4. Improved Save & Print! - save & print options will now include all keys. Save is also available in text or CSV.


----------



## dwmccauslin

*Re: Missing ipsec*

I will try that and report back. It would seem that if I can pull the key off the drive, that should work, correct?


----------



## dwmccauslin

*Re: Missing ipsec*

Magical Jelly Bean KeyFinder worked pretty slick looking at the laptop's drive as an external device. I was able to see the key that is in registry, and it matches what is on the label.
So, I am pretty much back to square one. I will see if I can locate another XP Home CD with its own key, and try again. I still do not know why it will not accept the original key for this, especially since I did not do a fresh install, I just did the repair.
I will let you know.


----------



## dwmccauslin

*Re: Missing ipsec*

One thought... Would Magical Jelly Bean KeyFinder be able to extract the key that the CD is looking for, from the CD?


----------



## Ried

*Re: Missing ipsec*

You may want to discuss it with the folks in our Windows XP Support forum, but from the research I've done with this issue, it seems you will need to contact Dell.


----------



## dwmccauslin

*Re: Missing ipsec*

Ried, I wanted to post a follow-up. First, thanks for all of your assistance and patience! 
The Windows XP Support forum basically told me that if the computer had SP1 or 2 as the original, then the key will not work with SP3 slipstreamed, even though the computer has SP3 installed. I was not so sure that that was true. I went to a friend that had an XP Home/SP3 OEM CD and went through the process again. This time, it went through the setup properly, with the key.
However, ipsec is still missing, and it will not get on the Internet. I told my friend that he needs to get a copy of the OEM disks from Dell, and re-format and go through the whole setup from scratch.
Thanks again! I think I learned a lot!


----------



## Ried

That's good to know, thanks for the follow up. :smile:


----------

