Problem networking XP and Vista

[howardrg]

Gosh, a lot to think about...

The Vista is a laptop so I can move it anywhere. It's only a couple of weeks old. If you could tell me how to set up a wired connection I'd be willing to do it. The router is a D-Link DI-624. Thanks for all your help. I'm going to bed now but will check in again tomorrow after work.

 

[howardrg]

process explorer info...

I'm not sure if this is what you were looking for , but this is for the vista machine

 

[howardrg]

second try to attach process explorer info

it didn't make it earlier

 

[kimsland]

Gods Sake!

You have malware :
SOHDms.exe
SOHDs.exe
Please stop the above two processes, then do the following:

New Preliminary Removal Instructions

Also do not reply to yourself
Instead use the "Edit" button, if yours still the last post
.

 

[LookinAround]

1. Dlink DI-624
This device had several different hardware versions. If you look at this link it should help you determine which version you have. Please report back.

2. Wireshark
Here's our 1st experiment with Wirehark
I'm going to have you install Wireshark, a network sniffer tool. It can trace the data sent or received through a network adapter. It can have several helpful uses:

• We'll use it to verify with certaintainty that those XP -> Vista ping requests are in fact being received by Vista (then we know to focus our energy on finding what's in Vista that's suppressing it.) If we find the ping requests aren't arriving then we'd spend our timing looking at network issues.
• It may help later to see the "actual-behind-the-scenes-message traffic" when trying to understand what the heck is going on in establishing file sharing

So, to download and use Wireshark

• Download Wireshark v1.02 at this link. Execute the download file to install it. Accept all defaults. You’ll see it also installs WinPcap. That’s expected. Continue through those install screens as well.
• Wireshark Defaults. We’ll change some defaults. Click Edit –> Preferences. Under User Interface select
  • Layout : set Pane1 to Packet List, Pane2 to Packet Details, Pane3 to None. Click Apply
  • Capture: Check the 4 options: Capture in Promiscous Mode, Update packets in real time, Automatic Scrolling, Hide capture info. Click Apply
  • Name Resolution. Check all 4 options for name resolution. Click OK to close preferences
• Capturing Data. Initially, to minimize the amount of traffic close any open browser windows or other network sessions which aren’t important.
• Start a capture. Click Capture -> Interfaces. You'll see an entry for each active adapter you can capture from. For the appropriate adapter, click Start. To stop later, click Capture ->. Stop.
• One line data summaries appear in the upper pane. When you select a summary line in the upper pane, the lower pane reveals the protocol envelopes and data contained within.
• If you have too many summary lines to go through we could apply filters to only display what we want. But will assume we don’t need filters for now

Finding the important data. We want to see ARP data (to see how IP adresses are getting resolved) and ICMP data (these are the ping requests).

• In the Filter: box type: (arp) || (icmp). Note once typed it should have a green background (meaning it's a valid filter). Click the Apply button and you now only see ARP and ICMP messages displayed.
• Click File -> Export, Pick a directory and filename. Use the pulldown to set FileType to CSV
• For Packet Range, check the radio buttons for: All selected and Displayed
• Packet Format, check Packet summary line and Packet details. Pull down should indicate As displayed

 

[howardrg]

re malware and wireshark

1. The Vista laptop is brand new -- I am surprised that there is malware on it already -- and I have been running the Live OneCare that came preinstalled. I will remove this malware first this this evening when I get home.

2. On which machine am I to install the Wireshark software: Vista or XP?

 

[LookinAround]

1. When you have your firewalls off for File Sharing testing are you still connected to/accessing the internet? You shouldn't be. Disconnect from your ISP when you turn off the firewalls (may be how you picked it up. Also run your antivrus/antispy on other computers as well)

2. Vista is the one not responding to ping, correct? (just double checking). It's the one to install Wireshark on. Then we can actually trace all the packet data arriving on Vista's network adapters to see if the ping request never arrives or arrives but Vista doesn't respond

3. Do you have an extra ethernet cable also? will be used to connect your router to Vista.

4. First off, before anything else, will want to remove any malware from Vista

5. Have you EVER had ANY other internet security type software running on Vista (something you may have had installed and then removed?)

 

[DelJo63]

1- home systems do NOT need - MS TCP/IP ver. 6. Disable IPv6 altogether.

2- the Vista network wizard setup needs to create a Private Lan connection, not Public or else the system shields itself from everything -- including ping.

ENABLE your windows firewall and on the exception table, enable Print/File sharing;

 

[LookinAround]

joebeard...

we've been down the public vs. private network issue already. OP has verified it's set to private swears the native Windows firewall and the windows live firewall they normal run are both set to OFF which is gives way to determining if so.. why Vista doesn't echo the ping.... some events on the horizon

- Run a cable to connect it wired in addition to it's currently wireless
- Have Vista ping itself from LAN adapter to wireless and reverse
- Let XP try ping again to Vista over wired line instead of wireless
- Dumping Process Explorer to see what other things might be running on the computer to interfere
- Rebuilding the connection in the event something is corrupted
- Running a Network sniffer to at least prove the packet request is actually arriving at the network adapter

Open to any further ideas....

 

[DelJo63]

it is entirely possible to configure a NIC or wireless to default NO REPLY to ping.

disabling the firewall is not the 'remove all controls' that so many assume it to be.

Also, the LLTP is not a requisite to making Print/File sharing work, so if you're into
the concept of disabling unnecessary processes, then disable UPnP, SSDP and the LLTP.

I'll suggest disable the above, reboot, and then reusing the Network Wizard to specify the Private connection, and finally enabling the firewall and activate P&FS.

 

[LookinAround]

Will look at the possibility of the NIC config

I also know that packet filtering can be set in XP as a Network Connection option. Don't know if same is true of Vista but considering the possibility

Will turn off other extraneous processes as well

This is clearly a case where turning off the firewalls doesn't turn off all the controls
(and personally am anxious to see if the result is any different pinging the LAN vs wireless adapter as well as Vista pinging itself)

Thanks

 

[howardrg]

1. When you have your firewalls off for File Sharing testing are you still connected to/accessing the internet? You shouldn't be. Disconnect from your ISP when you turn off the firewalls (may be how you picked it up. Also run your antivrus/antispy on other computers as well)

Yes, internet was still connected. In future will disable with switch on cable modem.

2. Vista is the one not responding to ping, correct? (just double checking). It's the one to install Wireshark on. Then we can actually trace all the packet data arriving on Vista's network adapters to see if the ping request never arrives or arrives but Vista doesn't respond

Correct -- will install on Vista.

3. Do you have an extra ethernet cable also? will be used to connect your router to Vista.

I think I can find one.

4. First off, before anything else, will want to remove any malware from Vista

Will do.

5. Have you EVER had ANY other internet security type software running on Vista (something you may have had installed and then removed?)

Nope -- it's a new laptop and I've just been using Live OneCare

ALSO -- I have investigated the SOHD processes -- there are three and all are associated with the "Vaio Media plus" software that comes preinstalled on the laptop. It searches all the computers on the network for media (pics, music etc.) and makes it available to all the uses on the network. There are three files running now as follows:

SOHDs -- VAIO Media plus device searcher
SOHDms -- VAIO Media plus digital media server
SOHCImp -- VAIO Media plus content importer

I am disinclined to view these as malware.

 

[LookinAround]

• I’m inclined to agree on the malware issue. I think Kimsland was being careful/cautious when finding the modules listed on Prevx as unknowns (they’re probably new)
• Disable ipv6 in Vista as mentioned earlier (a link to instructions how was in an earlier post of mine)
• Have you ever connected your Vista laptop via LAN cable? It will need a network definition in Network and Sharing Center. Make certain it is also of type: private. I've never personally run that step under Vista tho so if you need help with the connection/setup/wizards for the LAN cable i'll defer that piece to someone else
• Couple other curiousities, if you go to the wireless card properties you should be able to find the driver version you're running. What is it?
• Also when you see the Wireless Adapter Properties and hit Configure... you see anything listed that might look like it has to do with packet filtering? I couldn't find any useful documentation on the mfr website

/*** Edit ***/
And oh, yes, not to be lost among all the other questions.. .when you get home could identify which version DI-624 router you have? go to this link, enter di-624 and see the info about versions

 

[kimsland]

Here's the response from Sony

Thank you for your email to Sony.



With regard to your enquiry, please be informed that we have checked that the "SOHDms.exe" file is not part of the Sony VAIO notebook’s files.



Should you require any further assistance, please feel free to contact us by email or call our hotline at (65) 6544-8600.



We look forward to your continuous support for Sony products and services.



Best regards



Nelson Goh

Executive

Customer Contact Centre Department

Customer Interface Marketing Division

Sony Singapore

 

[howardrg]

It's a DI-624 Revision E.

I followed the initial malware removal instructions and downloaded and ran Malwarebytes Anti-Malware which found no malicious items, so I will leave the malware issue behind.

Wireless card on Vista is Atheros AR928x driver ver. 7.6.0.83 (3/19/2008) (from device mgr)

Couldn't see any "configure" button for the wireless card -- where would that be?

Will work on the other items tomorrow -- thanks for your patience.

STOP THE PRESSES. I believe I have figured out and solved the problem. My partner took the computer to work because they had a license to install MS Office on employees' computers (couldn't pass that up!). What I did not know was that they also installed a remote access application called "AT&T Global Network Client Managed VPN Edition" as well as Lotus Notes. I thought something might be amiss when I turned off the internet access and up popped the "AT&T dialer" asking if I wanted it to connect. I had never seen this before and investigated. I decided to uninstall both the AT&T Global Network Client and Lotus Notes. Now, even without rebooting, all computers are visible and accessible on all other computers. With the firewalls off, each computer can ping the other. However, with the firewalls on neither computer can ping the other, but file and printer sharing still work. I believe this is not a problem.

So I think the problem is resolved and I am very grateful to all on this forum who have taken the time to assist me, esp. kimsland and LookinAround. I have learned quite a bit about networking in the process. If you want any more details on what these programs were or any more data on my setup I will be happy to oblige.

 

[LookinAround]

Glad you found the problem :grinthumb

Yup, ATT Global Net would be just the extra software to have interfered.

However, with the firewalls on neither computer can ping the other, but file and printer sharing still work.

Remember what i said about Windows Network not reflecting firewall changes immediately? wait 15 minutes or simply reboot and see if it still reports "seeing" those resources when ping doesn't work. Am pretty sure ping is required for file and printer sharing to work.

/**** Edit ****/
But do let me know if you find it otherwise (i.e. resources continue to be seen and you can actually contineu to access shared resources when ping doesn't work)

 

[kimsland]

If you want any more details on what these programs were or any more data on my setup I will be happy to oblige.

Yes I saw Lotus notes in your log
But I would actually like to see another Procexp.txt attached (from Vista, I believe)

I'd like to know which Startup affected this, or even if running this would have helped from the command line:

netsh winsock reset
netsh int ip reset
netsh interface ip delete arpcache

 

[tipstir]

Wow! I guess I had miss this posting.. I guess the user is all set and running with 'Vista and XP together.

 

[kimsland]

Yes which link would have you posted

 

[kimsland]

AT&T Global Network Client Version 7.4.1 Beta Available

Managed VPN Edition
ftp://ftp.attglobal.net/pub/client/win32/beta/agnc_vpn.exe

I believe this version is suppose to fix the issue of SP1 in full
If you still require AT&T Global Network Client, please download the latest (above) 7.4.1 Beta

 

[howardrg]

here is the process explorer result...

that kimsland wanted

ALSO. LookinAround wrote, "But do let me know if you find it otherwise (I.e. resources continue to be seen and you can actually contineu to access shared resources when ping doesn't work)"

I can report that I can still access shared resources despite being unable to ping either computer from the other. I believe the firewalls are interfering with the ping because pinging succeeds when the firewalls are turned off. Regardless, file & printer sharing are working fine (fingers crossed).

 

[LookinAround]

I can report that I can still access shared resources despite being unable to ping either computer from the other. I believe the firewalls are interfering with the ping because pinging succeeds when the firewalls are turned off. Regardless, file & printer sharing are working fine (fingers crossed).

Well, thank YOU for that update. I'll have to look further into that.

 

[DelJo63]

t
I can report that I can still access shared resources despite being unable to ping either computer from the other. I believe the firewalls are interfering with the ping because pinging succeeds when the firewalls are turned off. Regardless, file & printer sharing are working fine (fingers crossed).

That's correct. Many firewalls can disable ping replies

Ping is seldomly required, but when you enable the FW, be sure to allow
ports 139 udp and 445 tcp for all local lan addresses in both directions.

 

[LookinAround]

That's correct. Many firewalls can disable ping replies

Ping is seldomly required, but when you enable the FW, be sure to allow
ports 139 udp and 445 tcp for all local lan addresses in both directions.

As an fyi to all....It seems it's some firewalls that are creating the dependency between ping and File and Printer Sharing!

After looking into it further, it appears there’s good reason for confusion about any dependency between ICMP ping request/replies and File and Printer Sharing (FPS). I found at least two firewalls that create that dependency (tho I don’t know why as it appears it’s not necessary for FPS functionality. Ping is damn helpful as a diagnostic tool for FPS tho apparently not required for FPS to actually work)

1. Windows Firewall
   MS own implementation of Windows Firefall (WF) was probably first in starting the confusion. In WF
   • By default: ICMP ping requests and File and Printer Sharing ports are blocked
   • Enabling File and Printer Sharing opens ports: TCP 139, 445 and UDP 137, 138
   • When port TCP 445 is enabled WF automatically enables ICMP ping
   • If you go to to WF Settings Advanced/ICMP you find WF doesn’t allow you to disable ICMP ping. In fact, you see a description “Requests of this type are automatically allowed if TCP port 445 is enabled”
2. AVG 7.5 Firewall
   I happen to use AVG 7.5 Internet Security Suite.
   • I’ve had File and Printer sharing enable in the AVG firewall and running a long while on my home network
   • While looking into the problem the OP reported in this thread, I wanted to do a test on my own hardware with ping disabled. I modified the firewall rule found under System/Replies on ICMP diagnostics. I changed the rule to block inbound ping requests. When I hit OK AVG gave me a pop-up “warning” message:
     
     “Disabling PING may have bad effects on File and Printer Sharing: If you block this system service or protocol Microsoft fsp will be blocked too. Are you sure you want to blcok this service?”​
     After hitting yes, I found File and Printer Sharing no longer worked. In fact, looking into it further I found AVG actually disabled the File and Printer sharing rule!

 

[DelJo63]

open port 137 and the need for ping should disappear. MS port 135 is the name