HAVE AN ERROR had a virus now no internet Please, Please help

[Donjuan]

checked online how to fix it, but am holding off to hear from you

ty again

[Donjuan]

i do not have ipsec

[Donjuan]

I am stuck, I can not find what he wanted

[DavidR]

First essexboy will be at work and is usually on the forums around 7pm UK time, now 2:00pm in the UK.

I'm not sure what you mean by you haven't got ipsec, presumably you mean no ipsec registry key, as you have posted a registry key data but it wasn't ipsec ?
The ipsec.sys file should be here c:\windows\system32\drivers\ipsec.sys (this is a hidden folder so you many not see it), is that is what you are saying you haven't got.

I have XP Pro SP3, so I don't know if my registry key for ipsec would be the same as for XP Home (you don't say what SP you have ?). Hopefully essexboy will know and could use this information if required.

This is the content of the [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec] key

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"Tag"=dword:00000005
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,69,00,70,00,73,00,65,00,63,00,2e,\
  00,73,00,79,00,73,00,00,00
"DisplayName"="IPSEC driver"
"Group"="PNP_TDI"
"Description"="IPSEC driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec\Enum]
"0"="Root\\LEGACY_IPSEC\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[Donjuan]

thank you for the reply, but i dont know how to find hidden files.  I am going to a funeral, this is driving me nuts.  I am hoping I am back and have that file found before essexboy boy gets back, as i don't want to waste his time.

[DavidR]

From windows explorer (not Internet Explorer) menu, Tools, Folder Options, Hidden files and folders, uncheck Hide extensions for known file types, etc. see image1&2.

[essexboy]

Thank you David.. Basically it confirmed that the malware has killed that registry key - Your one looks good as the tag is 5 as well so this should work

OK lets go for it

Copy all of the quoted text to a notepad file -
Then in the notepad file select file type All Files
Save the file as IPSEC.reg to your desktop
Piccy below

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"Tag"=dword:00000005
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,69,00,70,00,73,00,65,00,63,00,2e,\
  00,73,00,79,00,73,00,00,00
"DisplayName"="IPSEC driver"
"Group"="PNP_TDI"
"Description"="IPSEC driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec\Enum]
"0"="Root\\LEGACY_IPSEC\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

On the desktop will be the rubics cube type icon 
Double click that and reboot
Then retry the net

[DavidR]

You're welcome.

@ Donjuan
When you double click the newly created IPSEC.reg file XP will throw up a pop-up 'Are you sure you want to add the information in <Location_To>ipsec.reg to the registry ?' answer Yes. See image example, click to expand.

[Donjuan]

Thank you guys so much, but am running into an error... cannot import.  the specified folder is not a registry script.  you can only import binary registry files within the registry editor.   

And I am naming file as you said to, and also changing to all files.

but i might have imported file first time with a different name other than ipsec.reg  it was named avast.reg

[DavidR]

I'm not sure what is happening on your system when you are trying to save the created file.

It doesn't matter what the actual name of the file.reg was as it is the contents of the file that creates the specific registry key IPSEC and associated sub-keys. So first check the registry and see if the IPSEC key as created HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec (when you ran avast.reg).

####
If it isn't there - you can download this file (from my dropbox account), I created it from exporting my XP Pro ipsec key in the registry and that type of export I have used without problem in the past. Since it was created by the registry export, I would like to think that the registry import wouldn't baulk at it.

http://dl.dropbox.com/u/56425897/avast/ipsec.reg

Just right click on the URL above and select Save As or Save Link As (depending on your browser) and save it to somewhere that you can find it later. and double click it again to import it.

[Donjuan]

NOW I DID FIND THIS

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.ipsec]
"Type"=dword:00000001
"Start"=dword:00000003
"ImagePath"="\\?"

[DavidR]

Where did you find that ?
Certainly not in the registry, looks like the start of a .reg file contents.

That is only the first 5 or so lines of a .reg file, unfortunately that file is corrupt (not all present) and incorrect as the registry key path is incorrect as there is a . (period) before the ipsec registry key name [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.ipsec] and the image path element is missing.

So if you ran this it would be incorrect and hopefully fail, not create an incorrect key, but because it had the . (period) before the ipsec it shouldn't really impact on anything.

[Donjuan]

i imported the correct file to this, and it seems to have worked, i have started another post it is "have error new farbar scan", this shows the scan after fixing this registry

[DavidR]

Although you mentioned a problem with farbar, it has completed and you should attach/copy and paste that log in here.

I have answered your other topic.

[essexboy]

Note that the registry entry you posted is .ipsec  this is the malware entry there is a dot prior to the ipsec - could you confirm that ... If so I will need to remove it

Also merge the threads - so post the farbar report here along with the problems that you now have