Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Farbar Service Scanner

  • Please log in to reply
4 replies to this topic

#1 Beech88


  • Members
  • 4 posts
  • Local time:01:26 PM

Posted 01 January 2013 - 08:23 AM

Hope this is the right place and I am not breaking any rules first time out.

I have an XP SP3 machine with Norton N360 installed. I have no apparent problems or malware infection.

I ran the Farbar Service Scanner because I wanted to keep a record of how it appears on a good system, in case mine goes bad in the future. Anyway, it reported as follows:

Farbar Service Scanner Version: 23-12-2012
Ran by Beech (administrator) on 01-01-2013 at 07:58:46
Running from "D:\Cruzer"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal

Internet Services:

Connection Status:
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.

ATTENTION!=====> local policy on IP:
Key: "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local"
Vlue: "ActivePolicy"
Data: "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{3132610a-08db-4cbb-913a-c27d0ed915f9}"

Windows Firewall:
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Disabled. The default start type is Auto.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.

Firewall Disabled Policy:

System Restore:

System Restore Disabled Policy:

Security Center:

Windows Update:

Windows Autoupdate Disabled Policy:

File Check:
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
Gpc(3) IPSec(5) NetBT(6) PSched(7) SYMTDI(10) Tcpip(4)

**** End of log ****

1. I believe the shared access service disabled and therefore the Firewall Disabled Policy are both correct since Norton turns off windows firewall in favour of its own but would appreciate confirmation that this is as expected.

2. I dont understand the local policy on IP and how it got there and whether it is OK or should be changed. Any advice welcomed. What are the consequences of the way it is at the moment. From another XP machine I see this is not standard so, as I say, I dont know why this PC has it and how it could have arisen.

3. The extra does not end in ipsec tag value is correct but again is this just because a local policy on IP exists?

Edited by hamluis, 07 January 2013 - 05:15 PM.
Moved from XP to Networking - Hamluis.

BC AdBot (Login to Remove)


#2 Beech88

  • Topic Starter

  • Members
  • 4 posts
  • Local time:01:26 PM

Posted 01 January 2013 - 08:38 AM

Sorry I looked at the registry and now I see the local policy and how it got there. Basically it should not be there. It comes from product testing and improper clean up.

Looks like I need to remove ActivePolicy under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local


but of course I will await responses first as it is doing no harm at the moment

#3 hamluis



  • Moderator
  • 55,399 posts
  • Gender:Male
  • Location:Killeen, TX
  • Local time:08:26 AM

Posted 01 January 2013 - 09:01 AM

Are you having connectivity problems?

Per description of this tool, http://www.bleepingcomputer.com/download/farbar-service-scanner/ , that's the function/purpose and...if you have no problems, I'm not sure what you are trying to accomplish here.

I am not a "tech" of any sort...and I'm often baffled by procedures employed by the more knowledgeable :).


#4 Beech88

  • Topic Starter

  • Members
  • 4 posts
  • Local time:01:26 PM

Posted 03 January 2013 - 07:36 AM

I am trying to make my PC efficient. My PC is used for testing software and in the process the registry will often have entries that are no longer required when the software is removed but the uninstall process itself does not thoroughly clean up. In short I do not have a fundamental issue with my PC but it needs to be checked and optimized from time to time. In that method I have used Farbar service scanner and low and behold it has identified two issues for me. One is that a local policy has been established which in effect blocks access to certain software house website. There are others ways to achieve a block and creating a local ipsec policy is not what I would have liked.

I can easily remove this policy as I advised in my 2nd post. I can also modify HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec TAg to change the value from 5 to 4 after removing the ipsecPolicy{3132610a-08db-4cbb-913a-c27d0ed915f9) but this will NOT result in the Farbar report returning the correct entry in the Extra list.i.e.
ipsec tag value is correct. I dont get that.

So since Farbar has thrown up an issue, I am trying to resolve the issue, that is all. Its rather like running a AV scanner and finding that you have malware when your existing scanner showed none. One could ask, why did you run the 2nd AV scanner. The fact is I did (so to speak) and it throwed up an error and I am trying to find out how to resolve.

#5 Beech88

  • Topic Starter

  • Members
  • 4 posts
  • Local time:01:26 PM

Posted 07 January 2013 - 04:45 PM

I do not understand. I thought Bleeping COmputer were the experts on the tools in their download area. So could some kind person please respond as I want to clean up the ipsec correctly. thank you

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users