Solved

All connections and Devices shut down.

Posted on 2007-12-03
Medium Priority
235 Views
Last Modified: 2010-05-18
This Dell desktop running WinXP SP2 was brought to me with all network devices, the CD-RW drive, and TCP/IP services shut down. I scanned in safe mode and found several viruses, and installed updated drivers for the devices. They have a problem starting. I cannot connect to the internet and have no CD drive. How can I scan deeper for a virus with no connection? Or what could be causing this lockdown?

Thanks for your input,
0
Question by:Thedocdir
14 Comments
 
LVL 66

Expert Comment

by:johnb6767
ID: 20398136
In the event logs, you should see errors from the Service Control Manager, and it should give some insight as to what services aren't starting. Once you find that, chances are you will be on the right track....

Also, in the Device Manager > View > Show Hidden Devices > Non Plug and Play Drivers.... Anything marked with a yellow exclamation?
0
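An added example, not part of the original thread, of doing the Service Control Manager check johnb6767 describes without reading the System log by hand. On Windows XP the SCM writes Event ID 7000 ("The X service failed to start due to the following error: ...") for a service or driver that fails on its own, and Event ID 7001 ("The X service depends on the Y service which failed to start ...") for everything downstream of it, so the log fills up with 7001 noise and the one 7000 event for the root driver is what you want. The script below parses a comma-separated Event Viewer text export and walks the chain back to the root. The export format (Source,EventID,Description) and the sample event lines are constructed for the example and are not the author's log; the service display names are only illustrative.

```python
"""Added example (not from the original thread): follow Service Control
Manager "failed to start" events back to the root failing driver or service.

Event ID 7000: "The X service failed to start due to the following error: ..."
Event ID 7001: "The X service depends on the Y service which failed to start
               because of the following error: ..."

SAMPLE_EVENTS is constructed for the example; it is not the author's log.
"""
import re
from collections import defaultdict

# Constructed text export (Source,EventID,Description), one event per line.
SAMPLE_EVENTS = """\
Service Control Manager,7000,The TCP/IP Protocol Driver service failed to start due to the following error: The system cannot find the file specified.
Service Control Manager,7001,The NetBios over Tcpip service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: The dependency service or group failed to start.
Service Control Manager,7001,The DHCP Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: The dependency service or group failed to start.
Service Control Manager,7001,The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: The dependency service or group failed to start.
Service Control Manager,7001,The TCP/IP NetBIOS Helper service depends on the NetBios over Tcpip service which failed to start because of the following error: The dependency service or group failed to start.
Print Spooler,1000,Unrelated event that the parser should ignore.
"""

FAILED_RE = re.compile(r"^The (.+?) service failed to start due to the following error: (.+)$")
DEPENDS_RE = re.compile(r"^The (.+?) service depends on the (.+?) service which failed to start")


def parse_scm_events(text):
    """Return (failed, depends): failed maps service -> its own error (7000);
    depends maps service -> the dependency it blames (7001)."""
    failed, depends = {}, {}
    for line in text.splitlines():
        parts = line.split(",", 2)
        if len(parts) != 3 or parts[0] != "Service Control Manager":
            continue
        event_id, desc = parts[1].strip(), parts[2].strip()
        if event_id == "7000":
            m = FAILED_RE.match(desc)
            if m:
                failed[m.group(1)] = m.group(2)
        elif event_id == "7001":
            m = DEPENDS_RE.match(desc)
            if m:
                depends[m.group(1)] = m.group(2)
    return failed, depends


def root_failures(failed, depends):
    """Services that failed on their own, plus any blamed service that blames nobody
    (a driver that never logged a 7000 but is the end of every 7001 chain)."""
    roots = set(failed)
    for parent in set(depends.values()):
        if parent not in depends:
            roots.add(parent)
    return roots


def dependents_of(root, depends):
    """Everything transitively blocked by root; safe on circular dependency claims."""
    children = defaultdict(list)
    for child, parent in depends.items():
        children[parent].append(child)
    seen, stack = set(), [root]
    while stack:
        for child in children[stack.pop()]:
            if child not in seen and child != root:
                seen.add(child)
                stack.append(child)
    return sorted(seen)


def triage(text):
    """Root failures with their own error text and the list of services they block."""
    failed, depends = parse_scm_events(text)
    return {root: {"error": failed.get(root), "blocks": dependents_of(root, depends)}
            for root in root_failures(failed, depends)}


if __name__ == "__main__":
    for root, info in triage(SAMPLE_EVENTS).items():
        print(f"root failure: {root}: {info['error']}")
        for svc in info["blocks"]:
            print(f"  blocked: {svc}")
```

Run it against a real export by replacing SAMPLE_EVENTS with the saved log; the point is that a long list of 7001 events usually collapses to one root, and that root is the service or driver whose binary and registry key deserve a look first.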
 

Author Comment

by:Thedocdir
ID: 20402651
Thanks johnb6767,
The Event Viewer has all errors stating the TCP/IP service will not start, as well as its dependencies. The hidden drivers have all kinds of yellow exclamations. Also, the only external device it will let me use is a USB flash drive. I hooked up an external EIDE drive and the system locked up and almost ruined the SATA drive. Scary!
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 20402698
Find the TCPIP.sys in c:\windows\system32\drivers.....

What's the modified date on it?

Sounds like you got rootkitted, at first glance... I got the same thing not long ago, and it took me a day to recover from (unfortunately I was bored and intentionally infected myself, wanted to see what it would do...).

0

Author Comment

by:Thedocdir
ID: 20403740
I believe you called the rootkit right John,
The tcpip.sys file was modified on Tuesday Nov 27th, 2007. That is about the time my client started having connection problems! Now, what's my next step? Appreciate the help.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 20403820
Gonna have to find the source......

c:\windows\system32
c:\windows\
c:\windows\system32\drivers

Need to search these folders for files modified since that date.... Don't delete them all, you should be able to figure out which one it is..... Then you are going to have to get the tcpip.sys restored from an original version, and hope the machine doesn't BSOD on the next boot (or after replacing). Look for a good, non-modified copy in c:\windows\system32\dllcache.

The problem I was having was replacing that damn tcpip.sys file without causing reboots on the next startup.....

You will need to figure out what services are missing from Services.msc, by comparing line by line, and also in the Device Manager > View > Show Hidden Connections > Non Plug and Play Drivers.

The network related drivers should be listed there, and you should be able to start them without error....
Might need to import good copies of their corresponding registry keys, to fix them....

I would seriously recommend reimaging this machine.... I fought with this for some time, IN FRONT of the machine, not to mention how hard this will be remotely....


0
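An added example, not part of the original thread, that scripts the two checks johnb6767 gives above and in his earlier comment: list the files in c:\windows, c:\windows\system32 and c:\windows\system32\drivers modified on or after the date found on tcpip.sys (any extension, not just executables, since the dropper may be a .dll or .dat), and compare a hash of the live system32\drivers\tcpip.sys against the copy Windows File Protection keeps in system32\dllcache. It is written to run from a clean machine against the infected drive mounted as a second disk, which is what the author ends up doing, because a kernel-mode rootkit can hide files and forge timestamps from inside the infected OS; timestamps can also be stomped, so treat the hash mismatch, not the date, as the real signal, and prefer a known-good copy from the install media over dllcache when you have one, since dllcache can be tampered with too. The directory tree built by build_sample_windir(), its file contents and dates are constructed for the example and are not from the thread.

```python
"""Added example (not from the original thread): triage a mounted Windows
system drive from a clean machine.

  1. recently_modified(): files in <windir>, <windir>/system32 and
     <windir>/system32/drivers with mtime on/after a cutoff date;
  2. compare_with_dllcache(): SHA-256 of system32/drivers/tcpip.sys versus
     the Windows File Protection copy in system32/dllcache.

The tree built by build_sample_windir() is constructed for the example.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Date the author reported on tcpip.sys; anything modified on/after it is suspect.
CUTOFF = datetime(2007, 11, 27, tzinfo=timezone.utc)

# The three folders the comment above says to search (relative to <windir>).
SEARCH_DIRS = ("", "system32", os.path.join("system32", "drivers"))


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def recently_modified(windir, cutoff=CUTOFF, exts=None):
    """Files (not recursing) in SEARCH_DIRS with mtime >= cutoff.

    Returns a sorted list of (path relative to windir, ISO mtime).  exts, if
    given, restricts to a set of lower-case extensions such as {".exe", ".sys"};
    the default is every file, because droppers are often .dll or .dat.
    """
    hits = []
    for sub in SEARCH_DIRS:
        folder = os.path.join(windir, sub)
        if not os.path.isdir(folder):
            continue
        for name in os.listdir(folder):
            full = os.path.join(folder, name)
            if not os.path.isfile(full):
                continue
            if exts and os.path.splitext(name)[1].lower() not in exts:
                continue
            mtime = datetime.fromtimestamp(os.stat(full).st_mtime, tz=timezone.utc)
            if mtime >= cutoff:
                hits.append((os.path.join(sub, name), mtime.isoformat()))
    return sorted(hits)


def compare_with_dllcache(windir, driver="tcpip.sys"):
    """Hash the live driver and the dllcache copy; match is None if either is missing."""
    live = os.path.join(windir, "system32", "drivers", driver)
    cache = os.path.join(windir, "system32", "dllcache", driver)
    live_hash = sha256_of(live) if os.path.isfile(live) else None
    cache_hash = sha256_of(cache) if os.path.isfile(cache) else None
    match = None if None in (live_hash, cache_hash) else live_hash == cache_hash
    return {"live": live_hash, "dllcache": cache_hash, "match": match}


def _write(path, data, when):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    ts = when.timestamp()
    os.utime(path, (ts, ts))


def build_sample_windir(root):
    """Constructed stand-in for a mounted C:\\WINDOWS; contents and dates are fake."""
    w = os.path.join(root, "WINDOWS")
    old = datetime(2004, 8, 4, tzinfo=timezone.utc)        # SP2-era file dates
    bad = datetime(2007, 11, 27, 9, 30, tzinfo=timezone.utc)
    _write(os.path.join(w, "explorer.exe"), b"MZ explorer", old)
    _write(os.path.join(w, "system32", "ntdll.dll"), b"MZ ntdll", old)
    _write(os.path.join(w, "system32", "drivers", "afd.sys"), b"MZ afd", old)
    # Clean copy kept by Windows File Protection ...
    _write(os.path.join(w, "system32", "dllcache", "tcpip.sys"), b"MZ tcpip clean", old)
    # ... and the live driver, patched on the date the author found.
    _write(os.path.join(w, "system32", "drivers", "tcpip.sys"), b"MZ tcpip patched", bad)
    # A non-.exe dropped alongside it: this is why .dll/.dat files matter too.
    _write(os.path.join(w, "system32", "dropper.dll"), b"MZ dropper", bad)
    return w


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        windir = build_sample_windir(tmp)
        for rel, when in recently_modified(windir):
            print(f"modified {when}  {rel}")
        print(compare_with_dllcache(windir))
```

Point recently_modified() and compare_with_dllcache() at the mounted drive's WINDOWS folder (for example D:\WINDOWS, or wherever the second disk shows up) instead of the constructed tree; a tcpip.sys whose hash differs from dllcache and whose date matches the outbreak is the file to replace, and the other hits on that date are the candidates for the dropper.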
 
LVL 66

Expert Comment

by:johnb6767
ID: 20403846
Also, one of the biggest things that helped was UNINSTALLING TCP/IP, not just resetting it. Found a way, by hacking the .inf, to completely remove it from the network connection......

Then I was able to reboot and reinstall it, which fixed a lot of stuff.....

How to remove and reinstall TCP/IP on a Windows Server 2003 domain controller
http://support.microsoft.com/kb/325356

Start with step 11. I didn't have to mess with the Winsock keys....

Might want to consider running a few rootkit removers first, but this was so new, I didn't see ANYTHING online about it.....

0
 
LVL 66

Expert Comment

by:johnb6767
ID: 20403848
Do me a favor, and list the most recent executables in the system32 directory....
0
 

Author Comment

by:Thedocdir
ID: 20403922
I'll get you that list later this evening John, I am at my day job now...
Thanks again for your input.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 20403930
:^)
0
 

Author Comment

by:Thedocdir
ID: 20415945
Hello again johnb6767,
After viewing the list of executables in system32 and system32\drivers I see no files listed with any dates from 2007. All 2004, 2005. I purchased a new SATA drive today; I'm going to ghost this drive before it BSODs on me.
0
 
LVL 66

Accepted Solution

by:johnb6767 (earned 1500 total points)
ID: 20417063
What about .dll files, or .dat files?
0
 

Author Comment

by:Thedocdir
ID: 20422464
Hey johnb6767,
None of the files or dll's have a 2007 date.
After a week of this machine and its no devices, I have purchased 3 new tools and none of them work or won't install. I used several rootkit tools and a ton of anti-virus programs.
I am shutting it down and re-installing.
Thanks for your help johnb6767.
0
 

Author Closing Comment

by:Thedocdir
ID: 31412418
Thanks Johnb6767, Your rootkit advice worked. I installed a 2nd sata drive and scanned the old. Found 1415 bad guys!
Thedocdir
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 20454077
Glad you finally found the problem....
0
