Solved

All connections and Devices shut down.

Posted on 2007-12-03
Last Modified: 2010-05-18
This Dell desktop running WinXP SP2 was brought to me with all network devices, the CD-RW drive,
and TCP/IP services shut down. I scanned in safe mode and found several viruses, and installed updated drivers for the devices. They have a problem starting. I cannot connect to the internet and have no CD drive. How can I scan deeper for a virus with no connection? Or what could be causing this lockdown?

Thanks for your input,
Question by:Thedocdir
14 Comments
 
LVL 66

Expert Comment

by:johnb6767
In the event logs, you should see errors from the Service Control Manager, and it should give some insight as to what services aren't starting. Once you find that, chances are you will be on the right track....

Also, in the device manager>View>Show Hidden Devices>Non plug and play drivers.... Anything remarked with a yellow exclamation?
Author Comment

by:Thedocdir
Thanks johnb6767,
The event viewer has all errors stating the TCP/IP service will not start, as well as its dependencies.
The hidden drivers have all kinds of yellow exclamations. Also, the only external device it will let
me use is a USB flash drive. I hooked up an external EIDE drive and the system locked up and
almost ruined the SATA drive. Scary!
LVL 66

Expert Comment

by:johnb6767
Find the TCPIP.sys in c:\windows\system32\drivers.....

What's the modified date on it?

Sounds like you got rootkitted, at first glance... I got the same thing not long ago, which took me a day to recover from (unfortunately I was bored and intentionally infected myself; I wanted to see what it would do...).

Author Comment

by:Thedocdir
I believe you called the rootkit right, John.
The tcpip.sys file was modified on Tuesday, Nov 27th, 2007. That is about the time my client
started having connection problems! Now, what's my next step? Appreciate the help.
LVL 66

Expert Comment

by:johnb6767
Gonna have to find the source......

c:\windows\system32
c:\windows\
c:\windows\system32\drivers

Need to search these folders for files modified since that date.... Don't delete them all; you should be able to figure out which one it is..... Then you are going to have to get the tcpip.sys restored from an original version, and hope the machine doesn't BSOD on the next boot (or after replacing). Look for a good, non-modified copy in c:\windows\system32\dllcache.

The problem I was having was replacing that damn tcpip.sys file without causing reboots on the next startup.....

You will need to figure out what services are missing from Services.msc, by comparing line by line, and also in the Device Manager>View>Show Hidden Connections>Non Plug and play drivers.

The network related drivers should be listed there, and you should be able to start them without error....
Might need to import good copies of their corresponding registry keys, to fix them....

I would seriously recommend reimaging this machine.... I fought with this for some time, IN FRONT of the machine, not to mention how hard this will be remotely....


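The two checks the comment above describes, listing files in the system folders modified since the date tcpip.sys changed and then comparing each one against the copy in dllcache, can be scripted so the search is repeatable and the verdict rests on a hash rather than a timestamp. The example below is added here and is not code from the thread; it builds a constructed miniature of the system32 tree in a temporary directory (the function and file names such as build_sample_tree, triage and the driver contents are placeholders) and runs both steps over it. Because the asker later found no file with a 2007 date at all, the hash comparison matters: a modification time can be reset by whatever altered the file, while a content mismatch against the dllcache copy cannot be hidden that way.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Cutoff taken from the thread: tcpip.sys showed a modified date of 2007-11-27.
CUTOFF = datetime(2007, 11, 27, tzinfo=timezone.utc)


def sha256_of(path):
    """Hash a file in chunks so large drivers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def files_modified_since(folders, cutoff):
    """Return sorted [(path, mtime)] for files directly inside `folders` with mtime >= cutoff."""
    hits = []
    for folder in folders:
        folder = Path(folder)
        if not folder.is_dir():
            continue
        for p in folder.iterdir():
            if not p.is_file():
                continue
            mtime = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
            if mtime >= cutoff:
                hits.append((p, mtime))
    return sorted(hits)


def compare_with_cache(paths, cache_dir):
    """For each path, find a same-named file in cache_dir and report whether the hashes agree."""
    results = {}
    for p in paths:
        cached = Path(cache_dir) / p.name
        if cached.is_file():
            results[p.name] = "match" if sha256_of(p) == sha256_of(cached) else "DIFFERS"
        else:
            results[p.name] = "no cached copy"
    return results


def build_sample_tree():
    """Constructed sample (placeholder contents): a fake system32 tree where only tcpip.sys was touched after the cutoff."""
    root = Path(tempfile.mkdtemp(prefix="xp_triage_"))
    drivers = root / "system32" / "drivers"
    dllcache = root / "system32" / "dllcache"
    drivers.mkdir(parents=True)
    dllcache.mkdir(parents=True)
    old = datetime(2004, 8, 4, tzinfo=timezone.utc).timestamp()
    new = datetime(2007, 11, 27, 10, 0, tzinfo=timezone.utc).timestamp()
    # Known-good copy in dllcache: original timestamp and content.
    (dllcache / "tcpip.sys").write_bytes(b"ORIGINAL TCPIP DRIVER")
    os.utime(dllcache / "tcpip.sys", (old, old))
    # Live copy: modified on the date from the thread, and the content no longer matches.
    (drivers / "tcpip.sys").write_bytes(b"ORIGINAL TCPIP DRIVER + ALTERED BYTES")
    os.utime(drivers / "tcpip.sys", (new, new))
    # An untouched driver, identical in both places, to show a clean result.
    (drivers / "ndis.sys").write_bytes(b"ORIGINAL NDIS DRIVER")
    os.utime(drivers / "ndis.sys", (old, old))
    (dllcache / "ndis.sys").write_bytes(b"ORIGINAL NDIS DRIVER")
    os.utime(dllcache / "ndis.sys", (old, old))
    return root


def triage(root, cutoff=CUTOFF):
    """Run both steps over root/system32 and root/system32/drivers, checking hits against root/system32/dllcache."""
    sys32 = Path(root) / "system32"
    hits = files_modified_since([sys32, sys32 / "drivers"], cutoff)
    verdicts = compare_with_cache([p for p, _ in hits], sys32 / "dllcache")
    return hits, verdicts


if __name__ == "__main__":
    root = build_sample_tree()
    hits, verdicts = triage(root)
    for p, mtime in hits:
        print(f"{mtime:%Y-%m-%d %H:%M}  {p.relative_to(root)}  ->  {verdicts[p.name]}")
```

On a real machine you would point triage at the Windows directory of the suspect drive mounted from a clean system (as the asker eventually did with a second SATA drive), and treat a "DIFFERS" result as the file to restore from dllcache or original media. Passing compare_with_cache every file in the drivers folder, not just the date hits, is the stronger check when timestamps cannot be trusted.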
 
LVL 66

Expert Comment

by:johnb6767
Also, one of the biggest things that helped was UNINSTALLING TCP/IP, not just resetting it. Found a way, by hacking the .inf, to completely remove it from the network connection......

Then I was able to reboot and reinstall it, which fixed a lot of stuff.....

How to remove and reinstall TCP/IP on a Windows Server 2003 domain controller
http://support.microsoft.com/kb/325356

Start with step 11. I didn't have to mess with the Winsock keys....

Might want to consider running a few rootkit removers first, but this was so new, I didn't see ANYTHING online about it.....

LVL 66

Expert Comment

by:johnb6767
Do me a favor, and list the most recent executables in the system32 directory....

 

Author Comment

by:Thedocdir
I'll get you that list later this evening John, I am at my day job now...
Thanks again for your input.
LVL 66

Expert Comment

by:johnb6767
:^)
Author Comment

by:Thedocdir
Hello again johnb6767,
After viewing the list of executables in system32 and system32\drivers I see no files listed with
any dates from 2007. All 2004, 2005. I purchased a new SATA drive today; I'm going to ghost this
drive before it BSODs on me.
LVL 66

Accepted Solution

by:johnb6767 earned 500 total points
What about .dll files, or .dat files?
Author Comment

by:Thedocdir
Hey johnb6767,
None of the files or DLLs have a 2007 date.
After a week with this machine and its no devices, I have purchased 3 new tools and none of them work or will install. I used several rootkit tools and a ton of anti-virus programs.
I am shutting it down and re-installing.
Thanks for your help johnb6767.
Author Closing Comment

by:Thedocdir
Thanks Johnb6767, your rootkit advice worked. I installed a 2nd SATA drive and scanned the old one. Found 1415 bad guys!
Thedocdir
LVL 66

Expert Comment

by:johnb6767
Glad you finally found the problem....