All connections and Devices shut down.

This Dell desktop running WinXP SP2 was brought to me with all network devices, the CD-RW drive, and TCP/IP services shut down. I scanned in safe mode and found several viruses, and installed updated drivers for the devices. They have a problem starting. I cannot connect to the internet and have no CD drive. How can I scan deeper for a virus with no connection? Or what could be causing this lock down?

Thanks for your input,
ThedocdirAsked:

johnb6767Commented:
In the event logs, you should see errors from the Service Control Manager, and it should give some insight as to what services aren't starting. Once you find that, chances are you will be on the right track....

Also, in the Device Manager>View>Show Hidden Devices>Non plug and play drivers.... Anything marked with a yellow exclamation?
0
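The two checks johnb6767 describes (Service Control Manager errors in the System log, and hidden non-PnP drivers that should be running but are not) can be pulled together from PowerShell. This is an added example, not code from the thread; it assumes Windows PowerShell on a live Windows host, and the 14-day window and function names are my own choices.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell on a live
# Windows host; the lookback window and function names are assumptions.

function Get-ServiceStartFailures {
    param([int]$Days = 14)
    $since = (Get-Date).AddDays(-$Days)
    # Service Control Manager errors: 7000 (service failed to start) and
    # 7001 (dependency service failed) are the ones that matter for a
    # "TCP/IP and its dependencies will not start" picture.
    Get-EventLog -LogName System -EntryType Error -After $since -ErrorAction SilentlyContinue |
        Where-Object { $_.Source -eq 'Service Control Manager' } |
        Select-Object TimeGenerated, EventID, Message
}

function Get-StalledDrivers {
    # Kernel drivers configured to start at boot/system/auto that are not
    # running: the scripted view of Device Manager > Show Hidden Devices >
    # Non-Plug and Play Drivers with a yellow exclamation.
    $shouldRun = 'Boot', 'System', 'Auto'
    Get-WmiObject -Class Win32_SystemDriver |
        Where-Object { $shouldRun -contains $_.StartMode -and $_.State -ne 'Running' } |
        Select-Object Name, StartMode, State, PathName
}

Get-ServiceStartFailures | Format-List
Get-StalledDrivers | Sort-Object Name | Format-Table -AutoSize
```

The PathName column is worth reading closely: a driver whose image sits outside system32\drivers, or whose file no longer exists, is a lead in itself. Both queries run against the live system, so on a box that really is rootkitted the results can be filtered by the rootkit; treat them as a starting point, not as a clean bill of health.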
ThedocdirAuthor Commented:
Thanks johnb6767,
The event viewer has all errors stating the TCP/IP service will not start, as well as its dependencies. The hidden drivers have all kinds of yellow exclamations. Also, the only external device it will let me use is a USB flash drive. I hooked up an external EIDE drive and the system locked up and almost ruined the SATA drive. Scary!
0
johnb6767Commented:
Find the TCPIP.sys in c:\windows\system32\drivers.....

What's the modified date on it?

Sounds like you got rootkitted, by first glance... I got the same thing not long ago, that took me a day to recover from (unfortunately I was bored and intentionally infected myself, wanted to see what it would do...).

0

ThedocdirAuthor Commented:
I believe you called the rootkit right John,
The tcpip.sys file was modified on Tuesday Nov 27th, 2007. That is about the time my client started having connection problems! Now, what's my next step? Appreciate the help.
0
johnb6767Commented:
Gonna have to find the source......

c:\windows\system32
c:\windows\
c:\windows\system32\drivers

Need to search these folders for files modified since that date....Don't delete them all; you should be able to figure out which one it is.....Then you are going to have to get the tcpip.sys restored from an original version, and hope the machine doesn't BSOD on the next boot (or after replacing). Look for a good, non-modified copy in c:\windows\system32\dllcache.

The problem I was having was replacing that damn tcpip.sys file without causing reboots on the next startup.....

You will need to figure out what services are missing from Services.msc, by comparing line by line, and also in the Device Manager>View>Show Hidden Connections>Non Plug and play drivers.

The network related drivers should be listed there, and you should be able to start them without error....
Might need to import good copies of their corresponding registry keys, to fix them....

I would seriously recommend reimaging this machine....I fought with this for some time, IN FRONT of the machine, not to mention how hard this will be remotely....


0
johnb6767Commented:
Also, one of the biggest things that helped, was UNINSTALLING TCPIP, not just resetting it. Found a way by hacking the .inf, to completely remove it from the network connection......

Then I was able to reboot, and reinstall it, which fixed a lot of stuff.....

How to remove and reinstall TCP/IP on a Windows Server 2003 domain controller
http://support.microsoft.com/kb/325356

Start with step 11. I didn't have to mess with the Winsock keys....

Might want to consider running a few rootkit removers first, but this was so new, I didn't see ANYTHING online about it.....

0
johnb6767Commented:
Do me a favor, and list the most recent executables in the system32 directory....
0
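The file-dating work johnb6767 asks for twice in this thread (searching c:\windows, system32 and system32\drivers for anything modified since the tcpip.sys date, then listing the most recent executables in system32) and the comparison of tcpip.sys against the dllcache copy can be done in one read-only PowerShell pass. This is an added example, not code from the thread. It assumes Windows PowerShell 4.0 or later on the analysis machine (for Get-FileHash) and that the suspect Windows folder is reachable at the path you pass in, for example D:\Windows when the old disk is mounted as a second drive in a clean box, which is effectively what the author ended up doing.

```powershell
# Added triage script (not from the thread). Assumptions: Windows PowerShell 4+
# on the analysis box; the suspect Windows folder is reachable as $WindowsRoot,
# ideally from an offline mount so a live kernel rootkit cannot hide files.

function Find-RecentSystemFiles {
    param(
        [string]$WindowsRoot = 'C:\Windows',
        [datetime]$Since = [datetime]'2007-11-27',   # tcpip.sys date from the thread
        [int]$Top = 40
    )
    $folders  = @($WindowsRoot, "$WindowsRoot\system32", "$WindowsRoot\system32\drivers")
    $patterns = '*.exe', '*.dll', '*.sys', '*.dat'

    $hits = foreach ($folder in $folders) {
        # "$folder\*" with -Include limits the match to this folder only (no -Recurse)
        Get-ChildItem -Path "$folder\*" -Include $patterns -Force -ErrorAction SilentlyContinue |
            Where-Object {
                -not $_.PSIsContainer -and
                ($_.LastWriteTime -ge $Since -or $_.CreationTime -ge $Since)
            }
    }
    # Read-only: list candidates and let a human decide; nothing is deleted here.
    $hits | Sort-Object LastWriteTime -Descending |
        Select-Object -First $Top FullName, Length, CreationTime, LastWriteTime
}

function Compare-DllCacheCopy {
    param(
        [string]$WindowsRoot = 'C:\Windows',
        [string]$FileName = 'tcpip.sys'
    )
    $live  = Join-Path $WindowsRoot "system32\drivers\$FileName"
    $cache = Join-Path $WindowsRoot "system32\dllcache\$FileName"
    if (-not (Test-Path $live))  { return "live copy missing: $live" }
    if (-not (Test-Path $cache)) { return "no dllcache copy to compare against: $cache" }
    $l = Get-Item $live
    $c = Get-Item $cache
    $liveHash  = (Get-FileHash -Path $live  -Algorithm SHA256).Hash
    $cacheHash = (Get-FileHash -Path $cache -Algorithm SHA256).Hash
    [pscustomobject]@{
        File          = $FileName
        LiveSize      = $l.Length
        CacheSize     = $c.Length
        LiveModified  = $l.LastWriteTime
        CacheModified = $c.LastWriteTime
        SameHash      = ($liveHash -eq $cacheHash)
    }
}

# Usage: point both at the mounted suspect disk rather than the live C:\.
Find-RecentSystemFiles -WindowsRoot 'D:\Windows' | Format-Table -AutoSize
Compare-DllCacheCopy   -WindowsRoot 'D:\Windows' | Format-List
```

Two caveats that matter for reading the output. LastWriteTime is trivially set by the writer of a file, so a clean-looking date list (as the author later reports for system32) does not rule out a modified file; the script shows CreationTime alongside it, and a hash comparison is the stronger check. And the dllcache copy lives on the same disk, so SameHash being true only tells you the two copies agree with each other; a copy taken from install media or a known-clean machine of the same service pack is the reference a restore should actually be made from.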
ThedocdirAuthor Commented:
I'll get you that list later this evening John, I am at my day job now...
Thanks again for your input.
0
johnb6767Commented:
:^)
0
ThedocdirAuthor Commented:
Hello again johnb6767,
After viewing the list of exec's in system32 and system32/drivers I see no files listed with any dates from 2007. All 2004, 2005. I purchased a new SATA drive today; I'm going to ghost this drive before it BSODs me.
0
johnb6767Commented:
What about .dll files, or .dat files?
0

ThedocdirAuthor Commented:
Hey johnb6767,
None of the files or dll's have a 2007 date.
After a week of this machine and its no devices, I have purchased 3 new tools and none of them work or won't install. I used several rootkit tools and a ton of anti-virus programs.
I am shutting it down and re-installing.
Thanks for your help johnb6767.
0
ThedocdirAuthor Commented:
Thanks johnb6767, your rootkit advice worked. I installed a 2nd SATA drive and scanned the old. Found 1415 bad guys!
Thedocdir
0
johnb6767Commented:
Glad you finally found the problem....
0