Thedocdir asked:
All connections and Devices shut down.

This Dell desktop running WinXP SP2 was brought to me with all network devices, the CD-RW drive, and the TCP/IP services shut down. I scanned in safe mode and found several viruses, and installed updated drivers for the devices. They have a problem starting. I cannot connect to the internet and have no CD drive. How can I scan deeper for a virus with no connection? Or what could be causing this lockdown?

Thanks for your input,
johnb6767:

In the event logs, you should see errors from the Service Control Manager, and it should give some insight as to what services aren't starting. Once you find that, chances are you will be on the right track.

Also, in Device Manager > View > Show Hidden Devices > Non-Plug and Play Drivers: anything marked with a yellow exclamation?
Thedocdir (asker):
Thanks johnb6767,
The event viewer has all errors stating the TCP/IP service will not start, as well as its dependencies. The hidden drivers have all kinds of yellow exclamations. Also, the only external device it will let me use is a USB flash drive. I hooked up an external EIDE drive and the system locked up and almost ruined the SATA drive. Scary!
Find the TCPIP.sys in c:\windows\system32\drivers.

What's the modified date on it?

Sounds like you got rootkitted, by first glance... I got the same thing not long ago, and it took me a day to recover from (unfortunately I was bored and intentionally infected myself, wanted to see what it would do...).

I believe you called the rootkit right John,
The tcpip.sys file was modified on Tuesday Nov 27th, 2007. That is about the time my client started having connection problems! Now, what's my next step? Appreciate the help.
Gonna have to find the source...

c:\windows\system32
c:\windows\
c:\windows\system32\drivers

Need to search these folders for files modified since that date. Don't delete them all; you should be able to figure out which one it is. Then you are going to have to get the tcpip.sys restored from an original version, and hope the machine doesn't BSOD on the next boot (or after replacing). Look for a good, non-modified copy in c:\windows\system32\dllcache.

The problem I was having was replacing that damn tcpip.sys file without causing reboots on the next startup.

You will need to figure out what services are missing from Services.msc by comparing line by line, and also in Device Manager > View > Show Hidden Devices > Non-Plug and Play Drivers.

The network-related drivers should be listed there, and you should be able to start them without error.
Might need to import good copies of their corresponding registry keys to fix them.

I would seriously recommend reimaging this machine. I fought with this for some time, IN FRONT of the machine, not to mention how hard this will be remotely.


Also, one of the biggest things that helped was UNINSTALLING TCP/IP, not just resetting it. Found a way, by hacking the .inf, to completely remove it from the network connection.

Then I was able to reboot and reinstall it, which fixed a lot of stuff.

How to remove and reinstall TCP/IP on a Windows Server 2003 domain controller
http://support.microsoft.com/kb/325356

Start with step 11. I didn't have to mess with the Winsock keys.

Might want to consider running a few rootkit removers first, but this was so new, I didn't see ANYTHING online about it.

Do me a favor, and list the most recent executables in the system32 directory.
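A small triage script, added here as an example and not part of the thread, that does what johnb6767 asks for in the two posts above: list the drivers and executables under the system32-style folders modified on or after the date the asker reported, and compare each one by SHA-256 with the same-named copy in dllcache. The directory tree, file contents and timestamps are constructed in a temporary folder (the 2007-11-27 cutoff is the date from Thedocdir's post; the file name unknown_new.exe is invented for the demo).

```python
"""Added triage helper, not part of the thread: list driver/executable files
modified on or after a cutoff date and compare each with the same-named copy
Windows keeps in dllcache. Paths here are a constructed temporary tree."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# File types worth looking at in system32 and system32\drivers.
SUSPECT_EXTENSIONS = {".sys", ".exe", ".dll"}


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large drivers don't load into RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def files_modified_since(roots, cutoff):
    """Return (path, mtime) pairs for binaries directly under each root whose
    modification time is on or after cutoff, newest first."""
    hits = []
    for root in roots:
        for entry in Path(root).iterdir():
            if not entry.is_file() or entry.suffix.lower() not in SUSPECT_EXTENSIONS:
                continue
            mtime = datetime.fromtimestamp(entry.stat().st_mtime, tz=timezone.utc)
            if mtime >= cutoff:
                hits.append((entry, mtime))
    return sorted(hits, key=lambda pair: pair[1], reverse=True)


def compare_with_cache(hits, dllcache):
    """Classify each recently modified file against its dllcache reference copy."""
    verdicts = {}
    for path, _ in hits:
        reference = Path(dllcache) / path.name
        if not reference.is_file():
            verdicts[path.name] = "no reference copy"
        elif sha256_of(path) == sha256_of(reference):
            verdicts[path.name] = "matches dllcache"
        else:
            verdicts[path.name] = "DIFFERS from dllcache"
    return verdicts


def _write(path, content, when):
    """Create a file with the given bytes and back-date its mtime (constructed data)."""
    path.write_bytes(content)
    stamp = when.timestamp()
    os.utime(path, (stamp, stamp))


def build_demo_tree():
    """Constructed stand-in for c:\\windows\\system32: a drivers folder, a
    dllcache folder, and three files with hand-picked modification dates."""
    base = Path(tempfile.mkdtemp())
    drivers, cache = base / "drivers", base / "dllcache"
    drivers.mkdir()
    cache.mkdir()
    utc = timezone.utc
    # Untouched driver from the original install: old date, identical in cache.
    _write(drivers / "ndis.sys", b"ORIGINAL NDIS", datetime(2004, 8, 4, tzinfo=utc))
    _write(cache / "ndis.sys", b"ORIGINAL NDIS", datetime(2004, 8, 4, tzinfo=utc))
    # Driver modified on the date the asker reported; cache still holds the original.
    _write(drivers / "tcpip.sys", b"PATCHED TCPIP", datetime(2007, 11, 27, 12, tzinfo=utc))
    _write(cache / "tcpip.sys", b"ORIGINAL TCPIP", datetime(2004, 8, 4, tzinfo=utc))
    # Unknown executable with no cached counterpart (constructed name).
    _write(base / "unknown_new.exe", b"???", datetime(2007, 11, 28, tzinfo=utc))
    return base


def run_demo():
    """Run the triage over the constructed tree and return the verdict map."""
    base = build_demo_tree()
    cutoff = datetime(2007, 11, 27, tzinfo=timezone.utc)
    hits = files_modified_since([base, base / "drivers"], cutoff)
    verdicts = compare_with_cache(hits, base / "dllcache")
    for path, mtime in hits:
        print(f"{mtime:%Y-%m-%d}  {path.name:<16} {verdicts[path.name]}")
    return verdicts


if __name__ == "__main__":
    run_demo()
```

On a real machine you would point the roots at c:\windows\system32 and c:\windows\system32\drivers and the reference at c:\windows\system32\dllcache. Because a kernel-mode rootkit can hide files or hook directory listings on the infected OS, the listing is only trustworthy when the disk is mounted from a clean system, which is what the asker eventually does with a second SATA drive; a mismatch against dllcache is a lead to investigate, not proof on its own, since Windows Update legitimately replaces drivers too.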
I'll get you that list later this evening John, I am at my day job now...
Thanks again for your input.
Hello again johnb6767,
After viewing the list of exec's in system32 and system32\drivers I see no files listed with any dates from 2007. All 2004, 2005. I purchased a new SATA drive today; I'm going to ghost this drive before it BSODs on me.
ASKER CERTIFIED SOLUTION
johnb6767
Hey johnb6767,
None of the files or DLLs have a 2007 date.
After a week with this machine and its missing devices, I have purchased 3 new tools and none of them work or won't install. I used several rootkit tools and a ton of anti-virus programs.
I am shutting it down and reinstalling.
Thanks for your help johnb6767.
Thanks johnb6767, your rootkit advice worked. I installed a second SATA drive and scanned the old one. Found 1415 bad guys!
Thedocdir
Glad you finally found the problem.