  #1, Member (joined May 2008, 8 posts)

    Network Devices Fail To Start

    I'm sure this is related to a pretty nasty virus/spyware attack. It seems to be related to the userinit.exe kind of attack that I used Smitfraudfix to repair.

    In the device manager, ALL the network devices appear with the yellow exclamation mark and will not start, ie. Device cannot start error. Even when I try installing a new network card, or delete all the existing cards and to a hardware changes scan. The devices get redetected, but always come up with a yellow mark.

    With the new card, I manually specified the location of the drivers on a floppy disk so I know they are the correct ones. In fact I've used this before, it's a USB/Ethernet device that I use on a regular basis, so it's got nothing to do with the drivers.

    The specific error message is:

    "Windows cannot load the device driver for this hardware.
    The driver may be corrupt or missing (Code 39)."

    I'm certain that it's a corrupt registry thing. I found some information regarding this problem, I 'think' it might have been on the Microsoft website and found a registry patch that is supposed to fix it, but didn't. I've uploaded it here: "http://www.anotherworld.com.au/files/networkadapters.reg"

    Can anyone offer any ideas? (other than reformatting) please!
    Last edited by radact; 02-23-2009 at 05:23 PM.

  #2, Canuck, Help2Go Administrator (joined May 2003, Edmonton, Alberta, Canada, 9,817 posts)

    Go through the steps here (Help2Go: Get Rid of Spyware, Adware, and Web Browser Hijackers), step 6, post the resulting log to this thread and we'll get our experts to take a look. By the way, the URL you give didn't work (for me at least).


  #3, Member (joined May 2008, 8 posts)

    Stupid Linux webservers, case sensitive... I've changed the link details.

    Also, since I can't get internet access on that machine, due to all the network drives not working, I've already installed that hard drive into another machine and cleaned and scanned the drive with Kaspersky, MalwareBytes, and SuperAntiSpyware. Then I reinstalled the drive back into the host machine, and ran SmitfraudFix and ComboFix on it.

    LSPFix didn't detect any problems with the network setup either.

    CCleaner found lots of system and registry issues which it cleaned up.
    Last edited by radact; 02-23-2009 at 07:39 PM.

  #4, Member (joined May 2008, 8 posts)

    Help2Go Detective didn't pick up anything too bad, just a reference to a Realtek driver and an Intel button which aren't that critical.

    Here's an image of Device Manager and a copy of the HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:13:43, on 24/02/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\Brother\ControlCenter2\brctrcen.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\rundll32.exe
    K:\Apps\Virus-Spyware\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\DOCUME~1\Owner\LOCALS~1\Temp\init.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
    O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPPAVI~1\Pavilion\XPHWWBP4\plugin\bin\PCHButton.exe
    O4 - HKCU\..\Run: [.PCHButton] C:\PROGRA~1\HPPAVI~1\Pavilion\XPHWWBP4\plugin\bin\PCHButton.exe
    O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
    O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - Add to Windows Live Favorites
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

    --
    End of file - 5250 bytes
    Last edited by radact; 02-23-2009 at 06:24 PM.
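Added example, not from the thread and not HijackThis code: a small triage pass over the log above. HijackThis only lists the entries; this script scores them. The F2 line in the posted log carries a second Userinit entry, which winlogon runs at every logon, sitting in the user's Temp directory; that is the userinit.exe-style hook the opening post refers to. The script also flags O4 autoruns launched from a Temp directory and marks the O10 line for review only (nwprovau.dll is Microsoft's NetWare Winsock provider; "unknown" just means HijackThis has no entry for it). The sample input is four lines from the log plus one constructed O4 line, labelled as such.

```python
"""Triage a HijackThis log for the persistence pattern visible in the post above.

Added example, not from the thread and not HijackThis code.  HijackThis only
lists the entries; this script scores them.
"""
import re

TEMP_DIR = re.compile(r"\\temp\\", re.I)
# The one entry the Userinit value should contain on XP.
LEGIT_USERINIT = re.compile(r"^[a-z]:\\windows\\system32\\userinit\.exe$", re.I)


def triage(log_text):
    """Return [(severity, reason, line)] for lines worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("F2 - ") and "UserInit=" in line:
            # Userinit is a comma-separated list; anything besides the real
            # userinit.exe is an extra logon hook, worse if it sits in Temp.
            value = line.split("UserInit=", 1)[1]
            for part in (p.strip() for p in value.split(",")):
                if part and not LEGIT_USERINIT.match(part):
                    sev = "high" if TEMP_DIR.search(part) else "medium"
                    findings.append((sev, f"extra Userinit entry {part}", line))
        elif line.startswith("O4 - ") and TEMP_DIR.search(line):
            findings.append(("high", "autorun launched from a Temp directory", line))
        elif line.startswith("O10 - ") and "Unknown file" in line:
            # Not a verdict: nwprovau.dll is Microsoft's NetWare Winsock
            # provider; "unknown" only means HijackThis has no entry for it.
            findings.append(("review", "Winsock LSP not on HijackThis's list", line))
    return findings


# Sample input: four lines taken from the posted log plus one constructed O4
# line (the "[updater]" entry) that is NOT in the posted log.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\DOCUME~1\Owner\LOCALS~1\Temp\init.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Owner\Local Settings\Temp\svc.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for sev, why, line in triage(text):
        print(f"[{sev:6}] {why}\n         {line}")
```

Run it with a saved HijackThis log as the first argument, or with no arguments to see the sample scored. The severity is a triage hint, not a verdict; a "medium" extra Userinit entry outside Temp still needs the file looked at.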

  #5, Member (joined May 2008, 8 posts)

    I may have narrowed down where the problem might lie after more delving online... it could have something to do with the Firewall service.

    A post suggested that it might have something to do with the Firewall, so I went to the Control Panel and clicked on Firewall, and Windows displayed a message saying that the Windows Firewall settings could not be displayed because the associated Windows Firewall/Internet Connection Service (ICS) was not running, and asked if I would like to start it. When I say yes to 'Would you like to start the service', I get an error message saying that the service could not start, with no error code or anything.

    If I go through Control Panel/Administrative Tools/Services and scroll down to the Firewall service, it's already on Automatic, but not started. When I hit Start, it comes up with 'Error 2: The specified file could not be found' and fails to start.

    I've tried various suggested methods of repairing the firewall components using:
    "Rundll32 setupapi,InstallHinfSection Ndi-Steelhead 132 %windir%\inf\netrass.inf"

    and repairing WMI such as:
    "net stop winmgmt
    ren %windir%\System32\Wbem\Repository Repository_bad
    net start winmgmt
    rundll32 wbemupgd, UpgradeRepository"
    and
    "rundll32.exe setupapi,InstallHinfSection WBEM 132 %windir%\inf\wbemoc.inf"

    Also, additional searching suggested that "ipnathlp.dll" and "ipnat.sys" were missing or corrupted and that the following would replace the missing files, but still no luck. (Had to do this in safe mode, as ipnathlp.dll was already in use while running in normal mode and couldn't be overwritten.)
    "expand e:\i386\ipnathlp.dl_ %systemroot%\system32\ipnathlp.dll
    expand e:\i386\ipnat.sy_ %systemroot%\system32\drivers\ipnat.sys"
    Last edited by radact; 02-24-2009 at 12:57 AM.
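Added example, not from the thread: an offline check for the two things post #5 is chasing. It parses a Regedit 5.00 export (the same format as the .reg patch mentioned in post #1) and reports (1) the UpperFilters/LowerFilters values on the Network adapters device class key {4D36E972-E325-11CE-BFC1-08002BE10318}, since a filter driver registered there that is missing or broken makes every adapter fail with Code 39 at once, and (2) the ServiceDll that the Windows Firewall/ICS service (SharedAccess) is configured to load, since a ServiceDll that does not exist on disk is exactly what produces the "Error 2" the service start reports. The allowlist of one expected filter (psched, the QoS packet scheduler) is an assumption, and the embedded export is constructed so the script runs anywhere; on the affected machine you would feed it real exports made with `reg export`.

```python
"""Offline check for the two things post #5 is chasing.

Added example, not from the thread.  On the affected machine, produce the input
with (two files, both UTF-16 as reg.exe writes them):
    reg export "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}" net.reg
    reg export HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess sa.reg
Without arguments a constructed export is used instead.
"""
import os
import re

NET_CLASS_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class"
                 r"\{4D36E972-E325-11CE-BFC1-08002BE10318}").lower()
SHARED_ACCESS_PARAMS = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
                        r"\SharedAccess\Parameters").lower()
# Assumption: the QoS packet scheduler is the only upper filter expected on XP.
KNOWN_GOOD_FILTERS = {"psched"}


def parse_reg(text):
    """Parse a Regedit 5.00 export into {key (lower-case): {name: value}}.

    Supports "string" values, hex(2) (REG_EXPAND_SZ -> str) and
    hex(7) (REG_MULTI_SZ -> list of str); other value types are skipped."""
    text = re.sub(r",\\\r?\n\s*", ",", text)   # join hex continuation lines
    keys, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1].lower()
            keys[cur] = {}
        elif cur and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            if raw.startswith('"'):
                keys[cur][name] = raw[1:-1].replace("\\\\", "\\")
            elif raw.startswith(("hex(2):", "hex(7):")):
                data = bytes.fromhex(raw.split(":", 1)[1].replace(",", ""))
                s = data.decode("utf-16-le").rstrip("\0")
                keys[cur][name] = s.split("\0") if raw.startswith("hex(7)") else s
    return keys


def audit(reg_text, existing_files=None, system_root=None):
    """Return a list of findings (strings).

    existing_files: set of lower-case paths treated as present (offline use);
    None means check the local filesystem.  system_root replaces %SystemRoot%."""
    system_root = system_root or os.environ.get("SystemRoot", r"C:\WINDOWS")
    keys = parse_reg(reg_text)
    findings = []
    net = keys.get(NET_CLASS_KEY, {})
    for which in ("UpperFilters", "LowerFilters"):
        for flt in net.get(which, []):
            if flt.lower() not in KNOWN_GOOD_FILTERS:
                findings.append(f"{which} on the Net class contains '{flt}'; a "
                                f"missing or broken filter driver here gives Code 39")
    dll = keys.get(SHARED_ACCESS_PARAMS, {}).get("ServiceDll")
    if not dll:
        findings.append("SharedAccess\\Parameters has no ServiceDll value")
    else:
        path = re.sub(r"%SystemRoot%", lambda m: system_root, dll, flags=re.I)
        present = (path.lower() in existing_files if existing_files is not None
                   else os.path.exists(path))
        if not present:
            findings.append(f"SharedAccess ServiceDll {path} is missing; the "
                            f"service fails with Error 2 (file not found)")
    return findings


# Constructed export: a bogus second upper filter next to psched, and the
# usual ServiceDll (a real export writes it as hex(2); parse_reg handles both).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}]
"Class"="Net"
"UpperFilters"=hex(7):70,00,73,00,63,00,68,00,65,00,64,00,00,00,62,00,6f,00,67,\
  00,75,00,73,00,66,00,6c,00,74,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\ipnathlp.dll"
'''

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # real exports from the affected machine
        text = "".join(open(p, encoding="utf-16").read() for p in sys.argv[1:])
        results = audit(text)
    else:                   # simulate a box where ipnathlp.dll is gone
        results = audit(SAMPLE_EXPORT, existing_files=set(), system_root=r"C:\WINDOWS")
    for r in results:
        print("-", r)
```

If the filter check names something other than psched, that entry (not the adapter drivers) is what Device Manager is failing to load, and deleting the value is what the usual Code 39 registry fix does; if the ServiceDll check fires, the `expand` commands above are the right repair, but only once the value actually points at the path you restored.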