Re: Problems from tcpip.sys / eventid=2446 patch
- From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 31 Oct 2007 19:10:43 -0500
If you have not tried this yet, see if you can boot into Safe Mode and then do
a System Restore to a point in time before the patch was applied.
Steve
"Doug" <Doug@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:06DBA0F9-DFDD-45FA-B049-570AF7E67BB5@xxxxxxxxxxxxxxxx
I'm having problems restoring tcpip.sys to its original state, and any
other changes made by the lvllord patch. It gets complicated because you
have to deal with Windows File Protection.
This is the patch for EventID=2446 for tcpip.sys, which changes the number
of max [half-open] connections for XP.
http://www.lvllord.de/?lang=en&url=tools
Normally, on a clean XP install, this works perfectly and is pretty
brainless. However, this particular computer had all kinds of stuff
installed, like Norton AV Corporate (includes FW and AV I think), some VPN
software, etc.
It *completely* screwed up the computer. All networking shut down, there
were crashes, the computer couldn't be shut down safely, blue screens,
sometimes couldn't boot, etc.
So, we tried reverting the change, which that tool above does. That didn't
work. Then, tried replacing the file manually from another computer (same
version from the last Windows Update patch to this file in June). Note that
we deleted the file from the DLL cache, placed this file in there, then
deleted the same file in c:\windows\system32\drivers and let WPF copy from
the dllcache to the drivers directory. Then, for good measure, reregistered
the drivers/ dir version with regsvr32 (not sure if this helped, hurt, or had
any effect at all).
Also, curiously, there were two versions of tcpip.sys: "tcpip.sys" and
"TCPIP.SYS". This was pretty weird, but we disposed of the caps version since
the lower-case version was verified to be the latest from ms.
At the moment, the machine doesn't boot at all.
Research has turned up the system file repair, SFR (from the cmd line). This
will replace any protected files back to their originals.... that is, ALL of
them, so that could create any number of new issues. I'm not sure if SFR will
revert back to the original installation version and then windows update will
re-apply patches, or it will be left in a state that confuses windows update,
or what.
Other things I've discovered in research:
-Norton AV/FW may detect many connections and decide the machine is under
attack
-Lvllord patch may also change the registry. I haven't yet identified the
keys or what other software may be using them.
-There are worms and rootkits that will 'infect' tcpip.sys. The machine
hasn't been checked for rootkits (beyond that basic ms tool)
Any ideas, folks?