Problems from tcpip.sys / eventid=2446 patch

Guest

I'm having problems restoring tcpip.sys to its original state, and any
other changes made by the lvllord patch. It gets complicated because you have
to deal with Windows File Protection.

This is the patch for EventID=2446 for tcpip.sys, which changes the number
of max [half-open] connections for XP.
http://www.lvllord.de/?lang=en&url=tools

Normally, on a clean XP install, this works perfectly and is pretty
brainless. However, this particular computer had all kinds of stuff
installed, like Norton AV Corporate (includes FW and AV i think), some VPN
software, etc.

It *completely* screwed up the computer. All networking shut down, there
were crashes, the computer couldn't be shut down safely, blue screens,
sometimes couldn't boot, etc.

So, we tried reverting the change, which that tool above does. That didn't
work. Then, tried replacing the file manually from another computer (same
version from the last windows update patch to this file in june). Note that
we deleted the file from the DLL cache, placed this file in there, then
deleted the same file in c:\windows\system32\drivers and let WFP copy from
the dllcache to the drivers directory. Then, for good measure, reregistered
the drivers/ dir version with regsvr32 (not sure if this helped, hurt, or had
any effect at all).

Also, curiously, there were two versions of tcpip.sys: "tcpip.sys" and
"TCPIP.SYS". This was pretty weird, but we disposed of the caps version since
the lower-case version was verified to be the latest from ms.

At the moment, the machine doesn't boot at all.

Research has turned up the system file repair, SFR (from the cmd line). This
will replace any protected files back to their originals.... that is, ALL of
them, so that could create any number of new issues. I'm not sure if SFR will
revert back to the original installation version and then windows update will
re-apply patches, or it will be left in a state that confuses windows update,
or what.

Other things I've discovered in research:
- Norton AV/FW may detect many connections and decide the machine is under
attack
- Lvllord patch may also change the registry. I haven't yet identified the
keys or what other software may be using them.
- There are worms and rootkits that will 'infect' tcpip.sys. The machine
hasn't been checked for rootkits (beyond that basic ms tool)

Any ideas, folks?
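An added check, not from the thread or the lvllord tool: a PowerShell script that lists the copies of tcpip.sys that Windows File Protection works from, hashes them, and flags two conditions described above, copies that disagree with each other and a case-only duplicate in the drivers directory. The paths are the standard XP locations and are an assumption; run it from an Administrator shell after a restore attempt, before rebooting.

```powershell
# Added example (not the thread's or lvllord's code). Compares the copies of
# tcpip.sys that WFP keeps; assumes default XP paths under %SystemRoot%.
$sys = $env:SystemRoot
$candidates = @(
    (Join-Path $sys 'system32\drivers\tcpip.sys'),
    (Join-Path $sys 'system32\dllcache\tcpip.sys'),
    (Join-Path $sys 'ServicePackFiles\i386\tcpip.sys')
)

function Get-Sha256Hex([string]$path) {
    # Uses .NET directly so it also works on the PowerShell 2.0 era XP ran.
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [System.IO.File]::ReadAllBytes($path)
    ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
}

$rows = foreach ($p in $candidates) {
    if (Test-Path -LiteralPath $p) {
        $item = Get-Item -LiteralPath $p
        New-Object PSObject -Property @{
            Path    = $p
            Size    = $item.Length
            Version = $item.VersionInfo.FileVersion   # embedded version resource
            Sha256  = Get-Sha256Hex $p
        }
    } else {
        New-Object PSObject -Property @{ Path = $p; Size = $null; Version = 'MISSING'; Sha256 = $null }
    }
}
$rows | Format-Table Path, Size, Version, Sha256 -AutoSize

# WFP is supposed to keep dllcache and drivers identical. More than one distinct
# hash means the restore did not take, or something rewrote one copy afterwards.
$hashes = @($rows | Where-Object { $_.Sha256 } |
    Select-Object -ExpandProperty Sha256 | Sort-Object -Unique)
if ($hashes.Count -gt 1) {
    Write-Warning 'tcpip.sys copies differ; verify which one is the Microsoft binary before rebooting'
}

# NTFS is case-insensitive by default, so two entries in one directory that
# differ only in case (tcpip.sys beside TCPIP.SYS) is abnormal and worth a
# rootkit check rather than simply deleting one of them.
$dups = @(Get-ChildItem -LiteralPath (Join-Path $sys 'system32\drivers') |
    Where-Object { $_.Name -ieq 'tcpip.sys' })
if ($dups.Count -gt 1) {
    Write-Warning 'case-variant duplicates of tcpip.sys found in drivers directory'
    $dups | Format-Table Name, Length, LastWriteTime -AutoSize
}
```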
 
Steven L Umbach

If you have not tried so yet see if you can boot into Safe Mode and then do
a System Restore to a point in time before the patch was applied.

Steve
 
