tcpip.sys d1 error...


Postby bdub » Mon Jul 02, 2012 3:09 pm

so i have a wireless router/modem that verizon gave me when i moved up to fios... never used the wireless part, always kept the radio off. people living in another apt in my building asked if they could feed off my wireless, because they lost their cable modem connection in the last storm that blew thru here. i told them sure, i turned on the radio portion of the router, set up wep, and they got into it fine. now i get BSOD's that mention tcpip.sys quite often on my win7 install on the computer in my sig.
if i start up my xp install, no bsod's, everything works fine.
what gets me is why i have any problems at all... my computer is hooked up wired! why should just turning on the radio in my router cause these issues? anybody see this before?

i should also mention that i changed the wep encryption to wpa2, which i'm guessing is more secure, but i still get the same bsod's. and they usually can happen pretty quick, sometimes even after i've rebooted my machine and not even logged into my profile.
my main rig...
asrock 970 extreme3
AMD athlonII X3 440
zalman cpns5x performa hs/fan
crucial ballistix 2x4gb sport ddr3-1333
powercolor ax7750 1GBK3-H vga
antec neo he 650r
Samsung 840 EVO SSD 120 GB
toshiba 2TB HDD 64M cache sata3
seagate 1TB HDD 64M cache sata3
hitachi 2TB HDD 64M cache sata3
lg wh14ns40 bd burner
optiarc ad-7240s sata dvdrw (nec chipset)
bdub
Black Belt 3rd Degree
Posts: 3492
Joined: Wed Feb 19, 2003 2:12 am
Location: Washington D.C.

Postby evasive » Mon Jul 02, 2012 11:37 pm

does it bsod with the network cable out?
what does bluescreenview tell you?
http://www.nirsoft.net/utils/blue_screen_view.html
We hate rut, but we fear change.
********************************
System error, strike any user to continue...
evasive
Mobo-fu Master
Posts: 36805
Joined: Sun May 06, 2001 12:01 am
Location: Netherlands

Postby bdub » Tue Jul 03, 2012 4:36 am

it didn't happen with xp running on the same machine. i doubt it would happen with the network cable out. when more than one wireless device is active is when it happens, as right now i can see no one is active besides my wired computer. no one else is online right now.
i did lock down the router to only dish out dhcp to 5 devices, which are all taken by entries (right now it's this machine, my bdplayer, and three wireless devices from upstairs), so maybe it has something to do with someone else trying to get in and since this machine is first in line in the range, the router is trying to take my address away? maybe not because whenever i reboot after a bsod, i could get my old address back.
i guess i should make more room, and see if that solves it.

i like that bsod viewer. i've used NirSoft's VideoCacheView in the past. unfortunately i used ccleaner on my machine last night, and it cleared the dumpfiles that were generated...
but all it said was pretty much exactly what was listed in the example bsod on that nirsoft page.

if it happens again, i'll get that dumpfile.

Postby evasive » Tue Jul 03, 2012 5:20 am

my feeling is more like some sort of vulnerability being hit by one of their infected machines being on the same LAN, so not protected by the NAT in the router that normally would close the port. Are you 100% sure your firewall is running and functional?

Postby bdub » Tue Jul 03, 2012 8:25 am

yeah, i was afraid of that (other infected computers).
on my general setting for the router firewall, i am right now using the middle setting by default....

Typical Security (Medium)
Inbound Policy: Reject.
Remote Administration settings will override the security inbound policy.
Outbound Policy: Accept.

there is a checkbox that says "block IP fragments" that is unchecked.

i also notice in my advanced settings under remote configuration that this is checked...
Diagnostic Tools
-Allow Incoming WAN ICMP Echo Requests (e.g. pings and ICMP traceroute queries)
i've now unchecked this.

there's a bunch of other tabs to look at, can you give a clue what else to look for?

i did notice this morning someone logged on with a static ip that was in the range of dhcp. i asked the neighbors about that, and they don't know what i'm talking about.

my computer bsod'd again while i was talking to them, and i am getting the minidump now.
will post soon.

Postby bdub » Tue Jul 03, 2012 8:31 am

here's my firewall's security log generated by the router. i think this is since the last time i cleared the log, so not a lot in it...
i'm wondering what those (0.0.0.0) entries are!
the xxxxx's are my main machine. the (192.168.1.x) is my main computer address.
the yyyyy is from a machine usually on the network, but hadn't been logged in for days and is turned off.

Jul 3 12:17:51 2012 Firewall Info User authentication success Username: xxxxx

Jul 3 12:12:28 2012 Firewall Setup Configuration change WBM user xxxxx (192.168.1.x) has changed security settings[repeated 2 times, last time on Jul 3 12:12:33 2012]

Jul 3 12:12:04 2012 Firewall Info User authentication success Username: xxxxx

Jul 3 10:51:37 2012 Firewall Setup Configuration change WBM user Unknown (0.0.0.0) has changed security settings[repeated 2 times, last time on Jul 3 11:28:27 2012]

Jul 3 09:45:05 2012 Firewall Info User authentication success Username: xxxxx[repeated 2 times, last time on Jul 3 10:49:05 2012]

Jul 3 09:30:50 2012 Firewall Setup Configuration change WBM user Unknown (0.0.0.0) has changed security settings[repeated 2 times, last time on Jul 3 09:35:51 2012]

Dec 14 19:00:01 2007 Unknown Unknown Error resolving hostname: "yyyyyy"

Dec 14 19:00:01 2007 Firewall Setup Firewall status changed enabled

Dec 14 19:00:01 2007 System Log Message The system is UP!

Postby bdub » Tue Jul 03, 2012 8:52 am

crash list ...

Dump File ---- 070312-28250-01.dmp
Crash Time ---- 7/3/2012 12:14:39 PM
Bug Check String - DRIVER_IRQL_NOT_LESS_OR_EQUAL
Bug Check Code - 0x000000d1
Parameter 1 ---- 00000000`0000001c
Parameter 2 ---- 00000000`00000002
Parameter 3 ---- 00000000`00000001
Parameter 4 ---- fffff880`01a605ae
Caused By Driver --- tcpip.sys
Caused By Address -tcpip.sys+605ae
File Description
Product Name
Company
File Version
Processor x64
Crash Address -- ntoskrnl.exe+7f1c0
Stack Address 1
Stack Address 2
Stack Address 3
Computer Name
Full Path ---- C:\Windows\Minidump\070312-28250-01.dmp
Processors Count - 2
Major Version ------ 15
Minor Version ------ 7601
Dump File Size ---- 274,256

Postby bdub » Tue Jul 03, 2012 11:13 am

just had another bsod, same values... it seemed to happen soon after the neighbor's computer with a mac address starting with c8 logged in. all other mac addresses start with 00. could addresses with c8 belong to an apple computer?
it's not the ip address that is static though.

firewall log shows this, which happens concurrently with c8: logon...
Jul 3 14:48:19 2012 Firewall Setup Configuration change WBM user Unknown (0.0.0.0) has changed security settings

bsod occurred at 14:56...
here's the router's system log from around that time...

Jul 3 15:07:04 2012 System Log Message estream: Cannot read from fd 26 Connection reset by peer(131)
[repeated 3 times, last time on Jul 3 15:16:03 2012]

Jul 3 14:58:55 2012 System Log Message Unable to change DSCP of icmp socket to value 0 for ping Socket operation on non-socket

Jul 3 14:57:57 2012 System Log Message estream: Cannot read from fd 26 Connection reset by peer(131)

Jul 3 14:48:18 2012 System Log Message Cannot find cache entry for mac 00:21:e9:dd:eb:0e ret=-1
[repeated 2 times, last time on Jul 3 14:48:18 2012]

Jul 3 14:48:10 2012 System Log Message hostapd: ath0: STA c8:bc:c8:cb:32:04 WPA: pairwise key handshake completed (RSN)

Jul 3 14:48:10 2012 System Log Message 11: associated

also noticed that in my firewall under port triggering there was this...

Protocol
-L2TP Triggering - Layer Two Tunneling Protocol
Outgoing Trigger Ports
-UDP Any -> 1701 UDP
Incoming Ports to Open
-Any -> Same as Initiating Ports

and
Protocol
-TFTP Triggering - Trivial File Transfer Protocol
Outgoing Trigger Ports
-UDP 1024-65535 -> 69 UDP
Incoming Ports to Open
-Any -> Same as Initiating Ports

i never set these triggers, and i always assumed they were there by default. but now i've unchecked them.

Postby evasive » Tue Jul 03, 2012 10:56 pm

there's 8 minutes between the logon (14:48) of the c8 machine and your crash (14:56) which is neatly picked up by your router (connection reset by peer at 14:57).

Now you have the dumpfile you should be able to run a debugger over it. If you don't have that one ready, send the zipped .dmp files to my email address under the button, I'll see if I can track back what caused tcpip.sys to fall over. More than likely it is a network-related program such as the network module of anti-virus software/toolkit/firewall/monitoring/config that is a bit buggy and reacting allergically to something from the other machines...
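An added example, not from either poster, that scripts the correlation evasive describes: it parses router log lines in the layout bdub posted, flags the WPA association, the "Unknown (0.0.0.0)" configuration change and the connection reset, and lists the ones that fall in a window around the 14:56 crash. The one-entry-per-line layout is assumed from the thread, and the sample lines are constructed copies of the posted entries.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the router log entries posted in this thread
# (one entry per line; the "[repeated N times]" continuation lines are omitted).
SAMPLE_LOG = """\
Jul 3 15:07:04 2012 System Log Message estream: Cannot read from fd 26 Connection reset by peer(131)
Jul 3 14:57:57 2012 System Log Message estream: Cannot read from fd 26 Connection reset by peer(131)
Jul 3 14:48:19 2012 Firewall Setup Configuration change WBM user Unknown (0.0.0.0) has changed security settings
Jul 3 14:48:10 2012 System Log Message hostapd: ath0: STA c8:bc:c8:cb:32:04 WPA: pairwise key handshake completed (RSN)
Jul 3 12:12:28 2012 Firewall Setup Configuration change WBM user xxxxx (192.168.1.x) has changed security settings
"""

TIME_FMT = "%b %d %H:%M:%S %Y"
LINE_RE = re.compile(r"^(\w{3} \d{1,2} \d\d:\d\d:\d\d \d{4}) (.*)$")
STA_RE = re.compile(r"STA ([0-9a-f:]{17}) WPA: pairwise key handshake completed")
UNKNOWN_CFG_RE = re.compile(r"WBM user Unknown \(0\.0\.0\.0\) has changed security settings")
RESET_RE = re.compile(r"Connection reset by peer")


def parse_log(text):
    """Return (timestamp, message) tuples, oldest first; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m.group(1), TIME_FMT), m.group(2)))
    return sorted(events)


def classify(message):
    """Label the three event types this thread cared about; None for anything else."""
    m = STA_RE.search(message)
    if m:
        return ("wifi_assoc", m.group(1))          # a wireless client finished its WPA handshake
    if UNKNOWN_CFG_RE.search(message):
        return ("config_change_unknown_user", "0.0.0.0")   # settings changed with no logged-in user
    if RESET_RE.search(message):
        return ("connection_reset", None)          # router lost a connection, e.g. the host rebooting
    return None


def events_around_crash(text, crash_time_str, before_min=10, after_min=2):
    """Interesting events in [crash - before_min, crash + after_min], as (HH:MM:SS, kind, detail)."""
    crash = datetime.strptime(crash_time_str, TIME_FMT)
    lo, hi = crash - timedelta(minutes=before_min), crash + timedelta(minutes=after_min)
    hits = []
    for ts, msg in parse_log(text):
        kind = classify(msg)
        if kind and lo <= ts <= hi:
            hits.append((ts.strftime("%H:%M:%S"), kind[0], kind[1]))
    return hits
```

Run against the sample with the 14:56 crash, the association at 14:48:10 shows up 8 minutes before the crash and the reset at 14:57:57 just after it, which is the sequence evasive points out; a config change attributed to 0.0.0.0 is worth checking against the router's own scheduled tasks before assuming a user made it.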

Postby bdub » Wed Jul 04, 2012 6:11 am

unfortunately, i ccleaned again, losing the dump... but thanks for the offer.
neighbors are gone for the rest of the week, and radio is now off.

your perception that it might have something to do with my A-V protection is something i have been reading a bit about, and it is very possible it had to do with that.

i still wonder about those triggers that were in the router....
the "trivial file transfer protocol" and the "l2tp triggering"
...are they something that this router defaults with for some services that are common?

the (0.0.0.0) entries that were supposedly changing security settings, i think they had something to do with what the router is doing itself.

i noticed that when i changed the firewall setting to the elevated setting beyond "typical", that i could not send emails in that setting.

is the WAN ICMP echo request check box something i need? doesn't seem to affect anything since unchecking it. does that just stop outside addresses from pinging the router?
