Bsod - afd.sys

Status
Not open for further replies.

Louiscar

Firstly, I've just registered, so hi to everyone.

I've been getting a regular bsod usually of the irq_not equal type. I've been somewhat frustrated by this problem as I don't get a memory dump and was wondering if there's something that might have disabled it. The message says "memory dump complete" pretty much immediately.

A memory.dmp of zero length is created in the root and checking the minidump folder in Windows reveals an empty folder.

Things I can tell you about this problem:

1) It always happens when active on the net, either downloading or browsing.
2) It began to happen after I loaded .net framework 3.5. I had a problem installing this because Windows had lost the uninstall date for version 2.0. I had to use Aaron Stebner's cleanup tool then reinstall v.2.0 and then v.3.5.
3) Yes I do use Zonealarm (5.5) but have done so for years without problems.
4) memory info for afd.sys was B05BF50 0x00000002 0x00000000 0xB05BF5A0

I did do a restore to before the net framework install but of course the damage has been done and apps reliant on version 2.0 wouldn't work so I had to cleanup and reinstall that. I didn't however, install 3.5 this time.

Some environment details:
O/s: Win XP pro SP3
Net Card : 3com 100mb
Dlink router
Graphics:Ati 9800 Pro
CPU: athlon 2800+ XP
MB: MSI K7

This will happen again no doubt and I'm sure you guys want the memory dump info so my first mission is to find out why I'm not getting a dump.

Otherwise does anyone know of any problems related to afd.sys or what it does ( I can't see this process in process explorer)?

MS have a hotfix for exactly this problem but related to win2K only. There is no mention of this problem related to Winxp. I do tend to think though that some kind of memory leak is occurring as in the win2K problem as it happens after some time of browsing or net use.

Any suggestions would be welcome.

Edit: I've found that memory dump was turned off in system control panel. I've set it to mini so hopefully I'll now get some information to post up soon.
 
To make sure you are set up properly for Minidumps, check here...

Right click on "My Computer"
Click on "Properties"
Click on "Advanced" tab
Click on Startup and Recovery "Settings" Button

Under "Write Debugging Information" it should not be "none".
Mine is set to "Small Memory Dump".

Small Dump directory should be
%SystemRoot%\Minidump

===========
Your "fix" may have been all that is needed, but check the settings now per above.


If these are your settings, then I don't know why you wouldn't have files in the minidump directory following a BSOD.:confused:

Someone here would though! :D
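
The same settings can also be read from the registry key behind that dialog, HKLM\SYSTEM\CurrentControlSet\Control\CrashControl. The following is an added example, not part of the original post: it checks `reg query` output for that key, using a constructed sample of a machine with dumps turned off; the function names are illustrative.

```python
import re

# Meaning of CrashDumpEnabled under
# HKLM\SYSTEM\CurrentControlSet\Control\CrashControl
DUMP_TYPES = {0: "none", 1: "complete", 2: "kernel", 3: "small (minidump)"}
EXPECTED_DIR = r"%SystemRoot%\Minidump"  # directory named in the post above

# Constructed sample of `reg query` output: dump writing disabled.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl
    AutoReboot    REG_DWORD    0x1
    CrashDumpEnabled    REG_DWORD    0x0
    DumpFile    REG_EXPAND_SZ    %SystemRoot%\MEMORY.DMP
    MinidumpDir    REG_EXPAND_SZ    %SystemRoot%\Minidump
"""

# Value lines are indented: name, type, data separated by whitespace.
LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*\S)\s*$")

def parse_reg_query(text):
    """Return {value name: data}; REG_DWORD data is converted to int."""
    values = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # key path, blank lines, banner
        name, kind, data = m.groups()
        values[name] = int(data, 16) if kind == "REG_DWORD" else data
    return values

def check_crash_control(values):
    """List the settings that would stop a minidump from being written."""
    findings = []
    mode = values.get("CrashDumpEnabled")
    if mode is None:
        findings.append("CrashDumpEnabled value is missing")
    elif mode == 0:
        findings.append("dump writing is disabled (CrashDumpEnabled=0)")
    elif mode not in DUMP_TYPES:
        findings.append("unrecognised CrashDumpEnabled value %#x" % mode)
    elif mode == 3 and values.get("MinidumpDir", "").lower() != EXPECTED_DIR.lower():
        findings.append("MinidumpDir is not " + EXPECTED_DIR)
    return findings

if __name__ == "__main__":
    for finding in check_crash_control(parse_reg_query(SAMPLE)) or ["settings OK"]:
        print(finding)
```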
 
Thanks yes it's set to minidump now, I just need to wait for the next bsod to happen and see if it's a consistent one. I'm sure I had a Bad_pool_caller on one occasion.

Unfortunately it's intermittent so I can't force the error.
 
OK, it happened a few minutes after I posted the last reply.

This time it was Bad_Pool_Caller error and the minidump doesn't really give me any idea why.

What is consistent is that it happens on some internet activity. I clicked on a browser link, everything froze and then the BSOD. The other way it happens is if I'm downloading so can happen when I'm doing something else but it has to be some kind of net activity.

Minidump is attached, hope someone can decipher this, there doesn't seem to be that much info in these dumps and this particular one has no culprit mentioned from what I can see.
 
I had another one today - this time IRQL_NOT_EQUAL

Another dump.

I see a similar pattern of Kmixer.sys and clpciid.sys neither of which explains what these have to do with net access.

Is anyone able to help me with these dumps? Otherwise I can try some other forums.
 
Hopefully without overstepping my bounds here since BookWorm+ is helping you, what security software are you running? Also, have you done a virus scan? Your first minidump gave a long list of drivers unable to load.
 
Thanks for the response, BookWyrm+ was just helping with my inability to get a dump but I've solved that as you can see.

I can only see Kmixer.sys and clpciid.sys shown in the dump files albeit several occurrences.

I use Zonealarm 5.5 and Kaspersky for virus scanning. The latter I don't let stay resident. I use it to scan manually when needed or to check download files.

I've run Malwarebytes to check for infections. It's come up clean.

I'm reasonably sure that the problem isn't memory or virus due to the nature of how this began. ie. the .net framework mess, although obviously I can't be 100% on it.
 
Is that .Netframework 3.5? It is a mess.

Yes I know :) I installed an app that needed it but I've thrown both out now and reverted back to .net 2.0 however, as I mentioned the old files had been deleted so I had to go through the same process of cleanup to re-install v2.0. This results in less BSODs but I am still getting them.

Is ZA 5.5 a full security suite?

No it's just the firewall. I stuck with version 5.5 (it's quite old now) because version 6 onwards insists on installing all sorts of c**p. I just want a simple firewall without all the resident programs that these suites insist on installing.
 
3)

I had another last night - left Kaspersky scanning the HDDs as I'd done all but those.

This time I've got a number of other drivers listed
 
Your error only cited a core Windows OS driver but what was interesting in the Process section of the dump was the Dfrg.exe. Are you running any defrag software other than Windows?

I'm beginning to realise that dumpchk isn't telling me the whole story. I don't see any mention of Dfrg.exe when I look at it with this util. What are you viewing the dumps with? ... or is it possible you looked at someone else's dump?

I get:

for the Unloaded modules section:

acf76000 acfa1000 kmixer.sys Timestamp: unavailable (00000000)
ad041000 ad06c000 kmixer.sys Timestamp: unavailable (00000000)
adf8b000 adf8e000 clpciid.sys Timestamp: unavailable (00000000)
ad719000 ad71c000 clpciid.sys Timestamp: unavailable (00000000)
ae14a000 ae14d000 clpciid.sys Timestamp: unavailable (00000000)
ad090000 ad093000 clpciid.sys Timestamp: unavailable (00000000)
ad1ac000 ad1af000 clpciid.sys Timestamp: unavailable (00000000)
ad041000 ad06c000 kmixer.sys Timestamp: unavailable (00000000)
ad041000 ad06c000 kmixer.sys Timestamp: unavailable (00000000)
ad041000 ad06c000 kmixer.sys Timestamp: unavailable (00000000)
ba377000 ba37f000 mbamswissarm Timestamp: unavailable (00000000)
ad041000 ad06c000 kmixer.sys Timestamp: unavailable (00000000)
ad041000 ad06c000 kmixer.sys Timestamp: unavailable (00000000)
ad041000 ad06c000 kmixer.sys Timestamp: unavailable (00000000)
ad041000 ad06c000 kmixer.sys Timestamp: unavailable (00000000)
ad041000 ad06c000 kmixer.sys Timestamp: unavailable (00000000)
ad041000 ad06c000 kmixer.sys Timestamp: unavailable (00000000)
ad041000 ad06c000 kmixer.sys Timestamp: unavailable (00000000)
adcec000 add17000 kmixer.sys Timestamp: unavailable (00000000)
bae89000 bae8a000 drmkaud.sys Timestamp: unavailable (00000000)
adefb000 adf08000 DMusic.sys Timestamp: unavailable (00000000)
add53000 add76000 aec.sys Timestamp: unavailable (00000000)
adf0b000 adf19000 swmidi.sys Timestamp: unavailable (00000000)
f79a1000 f79a3000 splitter.sys Timestamp: unavailable (00000000)
f780f000 f7817000 RNDISMPX.SYS Timestamp: unavailable (00000000)
ae156000 ae15a000 usb8023x.sys Timestamp: unavailable (00000000)
ae166000 ae169000 usbcm.sys Timestamp: unavailable (00000000)
ae027000 ae056000 NVSNPU.SYS Timestamp: unavailable (00000000)
ae1de000 ae1ec000 NVNRM.SYS Timestamp: unavailable (00000000)
ae1ee000 ae1f7000 NVENETFD.sys Timestamp: unavailable (00000000)
ae1fe000 ae20e000 nic1394.sys Timestamp: unavailable (00000000)
b053a000 b053d000 NdisIP.sys Timestamp: unavailable (00000000)
ae03d000 ae056000 bthpan.sys Timestamp: unavailable (00000000)
ae296000 ae299000 btnetdrv.sys Timestamp: unavailable (00000000)
ba3db000 ba3df000 kbdhid.sys Timestamp: unavailable (00000000)
f77cf000 f77d4000 Cdaudio.SYS Timestamp: unavailable (00000000)

plus two sections above titled:

DUMP_HEADER32: & TRIAGE_DUMP32:

To answer your question - no I don't (knowingly) use defrag software. I've never seen the process Dfrg.exe running. I presume this wouldn't be hidden from taskmanager or process explorer - I would have noticed it if it were present


Interesting:

Code:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OptimalLayout\
EnableAutoLayout=0
There was no key for this and was about to create one when ..... BSOD!

Code:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OptimalLayout\
EnableAutoLayout=0
HKLM\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction\
Enable="N"

This was set to "Y" so I disabled it.

When the BSOD occurred I had just done it.

4) dump attached.
 
Hi Route44

I've got another two dumps which are fairly similar in nature. I think I may have found something that will cause the BSOD within a few minutes.

Last night I did a full memtest (overnight) to eliminate memory faults. Passed ok.
Malware and virus scanners come up with no threats so I'm pretty sure this isn't the problem.

I can't help noticing the reference to sound files but your last message had me confused with the mention of dfrg.exe which I can't see using dumpchk so it leaves me wondering if this is the right tool to look at the dumps with.

I am getting desperate for a few pointers on how or what to point the finger at. I'm not sure what the best approach is to troubleshooting this problem.

Is it worth running sfc ?
 
Inside the 2 Minidumps:
BugCheck 1000000A, {16, 2, 0, 8051609e}
Unable to load image ctaud2k.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ctaud2k.sys
*** ERROR: Module load completed but symbols could not be loaded for ctaud2k.sys
Probably caused by : ks.sys ( ks!KsProbeStreamIrp+333 )
PROCESS_NAME: Poker3d.exe

BugCheck 1000000A, {4, 2, 1, 804e6def}
Probably caused by : ntoskrnl.exe ( nt!ExDeleteResourceLite+19 )

Possibly Malware
I'd say install Avira free Antivirus (uninstall whatever you have at the moment) and run a full scan

Or just go here and run through all 8 steps:
UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions
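
The two bug check summaries quoted in the post above can be decoded mechanically. The following is an added example, not part of the original post: it parses those lines and labels the four IRQL_NOT_LESS_OR_EQUAL (0xA) arguments. It assumes the leading 1 in 1000000A is the flag the debugger shows on minidump bug check codes, so the base code is 0xA; the function and field names are illustrative.

```python
import re

# Assumption: minidump bug check codes are displayed with 0x10000000 set,
# so 1000000A is treated as base code 0xA.
MINIDUMP_FLAG = 0x10000000
NAMES = {0x0A: "IRQL_NOT_LESS_OR_EQUAL", 0xC2: "BAD_POOL_CALLER"}

# The summary lines quoted in the post above.
SUMMARY = """\
BugCheck 1000000A, {16, 2, 0, 8051609e}
Unable to load image ctaud2k.sys, Win32 error 0n2
Probably caused by : ks.sys ( ks!KsProbeStreamIrp+333 )
PROCESS_NAME: Poker3d.exe
BugCheck 1000000A, {4, 2, 1, 804e6def}
Probably caused by : ntoskrnl.exe ( nt!ExDeleteResourceLite+19 )
"""

BUGCHECK = re.compile(r"BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}")
CAUSE = re.compile(r"Probably caused by : (\S+) \( (\S+) \)")

def decode(text):
    """Return one record per BugCheck line, with the blamed module attached."""
    crashes = []
    for line in text.splitlines():
        m = BUGCHECK.search(line)
        if m:
            code = int(m.group(1), 16) & ~MINIDUMP_FLAG
            args = [int(a, 16) for a in m.group(2).split(",")]
            rec = {"code": code, "name": NAMES.get(code, "unknown"), "args": args}
            if code == 0x0A and len(args) == 4:
                rec.update(
                    address=args[0],             # memory that was referenced
                    irql=args[1],                # IRQL at the time of access
                    access="write" if args[2] & 1 else "read",
                    instruction=args[3],         # address of the faulting code
                    near_null=args[0] < 0x10000, # first 64 KB is never mapped
                )
            crashes.append(rec)
            continue
        m = CAUSE.search(line)
        if m and crashes:
            crashes[-1]["module"], crashes[-1]["symbol"] = m.groups()
    return crashes

if __name__ == "__main__":
    for c in decode(SUMMARY):
        print("%s: %s of %#x at IRQL %d, blamed on %s" % (
            c["name"], c["access"], c["address"], c["irql"], c.get("module")))
```

Both crashes decode to an access to a near-null address at IRQL 2, one read and one write, blamed on two different modules.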
 
Hi,

Thanks for the help.

I've already been through most of the steps in the above link. I'm rechecking but the important aspects are covered. I've just updated my Java as this was a slightly older version than the one Sun is offering now.

Current virus scanner is Kaspersky which I believe is one of the better scanners. Is there any reason I should consider Avira which Kaspersky would not cover?

I have HJT and Malwarebytes which I use regularly to oust stuff that is unwanted.

Both Malwarebytes and Kaspersky don't detect anything suspicious.

The poker3d.exe mentioned is the program I've just acquired that I've found to bring up BSODs more regularly however, this is not the culprit, it's just that I can force a BSOD easier with it.

I'm just running the recommended SuperAntiSpyware scanner as this is one thing I have not got. I'll let you know if this comes up with anything.

Other than that I reiterate that the original problem started from a forced installation of .net framework 3.5. I had no BSOD problem before this and I am hoping this is still a valid clue.

I accept though that I should follow the process of elimination as thoroughly as possible to overrule any malicious causes.

In the meantime can you give your opinion on the constant reference to sound card drivers in these dumps? If malware isn't the reason is this worth focusing on?
 
After a scan with SuperAntiSpyware it found only a few adware bits. However, till today I was reasonably free from the BSODs. Then it happened again using poker3d.

I guess I can't force it with this, it's pretty intermittent and having two BSoDs one after the other was just a false lead.

Not sure what I should do now, perhaps it might be worth going through an sfc session.
 
I would not do a sfc /scannow without first doing the above ;)

Yes I've done the 8 steps. Should I attach the 3 logs here or in another forum?

Code:
Step 8

Attach the requested logs
1) Malwarebytes Anti Malware log
2) SuperAntiSpyware log
3) Hijackthis log
 
I think I may have discovered a possible problem and maybe a reason for these BSODs, however, I'm not sure why it's happening.

Looking at the processes I was concerned that Services.exe is taking up a whopping 645MB on startup (private bytes).

Process explorer shows page faults constantly occurring. After a few mins the count is around 1.3 million and going up at the rate of about 5 per second.

Any ideas what might be the cause of this? It certainly doesn't seem right to me and checking my laptop shows that services.exe is taking up a conservative 3MB of memory.
 