# blue screen of death



## mabwooli (Mar 22, 2008)

Hi,
My Norton anti-virus expired and I was still connecting to the internet until I started getting the blue screen with the following technical information:

STOP: 0x0000008E(0xC0000005,0x8AB97248,0xA44CFAD4,0x00000000)

afd.sys-address 8AB97248 base at 8AB94000, DateStamp 4549b341

Martin


----------



## warlordfmike (Aug 15, 2007)

Welcome to techsupportforum.com.

Post the memory.dmp; it's in c:\window\system32.

Go to Device Manager, click View, click Show hidden devices, and look for yellow flags.

If there are any, post a screenshot of them.

And what are your system specs?


----------



## jcgriff2 (Sep 30, 2007)

mabwooli said:

> Hi
> my Norton anti virus expired and was still connecting onto the internet until i started getting the blue screen with the following technical information:
> 
> STOP: 0x0000008E(0xC0000005,0x8AB97248,0xA44CFAD4,0x00000000)
> ...

Hi mabwooli - 

As warlordfmike mentioned there should be memory dumps that contain additional system crash information that just may lead to a cause of your recent encounters with the infamous Blue Screen of Death (BSOD).

Each time a BSOD appears it [should] leave a memory dump behind that I can run through a debugger and hopefully give you the name of a driver or piece of software that is the most probable cause. 

The files should be located in c:\windows\minidump\ and will be named similar to "Mini032208-01.dmp". Get them all.

Two other items that I would like are: (1) A Belarc Advisor report saved in "mht" format (Top right of IE7 screen; Page; Saved as; save as mht). You can download Belarc HERE. However, before attaching to your post *please be sure to delete the information related to your product key codes *located about ½way down the report; (2) A DXDiag report - START | type dxdiag into the Start Search box | right-click on dxdiag.exe | select Run as Administrator | respond to User Access Control prompt. Then save this report. You can then either include these two in the same zip file as the dumps or send all of the files as email attachments to me at TSFjcgriff2*at*gmail.com. My results will be posted here in this thread.

I will need some time to process the dumps as I am currently working on over 50 others. Also, this is a holiday weekend and I don't expect to be around very much until early next week.

Regards. . .

JC


----------



## Fallon McEligot (Mar 19, 2008)

afd.sys is part of winsock which is your network stuff, so the error is network-related.

Check Device Manager for any flags, and uninstall any flagged devices, with particular attention to the network cards.

You might also try the freeware "LSPFix" which repairs problems with the network configuration.


----------



## jcgriff2 (Sep 30, 2007)

@ Fallon McEligot - Thank you for the input - and I do appreciate it - because God knows that I don't have the answers to every problem coming into this Forum. Your comments here may very well turn out to be the solution. In this case the faulting system file "afd.sys" is in fact a WinSock ancillary function driver. A faulting driver may indeed provide a clue to an area in which to explore for the root cause of a system crash. However, my experience in memory dump analysis has taught me never to take a BSOD's word at face value. If I may - a case in point - A BSOD listing the Windows system module "tcpip.sys", a TCP/IP protocol driver, as the faulting driver actually turned out to be caused by a 3rd party software product and not the Microsoft Windows driver. Take a look:

http://www.techsupportforum.com/microsoft-support/windows-vista-support/228569-bsod-0x000000d1-mentioning-tcpip-sys-can-someone-help-me.html

In most cases, I don't want to know the name of the faulting driver indicated on the BSOD.

Regards. . .

jcgriff2


----------



## jcgriff2 (Sep 30, 2007)

Hi Martyn. . .

Well, the results from the 21 memory dumps that you submitted are in. Here we go. . .


```
03/21/2008  02:14 PM    SYMEVENT.SYS 140,088 Mini032108-01.dmp
03/21/2008  02:43 PM    srosa.sys    140,088 Mini032108-02.dmp
03/21/2008  08:20 PM    srosa.sys    135,160 Mini032108-03.dmp
03/21/2008  10:57 PM    srosa.sys    135,160 Mini032108-04.dmp
03/21/2008  11:59 PM    srosa.sys    135,160 Mini032108-05.dmp
03/22/2008  01:01 AM    srosa.sys    135,160 Mini032208-01.dmp
03/22/2008  02:04 AM    srosa.sys    135,160 Mini032208-02.dmp
03/22/2008  02:27 AM    srosa.sys    135,160 Mini032208-03.dmp
03/22/2008  01:08 PM    srosa.sys    135,160 Mini032208-04.dmp
03/22/2008  04:56 PM    srosa.sys    140,088 Mini032208-05.dmp
03/22/2008  05:55 PM    srosa.sys    135,160 Mini032208-06.dmp
03/22/2008  07:03 PM    srosa.sys    135,160 Mini032208-07.dmp
03/22/2008  07:21 PM    srosa.sys    140,088 Mini032208-08.dmp
03/22/2008  08:10 PM    srosa.sys    135,160 Mini032208-09.dmp
03/22/2008  09:20 PM    srosa.sys    135,160 Mini032208-10.dmp
03/23/2008  03:05 PM    srosa.sys    135,160 Mini032308-01.dmp
03/24/2008  02:15 AM    srosa.sys    136,536 Mini032408-01.dmp
03/24/2008  01:39 PM    srosa.sys    135,160 Mini032408-02.dmp
03/24/2008  04:06 PM    srosa.sys    135,160 Mini032408-03.dmp
03/24/2008  05:09 PM    srosa.sys    140,088 Mini032408-04.dmp
03/24/2008  06:32 PM    srosa.sys    135,160 Mini032408-05.dmp
```
As you can see from the above, 20 of the 21 BSODs were caused by srosa.sys. I am sorry to have to inform you that this file is part of a malicious program related to the Email-Worm.Win32.Bagle family. It downloads files via the Internet to your computer and has been launching them from various Vista NT Registry entries during boot-up. Simply deleting this file will not help to alleviate the problem. 

I highly suggest that you proceed to our Security Center, following THESE FIVE STEPS before posting your DSS/HiJackThis logs there.

This malware disables many anti-virus programs including Norton (Symantec - SYMEVENT.sys) - the related cause in the very first BSOD. According to time stamps on the srosa.sys file, it appears that your system was infected on Tuesday, March 18, 2008, around 2:45 p.m.

Ironically, the WinSock ancillary function driver "afd.sys" that was first indicated as the cause of a BSOD is nothing more than an innocent bystander - in the wrong place at the wrong time. I found no mention of this file in the memory dumps whatsoever. 

After your system receives a clean bill of health from Security, feel free to come back to this forum for any outstanding questions related to Vista. 

Thank you for providing the information that I requested as it helped me do my job. I wish you the best.

Regards. . .

JC
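The two pieces of evidence in this thread are the STOP line and module line from the very first BSOD (Martin's post) and the per-dump summary jcgriff2 produced after running the 21 minidumps through a debugger. The following Python script is an added example, not code from either poster: it decodes the STOP line and the module line (where inside afd.sys the fault landed, and the driver's PE link date encoded in `DateStamp`), then tallies a constructed subset of the dump summary, laid out like jcgriff2's table, to show why the driver named on screen (afd.sys) and the driver that the dumps actually blame (srosa.sys) are different things. The function names, the regexes and the five-line sample summary are my own assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Copied from the first post in the thread (not invented).
STOP_LINE = "STOP: 0x0000008E(0xC0000005,0x8AB97248,0xA44CFAD4,0x00000000)"
MODULE_LINE = "afd.sys-address 8AB97248 base at 8AB94000, DateStamp 4549b341"

# Constructed subset of the debugger summary posted later in the thread
# (same layout as the table, BBCode markup removed; only 5 of the 21 rows).
DUMP_SUMMARY = """\
03/21/2008  02:14 PM    SYMEVENT.SYS 140,088 Mini032108-01.dmp
03/21/2008  02:43 PM    srosa.sys    140,088 Mini032108-02.dmp
03/21/2008  08:20 PM    srosa.sys    135,160 Mini032108-03.dmp
03/22/2008  01:01 AM    srosa.sys    135,160 Mini032208-01.dmp
03/24/2008  06:32 PM    srosa.sys    135,160 Mini032408-05.dmp
"""

# Well-known meanings of the values on this particular STOP line.
BUGCHECK_NAMES = {0x8E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED"}
NTSTATUS_NAMES = {0xC0000005: "STATUS_ACCESS_VIOLATION"}

STOP_RE = re.compile(r"STOP:\s*0x([0-9A-Fa-f]{8})\(([^)]*)\)")
MODULE_RE = re.compile(
    r"(\S+)-address\s+([0-9A-Fa-f]+)\s+base at\s+([0-9A-Fa-f]+),\s*DateStamp\s+([0-9A-Fa-f]+)"
)
SUMMARY_RE = re.compile(
    r"(\d\d/\d\d/\d{4})\s+(\d\d:\d\d [AP]M)\s+(\S+)\s+([\d,]+)\s+(\S+\.dmp)"
)


def parse_stop(line):
    """Return (bugcheck code, [param1..param4]) from a 'STOP: 0x...(...)' line."""
    m = STOP_RE.search(line)
    if not m:
        raise ValueError("not a STOP line: %r" % line)
    code = int(m.group(1), 16)
    params = [int(p, 16) for p in m.group(2).split(",")]
    return code, params


def describe_stop(line):
    """Human-readable summary: bugcheck name plus, for 0x8E, the exception code (param 1)."""
    code, params = parse_stop(line)
    name = BUGCHECK_NAMES.get(code, "unknown bugcheck")
    exc = NTSTATUS_NAMES.get(params[0], "unknown exception code")
    return "0x%08X %s, exception %s" % (code, name, exc)


def parse_module(line):
    """Decode the module line that follows the STOP code.

    'offset' is the fault address relative to the driver's load base, which is what
    you would look up in the driver's symbols; DateStamp is the PE link time as
    seconds since the Unix epoch, so it dates the driver build, not the crash.
    """
    m = MODULE_RE.search(line)
    if not m:
        raise ValueError("not a module line: %r" % line)
    name, addr, base, stamp = m.groups()
    addr, base = int(addr, 16), int(base, 16)
    return {
        "module": name,
        "offset": addr - base,
        "linked": datetime.fromtimestamp(int(stamp, 16), tz=timezone.utc),
    }


def tally_faulting_modules(summary):
    """Count, case-insensitively, how many dumps blamed each module."""
    return Counter(m.group(3).lower() for m in SUMMARY_RE.finditer(summary))


def bsod_module_seen_in_dumps(summary, bsod_module):
    """True only if the driver named on screen is also blamed by at least one dump."""
    return tally_faulting_modules(summary)[bsod_module.lower()] > 0


def earliest_crash(summary):
    """Timestamp of the oldest dump in the summary (local time as printed)."""
    times = [
        datetime.strptime("%s %s" % (m.group(1), m.group(2)), "%m/%d/%Y %I:%M %p")
        for m in SUMMARY_RE.finditer(summary)
    ]
    return min(times)


if __name__ == "__main__":
    print(describe_stop(STOP_LINE))
    info = parse_module(MODULE_LINE)
    print("%s fault at +0x%X, driver linked %s" % (info["module"], info["offset"], info["linked"].date()))
    print("blamed by dumps:", tally_faulting_modules(DUMP_SUMMARY).most_common())
    print("afd.sys blamed by any dump:", bsod_module_seen_in_dumps(DUMP_SUMMARY, "afd.sys"))
    print("first crash in summary:", earliest_crash(DUMP_SUMMARY))
```

Running it prints the bugcheck as `KERNEL_MODE_EXCEPTION_NOT_HANDLED` with an access violation, places the fault at offset 0x3248 inside afd.sys with a link date in November 2006, and shows srosa.sys with four of the five sample dumps and afd.sys with none; the same tally over the full table gives the 20-of-21 figure jcgriff2 reported.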


----------

