Hi Everyone. Help With Seemingly Random Bsod's

Hi there.

About 2 weeks ago I had a BSOD restart. Since then they sometimes happen once a day, not at all or up to four times a day. They seem random. I have the .dmp files and put them through the BlueScreenView program.

This program seemed to indicate that the problem is caused by the tcpip.sys driver, but didn't give anymore info.

I am using Windows 7 Ultimate Service Pack 1 64-bit.

Is there anyone out there who can advise me further? Any help is appreciated. This problem is drving me nuts as I can't really get any work done on an unstable system that could randomly restart.

Thanks.

S.

 

Hi S.

BSODs with tcpip.sys flagged are network -related, often 3rd party firewall/security/VPN etc. Copy the dumps to your Desktop, zip them and attach the zip in a reply, I'll see if I can find a likely root cause.

 

Thanks satrow, zip of dumps attached.

S.

 

It's currently looking like a Malwarebytes AM issue, mwac.sys is involved in all but one Stack, but it can't be verified = it might be corrupt (or it's being 'interfered' with).

MBAM was the active Process in all but one crash, the other was a BitDefender process.

It looks like the issue started after an install/upgrade of Rapport, a software that's frequently buggy and troublesome (like the above 'interference').

Uninstall MBAM completely, reboot and install the latest version.

During troubleshooting, remove Rapport for at least 10-14 (hopefully crash free) days before testing it again.

Code:

Built by: 7601.19160.amd64fre.win7sp1_gdr.160211-0600
Debug session time: Sun Apr  3 11:18:15.519 2016 (UTC + 1:00)
System Uptime: 0 days 5:33:13.628
BugCheck D1, {0, 2, 0, fffff88001c9456b}
*** WARNING: Unable to verify timestamp for mwac.sys
*** ERROR: Module load completed but symbols could not be loaded for mwac.sys
Probably caused by : NETIO.SYS ( NETIO!NetioDereferenceNetBufferList+86 )
BUGCHECK_STR:  0xD1
PROCESS_NAME:  mbamservice.ex
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
Built by: 7601.19160.amd64fre.win7sp1_gdr.160211-0600
Debug session time: Sun Apr  3 05:44:30.232 2016 (UTC + 1:00)
System Uptime: 0 days 8:23:19.230
BugCheck D1, {0, 2, 0, fffff88001c9556b}
*** WARNING: Unable to verify timestamp for mwac.sys
*** ERROR: Module load completed but symbols could not be loaded for mwac.sys
Probably caused by : NETIO.SYS ( NETIO!NetioDereferenceNetBufferList+86 )
BUGCHECK_STR:  0xD1
PROCESS_NAME:  mbamservice.ex
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
Built by: 7601.19160.amd64fre.win7sp1_gdr.160211-0600
Debug session time: Tue Mar 29 06:21:49.573 2016 (UTC + 1:00)
System Uptime: 0 days 19:26:09.547
BugCheck D1, {0, 2, 0, fffff88001a9456b}
*** WARNING: Unable to verify timestamp for mwac.sys
*** ERROR: Module load completed but symbols could not be loaded for mwac.sys
Probably caused by : NETIO.SYS ( NETIO!NetioDereferenceNetBufferList+86 )
BUGCHECK_STR:  0xD1
PROCESS_NAME:  mbamservice.ex
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
Built by: 7601.19160.amd64fre.win7sp1_gdr.160211-0600
Debug session time: Mon Mar 28 10:55:08.324 2016 (UTC + 1:00)
System Uptime: 1 days 10:45:47.005
BugCheck D1, {0, 2, 0, fffff88001a9456b}
*** WARNING: Unable to verify timestamp for mwac.sys
*** ERROR: Module load completed but symbols could not be loaded for mwac.sys
Probably caused by : NETIO.SYS ( NETIO!NetioDereferenceNetBufferList+86 )
BUGCHECK_STR:  0xD1
PROCESS_NAME:  mbamservice.ex
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
Built by: 7601.19160.amd64fre.win7sp1_gdr.160211-0600
Debug session time: Sat Mar 26 20:45:17.484 2016 (UTC + 1:00)
System Uptime: 0 days 0:51:02.593
BugCheck D1, {0, 2, 0, fffff88001c9556b}
*** WARNING: Unable to verify timestamp for mwac.sys
*** ERROR: Module load completed but symbols could not be loaded for mwac.sys
Probably caused by : NETIO.SYS ( NETIO!NetioDereferenceNetBufferList+86 )
BUGCHECK_STR:  0xD1
PROCESS_NAME:  mbamservice.ex
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
Built by: 7601.19160.amd64fre.win7sp1_gdr.160211-0600
Debug session time: Sat Mar 26 19:53:45.233 2016 (UTC + 1:00)
System Uptime: 0 days 0:53:01.342
BugCheck D1, {0, 2, 0, fffff88001a9456b}
*** WARNING: Unable to verify timestamp for mwac.sys
*** ERROR: Module load completed but symbols could not be loaded for mwac.sys
Probably caused by : NETIO.SYS ( NETIO!NetioDereferenceNetBufferList+86 )
BUGCHECK_STR:  0xD1
PROCESS_NAME:  mbamservice.ex
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
Built by: 7601.19160.amd64fre.win7sp1_gdr.160211-0600
Debug session time: Sat Mar 26 19:00:10.267 2016 (UTC + 1:00)
System Uptime: 0 days 14:17:50.360
BugCheck D1, {0, 2, 0, fffff88001c9556b}
*** WARNING: Unable to verify timestamp for mwac.sys
*** ERROR: Module load completed but symbols could not be loaded for mwac.sys
Probably caused by : NETIO.SYS ( NETIO!NetioDereferenceNetBufferList+86 )
BUGCHECK_STR:  0xD1
PROCESS_NAME:  mbamservice.ex
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
Built by: 7601.19160.amd64fre.win7sp1_gdr.160211-0600
Debug session time: Sat Mar 26 04:41:36.463 2016 (UTC + 1:00)
System Uptime: 1 days 3:39:30.571
BugCheck D1, {0, 2, 0, fffff88001a9556b}
*** WARNING: Unable to verify timestamp for mwac.sys
*** ERROR: Module load completed but symbols could not be loaded for mwac.sys
Probably caused by : NETIO.SYS ( NETIO!NetioDereferenceNetBufferList+86 )
BUGCHECK_STR:  0xD1
PROCESS_NAME:  mbamservice.ex
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
Built by: 7601.19160.amd64fre.win7sp1_gdr.160211-0600
Debug session time: Tue Mar 22 23:50:34.942 2016 (UTC + 1:00)
System Uptime: 0 days 0:01:57.050
BugCheck 4A, {7712d42a, 2, 0, fffff88008842ca0}
Probably caused by : ntkrnlmp.exe ( nt!KiSystemServiceExit+245 )
BUGCHECK_STR:  RAISED_IRQL_FAULT
PROCESS_NAME:  vsserv.exe

 

1000 thanks satrow, I'll follow your instructions and keep you updated on how things turn out. Thanks again.

S.

 

No worries, good luck!

 

Hi satrow, last night I removed MBAM using the clean removal tool and rebooted. Then completely removed Rapport using their safe unistall utility and rebooted.
Finally I installed the latest version of MBAM.
All good until this morning. Had another unexpected BSOD.
I ran the latest dmp file in bluescreenview for a quick look and It's now highlighting an additonal driver 'afd.sys'

I've attached the zipped dmp file.

 

Another recent BSOD after trying fix. zipped dmp file included.

 

Looks like much the same series of events leading to the crashes, mwac.sys still isn't being verified, strange for a driver that's almost 2 years old - you did follow the MBAM removal routine correctly, no oddities noticed?

Code:

Debug session time: Mon Apr  4 07:48:38.805 2016 (UTC + 1:00)
Loading Dump File [C:\Users\Me\SysnativeBSODApps\040416-18127-01.dmp]
Built by: 7601.19160.amd64fre.win7sp1_gdr.160211-0600
System Uptime: 0 days 7:40:14.914
*** WARNING: Unable to verify timestamp for mwac.sys
*** ERROR: Module load completed but symbols could not be loaded for mwac.sys
Probably caused by : NETIO.SYS ( NETIO!NetioDereferenceNetBufferList+86 )
BugCheck D1, {0, 2, 0, fffff88001c9556b}
BugCheck Info: [url=http://www.carrona.org/bsodindx.html#0x000000D1]DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)[/url]
Bugcheck code 000000d1
Arguments:
Arg1: 0000000000000000, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff88001c9556b, address which referenced memory
BUGCHECK_STR:  0xD1
DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT
PROCESS_NAME:  mbamservice.ex
FAILURE_BUCKET_ID:  X64_0xD1_NETIO!NetioDereferenceNetBufferList+86

I've just noticed another security -related driver loaded, could this be a remnant from a previous Avast install? Uninstall it, use ASWClear to ensure all Avast traces are removed.
aswKbd.SYS Tue Jul 3 17:13:43 2012 (4FF31A37)
avast! Keyboard Filter Driver http://support.avast.com/
http://www.carrona.org/drivers/driver.php?id=aswKbd.SYS


There's also an old security/copy protection driver for XP loaded, can you uninstall this during troubleshooting?
lirsgt.sys Tue Jun 17 16:17:08 2008 (4857D574)
part of a Copy Protection platform developed by Tages SA http://www.tagesprotection.com/[br]Uninstall link: http://www.tagesprotection.com/main.htm?page=minimum.htm
http://www.carrona.org/drivers/driver.php?id=lirsgt.sys



If the BSODs continue, please follow the routine here to collect further details/logs and attach the requested zip file(s).

 

Thanks for getting back to me so quickly satrow.
Yes, I followed the MBAM removal routine step by step. Everything seemed to go as expected with no errors.

I'll try it again and will also uninstall the two other drivers you noticed using the tools suggested.

I'll get back to you to let you know what's happening.

One question, if the BSODs continue and I'm following the new routine for details/logs, do you want me to post the results here? (After doing steps 1-4?)

Thanks again for all help so far.

 

Yes, please - but if I'm stuck (I'm not very good at remote BSOD debugging, I'm better hands on) I'll pass you on to one of my mentors who's doing BSOD analysis at Malwarebytes, amongst other places, as MBAM appears to be a likely cause. He'll likely have you do a few other things (like replacing BitDefender with MSE) as well as giving a deeper analysis than I could, and he can quickly point you to someone on the MBAM side if it's needed.

 

Great, thanks, that's more help than I could have asked for.