stuman
November 4th, 2008, 12:32 AM
Hello,
I'm currently using the latest version of the NOD32 AntiVirus program (version 3.0.672.0) on a recent reinstallation of WinXP SP3. A few hours ago, I started up my system and got a BSOD shortly after the NOD32 application kicked off.
So I got a copy of WinDbg and installed the symbols, and this is the result when I open the dump file:
Microsoft (R) Windows Debugger Version 6.9.0003.113 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\WINDOWS\Minidump\Mini110308-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: C:\WINDOWS\Symbols
Executable search path is:
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Mon Nov 3 20:53:11.718 2008 (GMT-5)
System Uptime: 0 days 0:00:57.406
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Loading Kernel Symbols
..........................................................................................................
Loading User Symbols
Loading unloaded module list
............
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1000008E, {c0000005, 805a3a94, b60f82d8, 0}
Unable to load image eamon.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for eamon.sys
*** ERROR: Module load completed but symbols could not be loaded for eamon.sys
Probably caused by : eamon.sys ( eamon+31bb )
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 805a3a94, The address that the exception occurred at
Arg3: b60f82d8, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
FAULTING_IP:
nt!IopLoadDriver+30c
805a3a94 8b4814 mov ecx,dword ptr [eax+14h]
TRAP_FRAME: b60f82d8 -- (.trap 0xffffffffb60f82d8)
ErrCode = 00000000
eax=01c93e20 ebx=e2c10508 ecx=000020e3 edx=00000000 esi=89a5eda8 edi=e27562b0
eip=805a3a94 esp=b60f834c ebp=b60f8368 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
nt!IopLoadDriver+0x30c:
805a3a94 8b4814 mov ecx,dword ptr [eax+14h] ds:0023:01c93e34=????????
Resetting default scope
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x8E
PROCESS_NAME: explorer.exe
LAST_CONTROL_TRANSFER: from 805a3c71 to 805a3a94
STACK_TEXT:
b60f8368 805a3c71 01c93e20 01c93e20 b60f83a0 nt!IopLoadDriver+0x30c
b60f8380 b54c11bb e2c10508 b60f83a0 b60f83a0 nt!IopLoadUnloadDriver+0x43
WARNING: Stack unwind information not available. Following frames may be wrong.
b60f84c8 b54c30c4 b60f84e0 b60f84f8 00000000 eamon+0x31bb
b60f84fc b54c1c95 89a1c568 00000000 00000000 eamon+0x50c4
b60f8550 804ef19f 00000668 8998e730 8998e730 eamon+0x3c95
b60f8640 805bf450 89d0bc98 00000000 89a2cf30 nt!MiFlushSectionInternal+0x256
b60f86b8 805bb9dc 00000000 b60f86f8 00000040 nt!MiFindExportedRoutineByName+0x6e
b60f870c 80576033 00000000 00000000 00000101 nt!IopInitializeDCB+0xb2
b60f8788 805769aa 020dfdb4 80100000 0144e318 nt!SeAssignSecurity+0xa
b60f87e4 8057a1a9 020dfdb4 80100000 0144e318 nt!SepDuplicateToken+0x22a
b60f8824 8054162c 020dfdb4 80100000 0144e318 nt!RtlFreeHeap+0x193
b60f8844 7c90e4f4 badb0d00 0144e2f4 bf815863 nt!RtlIpv4StringToAddressExW+0xad
b60f8858 00010078 0144fa50 0144fa94 7c90e4f4 0x7c90e4f4
b60f885c 0144fa50 0144fa94 7c90e4f4 badb0d00 0x10078
b60f8860 0144fa94 7c90e4f4 badb0d00 00000000 0x144fa50
b60f8864 7c90e4f4 badb0d00 00000000 0000003b 0x144fa94
b60f8868 badb0d00 00000000 0000003b 4301036a 0x7c90e4f4
b60f886c 00000000 0000003b 4301036a 00000000 0xbadb0d00
STACK_COMMAND: kb
FOLLOWUP_IP:
eamon+31bb
b54c11bb ?? ???
SYMBOL_STACK_INDEX: 2
SYMBOL_NAME: eamon+31bb
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: eamon
IMAGE_NAME: eamon.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 48a95943
FAILURE_BUCKET_ID: 0x8E_eamon+31bb
BUCKET_ID: 0x8E_eamon+31bb
Followup: MachineOwner
---------
Any ideas or suggestions would certainly be appreciated. Thanks in advance.
stuman