Wilders Security Forums  

  #1  
Old June 20th, 2008, 06:22 PM
Granpa Granpa is offline
Infrequent Poster
 
Join Date: Jun 2008
Posts: 1
BSOD with Nod32 3.0 and Vista SP1

Howdy all. I've been a huge fan of Nod32 for years, running without problems. I recently rebuilt my PC and installed Vista x64 and SP1. Initially, I had no problems, but after a few hours I started getting BSOD right after the PC boots, right after Nod32 loads up.

Sure enough, I check the minidump info and it's a nod32 component that seems to be causing it. Please see below.

Here are my specs:

Intel Core 2 Duo 3.0 ghz
4 GB DDR
Nvidia Geforce 8800 GTS 640
evga 122-CK-NF67 Nforce 680i LT SLI mobo
all the latest firmware and drivers.

Dump information:
----------------------------------------------
Microsoft (R) Windows Debugger Version 6.8.0004.0 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\Minidump\Mini062008-02.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: C:\Windows\Minidump
Windows Kernel Version 6001 (Service Pack 1) MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 6001.18000.amd64fre.longhorn_rtm.080118-1840
Kernel base = 0xfffff800`01a0e000 PsLoadedModuleList = 0xfffff800`01bd3db0
Debug session time: Fri Jun 20 07:16:25.787 2008 (GMT-4)
System Uptime: 0 days 0:02:46.659
Loading Kernel Symbols
.....................................................................................................................................................
Loading User Symbols
Loading unloaded module list
.......
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 3B, {c0000005, fffff80001a97e8a, fffffa6002e61bd0, 0}

Unable to load image \SystemRoot\system32\DRIVERS\eamon.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for eamon.sys
*** ERROR: Module load completed but symbols could not be loaded for eamon.sys


Probably caused by : eamon.sys ( eamon+4bc3 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff80001a97e8a, Address of the exception record for the exception that caused the bugcheck
Arg3: fffffa6002e61bd0, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------




EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP:
nt!MmMapViewInSystemCache+1ca
fffff800`01a97e8a 418b4018 mov eax,dword ptr [r8+18h]

CONTEXT: fffffa6002e61bd0 -- (.cxr 0xfffffa6002e61bd0)
rax=0000000000000040 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000080000 rsi=0000000000000040 rdi=fffffa800482bab0
rip=fffff80001a97e8a rsp=fffffa6002e62430 rbp=fffffa8003fa4908
r8=0000000000000000 r9=fffffa6002e62598 r10=5000941cfeba0003
r11=fffffa6000c05000 r12=fffff8800ab1fb00 r13=0000000000000040
r14=0000000000000080 r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010202
nt!MmMapViewInSystemCache+0x1ca:
fffff800`01a97e8a 418b4018 mov eax,dword ptr [r8+18h] ds:002b:00000000`00000018=??
Resetting default scope

CUSTOMER_CRASH_COUNT: 2

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0x3B

PROCESS_NAME: svchost.exe

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from fffff80001a96604 to fffff80001a97e8a

STACK_TEXT:
fffffa60`02e62430 fffff800`01a96604 : 00000000`00000000 00000000`00000000 fffff800`01b82cf0 fffffa80`048484e0 : nt!MmMapViewInSystemCache+0x1ca
fffffa60`02e62550 fffff800`01a7b4b8 : fffffa60`00000000 fffffa60`00c09240 00000000`0008b000 fffffa80`04a0e8b8 : nt!CcGetVacbMiss+0x1a4
fffffa60`02e625e0 fffff800`01cd6b80 : 00000000`00000000 00000000`00000800 fffffa80`048484e0 00000000`00000000 : nt!CcGetVirtualAddress+0x348
fffffa60`02e62660 fffffa60`012c0136 : fffffa80`04863c20 00000000`00000000 00000000`00000800 00000000`0008f000 : nt!CcFastCopyRead+0x3ed
fffffa60`02e62740 fffffa60`00c06248 : 00000000`00000004 fffffa60`02e627a0 fffffa80`07886501 fffffa80`04863c01 : Ntfs!NtfsCopyReadA+0x1e6
fffffa60`02e62930 fffffa60`00c091d5 : fffffa60`02e62a10 00000000`00000000 fffffa80`04863c03 fffffa80`00000000 : fltmgr!FltpPerformFastIoCall+0x88
fffffa60`02e62990 fffffa60`00c23599 : 00000000`00000000 fffffa80`01dc0070 00000000`00000000 00000000`00000000 : fltmgr!FltpPassThroughFastIo+0xb5
fffffa60`02e629e0 fffffa60`0938ebc3 : 00000000`00000008 00000000`0008b000 00000000`00000001 fffffa60`02e62b20 : fltmgr!FltpFastIoRead+0x1a9
fffffa60`02e62a80 00000000`00000008 : 00000000`0008b000 00000000`00000001 fffffa60`02e62b20 00000000`00000000 : eamon+0x4bc3
fffffa60`02e62a88 00000000`0008b000 : 00000000`00000001 fffffa60`02e62b20 00000000`00000000 00000000`07242148 : 0x8
fffffa60`02e62a90 00000000`00000001 : fffffa60`02e62b20 00000000`00000000 00000000`07242148 fffffa60`02e62b50 : 0x8b000
fffffa60`02e62a98 fffffa60`02e62b20 : 00000000`00000000 00000000`07242148 fffffa60`02e62b50 fffffa80`063ee4a0 : 0x1
fffffa60`02e62aa0 00000000`00000000 : 00000000`07242148 fffffa60`02e62b50 fffffa80`063ee4a0 00000000`00000000 : 0xfffffa60`02e62b20
fffffa60`02e62aa8 00000000`07242148 : fffffa60`02e62b50 fffffa80`063ee4a0 00000000`00000000 fffff800`01ccd8fa : 0x0
fffffa60`02e62ab0 fffffa60`02e62b50 : fffffa80`063ee4a0 00000000`00000000 fffff800`01ccd8fa fffffa80`04863c20 : 0x7242148
fffffa60`02e62ab8 fffffa80`063ee4a0 : 00000000`00000000 fffff800`01ccd8fa fffffa80`04863c20 fffff800`00000001 : 0xfffffa60`02e62b50
fffffa60`02e62ac0 00000000`00000000 : fffff800`01ccd8fa fffffa80`04863c20 fffff800`00000001 fffffa80`03fcb840 : 0xfffffa80`063ee4a0
fffffa60`02e62ac8 fffff800`01ccd8fa : fffffa80`04863c20 fffff800`00000001 fffffa80`03fcb840 fffffa60`02e62c01 : 0x0
fffffa60`02e62ad0 fffff800`01a62e33 : 00000000`00000670 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtReadFile+0x3f8
fffffa60`02e62bb0 00000000`77615ada : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0303d408 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x77615ada


FOLLOWUP_IP:
eamon+4bc3
fffffa60`0938ebc3 ??

SYMBOL_STACK_INDEX: 8

SYMBOL_NAME: eamon+4bc3

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: eamon

IMAGE_NAME: eamon.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 480f2fcd

STACK_COMMAND: .cxr 0xfffffa6002e61bd0 ; kb

FAILURE_BUCKET_ID: X64_0x3B_eamon+4bc3

BUCKET_ID: X64_0x3B_eamon+4bc3

Followup: MachineOwner
---------
  #2  
Old June 21st, 2008, 05:49 AM
Norton360 Norton360 is offline
Regular Poster
 
Join Date: Nov 2007
Posts: 66
Re: BSOD with Nod32 3.0 and Vista SP1

I'm having the same problem in my computer:

Quote:
CPU: Intel Core 2 Quad Q9450 2.6 Ghz FSB 1333 12MB
M/b: Gigabyte GA-EX38T-DQ6 Socket 775
RAM: (2x) 1GB Mushkin Extreme XP3-12800 DDR3 1600
GPU: nVidia GeForce 9800 GTX 512MB GDDR3 PCI-e
PSU: 750w Aero Cool Horse Power
OS: Windows Vista Ultimate 32 Bits SP1

My system restarts with BSOD sometimes without any apparent reason.

When I check the dump file, I can read the following:

Quote:
*** WARNING: Unable to verify timestamp for fltmgr.sys
*** ERROR: Module load completed but symbols could not be loaded for fltmgr.sys
*** WARNING: Unable to verify timestamp for eamon.sys
*** ERROR: Module load completed but symbols could not be loaded for eamon.sys
*** WARNING: Unable to verify timestamp for cmdguard.sys
*** ERROR: Module load completed but symbols could not be loaded for cmdguard.sys
***** Kernel symbols are WRONG. Please fix symbols to do analysis.


Probably caused by : eamon.sys ( eamon+37c1 )

I have uploaded the dump file here: -http://www.mediafire.com/?bx1jvxgy82x-

I'm using version 650. I've found other similar problem here in Wilders, but there was not any solution.

Any ideas?
  #3  
Old June 27th, 2008, 10:31 AM
edwin3333 edwin3333 is offline
Frequent Poster
 
Join Date: Aug 2007
Posts: 244
Re: BSOD with Nod32 3.0 and Vista SP1

My PC just BSOD'ed on eamon.sys per WinDBG. Error is the 0x0..050 one. (Device driver.)

BUGCHECK_STR: 0x50

LAST_CONTROL_TRANSFER: from 80529160 to 80537672

b4e049a8 80529160 00000050 bad0b148 00000000 nt!KeBugCheckEx+0x1b
b4e049f8 804e0934 00000000 bad0b148 00000000 nt!IoSetFileOrigin+0xc9a6
b4e04a1c 804e1bd8 8a5ebbc8 8a5ebb58 b4e04a38 nt!Kei386EoiHelper+0x271b
b4e04a94 804e1947 e1c1e4e8 00000000 b510f680 nt!KeWaitForMultipleObjects+0x1d5
b4e04be8 b50dc092 b4e04c00 b4e04c18 00000000 nt!ObfDereferenceObject+0x47
b4e04c1c b50daecb 8a5b53c8 00000000 00000003 eamon+0x5092
b4e04c60 804e13c9 0154c800 8a470db8 8a470db8 eamon+0x3ecb
b4e04ca0 8056fa4c 8a3f4b50 8a54c800 00120196 nt!IofCallDriver+0x32
b4e04cd4 8056fb9f 8a3f4b50 00000001 8a8dfca0 nt!ExfAcquirePushLockShared+0x598
b4e04cfc 8056fac5 e2e93b88 8a6ea9e0 0000073c nt!NtClose+0xad
b4e04d44 8056fb0f 0000073c 00000001 00000000 nt!ExfAcquirePushLockShared+0x611
b4e04d58 804dd98f 0000073c 0006ee40 7c90e4f4 nt!NtClose+0x1d
b4e04d70 b5c7854a 00000000 00000000 00000000 nt!KiDeliverApc+0xb9e
b4e04ddc 804ec6c9 b5c8293d b5c81fc0 00000000 rdbss+0x54a
b4e04de0 b5c8293d b5c81fc0 00000000 4000027f nt!KeInitializeTimerEx+0x1e6
b4e04de4 b5c81fc0 00000000 4000027f 000b0000 rdbss!RxpReleasePrefixTableLock+0x3a
b4e04de8 00000000 4000027f 000b0000 71961cad rdbss!RxCheckMemoryBlock+0x1809

STACK_COMMAND: kb

FOLLOWUP_IP:
eamon+5092
b50dc092 807e0201 cmp byte ptr [esi+2],1

SYMBOL_STACK_INDEX: 5

I have a 2GB memory.dmp if eSet is interested. This is XP SP3 pro.
  #4  
Old June 28th, 2008, 05:02 PM
mayt mayt is offline
Eset Moderator
 
Join Date: Mar 2007
Location: Bratislava
Posts: 84
Re: BSOD with Nod32 3.0 and Vista SP1

Granpa, edwin3333 I'm sending you PMs.
  #5  
Old June 28th, 2008, 05:05 PM
mayt mayt is offline
Eset Moderator
 
Join Date: Mar 2007
Location: Bratislava
Posts: 84
Re: BSOD with Nod32 3.0 and Vista SP1

Quote:
Originally Posted by Norton360
I'm using version 650. I've found other similar problem here in Wilders, but there was not any solution.

Please consider upgrading to .667. If there are still BSODs, could you upload a new memory dump and send me a PM?

Thanks.
  #6  
Old June 28th, 2008, 09:11 PM
Oleg Oleg is offline
Frequent Poster
 
Join Date: Mar 2005
Posts: 264
Re: BSOD with Nod32 3.0 and Vista SP1

No problems running it on XP.
  #7  
Old June 28th, 2008, 09:49 PM
Thankful Thankful is offline
Very Frequent Poster
 
Join Date: Feb 2005
Location: New York City
Posts: 2,411
Re: BSOD with Nod32 3.0 and Vista SP1

I stated this issue two weeks ago:
http://www.wilderssecurity.com/showthread.php?t=212369
I also sent a SysInspector log.
  #8  
Old August 25th, 2008, 11:50 PM
eagle92 eagle92 is offline
Infrequent Poster
 
Join Date: Jun 2008
Posts: 1
Re: BSOD with Nod32 3.0 and Vista SP1

Same error here:

Loading Dump File [C:\Windows\Minidump\Mini082508-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2008 Kernel Version 6001 (Service Pack 1) MP (4 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 6001.18063.x86fre.vistasp1_gdr.080425-1930
Kernel base = 0x8243f000 PsLoadedModuleList = 0x82556c70
Debug session time: Mon Aug 25 02:04:00.959 2008 (GMT-7)
System Uptime: 1 days 11:14:43.116
Loading Kernel Symbols
..........................................................................................................................................................................................
Loading User Symbols
Loading unloaded module list
......
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {967ef5d0, 1, 890ac5b1, 0}

*** WARNING: Unable to verify timestamp for eamon.sys
*** ERROR: Module load completed but symbols could not be loaded for eamon.sys
*** WARNING: Unable to verify timestamp for easdrv.sys
*** ERROR: Module load completed but symbols could not be loaded for easdrv.sys

Could not read faulting driver name
Probably caused by : eamon.sys ( eamon+37c1 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: 967ef5d0, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: 890ac5b1, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------


Could not read faulting driver name

WRITE_ADDRESS: GetPointerFromAddress: unable to read from 82576868
Unable to read MiSystemVaType memory at 82556420
967ef5d0

FAULTING_IP:
Ntfs!NtfsShrinkLengthInCachedLcn+167
890ac5b1 66894c1a10 mov word ptr [edx+ebx+10h],cx

MM_INTERNAL_CODE: 0

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0x50

PROCESS_NAME: ekrn.exe

CURRENT_IRQL: 0

TRAP_FRAME: bb7b7598 -- (.trap 0xffffffffbb7b7598)
ErrCode = 00000002
eax=8b7276a0 ebx=967d0000 ecx=00000ab9 edx=0001f5c0 esi=877b0790 edi=967e5210
eip=890ac5b1 esp=bb7b760c ebp=bb7b761c iopl=0 nv up ei pl nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010212
Ntfs!NtfsShrinkLengthInCachedLcn+0x167:
890ac5b1 66894c1a10 mov word ptr [edx+ebx+10h],cx ds:0023:967ef5d0=????
Resetting default scope

LAST_CONTROL_TRANSFER: from 82499bb4 to 824e4155

STACK_TEXT:
bb7b7580 82499bb4 00000001 967ef5d0 00000000 nt!MmAccessFault+0x10a
bb7b7580 890ac5b1 00000001 967ef5d0 00000000 nt!KiTrap0E+0xdc
bb7b761c 890a1b29 00000aa5 00000016 00000e16 Ntfs!NtfsShrinkLengthInCachedLcn+0x167
bb7b765c 8909ac86 877b00d8 00000005 00000000 Ntfs!NtfsRemoveCachedLcn+0x230
bb7b767c 890b1980 86a17350 877b00d8 08a431df Ntfs!NtfsAddCachedRun+0x70
bb7b76f0 890b152b 86a17350 877b00d8 0000c513 Ntfs!NtfsAllocateBitmapRun+0xf2
bb7b77ec 890b30d3 86a17350 877b00d8 b40660f8 Ntfs!NtfsAllocateClusters+0xb67
bb7b7898 890225d1 86a17350 84edc9f0 0100000c Ntfs!NtfsAddAllocation+0x34c
bb7b78dc 8901b1c1 86a17350 84edc9f0 0000000c Ntfs!NtfsAddAllocationForNonResidentWrite+0x12a
bb7b7a10 89019914 86a17350 93343a58 327f302f Ntfs!NtfsCommonWrite+0x17ef
bb7b7a88 824fb053 877b0020 93343a58 93343a58 Ntfs!NtfsFsdWrite+0x2dc
bb7b7aa0 88b22ba7 877bddf8 93343a58 00000000 nt!IofCallDriver+0x63
bb7b7ac4 88b22d64 bb7b7ae4 877bddf8 00000000 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x251
bb7b7afc 824fb053 877bddf8 93343a58 a671b7ac fltmgr!FltpDispatch+0xc2
bb7b7b14 a66e67c1 aa14a020 bb7b7b38 824fb053 nt!IofCallDriver+0x63
WARNING: Stack unwind information not available. Following frames may be wrong.
bb7b7b20 824fb053 aa14a020 93343a58 93343a58 eamon+0x37c1
bb7b7b38 8268b5e5 84edca1c 93343a58 93343c54 nt!IofCallDriver+0x63
bb7b7b58 826668f1 aa14a020 84edc9f0 00000001 nt!IopSynchronousServiceTail+0x1d9
bb7b7bec 94656898 aa14a020 00000000 00000000 nt!NtWriteFile+0x6fc
bb7b7c18 94656a73 02cfcf90 bbef1a8a b3b87a50 easdrv+0x2898
bb7b7c58 8268b98e b3b87a50 00000001 02cfcf90 easdrv+0x2a73
bb7b7d00 82675a61 9425db50 00000000 00000000 nt!IopXxxControlFile+0x2cf
bb7b7d34 82496a7a 000001cc 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
bb7b7d34 76f59a94 000001cc 00000000 00000000 nt!KiFastCallEntry+0x12a
02cfcf40 00000000 00000000 00000000 00000000 0x76f59a94


STACK_COMMAND: kb

FOLLOWUP_IP:
eamon+37c1
a66e67c1 ?? ???

SYMBOL_STACK_INDEX: f

SYMBOL_NAME: eamon+37c1

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: eamon

IMAGE_NAME: eamon.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 47d94a56

FAILURE_BUCKET_ID: 0x50_W_eamon+37c1

BUCKET_ID: 0x50_W_eamon+37c1

Followup: MachineOwner
  #9  
Old October 6th, 2008, 02:14 PM
biglat1595 biglat1595 is offline
Infrequent Poster
 
Join Date: Oct 2008
Posts: 1
Re: BSOD with Nod32 3.0 and Vista SP1

I'm having the same error here! Most of the time it is during the night when the scan is scheduled! Error with the win32k.sys file! I'm running Vista Ultimate 64 bits!

Thanks.
 
