BSOD with Nod32 3.0 and Vista SP1

Discussion in 'ESET NOD32 Antivirus' started by Granpa, Jun 20, 2008.

Thread Status:
Not open for further replies.
  1. Granpa

    Granpa Registered Member

    Joined:
    Jun 20, 2008
    Posts:
    1
    Howdy all. I've been a huge fan of Nod32 for years, running without problems. I recently rebuilt my PC and installed Vista x64 and SP1. Initially, I had no problems, but after a few hours I started getting a BSOD right after the PC boots, right after Nod32 loads up.

    Sure enough, I check the minidump info and it's a nod32 component that seems to be causing it. Please see below.

    Here are my specs:

    Intel Core 2 Duo 3.0 GHz
    4 GB DDR
    Nvidia Geforce 8800 GTS 640
    evga 122-CK-NF67 Nforce 680i LT SLI mobo
    all the latest firmware and drivers.

    Dump information:
    ----------------------------------------------
    Microsoft (R) Windows Debugger Version 6.8.0004.0 X86
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [C:\Windows\Minidump\Mini062008-02.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is: C:\Windows\Minidump
    Windows Kernel Version 6001 (Service Pack 1) MP (2 procs) Free x64
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 6001.18000.amd64fre.longhorn_rtm.080118-1840
    Kernel base = 0xfffff800`01a0e000 PsLoadedModuleList = 0xfffff800`01bd3db0
    Debug session time: Fri Jun 20 07:16:25.787 2008 (GMT-4)
    System Uptime: 0 days 0:02:46.659
    Loading Kernel Symbols
    .....................................................................................................................................................
    Loading User Symbols
    Loading unloaded module list
    .......
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 3B, {c0000005, fffff80001a97e8a, fffffa6002e61bd0, 0}

    Unable to load image \SystemRoot\system32\DRIVERS\eamon.sys, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for eamon.sys
    *** ERROR: Module load completed but symbols could not be loaded for eamon.sys


    Probably caused by : eamon.sys ( eamon+4bc3 )

    Followup: MachineOwner
    ---------

    0: kd> !analyze -v
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    SYSTEM_SERVICE_EXCEPTION (3b)
    An exception happened while executing a system service routine.
    Arguments:
    Arg1: 00000000c0000005, Exception code that caused the bugcheck
    Arg2: fffff80001a97e8a, Address of the exception record for the exception that caused the bugcheck
    Arg3: fffffa6002e61bd0, Address of the context record for the exception that caused the bugcheck
    Arg4: 0000000000000000, zero.

    Debugging Details:
    ------------------




    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

    FAULTING_IP:
    nt!MmMapViewInSystemCache+1ca
    fffff800`01a97e8a 418b4018 mov eax,dword ptr [r8+18h]

    CONTEXT: fffffa6002e61bd0 -- (.cxr 0xfffffa6002e61bd0)
    rax=0000000000000040 rbx=0000000000000000 rcx=0000000000000000
    rdx=0000000000080000 rsi=0000000000000040 rdi=fffffa800482bab0
    rip=fffff80001a97e8a rsp=fffffa6002e62430 rbp=fffffa8003fa4908
    r8=0000000000000000 r9=fffffa6002e62598 r10=5000941cfeba0003
    r11=fffffa6000c05000 r12=fffff8800ab1fb00 r13=0000000000000040
    r14=0000000000000080 r15=0000000000000000
    iopl=0 nv up ei pl nz na pe nc
    cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010202
    nt!MmMapViewInSystemCache+0x1ca:
    fffff800`01a97e8a 418b4018 mov eax,dword ptr [r8+18h] ds:002b:00000000`00000018=????????
    Resetting default scope

    CUSTOMER_CRASH_COUNT: 2

    DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

    BUGCHECK_STR: 0x3B

    PROCESS_NAME: svchost.exe

    CURRENT_IRQL: 0

    LAST_CONTROL_TRANSFER: from fffff80001a96604 to fffff80001a97e8a

    STACK_TEXT:
    fffffa60`02e62430 fffff800`01a96604 : 00000000`00000000 00000000`00000000 fffff800`01b82cf0 fffffa80`048484e0 : nt!MmMapViewInSystemCache+0x1ca
    fffffa60`02e62550 fffff800`01a7b4b8 : fffffa60`00000000 fffffa60`00c09240 00000000`0008b000 fffffa80`04a0e8b8 : nt!CcGetVacbMiss+0x1a4
    fffffa60`02e625e0 fffff800`01cd6b80 : 00000000`00000000 00000000`00000800 fffffa80`048484e0 00000000`00000000 : nt!CcGetVirtualAddress+0x348
    fffffa60`02e62660 fffffa60`012c0136 : fffffa80`04863c20 00000000`00000000 00000000`00000800 00000000`0008f000 : nt!CcFastCopyRead+0x3ed
    fffffa60`02e62740 fffffa60`00c06248 : 00000000`00000004 fffffa60`02e627a0 fffffa80`07886501 fffffa80`04863c01 : Ntfs!NtfsCopyReadA+0x1e6
    fffffa60`02e62930 fffffa60`00c091d5 : fffffa60`02e62a10 00000000`00000000 fffffa80`04863c03 fffffa80`00000000 : fltmgr!FltpPerformFastIoCall+0x88
    fffffa60`02e62990 fffffa60`00c23599 : 00000000`00000000 fffffa80`01dc0070 00000000`00000000 00000000`00000000 : fltmgr!FltpPassThroughFastIo+0xb5
    fffffa60`02e629e0 fffffa60`0938ebc3 : 00000000`00000008 00000000`0008b000 00000000`00000001 fffffa60`02e62b20 : fltmgr!FltpFastIoRead+0x1a9
    fffffa60`02e62a80 00000000`00000008 : 00000000`0008b000 00000000`00000001 fffffa60`02e62b20 00000000`00000000 : eamon+0x4bc3
    fffffa60`02e62a88 00000000`0008b000 : 00000000`00000001 fffffa60`02e62b20 00000000`00000000 00000000`07242148 : 0x8
    fffffa60`02e62a90 00000000`00000001 : fffffa60`02e62b20 00000000`00000000 00000000`07242148 fffffa60`02e62b50 : 0x8b000
    fffffa60`02e62a98 fffffa60`02e62b20 : 00000000`00000000 00000000`07242148 fffffa60`02e62b50 fffffa80`063ee4a0 : 0x1
    fffffa60`02e62aa0 00000000`00000000 : 00000000`07242148 fffffa60`02e62b50 fffffa80`063ee4a0 00000000`00000000 : 0xfffffa60`02e62b20
    fffffa60`02e62aa8 00000000`07242148 : fffffa60`02e62b50 fffffa80`063ee4a0 00000000`00000000 fffff800`01ccd8fa : 0x0
    fffffa60`02e62ab0 fffffa60`02e62b50 : fffffa80`063ee4a0 00000000`00000000 fffff800`01ccd8fa fffffa80`04863c20 : 0x7242148
    fffffa60`02e62ab8 fffffa80`063ee4a0 : 00000000`00000000 fffff800`01ccd8fa fffffa80`04863c20 fffff800`00000001 : 0xfffffa60`02e62b50
    fffffa60`02e62ac0 00000000`00000000 : fffff800`01ccd8fa fffffa80`04863c20 fffff800`00000001 fffffa80`03fcb840 : 0xfffffa80`063ee4a0
    fffffa60`02e62ac8 fffff800`01ccd8fa : fffffa80`04863c20 fffff800`00000001 fffffa80`03fcb840 fffffa60`02e62c01 : 0x0
    fffffa60`02e62ad0 fffff800`01a62e33 : 00000000`00000670 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtReadFile+0x3f8
    fffffa60`02e62bb0 00000000`77615ada : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
    00000000`0303d408 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x77615ada


    FOLLOWUP_IP:
    eamon+4bc3
    fffffa60`0938ebc3 ?? ???

    SYMBOL_STACK_INDEX: 8

    SYMBOL_NAME: eamon+4bc3

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: eamon

    IMAGE_NAME: eamon.sys

    DEBUG_FLR_IMAGE_TIMESTAMP: 480f2fcd

    STACK_COMMAND: .cxr 0xfffffa6002e61bd0 ; kb

    FAILURE_BUCKET_ID: X64_0x3B_eamon+4bc3

    BUCKET_ID: X64_0x3B_eamon+4bc3

    Followup: MachineOwner
    ---------
     
  2. Norton360

    Norton360 Registered Member

    Joined:
    Nov 28, 2007
    Posts:
    71
    I'm having the same problem in my computer:

    My system sometimes restarts with a BSOD without any apparent reason.

    When I check the dump file, I can read the following:

    I have uploaded the dump file here: http://www.mediafire.com/?bx1jvxgy82x

    I'm using version 650. I've found another similar problem here on Wilders, but there was no solution.

    Any ideas?
     
  3. edwin3333

    edwin3333 Registered Member

    Joined:
    Aug 29, 2007
    Posts:
    244
    My PC just BSOD'ed on eamon.sys per WinDbg. Error is the 0x0..050 one. (Device driver.)

    BUGCHECK_STR: 0x50

    LAST_CONTROL_TRANSFER: from 80529160 to 80537672

    b4e049a8 80529160 00000050 bad0b148 00000000 nt!KeBugCheckEx+0x1b
    b4e049f8 804e0934 00000000 bad0b148 00000000 nt!IoSetFileOrigin+0xc9a6
    b4e04a1c 804e1bd8 8a5ebbc8 8a5ebb58 b4e04a38 nt!Kei386EoiHelper+0x271b
    b4e04a94 804e1947 e1c1e4e8 00000000 b510f680 nt!KeWaitForMultipleObjects+0x1d5
    b4e04be8 b50dc092 b4e04c00 b4e04c18 00000000 nt!ObfDereferenceObject+0x47
    b4e04c1c b50daecb 8a5b53c8 00000000 00000003 eamon+0x5092
    b4e04c60 804e13c9 0154c800 8a470db8 8a470db8 eamon+0x3ecb
    b4e04ca0 8056fa4c 8a3f4b50 8a54c800 00120196 nt!IofCallDriver+0x32
    b4e04cd4 8056fb9f 8a3f4b50 00000001 8a8dfca0 nt!ExfAcquirePushLockShared+0x598
    b4e04cfc 8056fac5 e2e93b88 8a6ea9e0 0000073c nt!NtClose+0xad
    b4e04d44 8056fb0f 0000073c 00000001 00000000 nt!ExfAcquirePushLockShared+0x611
    b4e04d58 804dd98f 0000073c 0006ee40 7c90e4f4 nt!NtClose+0x1d
    b4e04d70 b5c7854a 00000000 00000000 00000000 nt!KiDeliverApc+0xb9e
    b4e04ddc 804ec6c9 b5c8293d b5c81fc0 00000000 rdbss+0x54a
    b4e04de0 b5c8293d b5c81fc0 00000000 4000027f nt!KeInitializeTimerEx+0x1e6
    b4e04de4 b5c81fc0 00000000 4000027f 000b0000 rdbss!RxpReleasePrefixTableLock+0x3a
    b4e04de8 00000000 4000027f 000b0000 71961cad rdbss!RxCheckMemoryBlock+0x1809

    STACK_COMMAND: kb

    FOLLOWUP_IP:
    eamon+5092
    b50dc092 807e0201 cmp byte ptr [esi+2],1

    SYMBOL_STACK_INDEX: 5

    I have a 2GB memory.dmp if ESET is interested. This is XP SP3 Pro.
     
  4. mayt

    mayt Eset Staff Account

    Joined:
    Mar 12, 2007
    Posts:
    84
    Location:
    Bratislava
    Granpa, edwin3333 I'm sending you PMs.
     
  5. mayt

    mayt Eset Staff Account

    Joined:
    Mar 12, 2007
    Posts:
    84
    Location:
    Bratislava
    Please consider upgrading to .667. If there are still BSODs, could you upload a new memory dump and send me a PM?

    Thanks.
     
  6. Oleg

    Oleg Registered Member

    Joined:
    Mar 24, 2005
    Posts:
    283
    Location:
    USA
    No problems running it on XP.
     
  7. Thankful

    Thankful Registered Member

    Joined:
    Feb 28, 2005
    Posts:
    3,017
    Location:
    New York City
  8. eagle92

    eagle92 Registered Member

    Joined:
    Jun 4, 2008
    Posts:
    1
    Same error here:

    Loading Dump File [C:\Windows\Minidump\Mini082508-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is:
    Windows Server 2008 Kernel Version 6001 (Service Pack 1) MP (4 procs) Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 6001.18063.x86fre.vistasp1_gdr.080425-1930
    Kernel base = 0x8243f000 PsLoadedModuleList = 0x82556c70
    Debug session time: Mon Aug 25 02:04:00.959 2008 (GMT-7)
    System Uptime: 1 days 11:14:43.116
    Loading Kernel Symbols
    ..........................................................................................................................................................................................
    Loading User Symbols
    Loading unloaded module list
    ......
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 50, {967ef5d0, 1, 890ac5b1, 0}

    *** WARNING: Unable to verify timestamp for eamon.sys
    *** ERROR: Module load completed but symbols could not be loaded for eamon.sys
    *** WARNING: Unable to verify timestamp for easdrv.sys
    *** ERROR: Module load completed but symbols could not be loaded for easdrv.sys

    Could not read faulting driver name
    Probably caused by : eamon.sys ( eamon+37c1 )

    Followup: MachineOwner
    ---------

    0: kd> !analyze -v
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    PAGE_FAULT_IN_NONPAGED_AREA (50)
    Invalid system memory was referenced. This cannot be protected by try-except,
    it must be protected by a Probe. Typically the address is just plain bad or it
    is pointing at freed memory.
    Arguments:
    Arg1: 967ef5d0, memory referenced.
    Arg2: 00000001, value 0 = read operation, 1 = write operation.
    Arg3: 890ac5b1, If non-zero, the instruction address which referenced the bad memory
    address.
    Arg4: 00000000, (reserved)

    Debugging Details:
    ------------------


    Could not read faulting driver name

    WRITE_ADDRESS: GetPointerFromAddress: unable to read from 82576868
    Unable to read MiSystemVaType memory at 82556420
    967ef5d0

    FAULTING_IP:
    Ntfs!NtfsShrinkLengthInCachedLcn+167
    890ac5b1 66894c1a10 mov word ptr [edx+ebx+10h],cx

    MM_INTERNAL_CODE: 0

    CUSTOMER_CRASH_COUNT: 1

    DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

    BUGCHECK_STR: 0x50

    PROCESS_NAME: ekrn.exe

    CURRENT_IRQL: 0

    TRAP_FRAME: bb7b7598 -- (.trap 0xffffffffbb7b7598)
    ErrCode = 00000002
    eax=8b7276a0 ebx=967d0000 ecx=00000ab9 edx=0001f5c0 esi=877b0790 edi=967e5210
    eip=890ac5b1 esp=bb7b760c ebp=bb7b761c iopl=0 nv up ei pl nz ac po nc
    cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010212
    Ntfs!NtfsShrinkLengthInCachedLcn+0x167:
    890ac5b1 66894c1a10 mov word ptr [edx+ebx+10h],cx ds:0023:967ef5d0=????
    Resetting default scope

    LAST_CONTROL_TRANSFER: from 82499bb4 to 824e4155

    STACK_TEXT:
    bb7b7580 82499bb4 00000001 967ef5d0 00000000 nt!MmAccessFault+0x10a
    bb7b7580 890ac5b1 00000001 967ef5d0 00000000 nt!KiTrap0E+0xdc
    bb7b761c 890a1b29 00000aa5 00000016 00000e16 Ntfs!NtfsShrinkLengthInCachedLcn+0x167
    bb7b765c 8909ac86 877b00d8 00000005 00000000 Ntfs!NtfsRemoveCachedLcn+0x230
    bb7b767c 890b1980 86a17350 877b00d8 08a431df Ntfs!NtfsAddCachedRun+0x70
    bb7b76f0 890b152b 86a17350 877b00d8 0000c513 Ntfs!NtfsAllocateBitmapRun+0xf2
    bb7b77ec 890b30d3 86a17350 877b00d8 b40660f8 Ntfs!NtfsAllocateClusters+0xb67
    bb7b7898 890225d1 86a17350 84edc9f0 0100000c Ntfs!NtfsAddAllocation+0x34c
    bb7b78dc 8901b1c1 86a17350 84edc9f0 0000000c Ntfs!NtfsAddAllocationForNonResidentWrite+0x12a
    bb7b7a10 89019914 86a17350 93343a58 327f302f Ntfs!NtfsCommonWrite+0x17ef
    bb7b7a88 824fb053 877b0020 93343a58 93343a58 Ntfs!NtfsFsdWrite+0x2dc
    bb7b7aa0 88b22ba7 877bddf8 93343a58 00000000 nt!IofCallDriver+0x63
    bb7b7ac4 88b22d64 bb7b7ae4 877bddf8 00000000 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x251
    bb7b7afc 824fb053 877bddf8 93343a58 a671b7ac fltmgr!FltpDispatch+0xc2
    bb7b7b14 a66e67c1 aa14a020 bb7b7b38 824fb053 nt!IofCallDriver+0x63
    WARNING: Stack unwind information not available. Following frames may be wrong.
    bb7b7b20 824fb053 aa14a020 93343a58 93343a58 eamon+0x37c1
    bb7b7b38 8268b5e5 84edca1c 93343a58 93343c54 nt!IofCallDriver+0x63
    bb7b7b58 826668f1 aa14a020 84edc9f0 00000001 nt!IopSynchronousServiceTail+0x1d9
    bb7b7bec 94656898 aa14a020 00000000 00000000 nt!NtWriteFile+0x6fc
    bb7b7c18 94656a73 02cfcf90 bbef1a8a b3b87a50 easdrv+0x2898
    bb7b7c58 8268b98e b3b87a50 00000001 02cfcf90 easdrv+0x2a73
    bb7b7d00 82675a61 9425db50 00000000 00000000 nt!IopXxxControlFile+0x2cf
    bb7b7d34 82496a7a 000001cc 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
    bb7b7d34 76f59a94 000001cc 00000000 00000000 nt!KiFastCallEntry+0x12a
    02cfcf40 00000000 00000000 00000000 00000000 0x76f59a94


    STACK_COMMAND: kb

    FOLLOWUP_IP:
    eamon+37c1
    a66e67c1 ?? ???

    SYMBOL_STACK_INDEX: f

    SYMBOL_NAME: eamon+37c1

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: eamon

    IMAGE_NAME: eamon.sys

    DEBUG_FLR_IMAGE_TIMESTAMP: 47d94a56

    FAILURE_BUCKET_ID: 0x50_W_eamon+37c1

    BUCKET_ID: 0x50_W_eamon+37c1

    Followup: MachineOwner
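
Added example, not written by any poster in this thread or by ESET: a small Python triage of the STACK_TEXT sections posted above. It finds the first row that names a module but no symbol, which on the three stacks in this thread is the row WinDbg reports as SYMBOL_STACK_INDEX, and counts the raw-address rows that follow it; the function names and the heuristic are assumptions of this example, not WinDbg's own blame logic.

```python
import re

# Shapes of the symbol column (last token) in WinDbg kb / STACK_TEXT rows.
SYMBOLIZED = re.compile(r"^(\w+)!([\w:]+)(?:\+0x[0-9a-f]+)?$", re.I)
MODULE_ONLY = re.compile(r"^([A-Za-z_]\w*)\+0x[0-9a-f]+$", re.I)

# Abridged from the thread's first dump: no argument columns, two raw rows kept.
SAMPLE_X64 = """\
fffffa60`02e62430 fffff800`01a96604 : nt!MmMapViewInSystemCache+0x1ca
fffffa60`02e62550 fffff800`01a7b4b8 : nt!CcGetVacbMiss+0x1a4
fffffa60`02e625e0 fffff800`01cd6b80 : nt!CcGetVirtualAddress+0x348
fffffa60`02e62660 fffffa60`012c0136 : nt!CcFastCopyRead+0x3ed
fffffa60`02e62740 fffffa60`00c06248 : Ntfs!NtfsCopyReadA+0x1e6
fffffa60`02e62930 fffffa60`00c091d5 : fltmgr!FltpPerformFastIoCall+0x88
fffffa60`02e62990 fffffa60`00c23599 : fltmgr!FltpPassThroughFastIo+0xb5
fffffa60`02e629e0 fffffa60`0938ebc3 : fltmgr!FltpFastIoRead+0x1a9
fffffa60`02e62a80 00000000`00000008 : eamon+0x4bc3
fffffa60`02e62a88 00000000`0008b000 : 0x8
fffffa60`02e62a90 00000000`00000001 : 0x8b000
fffffa60`02e62ad0 fffff800`01a62e33 : nt!NtReadFile+0x3f8
"""

def parse_frames(stack_text):
    """Return [(kind, module, symbol)] with the innermost frame first."""
    frames = []
    for line in stack_text.splitlines():
        sym = (line.split() or [""])[-1]
        if m := SYMBOLIZED.match(sym):
            frames.append(("symbolized", m.group(1), sym))
        elif m := MODULE_ONLY.match(sym):
            frames.append(("module_only", m.group(1), sym))
        elif sym.startswith("0x"):
            frames.append(("raw", None, sym))
    return frames  # headers and "WARNING: Stack unwind ..." rows are skipped

def triage(stack_text):
    """Find the first frame without symbols and describe what surrounds it."""
    frames = parse_frames(stack_text)
    idx = next((i for i, f in enumerate(frames) if f[0] == "module_only"), None)
    if idx is None:
        return None
    callers = frames[idx + 1:]
    return {
        "module": frames[idx][1],
        "stack_index": idx,  # compare with SYMBOL_STACK_INDEX in the dump
        "path_to_fault": list(dict.fromkeys(f[1] for f in reversed(frames[:idx]))),
        # raw rows directly after the driver: the stack walk is unreliable there
        "unwind_gap": next((i for i, f in enumerate(callers) if f[0] != "raw"), len(callers)),
        "syscall": next((f[2] for f in callers if f[2].startswith("nt!Nt")), None),
    }

print(triage(SAMPLE_X64))
```

A non-zero `unwind_gap` means the rows between the driver and the system call should not be read as real callers; `path_to_fault` lists the modules the request passed through below the driver before the fault.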
     
  9. biglat1595

    biglat1595 Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    1
    I'm having the same error here! Most of the time it is during the night when the scan is scheduled! Error with the win32k.sys file! I'm running Vista Ultimate 64 bits!

    Thanks.
     