BSOD with Nod32 3.0 and Vista SP1

Discussion in 'ESET NOD32 Antivirus' started by Granpa, Jun 20, 2008.

Thread Status:
Not open for further replies.
  1. Granpa

    Granpa Registered Member

    Howdy all. I've been a huge fan of Nod32 for years, running without problems. I recently rebuilt my PC and installed Vista x64 and SP1. Initially, I had no problems, but after a few hours I started getting BSOD right after the PC boots, right after Nod32 loads up.

    Sure enough, I check the minidump info and it's a nod32 component that seems to be causing it. Please see below.

    Here are my specs:

    Intel Core 2 Duo 3.0 GHz
    4 GB DDR
    Nvidia Geforce 8800 GTS 640
    evga 122-CK-NF67 Nforce 680i LT SLI mobo
    all the latest firmware and drivers.

    Dump information:
    ----------------------------------------------
    Microsoft (R) Windows Debugger Version 6.8.0004.0 X86
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [C:\Windows\Minidump\Mini062008-02.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is: C:\Windows\Minidump
    Windows Kernel Version 6001 (Service Pack 1) MP (2 procs) Free x64
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 6001.18000.amd64fre.longhorn_rtm.080118-1840
    Kernel base = 0xfffff800`01a0e000 PsLoadedModuleList = 0xfffff800`01bd3db0
    Debug session time: Fri Jun 20 07:16:25.787 2008 (GMT-4)
    System Uptime: 0 days 0:02:46.659
    Loading Kernel Symbols
    .....................................................................................................................................................
    Loading User Symbols
    Loading unloaded module list
    .......
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 3B, {c0000005, fffff80001a97e8a, fffffa6002e61bd0, 0}

    Unable to load image \SystemRoot\system32\DRIVERS\eamon.sys, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for eamon.sys
    *** ERROR: Module load completed but symbols could not be loaded for eamon.sys


    Probably caused by : eamon.sys ( eamon+4bc3 )

    Followup: MachineOwner
    ---------

    0: kd> !analyze -v
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    SYSTEM_SERVICE_EXCEPTION (3b)
    An exception happened while executing a system service routine.
    Arguments:
    Arg1: 00000000c0000005, Exception code that caused the bugcheck
    Arg2: fffff80001a97e8a, Address of the exception record for the exception that caused the bugcheck
    Arg3: fffffa6002e61bd0, Address of the context record for the exception that caused the bugcheck
    Arg4: 0000000000000000, zero.

    Debugging Details:
    ------------------




    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

    FAULTING_IP:
    nt!MmMapViewInSystemCache+1ca
    fffff800`01a97e8a 418b4018 mov eax,dword ptr [r8+18h]

    CONTEXT: fffffa6002e61bd0 -- (.cxr 0xfffffa6002e61bd0)
    rax=0000000000000040 rbx=0000000000000000 rcx=0000000000000000
    rdx=0000000000080000 rsi=0000000000000040 rdi=fffffa800482bab0
    rip=fffff80001a97e8a rsp=fffffa6002e62430 rbp=fffffa8003fa4908
    r8=0000000000000000 r9=fffffa6002e62598 r10=5000941cfeba0003
    r11=fffffa6000c05000 r12=fffff8800ab1fb00 r13=0000000000000040
    r14=0000000000000080 r15=0000000000000000
    iopl=0 nv up ei pl nz na pe nc
    cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010202
    nt!MmMapViewInSystemCache+0x1ca:
    fffff800`01a97e8a 418b4018 mov eax,dword ptr [r8+18h] ds:002b:00000000`00000018=????????
    Resetting default scope

    CUSTOMER_CRASH_COUNT: 2

    DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

    BUGCHECK_STR: 0x3B

    PROCESS_NAME: svchost.exe

    CURRENT_IRQL: 0

    LAST_CONTROL_TRANSFER: from fffff80001a96604 to fffff80001a97e8a

    STACK_TEXT:
    fffffa60`02e62430 fffff800`01a96604 : 00000000`00000000 00000000`00000000 fffff800`01b82cf0 fffffa80`048484e0 : nt!MmMapViewInSystemCache+0x1ca
    fffffa60`02e62550 fffff800`01a7b4b8 : fffffa60`00000000 fffffa60`00c09240 00000000`0008b000 fffffa80`04a0e8b8 : nt!CcGetVacbMiss+0x1a4
    fffffa60`02e625e0 fffff800`01cd6b80 : 00000000`00000000 00000000`00000800 fffffa80`048484e0 00000000`00000000 : nt!CcGetVirtualAddress+0x348
    fffffa60`02e62660 fffffa60`012c0136 : fffffa80`04863c20 00000000`00000000 00000000`00000800 00000000`0008f000 : nt!CcFastCopyRead+0x3ed
    fffffa60`02e62740 fffffa60`00c06248 : 00000000`00000004 fffffa60`02e627a0 fffffa80`07886501 fffffa80`04863c01 : Ntfs!NtfsCopyReadA+0x1e6
    fffffa60`02e62930 fffffa60`00c091d5 : fffffa60`02e62a10 00000000`00000000 fffffa80`04863c03 fffffa80`00000000 : fltmgr!FltpPerformFastIoCall+0x88
    fffffa60`02e62990 fffffa60`00c23599 : 00000000`00000000 fffffa80`01dc0070 00000000`00000000 00000000`00000000 : fltmgr!FltpPassThroughFastIo+0xb5
    fffffa60`02e629e0 fffffa60`0938ebc3 : 00000000`00000008 00000000`0008b000 00000000`00000001 fffffa60`02e62b20 : fltmgr!FltpFastIoRead+0x1a9
    fffffa60`02e62a80 00000000`00000008 : 00000000`0008b000 00000000`00000001 fffffa60`02e62b20 00000000`00000000 : eamon+0x4bc3
    fffffa60`02e62a88 00000000`0008b000 : 00000000`00000001 fffffa60`02e62b20 00000000`00000000 00000000`07242148 : 0x8
    fffffa60`02e62a90 00000000`00000001 : fffffa60`02e62b20 00000000`00000000 00000000`07242148 fffffa60`02e62b50 : 0x8b000
    fffffa60`02e62a98 fffffa60`02e62b20 : 00000000`00000000 00000000`07242148 fffffa60`02e62b50 fffffa80`063ee4a0 : 0x1
    fffffa60`02e62aa0 00000000`00000000 : 00000000`07242148 fffffa60`02e62b50 fffffa80`063ee4a0 00000000`00000000 : 0xfffffa60`02e62b20
    fffffa60`02e62aa8 00000000`07242148 : fffffa60`02e62b50 fffffa80`063ee4a0 00000000`00000000 fffff800`01ccd8fa : 0x0
    fffffa60`02e62ab0 fffffa60`02e62b50 : fffffa80`063ee4a0 00000000`00000000 fffff800`01ccd8fa fffffa80`04863c20 : 0x7242148
    fffffa60`02e62ab8 fffffa80`063ee4a0 : 00000000`00000000 fffff800`01ccd8fa fffffa80`04863c20 fffff800`00000001 : 0xfffffa60`02e62b50
    fffffa60`02e62ac0 00000000`00000000 : fffff800`01ccd8fa fffffa80`04863c20 fffff800`00000001 fffffa80`03fcb840 : 0xfffffa80`063ee4a0
    fffffa60`02e62ac8 fffff800`01ccd8fa : fffffa80`04863c20 fffff800`00000001 fffffa80`03fcb840 fffffa60`02e62c01 : 0x0
    fffffa60`02e62ad0 fffff800`01a62e33 : 00000000`00000670 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtReadFile+0x3f8
    fffffa60`02e62bb0 00000000`77615ada : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
    00000000`0303d408 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x77615ada


    FOLLOWUP_IP:
    eamon+4bc3
    fffffa60`0938ebc3 ?? ???

    SYMBOL_STACK_INDEX: 8

    SYMBOL_NAME: eamon+4bc3

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: eamon

    IMAGE_NAME: eamon.sys

    DEBUG_FLR_IMAGE_TIMESTAMP: 480f2fcd

    STACK_COMMAND: .cxr 0xfffffa6002e61bd0 ; kb

    FAILURE_BUCKET_ID: X64_0x3B_eamon+4bc3

    BUCKET_ID: X64_0x3B_eamon+4bc3

    Followup: MachineOwner
    ---------
  2. Norton360

    Norton360 Registered Member

    I'm having the same problem in my computer:

    My system restarts with a BSOD sometimes without any apparent reason.

    When I check the dump file, I can read the following:

    I have uploaded the dump file here: http://www.mediafire.com/?bx1jvxgy82x

    I'm using version 650. I've found another similar problem here in Wilders, but there was not any solution.

    Any ideas?
  3. edwin3333

    edwin3333 Registered Member

    My PC just BSOD'ed on eamon.sys per WinDBG. Error is the 0x0..050 one. (Device driver.)

    BUGCHECK_STR: 0x50

    LAST_CONTROL_TRANSFER: from 80529160 to 80537672

    b4e049a8 80529160 00000050 bad0b148 00000000 nt!KeBugCheckEx+0x1b
    b4e049f8 804e0934 00000000 bad0b148 00000000 nt!IoSetFileOrigin+0xc9a6
    b4e04a1c 804e1bd8 8a5ebbc8 8a5ebb58 b4e04a38 nt!Kei386EoiHelper+0x271b
    b4e04a94 804e1947 e1c1e4e8 00000000 b510f680 nt!KeWaitForMultipleObjects+0x1d5
    b4e04be8 b50dc092 b4e04c00 b4e04c18 00000000 nt!ObfDereferenceObject+0x47
    b4e04c1c b50daecb 8a5b53c8 00000000 00000003 eamon+0x5092
    b4e04c60 804e13c9 0154c800 8a470db8 8a470db8 eamon+0x3ecb
    b4e04ca0 8056fa4c 8a3f4b50 8a54c800 00120196 nt!IofCallDriver+0x32
    b4e04cd4 8056fb9f 8a3f4b50 00000001 8a8dfca0 nt!ExfAcquirePushLockShared+0x598
    b4e04cfc 8056fac5 e2e93b88 8a6ea9e0 0000073c nt!NtClose+0xad
    b4e04d44 8056fb0f 0000073c 00000001 00000000 nt!ExfAcquirePushLockShared+0x611
    b4e04d58 804dd98f 0000073c 0006ee40 7c90e4f4 nt!NtClose+0x1d
    b4e04d70 b5c7854a 00000000 00000000 00000000 nt!KiDeliverApc+0xb9e
    b4e04ddc 804ec6c9 b5c8293d b5c81fc0 00000000 rdbss+0x54a
    b4e04de0 b5c8293d b5c81fc0 00000000 4000027f nt!KeInitializeTimerEx+0x1e6
    b4e04de4 b5c81fc0 00000000 4000027f 000b0000 rdbss!RxpReleasePrefixTableLock+0x3a
    b4e04de8 00000000 4000027f 000b0000 71961cad rdbss!RxCheckMemoryBlock+0x1809

    STACK_COMMAND: kb

    FOLLOWUP_IP:
    eamon+5092
    b50dc092 807e0201 cmp byte ptr [esi+2],1

    SYMBOL_STACK_INDEX: 5

    I have a 2GB memory.dmp if ESET is interested. This is XP SP3 pro.
  4. mayt

    mayt Eset Staff Account

    Granpa, edwin3333 I'm sending you PMs.
  5. mayt

    mayt Eset Staff Account

    Please consider upgrading to .667. If there are still BSODs, could you upload a new memory dump and send me a PM?

    Thanks.
  6. Oleg

    Oleg Registered Member

    No problems running it on XP.
  7. Thankful

    Thankful Registered Member

  8. eagle92

    eagle92 Registered Member

    Same error here:

    Loading Dump File [C:\Windows\Minidump\Mini082508-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is:
    Windows Server 2008 Kernel Version 6001 (Service Pack 1) MP (4 procs) Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 6001.18063.x86fre.vistasp1_gdr.080425-1930
    Kernel base = 0x8243f000 PsLoadedModuleList = 0x82556c70
    Debug session time: Mon Aug 25 02:04:00.959 2008 (GMT-7)
    System Uptime: 1 days 11:14:43.116
    Loading Kernel Symbols
    ..........................................................................................................................................................................................
    Loading User Symbols
    Loading unloaded module list
    ......
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 50, {967ef5d0, 1, 890ac5b1, 0}

    *** WARNING: Unable to verify timestamp for eamon.sys
    *** ERROR: Module load completed but symbols could not be loaded for eamon.sys
    *** WARNING: Unable to verify timestamp for easdrv.sys
    *** ERROR: Module load completed but symbols could not be loaded for easdrv.sys

    Could not read faulting driver name
    Probably caused by : eamon.sys ( eamon+37c1 )

    Followup: MachineOwner
    ---------

    0: kd> !analyze -v
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    PAGE_FAULT_IN_NONPAGED_AREA (50)
    Invalid system memory was referenced. This cannot be protected by try-except,
    it must be protected by a Probe. Typically the address is just plain bad or it
    is pointing at freed memory.
    Arguments:
    Arg1: 967ef5d0, memory referenced.
    Arg2: 00000001, value 0 = read operation, 1 = write operation.
    Arg3: 890ac5b1, If non-zero, the instruction address which referenced the bad memory
    address.
    Arg4: 00000000, (reserved)

    Debugging Details:
    ------------------


    Could not read faulting driver name

    WRITE_ADDRESS: GetPointerFromAddress: unable to read from 82576868
    Unable to read MiSystemVaType memory at 82556420
    967ef5d0

    FAULTING_IP:
    Ntfs!NtfsShrinkLengthInCachedLcn+167
    890ac5b1 66894c1a10 mov word ptr [edx+ebx+10h],cx

    MM_INTERNAL_CODE: 0

    CUSTOMER_CRASH_COUNT: 1

    DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

    BUGCHECK_STR: 0x50

    PROCESS_NAME: ekrn.exe

    CURRENT_IRQL: 0

    TRAP_FRAME: bb7b7598 -- (.trap 0xffffffffbb7b7598)
    ErrCode = 00000002
    eax=8b7276a0 ebx=967d0000 ecx=00000ab9 edx=0001f5c0 esi=877b0790 edi=967e5210
    eip=890ac5b1 esp=bb7b760c ebp=bb7b761c iopl=0 nv up ei pl nz ac po nc
    cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010212
    Ntfs!NtfsShrinkLengthInCachedLcn+0x167:
    890ac5b1 66894c1a10 mov word ptr [edx+ebx+10h],cx ds:0023:967ef5d0=????
    Resetting default scope

    LAST_CONTROL_TRANSFER: from 82499bb4 to 824e4155

    STACK_TEXT:
    bb7b7580 82499bb4 00000001 967ef5d0 00000000 nt!MmAccessFault+0x10a
    bb7b7580 890ac5b1 00000001 967ef5d0 00000000 nt!KiTrap0E+0xdc
    bb7b761c 890a1b29 00000aa5 00000016 00000e16 Ntfs!NtfsShrinkLengthInCachedLcn+0x167
    bb7b765c 8909ac86 877b00d8 00000005 00000000 Ntfs!NtfsRemoveCachedLcn+0x230
    bb7b767c 890b1980 86a17350 877b00d8 08a431df Ntfs!NtfsAddCachedRun+0x70
    bb7b76f0 890b152b 86a17350 877b00d8 0000c513 Ntfs!NtfsAllocateBitmapRun+0xf2
    bb7b77ec 890b30d3 86a17350 877b00d8 b40660f8 Ntfs!NtfsAllocateClusters+0xb67
    bb7b7898 890225d1 86a17350 84edc9f0 0100000c Ntfs!NtfsAddAllocation+0x34c
    bb7b78dc 8901b1c1 86a17350 84edc9f0 0000000c Ntfs!NtfsAddAllocationForNonResidentWrite+0x12a
    bb7b7a10 89019914 86a17350 93343a58 327f302f Ntfs!NtfsCommonWrite+0x17ef
    bb7b7a88 824fb053 877b0020 93343a58 93343a58 Ntfs!NtfsFsdWrite+0x2dc
    bb7b7aa0 88b22ba7 877bddf8 93343a58 00000000 nt!IofCallDriver+0x63
    bb7b7ac4 88b22d64 bb7b7ae4 877bddf8 00000000 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x251
    bb7b7afc 824fb053 877bddf8 93343a58 a671b7ac fltmgr!FltpDispatch+0xc2
    bb7b7b14 a66e67c1 aa14a020 bb7b7b38 824fb053 nt!IofCallDriver+0x63
    WARNING: Stack unwind information not available. Following frames may be wrong.
    bb7b7b20 824fb053 aa14a020 93343a58 93343a58 eamon+0x37c1
    bb7b7b38 8268b5e5 84edca1c 93343a58 93343c54 nt!IofCallDriver+0x63
    bb7b7b58 826668f1 aa14a020 84edc9f0 00000001 nt!IopSynchronousServiceTail+0x1d9
    bb7b7bec 94656898 aa14a020 00000000 00000000 nt!NtWriteFile+0x6fc
    bb7b7c18 94656a73 02cfcf90 bbef1a8a b3b87a50 easdrv+0x2898
    bb7b7c58 8268b98e b3b87a50 00000001 02cfcf90 easdrv+0x2a73
    bb7b7d00 82675a61 9425db50 00000000 00000000 nt!IopXxxControlFile+0x2cf
    bb7b7d34 82496a7a 000001cc 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
    bb7b7d34 76f59a94 000001cc 00000000 00000000 nt!KiFastCallEntry+0x12a
    02cfcf40 00000000 00000000 00000000 00000000 0x76f59a94


    STACK_COMMAND: kb

    FOLLOWUP_IP:
    eamon+37c1
    a66e67c1 ?? ???

    SYMBOL_STACK_INDEX: f

    SYMBOL_NAME: eamon+37c1

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: eamon

    IMAGE_NAME: eamon.sys

    DEBUG_FLR_IMAGE_TIMESTAMP: 47d94a56

    FAILURE_BUCKET_ID: 0x50_W_eamon+37c1

    BUCKET_ID: 0x50_W_eamon+37c1

    Followup: MachineOwner
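
An added example, not part of any post in this thread and not ESET or Microsoft tooling: a small Python triage of `!analyze -v` text like the dumps above. It pulls the bugcheck code, the process name, the non-Windows drivers on the stack, and the driver build date decoded from `DEBUG_FLR_IMAGE_TIMESTAMP`. The sample is an excerpt of the Server 2008 dump quoted above; the `OS_MODULES` list and the function name are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample: an excerpt of the Server 2008 dump quoted in this thread.
SAMPLE = """\
BugCheck 50, {967ef5d0, 1, 890ac5b1, 0}
PROCESS_NAME: ekrn.exe
STACK_TEXT:
bb7b7a88 824fb053 877b0020 93343a58 93343a58 Ntfs!NtfsFsdWrite+0x2dc
bb7b7aa0 88b22ba7 877bddf8 93343a58 00000000 nt!IofCallDriver+0x63
bb7b7afc 824fb053 877bddf8 93343a58 a671b7ac fltmgr!FltpDispatch+0xc2
bb7b7b20 824fb053 aa14a020 93343a58 93343a58 eamon+0x37c1
bb7b7bec 94656898 aa14a020 00000000 00000000 nt!NtWriteFile+0x6fc
bb7b7c18 94656a73 02cfcf90 bbef1a8a b3b87a50 easdrv+0x2898
02cfcf40 00000000 00000000 00000000 00000000 0x76f59a94

IMAGE_NAME: eamon.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 47d94a56
FAILURE_BUCKET_ID: 0x50_W_eamon+37c1
"""

# Assumption: modules treated as part of Windows itself when triaging.
OS_MODULES = {"nt", "ntfs", "fltmgr", "rdbss", "win32k", "hal"}

BUGCHECK = re.compile(r"^\s*BugCheck ([0-9A-Fa-f]+), \{(.*)\}")
FIELD = re.compile(r"^\s*([A-Z_]+):\s*(\S.*)$")
# Last token of a stack line: module!symbol+off or module+0xoff.
FRAME = re.compile(r"\s([A-Za-z_][\w.]*)(?:!\S+|\+0x[0-9a-f]+)\s*$", re.I)

def triage(text):
    """Summarise one !analyze -v report as a dict."""
    out = {"third_party": []}
    for line in text.splitlines():
        if m := BUGCHECK.match(line):
            out["bugcheck"] = int(m.group(1), 16)
            out["args"] = [a.strip() for a in m.group(2).split(",")]
        elif m := FIELD.match(line):
            out[m.group(1)] = m.group(2).strip()
        elif m := FRAME.search(line):
            mod = m.group(1)
            if mod.lower() not in OS_MODULES and mod not in out["third_party"]:
                out["third_party"].append(mod)
    if "DEBUG_FLR_IMAGE_TIMESTAMP" in out:
        # The image timestamp is seconds since the Unix epoch, in hex.
        ts = int(out["DEBUG_FLR_IMAGE_TIMESTAMP"], 16)
        out["image_built"] = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d")
    return out
```

Running the same function over each dump in a thread like this one shows whether the reports share a bugcheck code and driver build or are separate faults.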
  9. biglat1595

    biglat1595 Registered Member

    I'm having the same error here! Most of the time it is during the night when the scan is scheduled! Error with the win32k.sys file! I'm running Vista Ultimate 64 bits!

    Thanks.