Help! NOD32 possibly causing a BSOD!

Discussion in 'ESET NOD32 Antivirus' started by stuman, Nov 4, 2008.

Thread Status:
Not open for further replies.
  1. stuman

    stuman Registered Member

    Hello,

    I'm currently using the latest version of the NOD32 AntiVirus program (version 3.0.672.0) on a recent reinstallation of WinXP SP3. A few hours ago, I started up my system and got a BSOD shortly after the NOD32 application kicked off.
    So I got a copy of Windbg and installed the symbols and this is the result when I open the dump file:

    Microsoft (R) Windows Debugger Version 6.9.0003.113 X86
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [C:\WINDOWS\Minidump\Mini110308-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is: C:\WINDOWS\Symbols
    Executable search path is:
    Unable to load image ntoskrnl.exe, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for ntoskrnl.exe
    Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS Personal
    Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
    Debug session time: Mon Nov 3 20:53:11.718 2008 (GMT-5)
    System Uptime: 0 days 0:00:57.406
    Unable to load image ntoskrnl.exe, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for ntoskrnl.exe
    Loading Kernel Symbols
    ..........................................................................................................
    Loading User Symbols
    Loading unloaded module list
    ............
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 1000008E, {c0000005, 805a3a94, b60f82d8, 0}

    Unable to load image eamon.sys, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for eamon.sys
    *** ERROR: Module load completed but symbols could not be loaded for eamon.sys
    Probably caused by : eamon.sys ( eamon+31bb )

    Followup: MachineOwner
    ---------

    0: kd> !analyze -v
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
    This is a very common bugcheck. Usually the exception address pinpoints
    the driver/function that caused the problem. Always note this address
    as well as the link date of the driver/image that contains this address.
    Some common problems are exception code 0x80000003. This means a hard
    coded breakpoint or assertion was hit, but this system was booted
    /NODEBUG. This is not supposed to happen as developers should never have
    hardcoded breakpoints in retail code, but ...
    If this happens, make sure a debugger gets connected, and the
    system is booted /DEBUG. This will let us see why this breakpoint is
    happening.
    Arguments:
    Arg1: c0000005, The exception code that was not handled
    Arg2: 805a3a94, The address that the exception occurred at
    Arg3: b60f82d8, Trap Frame
    Arg4: 00000000

    Debugging Details:
    ------------------


    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

    FAULTING_IP:
    nt!IopLoadDriver+30c
    805a3a94 8b4814 mov ecx,dword ptr [eax+14h]

    TRAP_FRAME: b60f82d8 -- (.trap 0xffffffffb60f82d8)
    ErrCode = 00000000
    eax=01c93e20 ebx=e2c10508 ecx=000020e3 edx=00000000 esi=89a5eda8 edi=e27562b0
    eip=805a3a94 esp=b60f834c ebp=b60f8368 iopl=0 nv up ei pl nz na pe nc
    cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
    nt!IopLoadDriver+0x30c:
    805a3a94 8b4814 mov ecx,dword ptr [eax+14h] ds:0023:01c93e34=????????
    Resetting default scope

    CUSTOMER_CRASH_COUNT: 1

    DEFAULT_BUCKET_ID: DRIVER_FAULT

    BUGCHECK_STR: 0x8E

    PROCESS_NAME: explorer.exe

    LAST_CONTROL_TRANSFER: from 805a3c71 to 805a3a94

    STACK_TEXT:
    b60f8368 805a3c71 01c93e20 01c93e20 b60f83a0 nt!IopLoadDriver+0x30c
    b60f8380 b54c11bb e2c10508 b60f83a0 b60f83a0 nt!IopLoadUnloadDriver+0x43
    WARNING: Stack unwind information not available. Following frames may be wrong.
    b60f84c8 b54c30c4 b60f84e0 b60f84f8 00000000 eamon+0x31bb
    b60f84fc b54c1c95 89a1c568 00000000 00000000 eamon+0x50c4
    b60f8550 804ef19f 00000668 8998e730 8998e730 eamon+0x3c95
    b60f8640 805bf450 89d0bc98 00000000 89a2cf30 nt!MiFlushSectionInternal+0x256
    b60f86b8 805bb9dc 00000000 b60f86f8 00000040 nt!MiFindExportedRoutineByName+0x6e
    b60f870c 80576033 00000000 00000000 00000101 nt!IopInitializeDCB+0xb2
    b60f8788 805769aa 020dfdb4 80100000 0144e318 nt!SeAssignSecurity+0xa
    b60f87e4 8057a1a9 020dfdb4 80100000 0144e318 nt!SepDuplicateToken+0x22a
    b60f8824 8054162c 020dfdb4 80100000 0144e318 nt!RtlFreeHeap+0x193
    b60f8844 7c90e4f4 badb0d00 0144e2f4 bf815863 nt!RtlIpv4StringToAddressExW+0xad
    b60f8858 00010078 0144fa50 0144fa94 7c90e4f4 0x7c90e4f4
    b60f885c 0144fa50 0144fa94 7c90e4f4 badb0d00 0x10078
    b60f8860 0144fa94 7c90e4f4 badb0d00 00000000 0x144fa50
    b60f8864 7c90e4f4 badb0d00 00000000 0000003b 0x144fa94
    b60f8868 badb0d00 00000000 0000003b 4301036a 0x7c90e4f4
    b60f886c 00000000 0000003b 4301036a 00000000 0xbadb0d00


    STACK_COMMAND: kb

    FOLLOWUP_IP:
    eamon+31bb
    b54c11bb ?? ???

    SYMBOL_STACK_INDEX: 2

    SYMBOL_NAME: eamon+31bb

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: eamon

    IMAGE_NAME: eamon.sys

    DEBUG_FLR_IMAGE_TIMESTAMP: 48a95943

    FAILURE_BUCKET_ID: 0x8E_eamon+31bb

    BUCKET_ID: 0x8E_eamon+31bb

    Followup: MachineOwner
    ---------


    Any ideas or suggestions would certainly be appreciated. Thanks in advance.


    stuman
  2. funkydude

    funkydude Registered Member

    From past experience, BSODs are mainly caused by outdated network cards. The fact that you just did a fresh XP install may or may not prove it.
  3. stuman

    stuman Registered Member

    Thanks for the response funkydude. Actually, it's a NIC that's built in to the P5K ASUS motherboard. The network drivers are up to date. Since the dmp file references the eamon.sys file, which is part of NOD32, that's what leads me to believe that it could be a NOD32 issue. Any other ideas?
  4. stuman

    stuman Registered Member

    Btw, I ran memtest for over 2 hours (6 passes) and no errors. So the 2 gigs of RAM are ok.
  5. Marcos

    Marcos Eset Staff Account

    We'll need to get a complete memory dump. From what you have posted, it looks like a serious problem with your OS, and since eamon.sys was the last one in the order, the OS blames it as the culprit even if it isn't.
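
Added example, not part of the thread and not ESET or Microsoft code: a short Python triage of the `!analyze -v` text from the first post, comparing the frame that actually faulted with the module named in "Probably caused by". `SAMPLE` is an excerpt of that post's output; the function and field names are hypothetical.

```python
import re

# Excerpt of the WinDbg output quoted in the first post of this thread.
SAMPLE = """\
BugCheck 1000008E, {c0000005, 805a3a94, b60f82d8, 0}
Probably caused by : eamon.sys ( eamon+31bb )
STACK_TEXT:
b60f8368 805a3c71 01c93e20 01c93e20 b60f83a0 nt!IopLoadDriver+0x30c
b60f8380 b54c11bb e2c10508 b60f83a0 b60f83a0 nt!IopLoadUnloadDriver+0x43
WARNING: Stack unwind information not available. Following frames may be wrong.
b60f84c8 b54c30c4 b60f84e0 b60f84f8 00000000 eamon+0x31bb
b60f84fc b54c1c95 89a1c568 00000000 00000000 eamon+0x50c4
b60f8550 804ef19f 00000668 8998e730 8998e730 eamon+0x3c95
b60f8640 805bf450 89d0bc98 00000000 89a2cf30 nt!MiFlushSectionInternal+0x256

STACK_COMMAND: kb
"""

# One 'kb' frame: ChildEBP, RetAddr, three argument words, then the symbol.
FRAME = re.compile(r"^[0-9a-f]{8} [0-9a-f]{8} (?:[0-9a-f]{8} ){3}(\S+)$")

def triage(text):
    """Compare the module WinDbg blames with the frame where the fault occurred."""
    blamed = re.search(r"Probably caused by : (\S+)", text).group(1)
    blamed = blamed.rsplit(".", 1)[0]            # eamon.sys -> eamon
    frames, unreliable_from, in_stack = [], None, False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("STACK_TEXT:"):
            in_stack = True
        elif in_stack and line.startswith("WARNING: Stack unwind"):
            unreliable_from = len(frames)        # frames from here on are guesses
        elif in_stack and (m := FRAME.match(line)):
            symbol = m.group(1)
            frames.append((re.split(r"[!+]", symbol)[0], symbol))
        elif in_stack and line:
            break                                # next section (e.g. STACK_COMMAND)
    idx = next((i for i, (mod, _) in enumerate(frames) if mod == blamed), None)
    return {
        "faulting_frame": frames[0][1],
        "faulting_module": frames[0][0],
        "blamed_module": blamed,
        "blamed_stack_index": idx,
        "blamed_is_fault_site": blamed == frames[0][0],
        "blamed_frame_unverified": None not in (idx, unreliable_from)
                                   and idx >= unreliable_from,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On this dump the fault site is `nt!IopLoadDriver` and `eamon` first appears at stack index 2, after the unwind warning, which matches the `SYMBOL_STACK_INDEX: 2` line in the posted output.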
  6. stuman

    stuman Registered Member

    Thanks for responding Marcos. I modified Startup and Recovery to do a complete memory dump so we'll see what happens. Who knows, I may need to do a reinstall of XP. Hopefully, I can get to the bottom of this.


    stuman
  7. stuman

    stuman Registered Member

    The BSOD was caused by a faulty PSU (please delete)

    Hi,

    Just wanted to touch base and report that the BSOD was actually due to a failing power supply, which resulted in sporadic sudden restarts and a sudden shutdown. After the shutdown, I couldn't start the system for at least 5 min. Looks like I'm finally up and running and wanted to thank those of you who replied. :thumb: :)


    stuman