NOD32 kernel32 error message

Discussion in 'NOD32 version 2 Forum' started by steveharro, Sep 9, 2003.

Thread Status:
Not open for further replies.
  1. steveharro

    steveharro Registered Member

    Joined:
    Sep 9, 2003
    Posts:
    7
    I keep getting an error message kernel32 at 016:ff766bc. I read what Buster had to say on this and tried a few ideas, but nothing seems to work. I am running WIN98SE and have had NOD32 trial version installed for about a month. Before that I had no problems. Is there a fix for this that anybody knows of?
    I am not very keen on playing with the registry. o_O
    Any ideas would be greatly appreciated. I better mention that the trial version is still current; it is from PCuser and can be updated each month.
     
  2. Buster

    Buster Registered Member

    Joined:
    Jun 12, 2003
    Posts:
    65
    Location:
    Oz
    Hi steveharro,

    I have seen this message on a number of pcs all running Win98SE.

    The error seems to occur on pcs running a firewall and the latest windows updates from the MS site. Is this the case with your pc?

    Minacross also has this error on his pc.

    If you would like to upgrade your OS to WinXP the error will disappear. ;) Otherwise we're waiting for Eset to come up with a solution. I've been in touch with Jan who's working on a fix.

    Any progress Jan?

    Rgds

    Buster
     
  3. steveharro

    steveharro Registered Member

    Hi Buster
    Thanks for getting back so soon. No firewall, but I have updated about two months ago. Any idea how Jan's getting on with the fix? :D
     
  4. Buster

    Buster Registered Member

    Hmmm....I thought this error might have been a combination of Win98SE, firewall and Win updates....I guess that theory is blown.

    Problem is this error is intermittent and Eset is finding it difficult to reproduce. Hard to fix something that doesn't seem to be broken... :doubt:
    Does the error occur when you close Internet Explorer or Outlook Express?

    If you can supply Jan with any details on how to reproduce this error that would be a help. Send an IM to Jan with screen dumps attached...Eset need all the numbers in the error box so you'll have to save one pic, scroll down to view the remaining numbers and then save a second dump.

    Jan, if you read this post can you give us an update on any progress.

    Rgds

    Buster
     
  5. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    Hi,

    I run WIN98SE and Kerio 2.1.5 and have never experienced this problem. Have any of you tried to uninstall and clean the registry entries for NOD and then reinstall? Just a thought!

    Regards,
    ~Fire~Dancer~ ;)
     
  6. Buster

    Buster Registered Member

    Hi FireDancer,

    We meet again...

    I had one particular pc where this error was constantly appearing on closing either Internet Explorer, Yahoo Messenger or Outlook Express.
    (The problem was solved by upgrading to Win XP)

    Win98SE was reinstalled on this pc at least half a dozen times :doubt: :'(
    This crash would pop up almost immediately on closing Internet Explorer. Have tried changing hardware with no luck :'(

    As I am upgrading customer's pcs to NODv2 this error is becoming more frequent. :( Thing is it doesn't happen on all Win98SE pcs, some run OK for a while then the error will appear in 1 or 2 weeks. I can't work it out.

    Disabling IMON has resolved the error on some pcs, not all. o_O

    Suggestions?

    Rgds

    Buster
     
  7. steveharro

    steveharro Registered Member

    Hi Buster
    I tried Outlook Express and within about a minute got the error. I couldn't get a snapshot; everything slows to a crawl and nothing seems to work properly. This is the 4th time I have attempted to send this message. I finished up having to reboot. But the good news is I did manage to copy and paste the details. Then I tried closing the error box. And at first it did. Which is a first; I have usually got to reboot. I got a second error with different details. And copied those as well.
    THIS IS THE FIRST MESSAGE

    EXPLORER caused an invalid page fault in
    module KERNEL32.DLL at 0167:bff7b9a6.
    Registers:
    EAX=00000000 CS=0167 EIP=bff7b9a6 EFLGS=00000246
    EBX=81726d4c SS=016f ESP=0086fbe8 EBP=0086fc00
    ECX=cbf47e20 DS=016f ESI=77640678 FS=2ccf
    EDX=bffc9490 ES=016f EDI=00000000 GS=0000
    Bytes at CS:EIP:
    ff 76 04 e8 13 89 ff ff 5e c2 04 00 56 8b 74 24
    Stack dump:
    77640678 77632cc6 77640678 00000000 77640678 81726d4c 0086fdf0 77631e87 77640678 00000000 77637ed3 77630000 7763200a 77630000 77630000 77632064

    THIS IS THE SECOND

    IEXPLORE caused an invalid page fault in
    module KERNEL32.DLL at 0167:bff766bc.
    Registers:
    EAX=0088003c CS=0167 EIP=bff766bc EFLGS=00010202
    EBX=00000000 SS=016f ESP=00880000 EBP=00880010
    ECX=00000000 DS=016f ESI=00880108 FS=2477
    EDX=bff76855 ES=016f EDI=81748998 GS=0000
    Bytes at CS:EIP:
    e8 13 ad ff ff 8b 55 08 8f 82 b0 00 00 00 8b 4d
    Stack dump:
    002a0014 00000000 0088003c 0088003c 00880024 bff766fd 0088003c 008801b4 00000000 008801b4 bff883ed 0088003c bff79060 00000000 0097ffec ffffffff

    I hope this helps
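Fault addresses from reports like the two above are compared across machines later in this thread. As an added example (not part of the thread and not Eset tooling), the Python below parses pasted Windows 9x page-fault dialogs in this layout and buckets them by module and fault address; the third sample report and all function names are constructed for illustration.

```python
import re
# Header of a Windows 9x "invalid page fault" dialog, as pasted in this thread.
HEADER = re.compile(
    r"(?P<process>\S+) caused an invalid page fault in\s+"
    r"module (?P<module>\S+) at (?P<cs>[0-9a-f]{4}):(?P<eip>[0-9a-f]{8})\.",
    re.IGNORECASE)
REGISTER = re.compile(r"\b([A-Z]{2,5})=([0-9a-fA-F]+)")

# Reports 1 and 2 are copied from the post above. Report 3 is constructed
# (hypothetical second machine, different process, same fault address).
SAMPLE = """
EXPLORER caused an invalid page fault in
module KERNEL32.DLL at 0167:bff7b9a6.
Registers:
EAX=00000000 CS=0167 EIP=bff7b9a6 EFLGS=00000246
EBX=81726d4c SS=016f ESP=0086fbe8 EBP=0086fc00
ECX=cbf47e20 DS=016f ESI=77640678 FS=2ccf
EDX=bffc9490 ES=016f EDI=00000000 GS=0000
Bytes at CS:EIP:
ff 76 04 e8 13 89 ff ff 5e c2 04 00 56 8b 74 24
Stack dump:
77640678 77632cc6 77640678 00000000 77640678 81726d4c 0086fdf0 77631e87 77640678 00000000 77637ed3 77630000 7763200a 77630000 77630000 77632064
IEXPLORE caused an invalid page fault in
module KERNEL32.DLL at 0167:bff766bc.
Registers:
EAX=0088003c CS=0167 EIP=bff766bc EFLGS=00010202
EBX=00000000 SS=016f ESP=00880000 EBP=00880010
ECX=00000000 DS=016f ESI=00880108 FS=2477
EDX=bff76855 ES=016f EDI=81748998 GS=0000
Bytes at CS:EIP:
e8 13 ad ff ff 8b 55 08 8f 82 b0 00 00 00 8b 4d
Stack dump:
002a0014 00000000 0088003c 0088003c 00880024 bff766fd 0088003c 008801b4 00000000 008801b4 bff883ed 0088003c bff79060 00000000 0097ffec ffffffff
MSIMN caused an invalid page fault in
module KERNEL32.DLL at 0167:bff766bc.
Registers:
EAX=0072003c CS=0167 EIP=bff766bc EFLGS=00010202
EBX=00000000 SS=016f ESP=00720000 EBP=00720010
ECX=00000000 DS=016f ESI=00720108 FS=1f3f
EDX=bff76855 ES=016f EDI=8174a2c0 GS=0000
Bytes at CS:EIP:
e8 13 ad ff ff 8b 55 08 8f 82 b0 00 00 00 8b 4d
Stack dump:
002a0014 00000000 0072003c 0072003c 00720024 bff766fd 0072003c 007201b4 00000000 007201b4 bff883ed 0072003c bff79060 00000000 0081ffec ffffffff
"""

def _hex_line_after(label, body):
    """Hex values on the line following `label` (empty list if absent)."""
    m = re.search(re.escape(label) + r"\s*\n\s*(.*)", body)
    return [int(tok, 16) for tok in m.group(1).split()] if m else []

def parse_reports(text):
    """Split pasted dialog text into one dict per fault report."""
    heads = list(HEADER.finditer(text))
    reports = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[h.end():end]
        reports.append({
            "process": h["process"].upper(), "module": h["module"].upper(),
            "cs": int(h["cs"], 16), "eip": int(h["eip"], 16),
            "registers": {n: int(v, 16) for n, v in REGISTER.findall(body)},
            "code_bytes": bytes(_hex_line_after("Bytes at CS:EIP:", body)),
            "stack": _hex_line_after("Stack dump:", body),
        })
    return reports

def group_by_signature(reports):
    """Bucket process names by (module, fault address)."""
    groups = {}
    for r in reports:
        groups.setdefault((r["module"], r["eip"]), []).append(r["process"])
    return groups

def is_consistent(r):
    """True if header address matches CS/EIP and both dumps have 16 entries."""
    regs = r["registers"]
    return (regs.get("EIP") == r["eip"] and regs.get("CS") == r["cs"]
            and len(r["code_bytes"]) == 16 and len(r["stack"]) == 16)
```

The 16-entry check is an assumption taken from the two dumps on this page; a report that fails it was probably copied before scrolling the dialog to the end.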
     
  8. Buster

    Buster Registered Member

    Hi Steveharro,

    Thanks for the info. The second error message is the same address that pops up on my Win98SE pcs. I'm unable to close the box, you have to restart.

    I'll send Jan an IM with a link to this thread. Cross your fingers this prob will soon be fixed.

    Rgds

    Buster
     
  9. steveharro

    steveharro Registered Member

    Hi Buster
    Let's hope so :D. I couldn't shut the second box. That was the first time I was able to shut it; before that I had to restart every time by turning off at the on/off switch. Another thought I had was maybe the error only appears in Outlook Express 6. That's what version I have. What version are you running? My Internet Explorer is version 6 with Service Pack 1. Anyway, here's hoping :)

    Regards

    Steveharro
     
  10. Buster

    Buster Registered Member

    Hi Steveharro,

    Am running same as you, IE6 with SP1, Outlook Express 6. I can also reproduce the error by closing Internet Explorer. Have you tried disabling IMON, this works on some pcs. AMON will prevent you opening any infected files, so your pc is still protected. ;)

    I've sent Jan an IM. I'll keep you posted with any updates. :D

    Rgds

    Buster
     
  11. steveharro

    steveharro Registered Member

    Hi Buster
    Yes, I tried that before, after I read your ideas a while back. Thanks for the help; this has been driving me crazy.

    Regards

    STEVEHARRO
     
  12. jan

    jan Former Eset Moderator

    Joined:
    Oct 25, 2002
    Posts:
    804
    Hi all,

    one guy here is trying to reproduce the problem. However - it is an intermittent problem - so even though we have many details about it, it's difficult to reproduce it. Anyway - we'll continue trying it. The users having this problem can try to disable IMON and check for changes. The protection of the machine continues with AMON.

    As soon as we have some news, we'll post it here.

    Thanks for the understanding and patience. :)

    Rgds,

    jan
     
  13. jan

    jan Former Eset Moderator

    Hey all,


    good news - we have reproduced the problem :) and are searching for the solution!

    I'll keep you posted.

    All the best,

    jan
     
  14. steveharro

    steveharro Registered Member

    Hi Jan
    That's great news. Now I can save on my therapy bills
    :D :D :D :D

    Regards

    Steveharro
     
  15. Buster

    Buster Registered Member

    Hi Jan,

    :D :D :D Good stuff, Jan!

    I'm sure it's only a matter of time before you nail this error to the wall.

    Thank you, thank you, thank you to Jan and all involved for your persistence in pursuing this!

    You're all heroes. Eset you’re the BEST! :D :D :D :D :D :D :D

    Rgds

    Buster
     
  16. NewNOD

    NewNOD Guest

    QSection asked if he could help with my NOD32 / Kernel32 issue in the thread below:

    http://www.wilderssecurity.com/showthread.php?t=16010;start=60

    I asked that the discussion be moved here and that he read this thread if he hadn't already read it. The most significant info in this thread is Jan's post.

    QSection made his offer of help with this:
    So here goes:

    The problem machine is configured as such:
    Win98 4.10 (Build 1998) - Not SE - All the latest Update Patches
    IE 6.0.2800.1106IC 128-Bit Encryption - All The Latest Update patches

    When Nod32 was most recently tested again, this was the config:

    Information on other scanner support parts
    Advanced heuristics module version:   1.004 (20031028)
    Advanced heuristics module build:   1037
    Archive support module version:   1.007 (20031104)
    Archive support module build version:   1074

    Information on installed components
    NOD32 For Windows 95/98/ME - Base
    Version:   2.000.6
    NOD32 for Windows 95/98/ME - Standard component
    Version:   2.000.6
    NOD32 For Windows 95/98/ME - Internet support
    Version:   2.000.6

    AMON - On
    IMON - On
    AH - On
    Scan all filetypes - On
    Paolo's Context menu Item Installed
    Graphics On - Never had a problem like Mele20 says he's had
    *Basically - Highest functionality set

    Various configurations have been tried: options set "on"/ set "off", uninstalled and reinstalled NOD, closed various background programs, etc. The usual testing was done to see if anything could be isolated. In all instances, NOD32 was run with other AVs completely uninstalled and registry cleaned. Computer does run fine with no AV installed, and runs fine with Norton AV 2002 & 2003. Kaspersky versions 3.* & 4.* run slow and clunky, but they do not cause the Kernel 32 errors.

    I use various other security software (Kerio 2.1.5, DNSKong, Proxomitron, TDS-3, and ID-Blaster). NOD32 v2 was tested with various combos of these loaded and unloaded. Nothing changed the Kernel32 error behavior.

    Unloading Imon with the first iterations of NOD32 v2 did not cause a positive change in behavior. The most recent build of NOD32 causes Kernel 32 problems with IMON on just as frequently as the earlier builds. However, though not perfect, unloading IMON in the latest build causes less frequent issues.

    The issue:

    With NOD32 v2 installed, various programs (usually internet related...IE, Mozilla, etc.) cause a crash in Kernel32. The error-message window that is displayed will not close and ultimately the computer locks up and has to be re-booted; or the computer crashes during the restart necessary to clear the error-message window.

    Others have described the problem well enough and that is why I didn't feel a need to add my 2 cents. Posts in another recent thread in which I participated and QSection's offer to help prompted me to go through this exercise, if for no other reason than to express my appreciation for QSection's concern.

    IMON, I believe, has something to do with it, as others have theorized. Not only because of the obvious (unloading IMON helps or fixes the problem for some), but according to the NOD32 v2 Help File description of the components of NOD, IMON is said to be an Internet Monitor (not just a mail scanner - hence the broader descriptive name IMON):

    IMON – this scanner provides the first line of defense by monitoring Internet traffic (smtp, ftp, http and other Winsock protocols)

    I think this module was initially designed to scan other traffic besides SMTP port 110, but was never properly implemented and scrapped, leaving it to scan only SMTP. But, some vestigial elements of the original intent of this module are left and cause programs like IE and Mozilla (which handle http connections) to crash.

    What do you think QSection?

    Sorry for grammar, typos, missing words, etc. I was in a bit of a hurry and did not proof read adequately.

    Thanks.
     
  17. Q Section

    Q Section Registered Member

    Joined:
    Feb 5, 2003
    Posts:
    778
    Location:
    Headquarters - London & Field Offices -Worldwide
    NewNOD
    A few things come to mind not in any particular order.

    First - perhaps your Kernel32.dll is damaged. To reload it you can follow these instructions.

    Second - perhaps another Windows file is damaged or has the wrong version (due to a download changing it). Have you tried Start>Programs>Accessories>System Tools>Tools>System File Checker? Although this is a more difficult possible solution (because one must make an unguided decision about which files to choose) it very well may be the answer. We know of a few people who have had various problems resolved by this fix.

    Please consider these possibilities and post your reply to them.

    By the way - we are unfortunately not programmers nor do we sell or work for ESET or Wilders (just in case anyone was wondering). :cool:

    There may be another one or two things we can suggest but we need to check our archives first.

    Best wishes.
     
  18. NewNOD

    NewNOD Guest

    I don't have a damaged Kernel32.dll. I replaced that file with a fresh one as one of the first things I did upon getting an error message. I have been pretty thorough in trying to track down this problem, including checking system files.

    I didn't just jump to the conclusion that NOD32 was unworkable as I really wanted to be able to use NOD...getting rid of NAV after they implemented the DRM scheme in version 2003 was something I was really intent on doing. However, I am pretty sure this thing is isolated to NOD32 as I can install NOD and get crashes, then immediately uninstall it and be back to stable (can you use that term with WIN98?). As I mentioned previously, I get no crashes without an AV installed; I get no crashes with NAV 2002 installed; I get no crashes with NAV 2003 installed; I get no crashes with various versions of Kaspersky installed; eeeeehhhh .... I get tons of crashes with NOD32 v 2 installed. I don't think it's coincidental, nor do I think it's something that needs to be fixed on the base machine. The error is strictly caused when NOD32 is running on an otherwise stable and tested system, so I can only conclude that the issue is NOD, not my system.

    In other words, if so many other pieces of software can play well together on my system (not only AVs but I use a lot of software of all kinds...lots of graphics, web design, utilities, etc.), I have to conclude (maybe not from a scientific standpoint but certainly from a practical one) that NOD is the bad kid on the block. The flipside is that you could argue "why does it work on my configuration, then". I don't know. I'm hoping at some point Jan will get it figured out.

    What do you think of my theory regarding vestigial coding elements in IMON causing problems? I still find it odd that the description of IMON's functionality in the Help File differs so greatly from what it actually does. If the intention was to have it do this (scan HTTP, FTP, and other protocols besides SMTP) and the attempt failed or was aborted at the last minute, maybe the code was screwed when IMON was limited to scanning SMTP in the final releases.
     
  19. Q Section

    Q Section Registered Member

    Well we are not very up on the intricacies of IMON but have you tried the second idea we suggested? Perhaps there is some corrupted code in another Windows file that although you have tried other programs that have run fine this possibly corrupted file can make NOD32 not run right. By corrupted this would include a version of a Windows file which is not the correct one needed to run NOD32. Perhaps you may have a newer version of a file (.dll or otherwise) that is causing the fault error. We have definitely heard of a problem that this was the cause.

    Another idea is program compatibility. Have you tried this - close all other programs except Windows and NOD32 and see if you have the problem. We also have heard of this as a problem and ESET changed their program right away so the problem was no longer there. There was a conflict with another security program. Perhaps it would be better to start in Safe mode so the normal programs' dll files will not be put into the memory as Win98SE sometimes does not release the dll's after the program is shut down. One cannot exclude any possibility.

    Thirdly, do you think any other tools can benefit you? We have an associate who has just about all the diagnostic tools one can imagine. There is a tool for following a process to see what it starts and if a fault occurs perhaps it could be traced exactly from process to process. We will try to contact the associate and get them to join this thread if we can.

    Please keep us posted.
     
  20. jan

    jan Former Eset Moderator

    Hi all,

    the imon.dll has been modified and it helped several NOD32 users with this problem. Anyone who is computer-skilled enough and wants to test it as a still UNRELEASED version - which is being tested and might have some problems - can send me a personal message with an e-mail address where I can send the new imon.dll.

    If the tests are successful, we can release a program component upgrade with the new imon.dll shortly.

    Thanks, :)

    jan
     
  21. NewNOD

    NewNOD Guest

    For QSection,

    Yes I checked system files (I believe that was your Suggestion #2 - see my answer from the previous post below, last sentence:

    I really have been thorough. I have been playing with this since June, 2003, intensely (emphasis on intensely) for a month or so, then had to uninstall and get on with life. After that I have re-installed periodically to try new things, including suggestions found on this forum. Nothing has worked.

    I have booted into safe mode many times trying to understand the problem. I have used all kinds of utilities to monitor activity including installation monitors (InCtrl5, etc.), I have used Filemon to monitor file system activity and RegMon to monitor registry activity (I have applied many different filter combinations in these apps to isolate the things I monitor), I have used ATM and Faber Toys to monitor and manipulate running processes, and the list of utilities and efforts goes on...way too many to list here.

    Quote from QSection:
    I'll answer your quote with a quote from my first post here:
    To be more specific, I systematically closed all processes that could be closed without crashing the computer using ATM (or Faber Toys, depending on my mood) to try to isolate and identify compatibility issues.

    Seriously, I am not a computer newbie, and again, my desire was pretty high in regards to trying to get NOD to run; the combination allowed me to proceed with testing pretty thoroughly. I must concede, however, that I think my desire diminished before my knowledge did, and I had to move on for the most part.

    Thanks for the continued concern. I appreciate it.

    __________
    Jan,

    Thank you very much for providing input. Your offer sounds great.

    By the way, was IMON intended originally to scan many more protocols than ESET was successful at achieving, thus relegating what was once supposed to be an Internet Monitor (scanner of HTTP, FTP, etc. per the Help File) to strictly an SMTP / POP monitor? Maybe the transformation was not adequate or complete. Or maybe it was simply, "Oh, well, it doesn't work as a monitor of other protocols, but it works as a monitor of SMTP" and therefore no effort was made to remove the extraneous code? And did this have anything to do with the issues some have reported here? I probably don't know what I'm talking about, but as I said before, I find it intriguing that the file is named IMON, that it is described as an Internet Monitor which scans HTTP, FTP, SMTP, etc. in the Help File, that NOD32 only has options in the final release to set scanning of the SMTP protocol under IMON options, and that some users are experiencing HTTP related crashes (the crashes occur generally when internet applications, which use HTTP, are run or closed).

    Thank you.
     
  22. jan

    jan Former Eset Moderator

    Hey NewNOD,

    >By the way, was IMON intended originally to scan many more protocols

    This is true.

    >than ESET was successful at achieving,

    I wonder how you know that we have started to achieve this and were not successful at achieving it. Sorry - neither of these two is true. Still having more important things to do than adding new protocols to IMON.

    > thus relegating what was once supposed to be an Internet Monitor (scanner of HTTP, FTP, etc. per the Help File)

    Yes, you're right, these two protocols are planned to be added to IMON too, but no time for it now. Sorry, I haven't found it in the help file, could you pls. point me more exactly where?

    >to strictly an SMTP / POP monitor?

    Yes, it is scanning the POP3 protocol now.

    >Maybe the transformation was not adequate or complete. Or maybe it was simply, "Oh, well, it doesn't work as a monitor of other protocols, but it works as a monitor of SMTP" and therefore no effort was made to remove the extraneous code? And did this have anything to do with the issues some have reported here?

    I appreciate your rich imagination, but sorry, this is really just the imagination and no reality.

    >I probably don't know what I'm talking about,

    I also appreciate your sense for the reality.

    >but as I said before, I find it intriguing that the file is named IMON, that it is described as an Internet Monitor which scans HTTP, FTP, SMTP, etc. in the Help File, that NOD32 only has options in the final release to set scanning of the SMTP protocol under IMON options,

    I can understand that, but it's difficult to talk about the final release for software products - they are still in development (to better serve the users) and are upgraded via program component upgrades - so I think what is missing here is our time and your patience.

    >and that some users are experiencing HTTP related crashes (the crashes occur generally when internet applications, which use HTTP, are run or closed).

    Pls. specify closer.

    You have a couple of good ideas, but (don't mean as an insult) I find you a bit spitfire and I think if you can manage your energy to good things, you can be successful in many of your efforts.

    As I wrote, the mentioned protocols are planned to be added, but we need to e.g. fix some things that are more important.

    Hope you understand me.

    All the best, :)

    jan
     
  23. NewNOD

    NewNOD Guest

    Jan,

    Quote from me earlier in this thread:
    The line above set off by asterisks is a "cut and paste" directly from the Help File (it wasn't set off with asterisks originally, but since you missed it, I thought I'd highlight it to help out).

    By the way, that cut and paste is from the help file description of modules (AMON, IMON, EMON, etc.) for the current build.

    And it isn't something new. I posted back on JUNE 14, 2003 on the same thing trying to get clarification of IMON functionality due to what I perceived as a contradiction in stated functionality versus true functionality. That post, quoted in part below, has zero (0) responses to it (guess it was too lengthy a post to read for most people):

    Quote from me on June 14, 2003:
    Don't quite understand how all this is my imagination. How would I have even known about any of this if Eset hadn't included the information in the NOD32 documentation. And the documentation didn't say, "planned for future releases". It says it's in the current version and it's said so since NOD32 v2 came out back in June, 2003.

    So instead of labeling all this as my "imagination", let's call it "reasoning".

    I did say in my last post that I could be wrong about my conclusions, but faced with the information I had, it was not unreasonable to offer the theory. It did not begin with imagination, it began with:

    1. Product documentation claiming that a product module (IMON) can do something that it cannot do (there are no options available in the interface to set any of the parameters required to do these things);
    2. Product module causes crashes related to the things that the module is claimed to be able to do, but cannot.

    I thought I was being helpful by pointing out something I thought was relative to finding what has thus far been an elusive solution.

    That makes me a spitfire?

    What does writing an insulting and lengthy post, almost entirely based on the fact that you don't know what's included in your help file, make you? I think it just means you made a mistake. No big deal.

    Sorry. Hope you understand me.
     
  24. jan

    jan Former Eset Moderator

    NewNOD,

    OK, sorry - I should have searched the help file another way than I did. Nobody and nothing is absolutely perfect, so it's really good to avoid any personal comments and stay on the facts.

    You're right that it is written wrong in the help files. I told the guy who has written it. It will be changed in the next program component upgrade.

    Thanks for letting us know.

    Hope we can be friends :)

    Best wishes,

    jan
     
  25. NewNOD

    NewNOD Guest

    Well, I don't know about that.

    Let's get the problem solved, then maybe we can start with a beer to celebrate and see how it goes from there. ;)
     