Crashes with version 4.2.67.10

I was told to post this information here, even though I'm not running a server. I'm just running a personal computer. Anyhow:

I've just had a rather disturbing event transpire that's never happened at all: My entire system (Running Windows 7 x64) completely hard-locked on me for several moments. Eventually I regained control, but investigating my system logs and looking at ESET revealed that NOD had crashed horribly, and restarted itself.

I've never had NOD crash on me before, though I admit that in the last three weeks I've upgraded from an earlier version of 4.X to 4.2.67.10.

Is this indicative of my being infected with anything? Did something kill NOD so it could play nasty games? I was running Opera at the time, but it was operating inside Sandboxie.

My NOD information is as follows:

Code:

Virus signature database: 5758 (20110104)
Update module: 1031 (20091029)
Antivirus and antispyware scanner module: 1293 (20101110)
Advanced heuristics module: 1115 (20101116)
Archive support module: 1123 (20101108)
Cleaner module: 1050 (20101207)
Anti-Stealth support module: 1023 (20101125)
SysInspector module: 1217 (20100907)
Self-defense support module : 1018 (20100812)
Real-time file system protection module: 1004 (20100727)

In the event viewer, during the crashes, I see:

Code:

Faulting application name: ekrn.exe, version: 4.2.67.10, time stamp: 0x4cd2d774
Faulting module name: ntdll.dll, version: 6.1.7600.16559, time stamp: 0x4ba9b29c
Exception code: 0xc0000005
Fault offset: 0x0002e1fe
Faulting process id: 0x604
Faulting application start time: 0x01cbac18b8b782b0
Faulting application path: C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
Faulting module path: C:\Windows\SysWOW64\ntdll.dll
Report Id: f75fa3f0-180c-11e0-822a-001fbc01945b

And

Code:

Fault bucket , type 0
Event Name: APPCRASH
Response: Not available
Cab Id: 0

Problem signature:
P1: ekrn.exe
P2: 4.2.67.10
P3: 4cd2d774
P4: ntdll.dll
P5: 6.1.7600.16559
P6: 4ba9b29c
P7: c0000005
P8: 0002e1fe
P9: 
P10: 

Attached files:
C:\Windows\Temp\WERD2F2.tmp.appcompat.txt
C:\Windows\Temp\WERD380.tmp.WERInternalMetadata.xml
C:\Windows\Temp\WERD381.tmp.hdmp
C:\Windows\Temp\WERD44D.tmp.mdmp

These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ekrn.exe_5cafdb419b39a302b95eedcc5235e7e1e346185_cab_053ad498

Analysis symbol: 
Rechecking for solution: 0
Report Id: f75fa3f0-180c-11e0-822a-001fbc01945b
Report Status: 4

Any help with this would be appreciated. I'm not sure if this is something seriously wrong, and I need to panic about infection, or if it's just a fluke, and everything is OK. Thanks.

 

My apologies for posting again so soon, but I just had the same experience with my Macbook pro. Strangely, as soon as the laptop started up, the entire system hardlocked for a good two minutes. Checking the console showed me this:

Code:

1/4/11 7:57:54 AM	esets_daemon[105]	esets_daemon(105,0xb0a0f000) malloc: *** error for object 0x20ff10: pointer being freed was not allocated
*** set a breakpoint in malloc_error_break to debug
1/4/11 7:57:55 AM	esets_daemon[105]	esets_daemon(105,0xb080d000) malloc: *** error for object 0x190e1d0: double free
*** set a breakpoint in malloc_error_break to debug
1/4/11 7:58:08 AM	esets_daemon[105]	esets_daemon(105,0xb080d000) malloc: *** error for object 0x2801200: pointer being reallocated was not allocated
*** set a breakpoint in malloc_error_break to debug
1/4/11 7:58:09 AM	esets_daemon[105]	esets_daemon(105,0xb060b000) malloc: *** error for object 0x1a00784: incorrect checksum for freed object - object was probably modified after being freed.
*** set a breakpoint in malloc_error_break to debug
1/4/11 7:58:33 AM	esets_daemon[104]	error[00680000]: Child process esets_daemon[105] did not handle signal 10, restart in 0 seconds
1/4/11 7:58:33 AM	esets_sci[230]	error[00e60000]: Cannot scan: Daemon closed connection
1/4/11 7:58:33 AM	esets_sci[228]	error[00e40000]: Cannot scan: Daemon closed connection
1/4/11 7:58:33 AM	com.apple.ReportCrash.Root[233]	2011-01-04 07:58:33.966 ReportCrash[233:2a03] Saved crash report for esets_daemon[105] version ??? (???) to /Library/Logs/DiagnosticReports/esets_daemon_2011-01-04-075833_localhost.crash

The contents of the DiagnosticReports crash log is as follows:

Code:

Process:         esets_daemon [105]
Path:            /Applications/ESET Cybersecurity.app/Contents/MacOS/esets_daemon
Identifier:      esets_daemon
Version:         ??? (???)
Code Type:       X86 (Native)
Parent Process:  esets_daemon [104]

Date/Time:       2011-01-04 07:58:33.401 -0700
OS Version:      Mac OS X 10.6.5 (10H574)
Report Version:  6

Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000020
Crashed Thread:  4

Application Specific Information:
*** single-threaded process forked ***

Thread 0:  Dispatch queue: com.apple.main-thread
0   libSystem.B.dylib             	0x94f2d0c6 select$DARWIN_EXTSN + 10
1   libesets.4.dylib              	0x000b6e01 nod_select(_nod_fdsets_t_*, int) + 171
2   esets_daemon                  	0x0005c69d CParamStructHelper<_DISKLOG_WARNING_RECORD>::SetStringA(char const*) + 9407
3   esets_daemon                  	0x000225f6 Blowfish::BF_De(Word*, Word*) + 58490
4   esets_daemon                  	0x00022953 Blowfish::BF_De(Word*, Word*) + 59351
5   esets_daemon                  	0x0002831f YesNo(int) + 9377
6   esets_daemon                  	0x00001a9e 0x1000 + 2718

Thread 1:
0   libSystem.B.dylib             	0x94fd4b9a msgrcv$UNIX2003 + 10
1   esets_daemon                  	0x00021143 Blowfish::BF_De(Word*, Word*) + 53191
2   libSystem.B.dylib             	0x94f3b85d _pthread_start + 345
3   libSystem.B.dylib             	0x94f3b6e2 thread_start + 34

Thread 2:
0   libSystem.B.dylib             	0x94f3c0a6 __semwait_signal + 10
1   libSystem.B.dylib             	0x94f3bd62 _pthread_cond_wait + 1191
2   libSystem.B.dylib             	0x94f3b8b5 pthread_cond_timedwait$UNIX2003 + 72
3   libesets.4.dylib              	0x000b7c6d nod_eventa_wait(_nod_event_array_t_*, unsigned long, int const*, int, int) + 195
4   libesets.4.dylib              	0x0009b547 esets_charon_sender_thread(void*) + 277
5   libSystem.B.dylib             	0x94f3b85d _pthread_start + 345
6   libSystem.B.dylib             	0x94f3b6e2 thread_start + 34

Thread 3:
0   libSystem.B.dylib             	0x94f3c0a6 __semwait_signal + 10
1   libSystem.B.dylib             	0x94f3bd62 _pthread_cond_wait + 1191
2   libSystem.B.dylib             	0x94f3d9f8 pthread_cond_wait$UNIX2003 + 73
3   esets_daemon                  	0x0005b497 CParamStructHelper<_DISKLOG_WARNING_RECORD>::SetStringA(char const*) + 4793
4   esets_daemon                  	0x00039c75 CBuffer::GetSize() const + 7365
5   libSystem.B.dylib             	0x94f3b85d _pthread_start + 345
6   libSystem.B.dylib             	0x94f3b6e2 thread_start + 34

Thread 4 Crashed:
0   ???                           	0x05c595fe 0 + 96835070
1   ???                           	0x05c5c7c4 0 + 96847812
2   libesets.4.dylib              	0x000a6fb4 PerseusScanObject(_PERSEUS_MODULE_DATA*, _s_packet*) + 44
3   libesets.4.dylib              	0x000a2168 esets_scan_internal + 2408
4   esets_daemon                  	0x0002dbd5 OnLeave<struct_list*, void, void, void, void, void, void>::~OnLeave() + 4063
5   esets_daemon                  	0x000304db OnLeave<struct_list*, void, void, void, void, void, void>::~OnLeave() + 14565
6   esets_daemon                  	0x000396b4 CBuffer::GetSize() const + 5892
7   esets_daemon                  	0x00039c39 CBuffer::GetSize() const + 7305
8   libSystem.B.dylib             	0x94f3b85d _pthread_start + 345
9   libSystem.B.dylib             	0x94f3b6e2 thread_start + 34

Thread 5:
0   ???                           	0x08a4d0d3 0 + 145019091
1   ???                           	0x08a4efa0 0 + 145026976

Thread 6:
0   ???                           	0x08e90090 0 + 149487760

Thread 7:
0   libSystem.B.dylib             	0x94f3c0a6 __semwait_signal + 10
1   libSystem.B.dylib             	0x94f67ee5 nanosleep$UNIX2003 + 188
2   libSystem.B.dylib             	0x94f9d49e sleep$UNIX2003 + 63
3   esets_daemon                  	0x00035913 cmp_media_info(void const*, void const*) + 14365
4   esets_daemon                  	0x00020624 Blowfish::BF_De(Word*, Word*) + 50344
5   libSystem.B.dylib             	0x94f3b85d _pthread_start + 345
6   libSystem.B.dylib             	0x94f3b6e2 thread_start + 34

Thread 8:
0   libSystem.B.dylib             	0x94f3c0a6 __semwait_signal + 10
1   libSystem.B.dylib             	0x94f3bd62 _pthread_cond_wait + 1191
2   libSystem.B.dylib             	0x94f3b8b5 pthread_cond_timedwait$UNIX2003 + 72
3   libesets.4.dylib              	0x000b7c6d nod_eventa_wait(_nod_event_array_t_*, unsigned long, int const*, int, int) + 195
4   esets_daemon                  	0x00005b29 CBuffer::GetData() const + 13657
5   esets_daemon                  	0x0000621f CBuffer::GetData() const + 15439
6   libSystem.B.dylib             	0x94f3b85d _pthread_start + 345
7   libSystem.B.dylib             	0x94f3b6e2 thread_start + 34

Thread 4 crashed with X86 Thread State (32-bit):
  eax: 0x00008000  ebx: 0x01a00610  ecx: 0x00000000  edx: 0xb0607fc8
  edi: 0x00000000  esi: 0x00010000  ebp: 0xb0608bbc  esp: 0xb0607e60
   ss: 0x0000001f  efl: 0x00010246  eip: 0x05c595fe   cs: 0x00000017
   ds: 0x0000001f   es: 0x0000001f   fs: 0x0000001f   gs: 0x00000037
  cr2: 0x00000020

Binary Images:
    0x1000 -    0x82fff +esets_daemon ??? (???) <34CAFD8D-D6DF-85C8-147C-4999BFAFE606> /Applications/ESET Cybersecurity.app/Contents/MacOS/esets_daemon
   0x99000 -   0x118fe8  libesets.4.dylib 4.0.62 (compatibility 0.0.0) <EE340AC7-4B32-3CCA-C3D5-4D82A697D501> /usr/lib/libesets.4.dylib
  0x16e000 -   0x190ff6  libesets_as.4.dylib 4.0.62 (compatibility 0.0.0) <09BB22F4-5021-A4C6-4986-79F7E147013F> /usr/lib/libesets_as.4.dylib
0x8fe00000 - 0x8fe4162b  dyld 132.1 (???) <28F0312C-0678-159E-34E2-9A4E3DEADB20> /usr/lib/dyld
0x921e7000 - 0x921eafe7  libmathCommon.A.dylib 315.0.0 (compatibility 1.0.0) <1622A54F-1A98-2CBE-B6A4-2122981A500E> /usr/lib/system/libmathCommon.A.dylib
0x93399000 - 0x933dfff7  libauto.dylib ??? (???) <29422A70-87CF-10E2-CE59-FEE1234CFAAE> /usr/lib/libauto.dylib
0x935bc000 - 0x93669fe7  libobjc.A.dylib 227.0.0 (compatibility 1.0.0) <DF8E4CFA-3719-3415-0BF1-E8C5E561C3B1> /usr/lib/libobjc.A.dylib
0x938b7000 - 0x939abff7  libiconv.2.dylib 7.0.0 (compatibility 7.0.0) <9EC28185-D26F-533F-90C4-FBAA13A15947> /usr/lib/libiconv.2.dylib
0x94bc1000 - 0x94bcffe7  libz.1.dylib 1.2.3 (compatibility 1.0.0) <3CE8AA79-F077-F1B0-A039-9103A4A02E92> /usr/lib/libz.1.dylib
0x94f0d000 - 0x950b4ff7  libSystem.B.dylib 125.2.1 (compatibility 1.0.0) <62291026-D016-705D-DC1E-FC2B09D47DE5> /usr/lib/libSystem.B.dylib
0x97192000 - 0x97314fe7  libicucore.A.dylib 40.0.0 (compatibility 1.0.0) <35DB7644-0780-D2AB-F6A9-45F28D2D434A> /usr/lib/libicucore.A.dylib
0x98665000 - 0x986cffe7  libstdc++.6.dylib 7.9.0 (compatibility 7.0.0) <411D87F4-B7E1-44EB-F201-F8B4F9227213> /usr/lib/libstdc++.6.dylib
0x98859000 - 0x989d4fe7  com.apple.CoreFoundation 6.6.4 (550.42) <C78D5079-663E-9734-7AFA-6CE79A0539F1> /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
0xffff0000 - 0xffff1fff  libSystem.B.dylib ??? (???) <62291026-D016-705D-DC1E-FC2B09D47DE5> /usr/lib/libSystem.B.dylib

I'm running OS X 10.6.5, with all the latest software updates applied. My NOD information on the OS X machine is as follows:

Code:

Update module                                     1031 (20091029)
Antivirus and antispyware scanner module          1293 (20101110)
Virus signature database                          5757 (20110103)
Archive support module                            1123 (20101108)
Advanced heuristics module                        1115 (20101116)
Cleaner module                                    1050 (20101207)

Mac OS X 10.6.5 (10H574) (32-bit)
Darwin  (10.5.0)
Intel(R) Core(TM) i5 CPU M 520 @ 2.40GHz (2400 MHz), 4096 MB RAM

 

People wanting to test a potential permanent fix please PM me.

 

I think this will not be necessary, a new update containing the fix should be available within 30-60 minutes to all users

 

Ok great .

 

This is good news indeed, Marcos. Thank you.

Will this fix be a part of the modules which self-update? Or will it require an uninstall/reinstall of NOD? Just curious.

 

It's a Virus DB update, 5759.

 

Is this update tested before released or is it public release with the possibility that systems return into the same errors again?

 

I've also had random daily hard lockups since 12/30/10 Def 5747 on Windows XP. I've been trying to figure out why (checking hardware, memory, etc.). I'm glad I tracked it down to Eset. Hopefully, this will be fixed today.

 

Version 5759 is out on the update servers.

 

Updated successfully!
Maybe it'll work out really well. So fingers crossed!

 

Could you please update to the latest version 5759 and confirm that it fixed the issues you've recently encountered ?

 

Updated to 5759
Running procdump (heap checking on)

I will let you know if EAV4 re-crashes in the next days

 

Thanks Marcos! I will let you know too.

 

enabled NOD32 on 1 server to see how that works. cross your fingers and toes.

 

Marcos,

Can you please provide us the signature version at which this issue started on and also let us know why and how this has happened yet again! It seems very sparodic by us but we are definately seeing some effect from it.

Thanks

 

Pushing the updates to all the servers so hopefully this will fix it...


We've also noticed on the Exchange servers that during the "lockups" all mail received during that time from external SMTP seems to have been lost...

Is this because of how NOD32 plugs into the transport engine? Is there any way to recover this lost mail?

That's a much bigger issue than the server crashing, honestly...

 

For me and others it started on 12/30/10 with Definition 5747.

 

In the last hour I had 3 crashes with 5759 right after Windows logon (a matter of seconds, while the EAV4 splash on screen was disappearing), so that I hadn't the opportunity to launch procdump
I restarted the PC and now the system is running.

I'll let you know

 

Mail should not get lost completely even if ekrn is an unstable state. In such case, EMSX returns an error to the Exchange server. The server subsequently stores such mail in its internal buffer until it's scanned via VSAPI (e.g. until ekrn is started).
If Outlook attempts to download mail during the unavailability of ekrn on the Exchange server, such mail is stored in the "Sync issues" folder which is logged in the Synchronization log as "The following message had an error and synchronization of it was skipped (0x80004005):".
If the transport agent is disabled and the option "Scan transported messages" enabled, in the event of communication problems of the ESET VSAPI module with ekrn MS Exchange defers the mail and saves it to the "Messages pending submission" queue ("C:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue"). The mail can be unfreezed within the System manager.

 

The transport agent was running (with lockup issues), so we found missing messages in Sync Issues \ Server Failures in outlook...

thanks!

 

Have the newer definitions resolved this issue at all, or is the problem still impacting anyone else? Seems like at least Wallaby is still having the same lockups.

I'm just trying to figure out if this is an issue on my end, or if the latest fix didn't actually work...

 

1/4/2011 12:04:29 PM Kernel Virus signature database successfully updated to version 5759 (20110104).

1/4/2011 5:04:46 PM Kernel Virus signature database successfully updated to version 5760 (20110104).

So far no lockups after these two updates. But Since 12/30, my 2 WinXP boxes hard locked once a day every ~24 hours. So I'll let you know tomorrow.

Update:
24 hours later and no more lockups - All Fixed with Virus signature updates 5759 and 5760.

 

Updating to 5760 should completely solve all issues. If you're still having issues with 5760 after reboot please contact support.

 

It seems the problems are solved also on my side.

Last night (when I posted) I had this problem:
1. since there was the news that we were on a good path to the resolution of the problem I decided to uninstall my old firewall (COMODO 5.0) and install the new version (COMODO 5.3).
EAV4 update version was 5760.
2. Just when exited from the Windows boot up screen, EAV4 splash screen lasted too much and in the end a crash message came out (I have startup scan disabled, anyway)
3. So I restarted the PC other two times, having the same results
4. The fourth time it went all good (... software mysteries... ), and I made my post here
5. At this point I launched "procdump -e -ma ekrn" having heap checking on (as suggested by Marcos and dmaasland, that I thank a lot for their interest)
6. Having all this set (new FW and this configuration) I decided to make a complete in-depth scan of my system (a lot of hard disks)
7. At this point something went wrong because, practically, the scan gave an interminable list with this error (I copied it in a txt file where I find 15532 lines of this message)

I pressed "Stop" (scanning) and at that point ekrn went to 25% CPU, the system slowed down, all became unresponsive, I tried to close the other programs but I didn't succeed.

All that I know is that after a lot of minutes ekrn closed (I had EAV "self defense" disabled)

I waited for almost 45 minutes to see if procdump could produce a dump, or another dump could come out, but nothing happened.
I decided then to close the DOS window where procdump was running, and at that point the PC resurrected everything went back to normal (even if ekrn was dead), so I restarted the PC, set heap checking off, enabled self defense, deleted procdump, and the PC worked fine all night long

Now it is working OK.

I don't know at what was due the Outlook Express error, but I have just relaunched an in-depth scanning and no error came out.

Maybe it was due to heap checking, maybe it was due to procdump running... another software mistery

Now I have this

and everything is going well (let's hope we don't talk too early)

Thank guys for solving the problem