amon.sys crashing win 2003 server

Discussion in 'NOD32 version 2 Forum' started by Vandy, Oct 14, 2009.

Thread Status:
Not open for further replies.
  1. Vandy

    Vandy Registered Member

    Joined:
    Oct 14, 2009
    Posts:
    4
    Hi all,

    Have an ongoing issue for the past couple months. Randomly happens when we are doing backups. BSOD and the computer reboots. Initially thought it was the SCSI tape hardware, went to external USB backups using xcopy in a batch file. Went to new hardware, still happens.

    I decided to look at the MEMORY.DMP using the MS debugging tools and it indicates that the issue is in amon.sys.

    Here are some of the details. Any help is much appreciated. TIA.

    Code:
    1: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    PAGE_FAULT_IN_NONPAGED_AREA (50)
    Invalid system memory was referenced.  This cannot be protected by try-except,
    it must be protected by a Probe.  Typically the address is just plain bad or it
    is pointing at freed memory.
    Arguments:
    Arg1: 9242f800, memory referenced.
    Arg2: 00000008, value 0 = read operation, 1 = write operation.
    Arg3: 9242f800, If non-zero, the instruction address which referenced the bad memory
    	address.
    Arg4: 00000000, (reserved)
    
    Debugging Details:
    ------------------
    
    PEB is paged out (Peb.Ldr = 7ffdf00c).  Type ".hh dbgerr001" for details
    PEB is paged out (Peb.Ldr = 7ffdf00c).  Type ".hh dbgerr001" for details
    
    WRITE_ADDRESS:  9242f800 
    
    FAULTING_IP: 
    +26b952f014edfe0
    9242f800 ??              ???
    
    MM_INTERNAL_CODE:  0
    
    DEFAULT_BUCKET_ID:  DRIVER_FAULT
    
    BUGCHECK_STR:  0x50
    
    PROCESS_NAME:  xcopy.exe
    
    CURRENT_IRQL:  1
    
    TRAP_FRAME:  f52828e0 -- (.trap 0xfffffffff52828e0)
    ErrCode = 00000010
    eax=8877cb78 ebx=00000000 ecx=00000000 edx=9242f800 esi=8877cbb0 edi=8892433b
    eip=9242f800 esp=f5282954 ebp=8c4251e0 iopl=0         nv up ei ng nz na pe nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010286
    9242f800 ??              ???
    Resetting default scope
    
    LAST_CONTROL_TRANSFER:  from 8085ed19 to 80827c83
    
    STACK_TEXT:  
    f5282850 8085ed19 00000050 9242f800 00000008 nt!KeBugCheckEx+0x1b
    f52828c8 8088c7c8 00000008 9242f800 00000000 nt!MmAccessFault+0xb25
    f52828c8 9242f800 00000008 9242f800 00000000 nt!KiTrap0E+0xdc
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    f5282950 8872959e 8a9b6c00 0000000a f5b21fe7 0x9242f800
    f528295c f5b21fe7 00000000 f5b64a80 8a9b6c00 0x8872959e
    f5282990 8082f501 00000008 004d0054 00000050 amon+0x5fe7
    f5282a48 8081df85 8cd0b300 8c3c31b0 8c3c31b0 nt!ZwReadFile+0x11
    f5282ab4 f71b4f06 8b4ae4a8 f71b635f 00000080 nt!IofCallDriver+0x45
    f5282abc f71b635f 00000080 f5282a01 8c3c3364 Ntfs!ExFreeToNPagedLookasideList+0x29
    f5282afc 80937942 8c830601 00000000 00120089 Ntfs!NtfsCleanupIrpContext+0xd0
    f5282bc4 80933a76 00000000 f5282c04 00000040 nt!ObpLookupObjectName+0x5b0
    f5282c18 808eae25 00000000 00000000 00000001 nt!ObOpenObjectByName+0xea
    f5282c94 808ec0bf 0007e1ac 80100080 0007e148 nt!IopCreateFile+0x447
    f5282cf0 808eeb4e 0007e1ac 80100080 0007e148 nt!IoCreateFile+0xa3
    f5282d30 808897bc 0007e1ac 80100080 0007e148 nt!NtCreateFile+0x30
    f5282d30 7c82860c 0007e1ac 80100080 0007e148 nt!KiFastCallEntry+0xfc
    0007e1a4 00000000 00000000 00000000 00000000 0x7c82860c
    
    
    STACK_COMMAND:  kb
    
    FOLLOWUP_IP: 
    amon+5fe7
    f5b21fe7 59              pop     ecx
    
    SYMBOL_STACK_INDEX:  5
    
    SYMBOL_NAME:  amon+5fe7
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: amon
    
    IMAGE_NAME:  amon.sys
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  45cc413d
    
    FAILURE_BUCKET_ID:  0x50_amon+5fe7
    
    BUCKET_ID:  0x50_amon+5fe7
    
    Followup: MachineOwner
    ---------
     
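The triage done by eye in the post above (find the first non-OS driver on the stack of an `!analyze -v` dump) can be scripted. The following is an added example, not part of the original post and not ESET or Microsoft code; `triage`, `OS_MODULES` and the trimmed sample are assumptions made for illustration.

```python
import re

# Constructed sample: lines trimmed from the !analyze -v output in the post above.
SAMPLE = """\
PAGE_FAULT_IN_NONPAGED_AREA (50)
Arg1: 9242f800, memory referenced.
Arg3: 9242f800, If non-zero, the instruction address which referenced the bad memory
STACK_TEXT:
f5282850 8085ed19 00000050 9242f800 00000008 nt!KeBugCheckEx+0x1b
f52828c8 9242f800 00000008 9242f800 00000000 nt!KiTrap0E+0xdc
WARNING: Frame IP not in any known module. Following frames may be wrong.
f5282950 8872959e 8a9b6c00 0000000a f5b21fe7 0x9242f800
f528295c f5b21fe7 00000000 f5b64a80 8a9b6c00 0x8872959e
f5282990 8082f501 00000008 004d0054 00000050 amon+0x5fe7
f5282a48 8081df85 8cd0b300 8c3c31b0 8c3c31b0 nt!ZwReadFile+0x11
"""

# Assumption: modules treated as part of the OS for triage; extend per system.
OS_MODULES = {"nt", "hal", "ntfs"}
FRAME = re.compile(r"^\s*[0-9a-f]{8} [0-9a-f]{8} (?:[0-9a-f]{8} ){3}(\S+)\s*$", re.I)

def triage(text):
    """Summarise an x86 dump. If 'unreliable_after' is set, the debugger could
    not unwind past that frame, so 'suspect' is a lead, not a verdict."""
    code = re.search(r"^\s*\w+ \(([0-9a-f]+)\)\s*$", text, re.M | re.I)
    args = dict(re.findall(r"^\s*Arg(\d): ([0-9a-f]{8})", text, re.M | re.I))
    out = {
        "bugcheck": code.group(1) if code else None,
        "fault_address": args.get("1"),
        # Arg1 == Arg3: the instruction fetch itself hit the invalid address.
        "executed_bad_address": "1" in args and args["1"] == args.get("3"),
        "frames": 0, "unresolved": 0, "unreliable_after": None, "suspect": None,
    }
    in_stack = False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("STACK_TEXT:"):
            in_stack = True
        elif not in_stack or not s:
            continue
        elif s.startswith("WARNING: Frame IP not in any known module"):
            out["unreliable_after"] = out["frames"]
        elif (m := FRAME.match(line)):
            out["frames"] += 1
            sym = m.group(1)
            module = None if sym.lower().startswith("0x") else re.split(r"[!+]", sym)[0]
            out["unresolved"] += module is None
            if module and out["suspect"] is None and module.lower() not in OS_MODULES:
                out["suspect"] = module
        else:
            break  # next section header ends the stack listing
    return out
```
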
  2. Vandy

    Vandy Registered Member

    Joined:
    Oct 14, 2009
    Posts:
    4
    Additional info:

    NOD32 version 2.7.32
     
  3. Vandy

    Vandy Registered Member

    Joined:
    Oct 14, 2009
    Posts:
    4
    Sorry, wrong forum. Can a mod move to v2 forum?

    thanks
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Since v2 is no longer being developed, I'd suggest upgrading to v. 4.0.467 or at least the latest v3 (3.0.694).
     
  5. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    What if this server also has Exchange Server on it?
    Since XMON still requires 2.7, the replacement version for 3 and now 4 has been vaporware for years now....

    Not to mention v3 and especially v4 have an incredibly high rate of locking up servers or bringing them to a crawl. An awful lot of us in IT who manage lots of servers are stuck having to use 2.7 or go to something else, because 3 or 4 just tanked our servers.

    Vandy, what else is running on this server? Databases? Exchange?
    What exclusions are you running?
     
  6. Vandy

    Vandy Registered Member

    Joined:
    Oct 14, 2009
    Posts:
    4
    This server is not running much. Domain controller, DNS, DHCP, and our Subversion for source control, and NOD32 mirror. That's it.

    I've since demoted it and it isn't doing DNS or DHCP anymore.

    No defined exclusions.
     