Blue Screen of Death:( Is this a possible link to amon.sys? See windbg log.

Discussion in 'NOD32 version 2 Forum' started by zoril, Apr 16, 2006.

Thread Status:
Not open for further replies.
  1. zoril

    zoril Registered Member

    Joined:
    May 31, 2005
    Posts:
    243
    Hi there:)

    I have had the occasional "blue screen of death recently". I am not certain what the exact cause is. The log below has a few references to amon.sys. My knowledge of computers is very limited.

    This computer is a new Dell Dimension 9150 PentiumD Windows XP Professional with 1 gig ram (purchased in the last month). Currently I only have the one minidump.

    Can anyone have a look at this log and see if it makes sense? If so is there anything that you can suggest to resolve the blue screen problem? I already have run a detailed extended test of the hardware using Dell diagnostics, memtest86 and Mtinst. All showed clear. Any help is much appreciated.

    .....Howard

    The Minidump analysis shows the following:-

    Microsoft (R) Windows Debugger Version 6.6.0003.5
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [C:\WINDOWS\Minidump\Mini041406-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is:
    Windows XP Kernel Version 2600 (Service Pack 2) MP (2 procs) Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 2600.xpsp_sp2_gdr.050301-1519
    Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055c700
    Debug session time: Fri Apr 14 15:56:46.093 2006 (GMT+1)
    System Uptime: 0 days 0:34:22.826
    Loading Kernel Symbols
    ....................................................................................................................................
    Loading User Symbols
    Loading unloaded module list
    ..............
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 19, {20, 85704620, 85704948, 1a650068}

    *** WARNING: Unable to verify timestamp for amon.sys
    *** ERROR: Module load completed but symbols could not be loaded for amon.sys
    Unable to load image vsdatant.sys, Win32 error 2
    *** WARNING: Unable to verify timestamp for vsdatant.sys
    *** ERROR: Module load completed but symbols could not be loaded for vsdatant.sys
    *** WARNING: Unable to verify timestamp for procguard.sys
    *** ERROR: Module load completed but symbols could not be loaded for procguard.sys
    Probably caused by : amon.sys ( amon+2405 )

    Followup: MachineOwner
    ---------

    1: kd> !analyze -v
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    BAD_POOL_HEADER (19)
    The pool is already corrupt at the time of the current request.
    This may or may not be due to the caller.
    The internal pool links must be walked to figure out a possible cause of
    the problem, and then special pool applied to the suspect tags or the driver
    verifier to a suspect driver.
    Arguments:
    Arg1: 00000020, a pool block header size is corrupt.
    Arg2: 85704620, The pool entry we were looking for within the page.
    Arg3: 85704948, The next pool entry.
    Arg4: 1a650068, (reserved)

    Debugging Details:
    ------------------


    BUGCHECK_STR: 0x19_20

    POOL_ADDRESS: 85704620

    CUSTOMER_CRASH_COUNT: 1

    DEFAULT_BUCKET_ID: DRIVER_FAULT

    LAST_CONTROL_TRANSFER: from 8054a583 to 804f9c37

    IRP_ADDRESS: 85dff008

    STACK_TEXT:
    b89df6c4 8054a583 00000019 00000020 85704620 nt!KeBugCheckEx+0x1b
    b89df714 804f4940 85704628 00000000 806e4410 nt!ExFreePoolWithTag+0x2a3
    b89df76c 80579d43 85dff048 b89df7ac b89df7b8 nt!IopCompleteRequest+0xf4
    b89df808 8054060c 0000034c b89df8b0 b89df8b8 nt!NtQueryInformationFile+0x561
    b89df808 804ffc7d 0000034c b89df8b0 b89df8b8 nt!KiFastCallEntry+0xfc
    b89df894 b8f33405 0000034c b89df8b0 b89df8b8 nt!ZwQueryInformationFile+0x11
    WARNING: Stack unwind information not available. Following frames may be wrong.
    b89df8c0 b8f335bf 0000034c 85c44490 85c44490 amon+0x2405
    b89df914 b8f3670e 00000028 85c44490 85679c60 amon+0x25bf
    b89df928 b8f34eb0 85c44490 00000000 80581b00 amon+0x570e
    b89df970 804eeeb1 85679ba8 8509d008 8509d008 amon+0x3eb0
    b89df980 80581eba 8677bbe0 85bbf6f4 b89dfb18 nt!IopfCallDriver+0x31
    b89dfa60 805bdd08 8677bbf8 00000000 85bbf650 nt!IopParseDevice+0xa58
    b89dfad8 805ba390 00000000 b89dfb18 00000040 nt!ObpLookupObjectName+0x53c
    b89dfb2c 80574e37 00000000 00000000 0a094001 nt!ObOpenObjectByName+0xea
    b89dfba8 805757ae 00f3ef44 80100080 00f3eee4 nt!IopCreateFile+0x407
    b89dfc04 80577e78 00f3ef44 80100080 00f3eee4 nt!IoCreateFile+0x8e
    b89dfc44 edaa7c88 00f3ef44 80100080 00f3eee4 nt!NtCreateFile+0x30
    b89dfcd0 f78e5760 00f3ef44 80100080 00f3eee4 vsdatant+0x18c88
    b89dfd30 8054060c 00f3ef44 80100080 00f3eee4 procguard+0x3760
    b89dfd30 7c90eb94 00f3ef44 80100080 00f3eee4 nt!KiFastCallEntry+0xfc
    00f3ef3c 00000000 00000000 00000000 00000000 0x7c90eb94


    STACK_COMMAND: kb

    FOLLOWUP_IP:
    amon+2405
    b8f33405 ?? ???

    FAULTING_SOURCE_CODE:


    SYMBOL_STACK_INDEX: 6

    FOLLOWUP_NAME: MachineOwner

    SYMBOL_NAME: amon+2405

    MODULE_NAME: amon

    IMAGE_NAME: amon.sys

    DEBUG_FLR_IMAGE_TIMESTAMP: 43c51d41

    FAILURE_BUCKET_ID: 0x19_20_amon+2405

    BUCKET_ID: 0x19_20_amon+2405

    Followup: MachineOwner
     
  2. DavidCo

    DavidCo Registered Member

    Joined:
    Jul 9, 2005
    Posts:
    503
    Location:
    UK
    Do you have ZoneAlarm?
     
  3. zoril

    zoril Registered Member

    Joined:
    May 31, 2005
    Posts:
    243
  4. DavidCo

    DavidCo Registered Member

    Joined:
    Jul 9, 2005
    Posts:
    503
    Location:
    UK
    It looks like 3? security apps in the thick of it.
    ZoneAlarm, Nod and Processguard?

    Have you tried uninstalling, say, ZA cleaning up and rebooting.
     
  5. zoril

    zoril Registered Member

    Joined:
    May 31, 2005
    Posts:
    243
    I tried several things and can reproduce a "blue screen of death" at startup at the same point every time:-

    1.) I used verifier.exe to check out my unsigned drivers - No problem there.

    2.) I used create custom settings included all tests (except low resources simulation) selected all the individual settings then rebooted - No problem! I tried including add currently not loaded drivers and added them all - No problem. I also included the older drivers option.

    3.) I tested the three files amon.sys, vsdatant.sys and procguard.sys with nothing else checked (used all tests except lrs) - Nothing showed.

    I can reproduce the blue screen every time by opting for select all drivers on this machine then rebooting. The blue screen always occurs shortly after NOD32 loads on the desktop but before Zone Alarm Firewall has loaded.

    The exact message now, which I can reproduce every time at the same point by using the verifier option select all drivers, is:-

    STOP: 0x000000C4 0X0000003C 0X00000000 0X00000000 0X00000000

    This message now does not vary. There is no reference to this in either the minidump or in the events application or system log! For some reason the "blue screen of death" is not logged in either or in the minidump? I do have the correct configuration in the startup/recovery settings.

    4.) - I uninstalled Zone Alarm and Process Guard but still get the above message. As yet I have not uninstalled NOD32.

    I should maybe add that if I use the option select all drivers then reboot in safe mode, there is no blue screen.


    Howard
     
    Last edited: Apr 17, 2006
  6. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Can you please try repairing Winsock as described HERE and then repair IMON as described in post number 40 HERE

    Let us know how you go...

    Cheers :D
     
  7. zoril

    zoril Registered Member

    Joined:
    May 31, 2005
    Posts:
    243
    I will try that now and post the results:)

    Many thanks for the advice.

    I should maybe have said that my internet connection is wireless.

    Howard
     
  8. zoril

    zoril Registered Member

    Joined:
    May 31, 2005
    Posts:
    243
    I tried that re deleting the winsock files and rebooted right away. Only Winsock32 was restored after the reboot. The Winsock key was not there. I used system restore to get back to normal to an earlier configuration.
     
  9. DavidCo

    DavidCo Registered Member

    Joined:
    Jul 9, 2005
    Posts:
    503
    Location:
    UK
    Last edited: Apr 17, 2006
  10. zoril

    zoril Registered Member

    Joined:
    May 31, 2005
    Posts:
    243
    Many thanks for the item links David. The first Microsoft item I had read earlier. The second one is very interesting. I did have a look at my display adaptor but as I just reinstalled completely 1 day ago I don't think that is the issue. The fact that I can boot in safe mode with no problems, but not normally when verifying all drivers is enabled - as that article suggests it must be something that does not load in safe mode.

    I wish that there was some way that I could work out exactly what device is causing the problem by a process of elimination. I might try uninstalling NOD32 to see if it makes a difference. I never did have Norton's installed on this machine................Howard

    Follow up:- I uninstalled Nod32, Zone Alarm, Process Guard, and rolled back the Radeon Graphic driver, but still have the problem STOP: 0x000000C4 0X0000003C 0X00000000 0X00000000 0X00000000 at that point. I reinstalled all the above products.

    Hi Blackspear - The image I restored had a clean original Winsock and Winsock 2 configuration. I read the page re repairing IMON. The illustrations are excellent, but I am a little unsure which settings to change and which to leave?
     
    Last edited: Apr 17, 2006
  11. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    You don't change anything, just click on the repair button with IMON, it will then ask to reboot.

    Cheers :D
     
  12. zoril

    zoril Registered Member

    Joined:
    May 31, 2005
    Posts:
    243
    Hi Blackspear:)

    Many thanks for the reply.


    I just repaired IMON from setup/miscellaneous then rebooted and tried out verifier again. Sadly I still get the same blue screen error, but only with verifier when the all drivers option is selected....

    Howard:thumb:
     
  13. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Can you please try excluding "verifier" in AMON.

    Cheers :D
     
  14. zoril

    zoril Registered Member

    Joined:
    May 31, 2005
    Posts:
    243
    Hi Blackspear:),

    I have just chosen "select driver names from a list" using verifier - I excluded amon.sys as you suggested - All other drivers were ticked. Windows loaded with no "blue screen of death". I thought that might be the case, as the driver list hasn't produced a blue screen error message to date...

    The thing is when I use the other verifier option - "automatically select all drivers on this computer", there seems to be no way to stop amon.sys from loading along with the rest, as there is only the finish button after doing so. I wonder if there is some way to either disable, or prevent amon.sys from loading along with the rest using that option?

    Every time I select "automatically select all drivers on this computer", I get the "blue screen of death" when I get to the desktop after startup (except in safe mode). This never happens with either "automatically select drivers built for older versions of Windows", or "automatically select unsigned drivers", or "select driver names from a list".

    .....Howard
     
    Last edited: Apr 17, 2006
  15. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I would suggest that there is a bug with how Verifier deals with AMON, being that it is resident protection and has self-termination protection built in. From memory of what Marcos has written AMON can not be killed, this is not a design fault it is for self preservation, or Viruses and Malware would be able to do the same.

    My suggestion in this case is to contact the manufacturer of Verifier for either a work around or updated version.

    Cheers :D
     
  16. zoril

    zoril Registered Member

    Joined:
    May 31, 2005
    Posts:
    243
    Verifier.exe - maybe Microsoft as it is part of Windows XP Professional?
     
  17. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Well I learn something every day, this is a tool I have never used, and I can guarantee that 100% of my customers have never used it either. Being this is the operating system I think Eset ought to have a look at this, though as to priority, I can't see it being right up there.

    Cheers :D
     
  18. zoril

    zoril Registered Member

    Joined:
    May 31, 2005
    Posts:
    243
    There is some risk involved using verifier:-

    Start/Run/Verifier - Gives you various options and a series of tests for individual, unsigned, or all drivers on a computer. It is probably best used by someone with a decent level of computer knowledge. I definitely don't put myself in that category lol!

    Anyone using it may find that a blue screen can occur at startup so that there is an element of risk. Often it is necessary to use safe mode to get to the desktop and even that is not guaranteed to work, so problems can occur using it - beware!!!!

    It is also important to remember to click start/run/verifier, then delete existing settings, when back at the desktop to get back to normal settings, as the tests when running can dramatically slow down the computer, and do remain in place until removed. I didn't realise this initially:(

    I am definitely no expert. I would most strongly advise anyone to read the Microsoft article before using verifier. I am not sure, but I believe that one test - "low resource simulation" can cause a problem with desktop icons on occasions.

    Definitely read the Microsoft article first before using verifier!
    athttp://support.microsoft.com/?kbid=244617

    I would also recommend looking at EdBott's article which offers a much simpler explanation of verifier along with warnings of potential problems. I found it to be very helpful and well written:-
    athttp://www.edbott.com/weblog/archives/000576.html

    I included "at" before http to avoid setting up a direct link, which some sites may object to.


    Howard
     
    Last edited: Apr 18, 2006