BSOD from eamon.sys

Discussion in 'ESET NOD32 Antivirus' started by w33mhz, Jun 16, 2010.

Thread Status:
Not open for further replies.
  1. w33mhz

    w33mhz Registered Member

    Joined:
    Jun 16, 2010
    Posts:
    7
    I have a terminal server running Windows 2008 ENT (not RC2) that I seem to be having issues with. I seem to get a BSOD every once in a while on that machine, and the dmp file shows it was from eamon.sys
    PAGE_FAULT_IN_NONPAGED_AREA (50)
    Invalid system memory was referenced. This cannot be protected by try-except,
    it must be protected by a Probe. Typically the address is just plain bad or it
    is pointing at freed memory.
    Arguments:
    Arg1: d5d5b000, memory referenced.
    Arg2: 00000000, value 0 = read operation, 1 = write operation.
    Arg3: 81e2d113, If non-zero, the instruction address which referenced the bad memory
    address.
    Arg4: 00000000, (reserved)

    Debugging Details:
    ------------------

    Page 42d0c2 not present in the dump file. Type ".hh dbgerr004" for details
    Page 42ecde not present in the dump file. Type ".hh dbgerr004" for details
    PEB is paged out (Peb.Ldr = 7ffd900c). Type ".hh dbgerr001" for details
    PEB is paged out (Peb.Ldr = 7ffd900c). Type ".hh dbgerr001" for details

    READ_ADDRESS: d5d5b000 Nonpaged pool

    FAULTING_IP:
    nt!wcschr+15
    81e2d113 0fb708 movzx ecx,word ptr [eax]

    MM_INTERNAL_CODE: 0

    DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

    BUGCHECK_STR: 0x50

    PROCESS_NAME: AcroRd32.exe

    CURRENT_IRQL: 0

    TRAP_FRAME: af50c864 -- (.trap 0xffffffffaf50c864)
    ErrCode = 00000000
    eax=d5d5b000 ebx=0000006e ecx=0000000a edx=00000000 esi=d5d5ad78 edi=8c1128f8
    eip=81e2d113 esp=af50c8d8 ebp=af50c8d8 iopl=0 nv up ei ng nz ac pe nc
    cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010296
    nt!wcschr+0x15:
    81e2d113 0fb708 movzx ecx,word ptr [eax] ds:0023:d5d5b000=????
    Resetting default scope

    LAST_CONTROL_TRANSFER: from 81e63dd4 to 81eae38d

    STACK_TEXT:
    af50c84c 81e63dd4 00000000 d5d5b000 00000000 nt!MmAccessFault+0x10a
    af50c84c 81e2d113 00000000 d5d5b000 00000000 nt!KiTrap0E+0xdc
    af50c8d8 9833bb1e d5d5ada8 00000000 3765f920 nt!wcschr+0x15
    WARNING: Stack unwind information not available. Following frames may be wrong.
    af50c934 9833e2a0 d5d5ad78 8c1128e8 00000001 eamon+0x2b1e
    af50c978 81e5a9c6 8c112830 97faa600 9115fce4 eamon+0x52a0
    af50c990 82055195 7994deb4 9677c188 af50cbf4 nt!IofCallDriver+0x63
    af50ca60 82057e07 8c112830 00000000 acc035f0 nt!IopParseDevice+0xf61
    af50ca98 8204315a 9677c188 00000000 acc035f0 nt!IopParseFile+0x46
    af50cb28 82050b62 00000008 af50cb80 00000040 nt!ObpLookupObjectName+0x11e
    af50cb88 82035ed2 0012eab0 00000000 00000001 nt!ObOpenObjectByName+0x13c
    af50cd34 81e60c7a 0012eab0 0012ea88 0012eae0 nt!NtQueryAttributesFile+0x125
    af50cd34 77005e74 0012eab0 0012ea88 0012eae0 nt!KiFastCallEntry+0x12a
    0012eae0 00000000 00000000 00000000 00000000 0x77005e74


    STACK_COMMAND: kb

    FOLLOWUP_IP:
    eamon+2b1e
    9833bb1e 59 pop ecx

    SYMBOL_STACK_INDEX: 3

    SYMBOL_NAME: eamon+2b1e

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: eamon

    IMAGE_NAME: eamon.sys

    DEBUG_FLR_IMAGE_TIMESTAMP: 498c37ad

    FAILURE_BUCKET_ID: 0x50_eamon+2b1e

    BUCKET_ID: 0x50_eamon+2b1e

    Followup: MachineOwner
    ---------

    I have also noticed that the erkn.exe process has a high number of page faults as well. The hardware is a Dell PE 1950 III with 16GB of RAM, 2 Intel Xeon E5410 @ 2.33GHz. I have other terminal servers with similar and dissimilar hardware on which it seems to happen as well, but I don't always get a dump file for some reason, so I can't quite point the finger at ESET, but the issues seem similar. Anyone know of a fix?
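
A triage sketch for the analysis output in the post above, added here as an example and not part of the thread: it pulls the bugcheck arguments and stack frames out of the text, names the first non-kernel frame, and checks whether the faulting read landed on the first byte of the page after the one where the wcschr scan started. The function name `triage` and the embedded excerpt are constructed for illustration; it assumes the x86 `kb` column layout shown in the post.

```python
import re

# Excerpt of the !analyze -v output from the post above. Assumed x86 "kb"
# layout: ChildEBP, RetAddr, three stack arguments, symbol.
DUMP = """\
PAGE_FAULT_IN_NONPAGED_AREA (50)
Arg1: d5d5b000, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
FAULTING_IP:
nt!wcschr+15
STACK_TEXT:
af50c84c 81e63dd4 00000000 d5d5b000 00000000 nt!MmAccessFault+0x10a
af50c84c 81e2d113 00000000 d5d5b000 00000000 nt!KiTrap0E+0xdc
af50c8d8 9833bb1e d5d5ada8 00000000 3765f920 nt!wcschr+0x15
af50c934 9833e2a0 d5d5ad78 8c1128e8 00000001 eamon+0x2b1e
af50c978 81e5a9c6 8c112830 97faa600 9115fce4 eamon+0x52a0
"""

PAGE_SIZE = 0x1000
FRAME_RE = re.compile(r"^\s*((?:[0-9a-f]{8} ){5})(\S+)\s*$", re.M)


def triage(text):
    """Summarise a 0x50 bugcheck: what was read, by whom, and from where."""
    name, code = re.search(r"^\s*(\w+) \(([0-9a-f]+)\)\s*$", text, re.M).groups()
    addr = int(re.search(r"Arg1: ([0-9a-f]+)", text).group(1), 16)
    write = int(re.search(r"Arg2: ([0-9a-f]+)", text).group(1), 16) == 1
    faulting = re.search(r"FAULTING_IP:\s*\n\s*([^\s+]+)\+", text).group(1)

    frames = []
    for words, symbol in FRAME_RE.findall(text):
        cols = [int(w, 16) for w in words.split()]
        frames.append({"args": cols[2:], "symbol": symbol,
                       "module": re.split(r"[!+]", symbol)[0]})

    # First frame outside the kernel image is the driver the debugger blames.
    blamed = next(f["symbol"] for f in frames if f["module"] != "nt")
    # First stack argument of the faulting routine; for wcschr (cdecl) that
    # is the string pointer, so addr - start is how far the scan had walked.
    start = next(f["args"][0] for f in frames
                 if f["symbol"].startswith(faulting + "+"))
    return {
        "bugcheck": (name, int(code, 16)),
        "address": addr, "write": write, "blamed_frame": blamed,
        "scan_start": start, "bytes_scanned": addr - start,
        # Fault on the first byte of a page, scan began in the page before it.
        "ran_into_next_page": addr % PAGE_SIZE == 0
                              and addr // PAGE_SIZE == start // PAGE_SIZE + 1,
    }
```

For this dump the result shows a read 600 bytes past the pointer passed to wcschr, on the first byte of the following page.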
     
  2. w33mhz

    w33mhz Registered Member

    Joined:
    Jun 16, 2010
    Posts:
    7
    BTW forgot to mention
    ESET Version 4.0.314.0
    Virus signature database: 5202 (20100616)
    Update module: 1031 (20091029)
    Antivirus and antispyware scanner module: 1278 (20100608)
    Advanced heuristics module: 1109 (20100519)
    Archive support module: 1115 (20100513)
    Cleaner module: 1048 (20091123)
    Anti-Stealth support module: 1017 (20100204)
    SysInspector module: 1216 (20100517)
    Self-defense support module : 1016 (20100404)

    Windows Server 2008 Ent (32-bit)
    Version 6.0.6002 SP2
     
  3. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    There were quite a few bugfixes between 4.0.314 and the current build. I would recommend you update to the latest build as a starting step.
     
  4. w33mhz

    w33mhz Registered Member

    Joined:
    Jun 16, 2010
    Posts:
    7
    OK, yeah, I just saw that post for 4.2.4. I will try that out on a few servers and see how that helps.
     
  5. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    That or 4.0.474. 4.2 is a fairly young version and you may want to hold off on that one on servers for a bit.
     