BSOD in eamon.sys with Windows 7

I am currenlty evaluating NOD32 as a replacment to my McAfee & Spyware Doctor.

Initial impression (good) becuase it does not hog my resources, but after a day of running the software I have noticed a total of 4 BSOD's now. The origional 3 were while I was running J River media Center 14, and now the last one was for eamon.sys. Below is the memory dmp interperation. "Process Name: jrworker" is J River mediacenter component. When it happens it usually is the result of adding something to the mediacenter's library, but this time it happened when I was playing a song, but it could have very well been looking for changes in the library

I am using 4.0.468 of nod32 for 64bit software. I've tried to download the "newer" version that of 474 but it indicates I have a newer version.


Microsoft (R) Windows Debugger Version 6.11.0001.404 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: SRV*c:\windows\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7600 MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7600.16385.amd64fre.win7_rtm.090713-1255
Machine Name:
Kernel base = 0xfffff800`02a12000 PsLoadedModuleList = 0xfffff800`02c4fe50
Debug session time: Fri Nov 27 19:56:19.220 2009 (GMT-5)
System Uptime: 0 days 23:50:41.436
Loading Kernel Symbols
...............................................................
................................................................
.............................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 00000000`7efdf01. Type ".hh dbgerr001" for details
Loading unloaded module list
....
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {6169646d9937, 2, 0, fffff880034de45f}

*** ERROR: Module load completed but symbols could not be loaded for eamon.sys
PEB is paged out (Peb.Ldr = 00000000`7efdf01. Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 00000000`7efdf01. Type ".hh dbgerr001" for details
Probably caused by : eamon.sys ( eamon+645f )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00006169646d9937, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff880034de45f, address which referenced memory

Debugging Details:
------------------

PEB is paged out (Peb.Ldr = 00000000`7efdf01. Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 00000000`7efdf01. Type ".hh dbgerr001" for details

READ_ADDRESS: 00006169646d9937

CURRENT_IRQL: 2

FAULTING_IP:
eamon+645f
fffff880`034de45f 4c396510 cmp qword ptr [rbp+10h],r12

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0xD1

PROCESS_NAME: JRWorker.exe

TRAP_FRAME: fffff880028e8820 -- (.trap 0xfffff880028e8820)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=fffffa80067a60f8
rdx=fffffa800c684100 rsi=0000000000000000 rdi=0000000000000000
rip=fffff880034de45f rsp=fffff880028e89b0 rbp=00006169646d9927
r8=fffffa8004a2aa30 r9=0000000000000000 r10=fffff80002c11888
r11=fffffa8005679270 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
eamon+0x645f:
fffff880`034de45f 4c396510 cmp qword ptr [rbp+10h],r12 ss:0018:00006169`646d9937=?
Resetting default scope

LAST_CONTROL_TRANSFER: from fffff80002a83469 to fffff80002a83f00

STACK_TEXT:
fffff880`028e86d8 fffff800`02a83469 : 00000000`0000000a 00006169`646d9937 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffff880`028e86e0 fffff800`02a820e0 : 00000000`00000000 fffffa80`0c684100 00000000`00000000 fffff880`028e8838 : nt!KiBugCheckDispatch+0x69
fffff880`028e8820 fffff880`034de45f : fffffa80`0c6841f0 00000000`000007ff 00000000`00000000 fffffa80`0c684100 : nt!KiPageFault+0x260
fffff880`028e89b0 fffff800`02d9768f : fffffa80`0c6841f0 fffffa80`0592b8f0 00000000`00000000 fffffa80`11ccddd0 : eamon+0x645f
fffff880`028e8a30 fffff800`02d7d304 : 00000000`00000000 fffffa80`0592b8f0 00000000`0008e318 00000000`00000000 : nt!IopCloseFile+0x11f
fffff880`028e8ac0 fffff800`02d97181 : fffffa80`0592b8f0 fffffa80`00000001 fffff8a0`0e8f4450 00000000`00000000 : nt!ObpDecrementHandleCount+0xb4
fffff880`028e8b40 fffff800`02d97094 : 00000000`000005b0 fffffa80`0592b8f0 fffff8a0`0e8f4450 00000000`000005b0 : nt!ObpCloseHandleTableEntry+0xb1
fffff880`028e8bd0 fffff800`02a83153 : fffffa80`05679270 fffff880`028e8ca0 00000000`7efdb000 00000000`7efdb000 : nt!ObpCloseHandle+0x94
fffff880`028e8c20 00000000`7743ffaa : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0008e308 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x7743ffaa


STACK_COMMAND: kb

FOLLOWUP_IP:
eamon+645f
fffff880`034de45f 4c396510 cmp qword ptr [rbp+10h],r12

SYMBOL_STACK_INDEX: 3

SYMBOL_NAME: eamon+645f

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: eamon

IMAGE_NAME: eamon.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4ac1e6c3

FAILURE_BUCKET_ID: X64_0xD1_eamon+645f

BUCKET_ID: X64_0xD1_eamon+645f

Followup: MachineOwner
---------

 

You are not alone with errors relating to eamon.sys related issues

 

The latest build is 4.0.474. Does the problem persist even with that build installed?

 

Hi Eastmarw,

I do noticed you mention McAfee and Spyware Doctor. Were these applications installed prior to the NOD32 install? Also where they uninstalled at the time of installing NOD32? If they were installed prior to NOD32 what I would do is uninstall NOD32, use McAfree removal tool to clean out anything left behind from priror McAfree install. Also do the same with SD if PCtools have such a removal tool. I would then download the latest build of NOD32 4.0.474 Also I would create exclusions for the root dir of J River Media Center. Then while inside the Advanced Setup Tree goto

Antivirus and antispyware-->Web access protection-->HTTP,HTTPS-->Web browsers

Here you will see a list of application NOD32 has deemed to be/behave as an "Internet browser" find the entry for JRMC and if not there click Add and find the location of it's .exe Click the check box next to the JRMC entry a few times untill a RED X appears next to it's entry.

I believe this should help your issue with JRMC and Nod32.

Solid-State

 

Well i would love to download the newest version but here is the problem. I have downloade the current version from the link posted in the download section. Uninstall everything reboot and reinstall with the new download. The Help/About indicates that it is version 437 and not 474 as it indicates that newest version is. So the website link is incorrect!

The "Trialed version" is 468. ESET needs to fix ther web links.

 

OK, removed everything cleaned the registry with jv16 powertools for any references with Mcafee & Spyware doctor.

I uninsatlled/reinstalled the nod32, with version 468 becausae version 474 is not available to download until they fix their links. I excluded the J River Mediacenter directory and everything below it. The other request for the HTTP/HTTPS requests do not work like indicated. There are two directories there for JRMC but you can only check them uncheck them for Active Mode/Passive Mode.

Going to test it now to see if I can get it to lock up or BSOD.

Maybe they can fix their download link in the meantime.

 

You can request a 30-day ESS evaulation license here and use it to download the full version of EAV 4.0.474 that you'll be able to update for 30 days.

 

Thanks Marcus, but that is for their Security Suite. I don't need more headaches with their firewall product/spam etc. I have will not use a thrid party firewall that requires even more of my time to get it to work. I tried this as an alternative earlier today, and was immediatly not able to access the internet after installing it. I am not in the mood to deal with yet another issue at this time.

Do you have the link for just the Virus/Spyware, Malware?

 

It is for ESS (suite) but you can use the trial key for EAV (only AV) also. That is what Marcos suggested.

 

Hi eastmarw,
I didn't mean you ought to download ESS, just fill in an email address on that web page and you'll receive a 30-day evaluation license. You will receive a username and password that you can use to download the latest commercial (full) version of EAV 4.0.474 and update it for 30 days.

 

Ok, thanks! I'll try it.

 

OK, I do not get the same thing that you must get. That link is for the Trial request for the Security Suite.

If you request one for the AV software you will receive the following link:
http://www.eset.com/download/trial_software.php?product=EAV
but this version of the software is 468 not 474. You can't even download that version from their site.

Download link from the eset.com site.
http://new.eset.com/download
The one from the site is 437 that states 474 but it is not.

If i uninstall the AV software I don't lock up at all with a BSOD. I can do everything that I did before with the laptop and no issues. So I have come to the conclusion that this is not the correct type of software to work with Windows 7. McAfee work great but the drawback was with the spyware/adware ability it had was horrible. So I gues that I am back to McAfee. Three days of BSOD's with me trying to troubleshot an issue is not worth my time. I can no longer waste my time on this issue. Good thing I didn't make a jump purchase.

 

I hate to tell you but from experience JRMC has issues with the "Web access protection" (HTTP scanning) in Nod32. It will cause the exact issues you describe. Considering Eset stupidly removed the ability to control on an application level the includes/exludes for the "Web access protection" by removing the "Web browsers" setting in the advanced setup tree. This sucks for you friend as there is no way to prevent Nod32 from messing with and causing BSOD when using JRMC due to it's browser based UI. ENABLE THIS ABILITY AGAIN ESET! It's crazy you can't do this as a LOT of applications use browser based UIs and JRMC is an example where the compatibility issues brings the entire OS to it's knees. This is BS and should be fixed/re-enabled. There is no excuse if the driver used in Vista/7 can't do this anymore. We NEED control of this aspect of Nod32 PERIOD!

Solid-State

PS You might have hope by entering the advanced setup tree and go to "Protocol Filtering" and change the radio button to "Applications marked as Internet browsers and email clients" from "Ports and applications..." This way perhaps it won't mess with JRMC but I doubt it. Try an exclusion for the JRMC dir. But in all honesty if you wish to run JRMC your screwed to use Nod32!

 

Actually I provided clear instructions how to trial EAV 4.0.474 that might resolve your problem:
1, apply for a 30-day trial ESS license so that you receive a username and password
2, use that username and password to download the commercial (full) version of EAV 4.0.474