BSOD in eamon.sys with Windows 7

Discussion in 'ESET NOD32 Antivirus' started by eastmarw, Nov 27, 2009.

Thread Status:
Not open for further replies.
  1. eastmarw

    eastmarw Registered Member

    Joined:
    Nov 27, 2009
    Posts:
    6
    Location:
    Grand Rapids
    I am currently evaluating NOD32 as a replacement for my McAfee & Spyware Doctor.

    Initial impression (good) because it does not hog my resources, but after a day of running the software I have noticed a total of 4 BSODs now. The original 3 were while I was running J River Media Center 14, and now the last one was for eamon.sys. Below is the memory dmp interpretation. "Process Name: jrworker" is a J River Media Center component. When it happens it usually is the result of adding something to the Media Center's library, but this time it happened when I was playing a song, but it could have very well been looking for changes in the library.

    I am using 4.0.468 of NOD32 for 64-bit software. I've tried to download the "newer" version, 474, but it indicates I have a newer version.


    Microsoft (R) Windows Debugger Version 6.11.0001.404 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [C:\Windows\MEMORY.DMP]
    Kernel Summary Dump File: Only kernel address space is available

    Symbol search path is: SRV*c:\windows\symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is:
    Windows 7 Kernel Version 7600 MP (2 procs) Free x64
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 7600.16385.amd64fre.win7_rtm.090713-1255
    Machine Name:
    Kernel base = 0xfffff800`02a12000 PsLoadedModuleList = 0xfffff800`02c4fe50
    Debug session time: Fri Nov 27 19:56:19.220 2009 (GMT-5)
    System Uptime: 0 days 23:50:41.436
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    .............................................
    Loading User Symbols
    PEB is paged out (Peb.Ldr = 00000000`7efdf018). Type ".hh dbgerr001" for details
    Loading unloaded module list
    ....
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck D1, {6169646d9937, 2, 0, fffff880034de45f}

    *** ERROR: Module load completed but symbols could not be loaded for eamon.sys
    PEB is paged out (Peb.Ldr = 00000000`7efdf018). Type ".hh dbgerr001" for details
    PEB is paged out (Peb.Ldr = 00000000`7efdf018). Type ".hh dbgerr001" for details
    Probably caused by : eamon.sys ( eamon+645f )

    Followup: MachineOwner
    ---------

    0: kd> !analyze -v
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
    An attempt was made to access a pageable (or completely invalid) address at an
    interrupt request level (IRQL) that is too high. This is usually
    caused by drivers using improper addresses.
    If kernel debugger is available get stack backtrace.
    Arguments:
    Arg1: 00006169646d9937, memory referenced
    Arg2: 0000000000000002, IRQL
    Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
    Arg4: fffff880034de45f, address which referenced memory

    Debugging Details:
    ------------------

    PEB is paged out (Peb.Ldr = 00000000`7efdf018). Type ".hh dbgerr001" for details
    PEB is paged out (Peb.Ldr = 00000000`7efdf018). Type ".hh dbgerr001" for details

    READ_ADDRESS: 00006169646d9937

    CURRENT_IRQL: 2

    FAULTING_IP:
    eamon+645f
    fffff880`034de45f 4c396510 cmp qword ptr [rbp+10h],r12

    DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

    BUGCHECK_STR: 0xD1

    PROCESS_NAME: JRWorker.exe

    TRAP_FRAME: fffff880028e8820 -- (.trap 0xfffff880028e8820)
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=0000000000000000 rbx=0000000000000000 rcx=fffffa80067a60f8
    rdx=fffffa800c684100 rsi=0000000000000000 rdi=0000000000000000
    rip=fffff880034de45f rsp=fffff880028e89b0 rbp=00006169646d9927
    r8=fffffa8004a2aa30 r9=0000000000000000 r10=fffff80002c11888
    r11=fffffa8005679270 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0 nv up ei pl nz na po nc
    eamon+0x645f:
    fffff880`034de45f 4c396510 cmp qword ptr [rbp+10h],r12 ss:0018:00006169`646d9937=????????????????
    Resetting default scope

    LAST_CONTROL_TRANSFER: from fffff80002a83469 to fffff80002a83f00

    STACK_TEXT:
    fffff880`028e86d8 fffff800`02a83469 : 00000000`0000000a 00006169`646d9937 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
    fffff880`028e86e0 fffff800`02a820e0 : 00000000`00000000 fffffa80`0c684100 00000000`00000000 fffff880`028e8838 : nt!KiBugCheckDispatch+0x69
    fffff880`028e8820 fffff880`034de45f : fffffa80`0c6841f0 00000000`000007ff 00000000`00000000 fffffa80`0c684100 : nt!KiPageFault+0x260
    fffff880`028e89b0 fffff800`02d9768f : fffffa80`0c6841f0 fffffa80`0592b8f0 00000000`00000000 fffffa80`11ccddd0 : eamon+0x645f
    fffff880`028e8a30 fffff800`02d7d304 : 00000000`00000000 fffffa80`0592b8f0 00000000`0008e318 00000000`00000000 : nt!IopCloseFile+0x11f
    fffff880`028e8ac0 fffff800`02d97181 : fffffa80`0592b8f0 fffffa80`00000001 fffff8a0`0e8f4450 00000000`00000000 : nt!ObpDecrementHandleCount+0xb4
    fffff880`028e8b40 fffff800`02d97094 : 00000000`000005b0 fffffa80`0592b8f0 fffff8a0`0e8f4450 00000000`000005b0 : nt!ObpCloseHandleTableEntry+0xb1
    fffff880`028e8bd0 fffff800`02a83153 : fffffa80`05679270 fffff880`028e8ca0 00000000`7efdb000 00000000`7efdb000 : nt!ObpCloseHandle+0x94
    fffff880`028e8c20 00000000`7743ffaa : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
    00000000`0008e308 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x7743ffaa


    STACK_COMMAND: kb

    FOLLOWUP_IP:
    eamon+645f
    fffff880`034de45f 4c396510 cmp qword ptr [rbp+10h],r12

    SYMBOL_STACK_INDEX: 3

    SYMBOL_NAME: eamon+645f

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: eamon

    IMAGE_NAME: eamon.sys

    DEBUG_FLR_IMAGE_TIMESTAMP: 4ac1e6c3

    FAILURE_BUCKET_ID: X64_0xD1_eamon+645f

    BUCKET_ID: X64_0xD1_eamon+645f

    Followup: MachineOwner
    ---------
     
  2. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    The latest build is 4.0.474. Does the problem persist even with that build installed?
     
  4. SolidState

    SolidState Registered Member

    Joined:
    Dec 18, 2007
    Posts:
    92
    Hi Eastmarw,

    I did notice you mention McAfee and Spyware Doctor. Were these applications installed prior to the NOD32 install? Also, were they uninstalled at the time of installing NOD32? If they were installed prior to NOD32, what I would do is uninstall NOD32 and use the McAfee removal tool to clean out anything left behind from the prior McAfee install. Also do the same with SD if PC Tools have such a removal tool. I would then download the latest build of NOD32, 4.0.474. Also I would create exclusions for the root dir of J River Media Center. Then while inside the Advanced Setup Tree go to

    Antivirus and antispyware-->Web access protection-->HTTP,HTTPS-->Web browsers

    Here you will see a list of applications NOD32 has deemed to be/behave as an "Internet browser". Find the entry for JRMC, and if it is not there click Add and find the location of its .exe. Click the check box next to the JRMC entry a few times until a RED X appears next to its entry.

    I believe this should help your issue with JRMC and Nod32. :thumb:

    Solid-State
     
  5. eastmarw

    eastmarw Registered Member

    Joined:
    Nov 27, 2009
    Posts:
    6
    Location:
    Grand Rapids
    Well, I would love to download the newest version but here is the problem. I have downloaded the current version from the link posted in the download section. Uninstalled everything, rebooted and reinstalled with the new download. The Help/About indicates that it is version 437 and not 474 as it indicates the newest version is. So the website link is incorrect!

    The "Trialed version" is 468. ESET needs to fix their web links.
     
  6. eastmarw

    eastmarw Registered Member

    Joined:
    Nov 27, 2009
    Posts:
    6
    Location:
    Grand Rapids
    OK, removed everything, cleaned the registry with jv16 PowerTools for any references to McAfee & Spyware Doctor.

    I uninstalled/reinstalled the NOD32, with version 468 because version 474 is not available to download until they fix their links. I excluded the J River Media Center directory and everything below it. The other request for the HTTP/HTTPS requests does not work as indicated. There are two directories there for JRMC but you can only check/uncheck them for Active Mode/Passive Mode.

    Going to test it now to see if I can get it to lock up or BSOD.

    Maybe they can fix their download link in the meantime. :D
     
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    You can request a 30-day ESS evaluation license here and use it to download the full version of EAV 4.0.474 that you'll be able to update for 30 days.
     
  8. eastmarw

    eastmarw Registered Member

    Joined:
    Nov 27, 2009
    Posts:
    6
    Location:
    Grand Rapids
    Thanks Marcos, but that is for their Security Suite. I don't need more headaches with their firewall product/spam etc. I will not use a third-party firewall that requires even more of my time to get it to work. I tried this as an alternative earlier today, and was immediately not able to access the internet after installing it. I am not in the mood to deal with yet another issue at this time.

    Do you have the link for just the Virus/Spyware, Malware?
     
  9. Brambb

    Brambb Registered Member

    Joined:
    Sep 25, 2006
    Posts:
    411
    Location:
    The Netherlands
    It is for ESS (suite) but you can use the trial key for EAV (only AV) also. That is what Marcos suggested.
     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Hi eastmarw,
    I didn't mean you ought to download ESS, just fill in an email address on that web page and you'll receive a 30-day evaluation license. You will receive a username and password that you can use to download the latest commercial (full) version of EAV 4.0.474 and update it for 30 days.
     
  11. eastmarw

    eastmarw Registered Member

    Joined:
    Nov 27, 2009
    Posts:
    6
    Location:
    Grand Rapids
    Ok, thanks! I'll try it.
     
  12. eastmarw

    eastmarw Registered Member

    Joined:
    Nov 27, 2009
    Posts:
    6
    Location:
    Grand Rapids
    OK, I do not get the same thing that you must get. That link is for the Trial request for the Security Suite.

    If you request one for the AV software you will receive the following link:
    http://www.eset.com/download/trial_software.php?product=EAV
    but this version of the software is 468 not 474. You can't even download that version from their site.

    Download link from the eset.com site.
    http://new.eset.com/download
    The one from the site is 437 that states 474 but it is not.

    If I uninstall the AV software I don't lock up at all with a BSOD. I can do everything that I did before with the laptop and no issues. So I have come to the conclusion that this is not the correct type of software to work with Windows 7. McAfee worked great but the drawback was that the spyware/adware ability it had was horrible. So I guess that I am back to McAfee. Three days of BSODs with me trying to troubleshoot an issue is not worth my time. I can no longer waste my time on this issue. Good thing I didn't make a jump purchase.
     
  13. SolidState

    SolidState Registered Member

    Joined:
    Dec 18, 2007
    Posts:
    92
    I hate to tell you but from experience JRMC has issues with the "Web access protection" (HTTP scanning) in Nod32. It will cause the exact issues you describe. Considering Eset stupidly removed the ability to control on an application level the includes/excludes for the "Web access protection" by removing the "Web browsers" setting in the advanced setup tree. This sucks for you, friend, as there is no way to prevent Nod32 from messing with and causing BSOD when using JRMC due to its browser-based UI. ENABLE THIS ABILITY AGAIN ESET! It's crazy you can't do this as a LOT of applications use browser-based UIs and JRMC is an example where the compatibility issues bring the entire OS to its knees. This is BS and should be fixed/re-enabled. There is no excuse if the driver used in Vista/7 can't do this anymore. We NEED control of this aspect of Nod32 PERIOD!

    Solid-State

    PS You might have hope by entering the advanced setup tree and going to "Protocol Filtering" and changing the radio button to "Applications marked as Internet browsers and email clients" from "Ports and applications..." This way perhaps it won't mess with JRMC but I doubt it. Try an exclusion for the JRMC dir. But in all honesty if you wish to run JRMC you're screwed to use Nod32!
     
    Last edited: Nov 29, 2009
  14. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Actually I provided clear instructions how to trial EAV 4.0.474 that might resolve your problem:
    1, apply for a 30-day trial ESS license so that you receive a username and password
    2, use that username and password to download the commercial (full) version of EAV 4.0.474
     