BSOD probably caused by eamon.sys

Discussion in 'ESET NOD32 Antivirus' started by De Hollander, Feb 28, 2009.

Thread Status:
Not open for further replies.
  1. De Hollander

    De Hollander Registered Member

    Joined:
    Sep 10, 2005
    Posts:
    718
    Location:
    Windmills and cows
    Today at startup one of my machines reported a BSOD.
    (Vista SP1 and V3.0.384.0)

    o_O o_O



    =========================================================



    Microsoft (R) Windows Debugger Version 6.11.0001.402 X86
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [C:\Mini022809-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is:
    Windows Server 2008/Windows Vista Kernel Version 6001 (Service Pack 1) MP (2 procs) Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS Personal
    Built by: 6001.18145.x86fre.vistasp1_gdr.080917-1612
    Machine Name:
    Kernel base = 0x82412000 PsLoadedModuleList = 0x82529c70
    Debug session time: Sat Feb 28 15:14:38.566 2009 (GMT+1)
    System Uptime: 0 days 0:00:30.253
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    ..............................
    Loading User Symbols
    Loading unloaded module list
    ....
    Unable to load image \SystemRoot\system32\DRIVERS\eamon.sys, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for eamon.sys
    *** ERROR: Module load completed but symbols could not be loaded for eamon.sys
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 18, {bad0b0b0, 9af97b00, 2, 8251476c}

    Probably caused by : eamon.sys ( eamon+327a )

    Followup: MachineOwner
    ---------

    1: kd> !analyze -v
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    REFERENCE_BY_POINTER (18)
    Arguments:
    Arg1: bad0b0b0, Object type of the object whose reference count is being lowered
    Arg2: 9af97b00, Object whose reference count is being lowered
    Arg3: 00000002, Reserved
    Arg4: 8251476c, Reserved
    The reference count of an object is illegal for the current state of the object.
    Each time a driver uses a pointer to an object the driver calls a kernel routine
    to increment the reference count of the object. When the driver is done with the
    pointer the driver calls another kernel routine to decrement the reference count.
    Drivers must match calls to the increment and decrement routines. This bugcheck
    can occur because an object's reference count goes to zero while there are still
    open handles to the object, in which case the fourth parameter indicates the number
    of opened handles. It may also occur when the object's reference count drops below zero
    whether or not there are open handles to the object, and in that case the fourth parameter
    contains the actual value of the pointer references count.

    Debugging Details:
    ------------------


    CUSTOMER_CRASH_COUNT: 1

    DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

    BUGCHECK_STR: 0x18

    PROCESS_NAME: svchost.exe

    CURRENT_IRQL: 0

    LAST_CONTROL_TRANSFER: from 9a46b27a to 8246388e

    STACK_TEXT:
    80f5a8ec 9a46b27a 9af866e8 9af866c8 9af866c8 nt!ObfDereferenceObject+0x66
    WARNING: Stack unwind information not available. Following frames may be wrong.
    80f5aa28 9a46d166 80f5aa40 80f5aa58 00000000 eamon+0x327a
    80f5aa5c 9a46bd37 9af866c8 00000000 00000001 eamon+0x5166
    80f5aab0 824cdfd3 000003fc 9afaabf8 9af672bc eamon+0x3d37
    80f5aac8 82632d11 b3154e9e 87b2d334 861395f8 nt!IofCallDriver+0x63
    80f5ab98 826583ff 86139610 00000000 87b2d290 nt!IopParseDevice+0xf61
    80f5ac28 826300f6 00000000 80f5ac80 00000040 nt!ObpLookupObjectName+0x5a8
    80f5ac88 82631bf3 03f6f12c 00000000 00000001 nt!ObOpenObjectByName+0x13c
    80f5acfc 82622639 03f6f158 00100021 03f6f12c nt!IopCreateFile+0x63b
    80f5ad44 82469a1a 03f6f158 00100021 03f6f12c nt!NtOpenFile+0x2a
    80f5ad44 77da9a94 03f6f158 00100021 03f6f12c nt!KiFastCallEntry+0x12a
    03f6f14c 00000000 00000000 00000000 00000000 0x77da9a94


    STACK_COMMAND: kb

    FOLLOWUP_IP:
    eamon+327a
    9a46b27a ??              ???

    SYMBOL_STACK_INDEX: 1

    SYMBOL_NAME: eamon+327a

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: eamon

    IMAGE_NAME: eamon.sys

    DEBUG_FLR_IMAGE_TIMESTAMP: 49021686

    FAILURE_BUCKET_ID: 0x18_BADMEMREF_eamon+327a

    BUCKET_ID: 0x18_BADMEMREF_eamon+327a

    Followup: MachineOwner
    ---------
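
A triage helper for a report like the one in the post above, as an added example that is not part of the thread and not ESET or Microsoft code: it extracts the bugcheck code, names the first non-OS module on the stack, and checks that the three eamon frames imply a single load base even though the debugger flagged the unwind as unreliable. The function name `triage`, the `os_modules` default and the abridged sample are assumptions made for this example.

```python
import re

# Constructed sample: lines abridged from the debugger output quoted in the post above.
SAMPLE = """\
BugCheck 18, {bad0b0b0, 9af97b00, 2, 8251476c}
STACK_TEXT:
80f5a8ec 9a46b27a 9af866e8 9af866c8 9af866c8 nt!ObfDereferenceObject+0x66
WARNING: Stack unwind information not available. Following frames may be wrong.
80f5aa28 9a46d166 80f5aa40 80f5aa58 00000000 eamon+0x327a
80f5aa5c 9a46bd37 9af866c8 00000000 00000001 eamon+0x5166
80f5aab0 824cdfd3 000003fc 9afaabf8 9af672bc eamon+0x3d37
80f5aac8 82632d11 b3154e9e 87b2d334 861395f8 nt!IofCallDriver+0x63
03f6f14c 00000000 00000000 00000000 00000000 0x77da9a94

STACK_COMMAND: kb
"""

BUGCHECK = re.compile(r"BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}")
# x86 "kb" frame: ChildEBP RetAddr Arg1 Arg2 Arg3 symbol
FRAME = re.compile(r"^\s*[0-9a-f]{8}\s+([0-9a-f]{8})(?:\s+[0-9a-f]{8}){3}\s+(\S+)\s*$", re.I)
SYMBOL = re.compile(r"^(\w+)(?:!(\w+))?\+(?:0x)?([0-9a-f]+)$", re.I)

def triage(text, os_modules=("nt", "hal")):
    """Summarise a 32-bit WinDbg bugcheck report (hypothetical helper)."""
    bc = BUGCHECK.search(text)
    out = {"code": int(bc.group(1), 16) if bc else None,
           "args": [int(a, 16) for a in bc.group(2).split(",")] if bc else [],
           "frames": [], "unwind_reliable": True, "suspect": None, "bases": []}
    in_stack = False
    for line in text.splitlines():
        if line.strip() == "STACK_TEXT:":
            in_stack = True
        elif in_stack and "Stack unwind information not available" in line:
            out["unwind_reliable"] = False
        elif in_stack:
            f = FRAME.match(line)
            if not f:
                break  # first non-frame line ends the stack listing
            s = SYMBOL.match(f.group(2))
            mod, off = (s.group(1), int(s.group(3), 16)) if s else (None, None)
            out["frames"].append((int(f.group(1), 16), mod, off))
    frames = out["frames"]
    # First frame outside the OS modules is the usual place to start looking.
    out["suspect"] = next((m for _, m, _ in frames if m and m not in os_modules), None)
    # A frame's symbol names the return address stored in the frame above it,
    # so RetAddr(previous) - offset(this) should give one page-aligned load base.
    out["bases"] = sorted({frames[i - 1][0] - frames[i][2] for i in range(1, len(frames))
                           if frames[i][1] == out["suspect"] and out["suspect"]})
    return out
```

A single entry in `bases` means the module frames agree with each other; several different values would suggest the frames after the unwind warning are not trustworthy.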
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I assume you meant v. 3.0.684. Please create a kernel or complete memory dump and let me know when done. I'll provide you access to our ftp.
     
  3. De Hollander

    De Hollander Registered Member

    Joined:
    Sep 10, 2005
    Posts:
    718
    Location:
    Windmills and cows
    I stand corrected, v 3.0.684. I have sent you a PM.

    Note: The BSOD only happened once. Creating a memory dump, I assume you mean forcing one manually (CrashOnCtrlScroll)
     
    Last edited: Feb 28, 2009
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If the system blue screens, it creates a dump without pressing Ctrl+ScrollLock.
     
  5. De Hollander

    De Hollander Registered Member

    Joined:
    Sep 10, 2005
    Posts:
    718
    Location:
    Windmills and cows
    After the first and only BSOD on this machine, I changed the settings from small to a full memory dump. At this moment the system works normally, so to generate a full memory dump I used the CrashOnCtrlScroll switch, described in this article http://msdn.microsoft.com/en-us/library/cc266483.aspx

    Please let me know if you still want the dump


    Thank You
     