BSODs since upgrade to v3

Discussion in 'ESET NOD32 Antivirus' started by vorgos, Jan 27, 2009.

Thread Status:
Not open for further replies.
  1. vorgos

    vorgos Registered Member

    Joined:
    Jul 29, 2008
    Posts:
    12
    Hi,

    In Oct 08 we upgraded to NOD32 v3 and for the last couple of months we have had a number of PCs blue screen. The codes are mostly 0x1000008e and 0x10000050. All the PCs are XP SP3 with the latest patches. I should point out that the BSODs most often occur during shutdown or startup/logon.

    I've used the Windows debugger on the minidumps and eamon.sys keeps coming up. I've included a debugger output below. Anyone else experiencing this? Any ideas?

    Thanks
    Vic.


    Debugging Details:
    ------------------

    Unable to load image eamon.sys, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for eamon.sys
    *** ERROR: Module load completed but symbols could not be loaded for eamon.sys

    Could not read faulting driver name

    WRITE_ADDRESS: ffffffe9

    FAULTING_IP:
    nt!ObfReferenceObject+25
    804d9044 0fc101 xadd dword ptr [ecx],eax

    MM_INTERNAL_CODE: 0
    CUSTOMER_CRASH_COUNT: 1
    DEFAULT_BUCKET_ID: DRIVER_FAULT
    BUGCHECK_STR: 0x50
    PROCESS_NAME: msiexec.exe
    LAST_CONTROL_TRANSFER: from 8059b73e to 804d9044
    STACK_TEXT:
    ef3b6a64 8059b73e 00000000 ef904680 ef3b6c00 nt!ObfReferenceObject+0x25
    ef3b6a88 8059b8ea 00000001 00000001 ef3b6ac0 nt!LpcpRequestWaitReplyPort+0x33b
    ef3b6aa0 ef8cf1bb e21794f8 ef3b6ac0 ef3b6ac0 nt!LpcRequestWaitReplyPort+0x15
    WARNING: Stack unwind information not available. Following frames may be wrong.
    ef3b6be8 ef8d10c4 ef3b6c00 ef3b6c18 00000000 eamon+0x31bb
    ef3b6c1c ef8cff03 82bbb130 00000000 00000003 eamon+0x50c4
    ef3b6c60 804e37f7 01b8fae8 82b90008 82b90008 eamon+0x3f03
    ef3b6c70 8056c15b 82b93560 82fb6560 82b93578 nt!IopfCallDriver+0x31
    ef3b6ca4 80567697 829ebbc8 82b8fae8 00120196 nt!IopCloseFile+0x27c
    ef3b6cd4 8056783f 829ebbc8 00000001 82fb6560 nt!ObpDecrementHandleCount+0xd4
    ef3b6cfc 805678b0 e18a5128 82b93578 000002ac nt!ObpCloseHandleTableEntry+0x14d
    ef3b6d44 805678fa 000002ac 00000001 00000000 nt!ObpCloseHandle+0x87
    ef3b6d58 804de7ec 000002ac 00b4ecfc 7c90e4f4 nt!NtClose+0x1d
    ef3b6d58 7c90e4f4 000002ac 00b4ecfc 7c90e4f4 nt!KiFastCallEntry+0xf8
    00b4ecfc 00000000 00000000 00000000 00000000 0x7c90e4f4


    STACK_COMMAND: kb

    FOLLOWUP_IP:
    eamon+31bb
    ef8cf1bb ?? ???

    SYMBOL_STACK_INDEX: 3
    SYMBOL_NAME: eamon+31bb
    FOLLOWUP_NAME: MachineOwner
    MODULE_NAME: eamon
    IMAGE_NAME: eamon.sys
    DEBUG_FLR_IMAGE_TIMESTAMP: 48a95943
    FAILURE_BUCKET_ID: 0x50_eamon+31bb
    BUCKET_ID: 0x50_eamon+31bb
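
Added example, not part of the original post or of ESET's tooling: when the same crash shows up on many PCs, the `!analyze -v` text can be triaged in bulk by pulling out the bucket, the process, and the first non-kernel module on the stack, while recording whether that frame sits below the "Stack unwind information not available" warning. The function names `triage` and `bucket_counts` are hypothetical, and the sample is a shortened copy of the output quoted above.

```python
import re
from collections import Counter

# Constructed sample: a shortened copy of the !analyze -v fields quoted in the post above.
SAMPLE = """\
BUGCHECK_STR: 0x50
PROCESS_NAME: msiexec.exe
STACK_TEXT:
ef3b6a64 8059b73e 00000000 ef904680 ef3b6c00 nt!ObfReferenceObject+0x25
ef3b6a88 8059b8ea 00000001 00000001 ef3b6ac0 nt!LpcpRequestWaitReplyPort+0x33b
ef3b6aa0 ef8cf1bb e21794f8 ef3b6ac0 ef3b6ac0 nt!LpcRequestWaitReplyPort+0x15
WARNING: Stack unwind information not available. Following frames may be wrong.
ef3b6be8 ef8d10c4 ef3b6c00 ef3b6c18 00000000 eamon+0x31bb
ef3b6c60 804e37f7 01b8fae8 82b90008 82b90008 eamon+0x3f03
ef3b6c70 8056c15b 82b93560 82fb6560 82b93578 nt!IopfCallDriver+0x31

STACK_COMMAND: kb
IMAGE_NAME: eamon.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 48a95943
FAILURE_BUCKET_ID: 0x50_eamon+31bb
"""

# "NAME: value" lines; headers with no value (e.g. STACK_TEXT:) do not match.
FIELD = re.compile(r"^\s*([A-Z_]+):\s*(\S.*)$")
# Five 8-digit hex columns, then module!symbol or module+0xoffset.
FRAME = re.compile(r"^\s*(?:[0-9a-f]{8}\s+){5}([A-Za-z0-9_]+)(?:!\S+|\+0x[0-9a-f]+)", re.I)

def triage(text, os_modules=("nt", "hal")):
    """Return the key fields plus the first non-OS module found on the stack."""
    out = {"first_3rd_party": None, "unwind_reliable": True}
    unwind_warned = False
    for line in text.splitlines():
        if "Stack unwind information not available" in line:
            unwind_warned = True  # frames after this line may be wrong
            continue
        frame = FRAME.match(line)
        if frame:
            module = frame.group(1)
            if module.lower() not in os_modules and out["first_3rd_party"] is None:
                out["first_3rd_party"] = module
                out["unwind_reliable"] = not unwind_warned
            continue
        field = FIELD.match(line)
        if field:
            out[field.group(1)] = field.group(2).strip()
    return out

def bucket_counts(reports):
    """Count crashes per (failure bucket, process) across many analyses."""
    return Counter((r.get("FAILURE_BUCKET_ID"), r.get("PROCESS_NAME"))
                   for r in map(triage, reports))
```

Grouping by bucket and process shows whether every machine is hitting the same driver offset or whether the crashes only share a module name.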
     
  2. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Are you using the latest NIC drivers?
     
  3. vorgos

    vorgos Registered Member

    Joined:
    Jul 29, 2008
    Posts:
    12
    I am not sure. The machines (Dell Dimension 2400) have been very stable until this started happening. In fact we've not had a single blue screen since they were purchased. I'll check and update any that are out of date.

    What makes you suggest the NIC drivers?
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Just to make sure, is this happening with EAV v. 3.0.684 installed? Did you have an older version or another AV installed previously?
     
  5. vorgos

    vorgos Registered Member

    Joined:
    Jul 29, 2008
    Posts:
    12
    We upgraded from NOD32 v2. We are currently at v3.0.672.0 and the program is set up to automatically install program updates. I am not sure when the last program update was since it is pushed out automatically.

    BTW I checked the NIC drivers and according to DELL's site we are running the latest version.

    Vic
     
  6. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Laptop manufacturers rarely if ever have the latest version of drivers. They have the "last tested working drivers", simply because they don't have the time to test every version.

    I'm not sure if it's a Vista-only feature, but my laptop gets its NIC drivers from Windows Update, which are far newer than the ones on MSI's website (2007).

    If this isn't a solution for you, you could try browsing the NIC manufacturer's website.
     
  7. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    Any idea what msiexec was doing at the time? Maybe installing packages via GPO?

    I would be running hardware diagnostics on these systems, specifically RAM, and checking the event log for reported disk errors. Heuristic routines are going to gobble up memory, CPU, and disk resources when they are scanning packages before they install. CPU and disk issues typically show themselves under any manner of system load, but bad areas of memory can sit benign for a long time until you change a system's config to increase the memory footprint and start touching areas that were rarely used, causing blue screens.
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Besides updating NIC drivers, please install the latest version 3.0.684 on such a problematic computer to see if it makes a difference.
     
  9. vorgos

    vorgos Registered Member

    Joined:
    Jul 29, 2008
    Posts:
    12
    Marcos, when was this update released? All networked PCs pick up virusdefs & program updates from the mirror/rac server. Shouldn't that push the update through? If I have to push it out manually, where do I get it? The website doesn't seem to offer it anywhere.

    Vic
     
  10. vorgos

    vorgos Registered Member

    Joined:
    Jul 29, 2008
    Posts:
    12
    We use WSUS to update XP PCs. It's likely that an update was installing or cleaning up after install.

    Other BSODs mention svchost.exe, cisvc.exe, winlogon.exe, ekrn.exe.
     
  11. vorgos

    vorgos Registered Member

    Joined:
    Jul 29, 2008
    Posts:
    12

    Just came across http://www.eset.com/support/news.php which states that it was released December 18, 2008. I've rechecked our Remote Admin server settings and all appears as it should...

    Our server is still v2, should we upgrade to v3?

    Vic
     
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    The log was referring to eamon.sys so apparently v3 was installed on that computer. Try installing the latest version of EAV 3.0.684 on that problematic computer. It should be possible to push v. 3.0.684 package to that workstation via ERA so that it'll replace the older version. A computer restart may be required after installation.
     
  13. Interghost

    Interghost Registered Member

    Joined:
    Jan 31, 2009
    Posts:
    1
    I have the same issue on XP SP2. Used nod 2 for a few years without problems; a few weeks ago I uninstalled it and installed v3, and since then I get BSODs on >50% of shutdowns.

    I have the latest (3.0.684) version.
     
  14. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Please create a full or kernel memory dump and convey it to customer care who will pass it to ESET's engineers for perusal.
     