nod32 causing BSOD please help

Discussion in 'ESET NOD32 Antivirus' started by megapixel, Apr 24, 2009.

Thread Status:
Not open for further replies.
  1. megapixel

    megapixel Registered Member

    Joined:
    Apr 24, 2009
    Posts:
    3
    sup yall.
    as soon as i found out that nod32 v 4 was released, i uninstalled avg8 and got meself nod32 v4. then soon after that i started getting BSODs saying something like irql not less or equal. i did a dump check and netio.sys was at fault or something and somebody suggested i updated my drivers and i did. still BSOD occurred frequently. now i switched back to avg8 and no BSODs anymore. i really want to use nod32 v4 because it's a lot faster. i have a lenovo laptop with 512 mb ram with windows vista home basic version that came with the computer. any help would be appreciated.
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If you were trying to install v. 4.0.424 and BSOD occurred though, please follow these instructions to create a kernel or complete memory dump. Let me know when you have it ready so that I can PM you details how to proceed.
     
  3. megapixel

    megapixel Registered Member

    Joined:
    Apr 24, 2009
    Posts:
    3
    thanks for the reply. the BSOD occurred after the installation was completed and when it was updating database for the first time. and does the memory dump look something like this? i used debugging tools for windows for this.
    Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [C:\Windows\Minidump\Mini042309-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is: *** Invalid ***
    ****************************************************************************
    * Symbol loading may be unreliable without a symbol search path. *
    * Use .symfix to have the debugger choose a symbol path. *
    * After setting your symbol path, use .reload to refresh symbol locations. *
    ****************************************************************************
    Executable search path is:
    *********************************************************************
    * Symbols can not be loaded because symbol path is not initialized. *
    * *
    * The Symbol Path can be set by: *
    * using the _NT_SYMBOL_PATH environment variable. *
    * using the -y <symbol_path> argument when starting the debugger. *
    * using .sympath and .sympath+ *
    *********************************************************************
    Unable to load image \SystemRoot\system32\ntkrnlpa.exe, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for ntkrnlpa.exe
    *** ERROR: Module load completed but symbols could not be loaded for ntkrnlpa.exe
    Windows Vista Kernel Version 6000 UP Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS Personal
    Machine Name:
    Kernel base = 0x82000000 PsLoadedModuleList = 0x82111e10
    Debug session time: Thu Apr 23 17:49:48.746 2009 (GMT+5)
    System Uptime: 0 days 0:55:58.408
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    .........................
    Loading User Symbols
    Loading unloaded module list
    .....
    *** WARNING: Unable to verify timestamp for hal.dll
    *** ERROR: Module load completed but symbols could not be loaded for hal.dll
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck A, {20000, 2, 1, 823a4e89}

    *** WARNING: Unable to verify timestamp for NETIO.SYS
    *** ERROR: Module load completed but symbols could not be loaded for NETIO.SYS
    *** WARNING: Unable to verify timestamp for fwpkclnt.sys
    *** ERROR: Module load completed but symbols could not be loaded for fwpkclnt.sys
    *** WARNING: Unable to verify timestamp for epfwwfpr.sys
    *** ERROR: Module load completed but symbols could not be loaded for epfwwfpr.sys
    ***** Kernel symbols are WRONG. Please fix symbols to do analysis.

    *************************************************************************
    *** ***
    *** ***
    *** Your debugger is not using the correct symbols ***
    *** ***
    *** In order for this command to work properly, your symbol path ***
    *** must point to .pdb files that have full type information. ***
    *** ***
    *** Certain .pdb files (such as the public OS symbols) do not ***
    *** contain the required information. Contact the group that ***
    *** provided you with these symbols if you need this command to ***
    *** work. ***
    *** ***
    *** Type referenced: nt!_KPRCB ***
    *** ***
    *************************************************************************
    *********************************************************************
    * Symbols can not be loaded because symbol path is not initialized. *
    * *
    * The Symbol Path can be set by: *
    * using the _NT_SYMBOL_PATH environment variable. *
    * using the -y <symbol_path> argument when starting the debugger. *
    * using .sympath and .sympath+ *
    *********************************************************************
    Probably caused by : NETIO.SYS ( NETIO+231cc )

    Followup: MachineOwner
    ---------

    kd> !analyze -v
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    IRQL_NOT_LESS_OR_EQUAL (a)
    An attempt was made to access a pageable (or completely invalid) address at an
    interrupt request level (IRQL) that is too high. This is usually
    caused by drivers using improper addresses.
    If a kernel debugger is available get the stack backtrace.
    Arguments:
    Arg1: 00020000, memory referenced
    Arg2: 00000002, IRQL
    Arg3: 00000001, bitfield :
    bit 0 : value 0 = read operation, 1 = write operation
    bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
    Arg4: 823a4e89, address which referenced memory

    Debugging Details:
    ------------------

    ***** Kernel symbols are WRONG. Please fix symbols to do analysis.

    *************************************************************************
    *** ***
    *** ***
    *** Your debugger is not using the correct symbols ***
    *** ***
    *** In order for this command to work properly, your symbol path ***
    *** must point to .pdb files that have full type information. ***
    *** ***
    *** Certain .pdb files (such as the public OS symbols) do not ***
    *** contain the required information. Contact the group that ***
    *** provided you with these symbols if you need this command to ***
    *** work. ***
    *** ***
    *** Type referenced: nt!_KPRCB ***
    *** ***
    *************************************************************************
    *********************************************************************
    * Symbols can not be loaded because symbol path is not initialized. *
    * *
    * The Symbol Path can be set by: *
    * using the _NT_SYMBOL_PATH environment variable. *
    * using the -y <symbol_path> argument when starting the debugger. *
    * using .sympath and .sympath+ *
    *********************************************************************

    ADDITIONAL_DEBUG_TEXT:
    Use '!findthebuild' command to search for the target build information.
    If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

    MODULE_NAME: NETIO

    FAULTING_MODULE: 82000000 nt

    DEBUG_FLR_IMAGE_TIMESTAMP: 46fc6b19

    WRITE_ADDRESS: unable to get nt!MmSpecialPoolStart
    unable to get nt!MmSpecialPoolEnd
    unable to get nt!MmPoolCodeStart
    unable to get nt!MmPoolCodeEnd
    00020000

    CURRENT_IRQL: 0

    FAULTING_IP:
    hal+3e89
    823a4e89 ?? ???

    CUSTOMER_CRASH_COUNT: 1

    DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

    BUGCHECK_STR: 0xA

    LAST_CONTROL_TRANSFER: from 823a4e89 to 8208fdc4

    STACK_TEXT:
    WARNING: Stack unwind information not available. Following frames may be wrong.
    9289fa58 823a4e89 badb0d00 00020000 00000000 nt+0x8fdc4
    9289faf0 829ea1cc 00000014 00000000 940e1bd8 hal+0x3e89
    9289fb30 89c0804a 00000718 00000000 0000011a NETIO+0x231cc
    9289fb60 8934c15c 87a33290 00000000 00000000 fwpkclnt+0x504a
    9289fba8 8934d1cc 92a17c80 00000005 023f9ea0 epfwwfpr+0x615c
    9289fbd4 8935631c 89359fe0 00000718 92a17c80 epfwwfpr+0x71cc
    9289fbfc 8935647a 8a2bdd38 023f9e88 00000018 epfwwfpr+0x1031c
    9289fc58 82189b21 8a2bdd38 00000001 023f9e88 epfwwfpr+0x1047a
    9289fd00 8218ee85 8cbed6c8 00000000 00000000 nt+0x189b21
    9289fd34 8208caea 000001f4 00000000 00000000 nt+0x18ee85
    9289fd64 779e0f34 badb0d00 023f9dac 00000000 nt+0x8caea
    9289fd68 badb0d00 023f9dac 00000000 00000000 0x779e0f34
    9289fd6c 023f9dac 00000000 00000000 00000000 0xbadb0d00
    9289fd70 00000000 00000000 00000000 00000000 0x23f9dac


    STACK_COMMAND: kb

    FOLLOWUP_IP:
    NETIO+231cc
    829ea1cc ?? ???

    SYMBOL_STACK_INDEX: 2

    SYMBOL_NAME: NETIO+231cc

    FOLLOWUP_NAME: MachineOwner

    IMAGE_NAME: NETIO.SYS

    BUCKET_ID: WRONG_SYMBOLS

    Followup: MachineOwner
    ---------

    kd> lmvm NETIO
    start end module name
    829c7000 82a00000 NETIO T (no symbols)
    Loaded symbol image file: NETIO.SYS
    Image path: \SystemRoot\system32\drivers\NETIO.SYS
    Image name: NETIO.SYS
    Timestamp: Fri Sep 28 08:31:49 2007 (46FC6B19)
    CheckSum: 00044709
    ImageSize: 00039000
    Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
    kd> lmvm nt
    start end module name
    82000000 823a1000 nt T (no symbols)
    Loaded symbol image file: ntkrnlpa.exe
    Image path: \SystemRoot\system32\ntkrnlpa.exe
    Image name: ntkrnlpa.exe
    Timestamp: Wed Oct 10 07:31:20 2007 (470C2EEC)
    CheckSum: 00366023
    ImageSize: 003A1000
    Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
     
  4. Gamil

    Gamil Registered Member

    Joined:
    Apr 25, 2009
    Posts:
    9
    Out of curiosity, does your machine contain an Intel network adapter?

    If so, update the drivers from http://support.intel.com/ . I've seen a few machines recently which were throwing NETIO.sys bluescreens, and installing the latest drivers seemed to fix them (at least temporarily, they haven't acted up yet).

    It would be a good idea to try that regardless of chipset, but I can only confirm that it worked with the Intel-based adapters.

    *edit*

    While you're using windbg, you should set up the public symbol server:

    To use the Microsoft Symbol Server (slightly modified)

    1. Make sure you have installed the latest version of Debugging Tools for Windows.

    2. Start Windbg (Run As Administrator if you're using Vista)

    3. Decide where to store the downloaded symbols (the "downstream store"). This can be a local drive or a UNC path.

    4. Set the debugger symbol path as follows, substituting your downstream store path for DownstreamStore.

    SRV*DownstreamStore*http://msdl.microsoft.com/download/symbols

    For example, to download symbols to c:\websymbols, you would add the following to your symbol path:

    SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols

    5. Close Windbg and answer "Yes" when prompted to save.


    From now on, windbg will use the symbols downloaded to the symbol path every time you open it (it may take several minutes to download symbols the first time you open a dump), and you'll get substantially more (and more valuable) information when you analyze the dump.

    If you get numerous "incorrect symbols" errors AFTER setting the symbol path, delete the symbols and allow windbg to reacquire them. Sometimes the server hiccups.
     
    Last edited: Apr 25, 2009
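Added example (not written by anyone in this thread): a small Python triage of the WinDbg output posted above. It checks whether symbols were loaded and walks STACK_TEXT to find the first module below the blamed frame that is not on a short list of Windows-shipped modules. The `INBOX` list and the function names are assumptions made for this illustration; the sample lines are copied from the dump in post 3.

```python
import re
from itertools import groupby

# Status lines and STACK_TEXT copied from the minidump output posted in this thread.
SAMPLE_LOG = """\
Symbol search path is: *** Invalid ***
BugCheck A, {20000, 2, 1, 823a4e89}
Probably caused by : NETIO.SYS ( NETIO+231cc )
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
9289fa58 823a4e89 badb0d00 00020000 00000000 nt+0x8fdc4
9289faf0 829ea1cc 00000014 00000000 940e1bd8 hal+0x3e89
9289fb30 89c0804a 00000718 00000000 0000011a NETIO+0x231cc
9289fb60 8934c15c 87a33290 00000000 00000000 fwpkclnt+0x504a
9289fba8 8934d1cc 92a17c80 00000005 023f9ea0 epfwwfpr+0x615c
9289fbd4 8935631c 89359fe0 00000718 92a17c80 epfwwfpr+0x71cc
9289fbfc 8935647a 8a2bdd38 023f9e88 00000018 epfwwfpr+0x1031c
9289fc58 82189b21 8a2bdd38 00000001 023f9e88 epfwwfpr+0x1047a
9289fd00 8218ee85 8cbed6c8 00000000 00000000 nt+0x189b21
9289fd34 8208caea 000001f4 00000000 00000000 nt+0x18ee85
9289fd64 779e0f34 badb0d00 023f9dac 00000000 nt+0x8caea
9289fd68 badb0d00 023f9dac 00000000 00000000 0x779e0f34
BUCKET_ID: WRONG_SYMBOLS
"""

# Assumption: a short, illustrative allowlist of modules that ship with Windows.
INBOX = {"nt", "hal", "netio", "fwpkclnt", "ndis", "tcpip"}

# x86 "kb" frame: ChildEBP, RetAddr, three args, then module+0xoffset or a bare address.
FRAME_RE = re.compile(
    r"^[ \t]*[0-9a-f]{8} [0-9a-f]{8} (?:[0-9a-f]{8} ){3}"
    r"(?:(\w+)\+)?0x([0-9a-f]+)[ \t]*$",
    re.I | re.M,
)
BUGCHECK_RE = re.compile(r"BugCheck ([0-9A-F]+), \{([^}]*)\}", re.I)
BLAMED_RE = re.compile(r"Probably caused by : (\S+)")
BAD_SYMBOLS = ("*** Invalid ***", "WRONG_SYMBOLS", "symbols could not be loaded")


def parse_stack(log):
    """Return [(module or None, offset)] from the top frame downwards."""
    return [(m.group(1), int(m.group(2), 16)) for m in FRAME_RE.finditer(log)]


def triage(log):
    """Summarise a pasted WinDbg analysis without needing the dump itself."""
    frames = parse_stack(log)
    bc = BUGCHECK_RE.search(log)
    blamed = BLAMED_RE.search(log)
    # First frame, top-down, whose module is not on the inbox allowlist.
    suspect = next(
        ((mod, off) for mod, off in frames if mod and mod.lower() not in INBOX),
        None,
    )
    return {
        "bugcheck": int(bc.group(1), 16) if bc else None,
        "args": [int(a.strip(), 16) for a in bc.group(2).split(",")] if bc else [],
        # Without symbols the "Probably caused by" line is only a guess.
        "symbols_ok": not any(marker in log for marker in BAD_SYMBOLS),
        "blamed": blamed.group(1) if blamed else None,
        "first_non_inbox": suspect,
        # Consecutive frames in the same module collapsed into one entry.
        "chain": [mod for mod, _ in groupby(mod for mod, _ in frames)],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the pasted output, it reports that symbols are not loaded and that the blamed NETIO frame was reached from epfwwfpr through fwpkclnt, which is the call path worth re-checking once the symbol path is set.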
  5. megapixel

    megapixel Registered Member

    Joined:
    Apr 24, 2009
    Posts:
    3
    the sticker said "intel inside" but i'm not sure if it meant processor or the network adapter. anyways, did i forget to mention that i don't get the BSODs anymore since i uninstalled nod32 v4?
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If you use Windows Vista and BSOD occurs with v. 4.0.424, too, make sure to install SP1.
     
  7. Gamil

    Gamil Registered Member

    Joined:
    Apr 25, 2009
    Posts:
    9
    I just installed NOD32 v4 on a Compaq desktop today (AMD, nForce board), same issue: Netio.sys bluescreens.

    Installed the current network drivers for the board, and the bluescreens haven't been back.

    This is one of those cases where the software appears to be causing the problem, but is really just exposing an underlying issue.

    As another example, some people running machines with bad RAM may never notice the bad memory unless they install a different OS. It appears to be the fault of the new OS, but is really just the bad memory being exposed by different memory management (or error handling) routines.
     
  8. Delphinus

    Delphinus Registered Member

    Joined:
    Feb 3, 2009
    Posts:
    1
    Can confirm that running windows vista, installing NOD32 v4 results in a bluescreen after startup, NETIO.SYS. Seems to be when it's trying to automatically pull down an update.
    Updating the Intel Pro/100 driver and installing SP1 resolved the issue.
    Had to start in safe mode, set the ESET service to manual, reboot, install updates, go back to safe mode, and set ESET service back to automatic.
     