NOD32 v4.2 Business crashing Windows 7

Discussion in 'ESET NOD32 Antivirus' started by vaskywire, Nov 22, 2011.

Thread Status:
Not open for further replies.
  1. vaskywire, Registered Member (joined Nov 22, 2011; posts: 1; location: United States)

    ESET32 v4.2 is crashing a client's Windows 7 workstation often. We have viewed all minidumps, and they are all the same. We've uninstalled ESET and reinstalled it with the current executable on the download page, but this hasn't stopped the crashing. Below you will find a bugcheck analysis of a minidump.
    Can someone please help us with this issue?

    ---------
    Unable to load image epfwtdir.sys, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for epfwtdir.sys
    *** ERROR: Module load completed but symbols could not be loaded for epfwtdir.sys
    ERROR: FindPlugIns 80070005
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 10000050, {f7c04f94, 0, 8052b296, 0}


    Could not read faulting driver name
    Probably caused by : epfwtdir.sys ( epfwtdir+3350 )

    Followup: MachineOwner
    ---------

    0: kd> !analyze -v
    ERROR: FindPlugIns 80070005
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    PAGE_FAULT_IN_NONPAGED_AREA (50)
    Invalid system memory was referenced. This cannot be protected by try-except,
    it must be protected by a Probe. Typically the address is just plain bad or it
    is pointing at freed memory.
    Arguments:
    Arg1: f7c04f94, memory referenced.
    Arg2: 00000000, value 0 = read operation, 1 = write operation.
    Arg3: 8052b296, If non-zero, the instruction address which referenced the bad memory
    address.
    Arg4: 00000000, (reserved)

    Debugging Details:
    ------------------


    Could not read faulting driver name

    READ_ADDRESS: f7c04f94

    FAULTING_IP:
    nt!PsGetThreadProcessId+8
    8052b296 8b80ec010000 mov eax,dword ptr [eax+1ECh]

    MM_INTERNAL_CODE: 0

    CUSTOMER_CRASH_COUNT: 1

    DEFAULT_BUCKET_ID: DRIVER_FAULT

    BUGCHECK_STR: 0x50

    PROCESS_NAME: svchost.exe

    LAST_CONTROL_TRANSFER: from a98ad350 to 8052b296

    STACK_TEXT:
    a94069bc a98ad350 f7c04da8 00cb80e9 ff885f90 nt!PsGetThreadProcessId+0x8
    WARNING: Stack unwind information not available. Following frames may be wrong.
    a9406a00 804ef19f 8a15f370 00000000 a9866bd8 epfwtdir+0x3350
    a9406a10 a98ed175 8326c768 8334c958 8326c698 nt!IopfCallDriver+0x31
    a9406a28 a98ec973 86626008 a9866bd8 8326c768 netbt!TdiConnect+0xae
    a9406a60 a98edf43 0026c698 c0a86e5c 8663c030 netbt!TcpSessionStart+0xb5
    a9406aa0 a98ee197 8326c602 00000000 00000000 netbt!SessionSetupContinue+0x1f7
    a9406ac4 a99050c9 a98eddc7 8663c030 00000000 netbt!CompleteClientReq+0x8d
    a9406b68 a98eec67 82ec9688 f7b7d644 00000001 netbt!NbtCompleteLmhSvcRequest+0x24c
    a9406ba8 a99049ac 8663cae8 f7b7d438 00000278 netbt!NtProcessLmHSvcIrp+0xe3
    a9406c00 a9903dbc 8663cae8 f7b7d438 00000278 netbt!DispatchIoctls+0x533
    a9406c40 804ef19f 8663cae8 8313add0 806e7410 netbt!NbtDispatchDevCtrl+0xcd
    a9406c50 8057f98e 8313ae40 8a2cc028 8313add0 nt!IopfCallDriver+0x31
    a9406c64 8058081d 8663cae8 8313add0 8a2cc028 nt!IopSynchronousServiceTail+0x70
    a9406d00 80579298 00000138 00000104 00000000 nt!IopXxxControlFile+0x5c5
    a9406d34 8054167c 00000138 00000104 00000000 nt!NtDeviceIoControlFile+0x2a
    a9406d34 7c90e514 00000138 00000104 00000000 nt!KiFastCallEntry+0xfc
    0067fb4c 00000000 00000000 00000000 00000000 0x7c90e514


    STACK_COMMAND: kb

    FOLLOWUP_IP:
    epfwtdir+3350
    a98ad350 ?? ???

    SYMBOL_STACK_INDEX: 1

    SYMBOL_NAME: epfwtdir+3350

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: epfwtdir

    IMAGE_NAME: epfwtdir.sys

    DEBUG_FLR_IMAGE_TIMESTAMP: 4d006838

    FAILURE_BUCKET_ID: 0x50_epfwtdir+3350

    BUCKET_ID: 0x50_epfwtdir+3350

    Followup: MachineOwner
    ---------
     
  2. Marcos, Eset Staff Account (joined Nov 22, 2002; posts: 14,374)

    Epfwtdir should not be used on Windows 7 at all. Did you upgrade the OS from Windows XP without uninstalling and reinstalling ESET? Anyways, we'd be interested in receiving a kernel or complete memory dump from BSOD. Would it be possible for you to configure the system to generate kernel memory dumps, reproduce the crash and supply the dump to ESET for perusal?
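
An added example, not part of the thread and not ESET tooling: the first post says every minidump looks the same, and a short Python script can check that by reducing each `!analyze -v` transcript to a bucket key (bugcheck string, image, image timestamp, first non-OS stack frame). The function names and the `OS_MODULES` set are assumptions; the sample is an excerpt of the output posted above with the stack cut to four frames.

```python
import re

# Constructed input: excerpt of the analysis text posted above, stack cut to four frames.
SAMPLE = """\
BugCheck 10000050, {f7c04f94, 0, 8052b296, 0}
BUGCHECK_STR: 0x50
PROCESS_NAME: svchost.exe
STACK_TEXT:
a94069bc a98ad350 f7c04da8 00cb80e9 ff885f90 nt!PsGetThreadProcessId+0x8
WARNING: Stack unwind information not available. Following frames may be wrong.
a9406a00 804ef19f 8a15f370 00000000 a9866bd8 epfwtdir+0x3350
a9406a10 a98ed175 8326c768 8334c958 8326c698 nt!IopfCallDriver+0x31
a9406a28 a98ec973 86626008 a9866bd8 8326c768 netbt!TdiConnect+0xae

IMAGE_NAME: epfwtdir.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4d006838
"""

OS_MODULES = {"nt", "hal", "netbt"}  # assumption: OS components; extend for your fleet
FRAME = re.compile(r"^(?:[0-9a-f]{8} ){5}(\w+)(?:!\S+)?\+0x([0-9a-f]+)$")
FIELDS = ("BUGCHECK_STR", "PROCESS_NAME", "IMAGE_NAME", "DEBUG_FLR_IMAGE_TIMESTAMP")

def triage(text):
    """Reduce one `!analyze -v` transcript to the fields used to bucket crashes."""
    lines = [ln.strip() for ln in text.splitlines()]
    out = dict.fromkeys([k.lower() for k in FIELDS] + ["args", "suspect", "unwind_reliable"])
    in_stack, reliable = False, True
    for ln in lines:
        m = re.match(r"BugCheck [0-9A-Fa-f]+, \{([^}]*)\}", ln)
        if m:
            out["args"] = [int(a, 16) for a in m.group(1).split(",")]
        for k in FIELDS:
            if ln.startswith(k + ":"):
                out[k.lower()] = ln.split(":", 1)[1].strip()
        if ln == "STACK_TEXT:":
            in_stack = True
        elif in_stack and ln.startswith("WARNING: Stack unwind"):
            reliable = False          # frames below this line may be wrong
        elif in_stack and (f := FRAME.match(ln)):
            if out["suspect"] is None and f.group(1) not in OS_MODULES:
                out["suspect"] = (f.group(1), int(f.group(2), 16))
                out["unwind_reliable"] = reliable
        elif in_stack and ln == "":
            in_stack = False          # blank line ends the stack listing
    return out

def bucket_key(t):
    """Same key across dumps means the same driver build faulted at the same offset."""
    return (t["bugcheck_str"], t["image_name"], t["debug_flr_image_timestamp"], t["suspect"])
```

Comparing `bucket_key(triage(...))` across the saved transcripts shows whether the crashes really share one driver build and offset; `unwind_reliable` being false marks a suspect frame that sits below the debugger's unwind warning.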
     