Recurring BSODs point to eamon.sys

Discussion in 'ESET NOD32 Antivirus' started by gcckfam, Feb 26, 2009.

Thread Status:
Not open for further replies.
  1. gcckfam

    gcckfam, Registered Member. Joined: Feb 26, 2009. Posts: 3
    I was encouraged to post these problems to see if a potential solution is available. Any help would be great.

    Had three BSODs in the last couple months. Didn't know what to do with them until today. The first and second pointed to eamon.sys. Today's dump cited pool_corruption. I suspect that this error might still be from the eamon.sys, but didn't get far enough to dump the actual problem.

    I am running ESET NOD32 v3.0.657.0

    Here is the dump analyzer:
    Loading Dump File [C:\WINDOWS\Minidump\Mini020409-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available

    WARNING: Whitespace at end of path element
    WARNING: Whitespace at end of path element
    Symbol search path is: srv*C:\Symbols*http://msdl.microsoft.com/download/symbols




    Executable search path is: c:\windows\i386
    Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 2600.xpsp_sp3_gdr.080814-1236
    Machine Name:
    Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
    Debug session time: Wed Feb 4 21:25:06.303 2009 (GMT-8)
    System Uptime: 0 days 0:01:58.896
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    ...........
    Loading User Symbols
    Loading unloaded module list
    ..........
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 19, {20, e238e7b9, e238e7d9, c041708}

    *** WARNING: Unable to verify timestamp for eamon.sys
    *** ERROR: Module load completed but symbols could not be loaded for eamon.sys
    Unable to load image easdrv.sys, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for easdrv.sys
    *** ERROR: Module load completed but symbols could not be loaded for easdrv.sys
    Probably caused by : eamon.sys ( eamon+3cae )

    Followup: MachineOwner
    ---------

    1: kd> !analyze -v
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    BAD_POOL_HEADER (19)
    The pool is already corrupt at the time of the current request.
    This may or may not be due to the caller.
    The internal pool links must be walked to figure out a possible cause of
    the problem, and then special pool applied to the suspect tags or the driver
    verifier to a suspect driver.
    Arguments:
    Arg1: 00000020, a pool block header size is corrupt.
    Arg2: e238e7b9, The pool entry we were looking for within the page.
    Arg3: e238e7d9, The next pool entry.
    Arg4: 0c041708, (reserved)

    Debugging Details:
    ------------------


    BUGCHECK_STR: 0x19_20

    POOL_ADDRESS: e238e7b9

    CUSTOMER_CRASH_COUNT: 1

    DEFAULT_BUCKET_ID: DRIVER_FAULT

    PROCESS_NAME: ekrn.exe

    LAST_CONTROL_TRANSFER: from 8054b583 to 804f9f43

    STACK_TEXT:
    a4065564 8054b583 00000019 00000020 e238e7b9 nt!KeBugCheckEx+0x1b
    a40655b4 b9d3ab4b e238e7c1 00000000 b9d36198 nt!ExFreePoolWithTag+0x2a3
    a40655c0 b9d36198 002fa800 00000000 cdefa900 Ntfs!NtfsCommonCreate+0x1563
    a40657c4 b9d37f2d 89a13c18 88924c88 a406581c Ntfs!NtfsCommonCreate+0x14c0
    a40658a8 804ef19f 8a5c6020 88924c88 8897c0f8 Ntfs!NtfsFsdCreate+0x1dc
    a40658b8 b9de4876 88f15870 8a5bb7d0 89a14c60 nt!IopfCallDriver+0x31
    a4065904 804ef19f 8a621918 00000001 00000000 sr!SrCreate+0x150
    a4065914 a5577cae 88924c98 88e33f38 8897c0f8 nt!IopfCallDriver+0x31
    WARNING: Stack unwind information not available. Following frames may be wrong.
    a4065948 804ef19f 000006f4 88924c88 88924c88 eamon+0x3cae
    a4065958 805831fa 8a5ceb80 88a81274 a4065af0 nt!IopfCallDriver+0x31
    a4065a38 805bf450 8a5ceb98 00000000 88a811d0 nt!IopParseDevice+0xa12
    a4065ab0 805bb9dc 00000000 a4065af0 00000040 nt!ObpLookupObjectName+0x53c
    a4065b04 80576033 00000000 00000000 a14ba801 nt!ObOpenObjectByName+0xea
    a4065b80 805769aa 0479d4d8 80100080 0479d4f4 nt!IopCreateFile+0x407
    a4065bdc b289c739 0479d4d8 80100080 0479d4f4 nt!IoCreateFile+0x8e
    a4065c1c b289ca55 0479d440 a4b4d407 89067ed0 easdrv+0x2739
    a4065c5c 80580487 88e88400 00000001 0479d440 easdrv+0x2a55
    a4065d00 80579274 00000190 00000000 00000000 nt!IopXxxControlFile+0x255
    a4065d34 8054162c 00000190 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
    a4065d34 7c90e4f4 00000190 00000000 00000000 nt!KiFastCallEntry+0xfc
    0479d3f0 00000000 00000000 00000000 00000000 0x7c90e4f4


    STACK_COMMAND: kb

    FOLLOWUP_IP:
    eamon+3cae
    a5577cae ?? ???

    SYMBOL_STACK_INDEX: 8

    SYMBOL_NAME: eamon+3cae

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: eamon

    IMAGE_NAME: eamon.sys

    DEBUG_FLR_IMAGE_TIMESTAMP: 480f2fc9

    FAILURE_BUCKET_ID: 0x19_20_eamon+3cae

    BUCKET_ID: 0x19_20_eamon+3cae

    Followup: MachineOwner
    ---------
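
A small triage helper for the STACK_TEXT above, added here as an example (not part of the original post and not ESET or Microsoft tooling): it lists the frames shown only as module+offset and marks every frame after the unwind warning as unreliable. The sample frames are copied from the post with the later part of the stack abridged; the function names are assumptions of this example.

```python
import re

# Frames copied from the STACK_TEXT in the post above (later frames abridged).
SAMPLE = """\
a4065564 8054b583 00000019 00000020 e238e7b9 nt!KeBugCheckEx+0x1b
a40655b4 b9d3ab4b e238e7c1 00000000 b9d36198 nt!ExFreePoolWithTag+0x2a3
a40655c0 b9d36198 002fa800 00000000 cdefa900 Ntfs!NtfsCommonCreate+0x1563
a40657c4 b9d37f2d 89a13c18 88924c88 a406581c Ntfs!NtfsCommonCreate+0x14c0
a40658a8 804ef19f 8a5c6020 88924c88 8897c0f8 Ntfs!NtfsFsdCreate+0x1dc
a40658b8 b9de4876 88f15870 8a5bb7d0 89a14c60 nt!IopfCallDriver+0x31
a4065904 804ef19f 8a621918 00000001 00000000 sr!SrCreate+0x150
a4065914 a5577cae 88924c98 88e33f38 8897c0f8 nt!IopfCallDriver+0x31
WARNING: Stack unwind information not available. Following frames may be wrong.
a4065948 804ef19f 000006f4 88924c88 88924c88 eamon+0x3cae
a4065c1c b289ca55 0479d440 a4b4d407 89067ed0 easdrv+0x2739
0479d3f0 00000000 00000000 00000000 00000000 0x7c90e4f4
"""

FRAME = re.compile(r"^(?:[0-9a-f]{8}\s+){5}(\S+)$")
SITE = re.compile(r"^([A-Za-z_]\w*)(?:!([^+]+))?(?:\+0x[0-9a-f]+)?$")

def parse_stack(text):
    """One dict per frame; index 0 is the innermost frame (KeBugCheckEx)."""
    frames, reliable = [], True
    for line in map(str.strip, text.splitlines()):
        if line.startswith("WARNING: Stack unwind information not available"):
            reliable = False  # the debugger says later frames may be wrong
            continue
        m = FRAME.match(line)
        if m:
            site = SITE.match(m.group(1))
            module, symbol = site.groups() if site else (None, None)
            frames.append({"index": len(frames), "module": module,
                           "symbol": symbol, "reliable": reliable})
    return frames

def unsymbolized(frames):
    """Frames shown only as module+offset, i.e. no symbols were loaded."""
    return [f for f in frames if f["module"] and f["symbol"] is None]

def detecting_frame(frames):
    """First frame below KeBugCheckEx: the routine that raised the bugcheck."""
    return next((f for f in frames if f["symbol"] != "KeBugCheckEx"), None)

if __name__ == "__main__":
    for f in parse_stack(SAMPLE):
        print(f)
```

On these frames it reports nt!ExFreePoolWithTag as the routine that raised the bugcheck and eamon at stack index 8, matching SYMBOL_STACK_INDEX in the analysis.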
     
  2. Marcos

    Marcos, Eset Staff Account. Joined: Nov 22, 2002. Posts: 14,374
    First of all, please install the latest version of EAV 3.0.684 and restart the computer. Should the problem persist, we'll need to get a kernel or complete memory dump.
     
  3. gcckfam

    gcckfam, Registered Member. Joined: Feb 26, 2009. Posts: 3
    Checking back after upgrading to version 3.0.684.

    Got another BSOD. This one also points to eamon.sys. I had changed the dump to a kernel memory dump, per your suggestion. How do I get that to you?

    Also, just to I ran MemTest overnight a couple weeks ago. 12 passes and no errors.
     
  4. bodean

    bodean, Registered Member. Joined: Jun 22, 2007. Posts: 76
    It's not your memory, it's ESET's software. I got it all the time too with V4. Had to go back to V3, as I wait with thousands of others for word on an updated/fixed version of V4.
     