A bsod

[eaglehorse]

On 20080825 I had a short series of BSOD's 3 to be exact the first one was caused by klif.sys (kasperskey) and was unexpected. The next one was after reboot and MBAM had loaded twice so I tried to exit and restart MBAM an I got another one of M$ lovely screens unfortunately this one was cause my MBAM.sys. Well after reboot the same set of events transpired and again I got to look at M$ nice screens again MBAM.sys

This one I have a mini dump. Here is the information

Loading Dump File [C:\WINDOWS\Minidump\Mini082508-01.dmp]

Mini Kernel Dump File: Only registers and stack trace are available

Invalid directory table base value 0x0

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols

Executable search path is:

"nt" was not found in the image list.

Debugger will attempt to load "nt" at given base 00000000.

Please provide the full image name, including the extension (i.e. kernel32.dll)

for more reliable results.Base address and size overrides can be given as

.reload <image.ext>=<base>,<size>.

Unable to load image nt, Win32 error 0n2

Unable to add module at 00000000

Debugger can not determine kernel base address

Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible

Product: WinNt

Kernel base = 0x804d7000 PsLoadedModuleList = 0x80553fc0

Debug session time: Mon Aug 25 22:18:01.812 2008 (GMT-4)

System Uptime: 0 days 0:43:18.376

"nt" was not found in the image list.

Debugger will attempt to load "nt" at given base 00000000.

Please provide the full image name, including the extension (i.e. kernel32.dll)

for more reliable results.Base address and size overrides can be given as

.reload <image.ext>=<base>,<size>.

Unable to load image nt, Win32 error 0n2

Unable to add module at 00000000

Debugger can not determine kernel base address

Loading Kernel Symbols

Loading User Symbols

*******************************************************************************

* *

* Bugcheck Analysis *

* *

*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D4, {ba59b938, ff, 1, 80542665}

***** Debugger could not find nt in module list, module list might be corrupt, error 0x80070057.

Probably caused by : Unknown_Image ( ANALYSIS_INCONCLUSIVE )

Followup: MachineOwner

---------

kd> !analyze -v

*******************************************************************************

* *

* Bugcheck Analysis *

* *

*******************************************************************************

SYSTEM_SCAN_AT_RAISED_IRQL_CAUGHT_IMPROPER_DRIVER_UNLOAD (d4)

A driver unloaded without cancelling lookaside lists, DPCs, worker threads, etc.

The broken driver's name is displayed on the screen.

When possible, the guilty driver's name (Unicode string) is printed on

the bugcheck screen and saved in KiBugCheckDriver.

An attempt was made to access the driver at raised IRQL after it unloaded.

If kernel debugger is available get stack backtrace.

Arguments:

Arg1: ba59b938, memory referenced

Arg2: 000000ff, IRQL

Arg3: 00000001, value 0 = read operation, 1 = write operation

Arg4: 80542665, address which referenced memory

Debugging Details:

------------------

***** Debugger could not find nt in module list, module list might be corrupt, error 0x80070057.

WRITE_ADDRESS: unable to get nt!MmSpecialPoolStart

unable to get nt!MmSpecialPoolEnd

unable to get nt!MmPoolCodeStart

unable to get nt!MmPoolCodeEnd

ba59b938

CURRENT_IRQL: ff

FAULTING_IP:

+ffffffff80542665

80542665 8910 mov dword ptr [eax],edx

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xD4

LAST_CONTROL_TRANSFER: from 00000000 to 80540683

STACK_TEXT:

f7a7c854 00000000 00000000 00000000 00000000 0x80540683

STACK_COMMAND: kb

SYMBOL_NAME: ANALYSIS_INCONCLUSIVE

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: Unknown_Module

IMAGE_NAME: Unknown_Image

DEBUG_FLR_IMAGE_TIMESTAMP: 0

BUCKET_ID: CORRUPT_MODULELIST

Followup: MachineOwner

---------

kd> lmvm Unknown_Module

start end module name

f7a7c854 00000000 00000000 00000000 00000000 0x80540683Start

^ Extra character error in '?? /s WRITE_ADDRESS: unable to get nt!MmSpecialPoolStart unable to get nt!MmSpecialPoolEnd unable to get nt!MmPoolCodeStart unable to get nt!MmPoolCodeEnd ba59b938 CURRENT_IRQL: ff FAULTING_IP: +ffffffff80542665 80542665 8910 mov dword ptr [eax],edx CUSTOMER_CRASH_COUNT: 1 DEFAULT_BUCKET_ID: DRIVER_FAULT BUGCHECK_STR: 0xD4 LAST_CONTROL_TRANSFER: from 00000000 to 80540683 STACK_TEXT: f7a7c854 00000000 00000000 00000000 00000000 0x80540683'

I hope this information helps. Any input by someone more intelligent than myself is appreciated.

Thank you for all you do.

[RubbeR DuckY]

Thanks, looking into the issue. Our new protection module should have this fixed.

[eaglehorse]

This happened using version 1.5 and I update MBAM at least 2x a day.

[JeanInMontana]

This happened using version 1.5 and I update MBAM at least 2x a day.

There is no version 1.5. The current version is 1.25 and what your updating is the definition data base not the program version.

[eaglehorse]

There is no version 1.5. The current version is 1.25 and what your updating is the definition data base not the program version.

I meant 1.25 I had an error between chair and keyboard, (me and Typos are best friends)Thank you for the info. because for some reason I had thought that it was possible to make minor program tweaks without updating the version. I learn more and more each day.

I think that this error is truely cause by KIS (Kasperskey) not allowing the driver to unload correctly but I just wanted to pass as much info along to the development team as I could. This is truely a great application that has made many waves.

Do you know of any good info on the Windows debuging tool. At a level that can help one understand it and then increase their knowledge of it.

[JeanInMontana]

There is an issue for a very few machines where the service doesn't unload properly. I am among that group and for now reason if I try to shut down MBAM it will BSOD. Soon there will be a version update that fixes this. There can be minor tweaks without updating the version, but this problem doesn't seem to be a minor tweak. I can't wait for it to be fixed.