BSOD@Boot IDSVia64.sys

Hi All,

I have a Windows 7 laptop with Norton 360 installed.

For the last couple of days when turning it on, Windows loads up to the point of the login screen and then blue screens and reboots, the same applies for safe mode, and last known good config.

Windows StartUp Repair is unable to fix the problem.

chkdsk /r and sfc /scannow have been run from the command prompt after the start up repair has had its attempt.

System Restore is offering no checkpoints, so either that is turned off or not working properly, so can't see if that will fix things.

I've managed to get the dump file off the laptop and looking at it on this machine, it suggests the crash is probably caused by IDSvia64.sys.

I'm currently running the NBRT scan to see if it's a virus causing the issue.

Has anyone else come across this problem, and any ideas as to how to get around it?

Is there a way to uninstall N360 from the recovery console to rule out the software for the cause of the BSOD?

The result of the dump file is:

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {fffffa80fffffa80, 2, 0, fffff88003ee412c}

Unable to load image ??\C:\ProgramData\Norton{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20091111.001\IDSvia64.sys, Win32 error 0n2

*** WARNING: Unable to verify timestamp for IDSvia64.sys

*** ERROR: Module load completed but symbols could not be loaded for IDSvia64.sys

Probably caused by : IDSvia64.sys ( IDSvia64+4512c )

Followup: MachineOwner

---------

0: kd> !analyze -v


*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)

An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses.

If kernel debugger is available get stack backtrace.

Arguments:

Arg1: fffffa80fffffa80, memory referenced

Arg2: 0000000000000002, IRQL

Arg3: 0000000000000000, value 0 = read operation, 1 = write operation

Arg4: fffff88003ee412c, address which referenced memory

Debugging Details:


OVERLAPPED_MODULE: Address regions for 'ENG64' and 'ENG64.SYS' overlap

READ_ADDRESS: GetPointerFromAddress: unable to read from fffff80002b0d0e0

fffffa80fffffa80

CURRENT_IRQL: 2

FAULTING_IP:

IDSvia64+4512c

fffff880`03ee412c 48833800 cmp qword ptr [rax],0

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0xD1

PROCESS_NAME: System

TRAP_FRAME: fffff88002dc8f40 -- (.trap 0xfffff88002dc8f40)

NOTE: The trap frame does not contain all registers.

Some register values may be zeroed or incorrect.

rax=fffffa80fffffa80 rbx=0000000000000000 rcx=fffffa80040ef014

rdx=0000000000000022 rsi=0000000000000000 rdi=0000000000000000

rip=fffff88003ee412c rsp=fffff88002dc90d0 rbp=ffffffffffffffff

r8=fffff88003e9f000 r9=00000000000000ab r10=fffffa80040ef75c

r11=0000000000000001 r12=0000000000000000 r13=0000000000000000

r14=0000000000000000 r15=0000000000000000

iopl=0 nv up ei pl zr na po nc

IDSvia64+0x4512c:

fffff88003ee412c 48833800 cmp qword ptr [rax],0 ds:f79c:fffffa80fffffa80=???

Resetting default scope

LAST_CONTROL_TRANSFER: from fffff800028d6469 to fffff800028d6f00

STACK_TEXT:

fffff88002dc8df8 fffff800028d6469 : 000000000000000a fffffa80fffffa80 0000000000000002 0000000000000000 : nt!KeBugCheckEx

fffff88002dc8e00 fffff800028d50e0 : 0000000000000000 fffffa8007ae84c0 fffffa80040ef434 fffffa8004202884 : nt!KiBugCheckDispatch+0x69

fffff88002dc8f40 fffff88003ee412c : fffff88002dc9260 fffff88002dc9280 fffffa800617bfb4 fffffa8005702004 : nt!KiPageFault+0x260

fffff88002dc90d0 fffff88002dc9260 : fffff88002dc9280 fffffa800617bfb4 fffffa8005702004 fffffa8080000000 : IDSvia64+0x4512c

fffff88002dc90d8 fffff88002dc9280 : fffffa800617bfb4 fffffa8005702004 fffffa8080000000 fffffa800566b194 : 0xfffff880`02dc9260

fffff88002dc90e0 fffffa800617bfb4 : fffffa8005702004 fffffa8080000000 fffffa800566b194 0000000000000004 : 0xfffff880`02dc9280

fffff88002dc90e8 fffffa8005702004 : fffffa8080000000 fffffa800566b194 0000000000000004 fffff88002dc9828 : 0xfffffa80`0617bfb4

fffff88002dc90f0 fffffa8080000000 : fffffa800566b194 0000000000000004 fffff88002dc9828 0000000000000000 : 0xfffffa80`05702004

fffff88002dc90f8 fffffa800566b194 : 0000000000000004 fffff88002dc9828 0000000000000000 fffffa800617bfbc : 0xfffffa80`80000000

fffff88002dc9100 0000000000000004 : fffff88002dc9828 0000000000000000 fffffa800617bfbc fffffa80040ef434 : 0xfffffa80`0566b194

fffff88002dc9108 fffff88002dc9828 : 0000000000000000 fffffa800617bfbc fffffa80040ef434 fffffa8000000000 : 0x4

fffff88002dc9110 0000000000000000 : fffffa800617bfbc fffffa80040ef434 fffffa8000000000 fffffa80040ef434 : 0xfffff880`02dc9828

STACK_COMMAND: kb

FOLLOWUP_IP:

IDSvia64+4512c

fffff880`03ee412c 48833800 cmp qword ptr [rax],0

SYMBOL_STACK_INDEX: 3

SYMBOL_NAME: IDSvia64+4512c

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: IDSvia64

IMAGE_NAME: IDSvia64.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4ae76706

FAILURE_BUCKET_ID: X64_0xD1_IDSvia64+4512c

BUCKET_ID: X64_0xD1_IDSvia64+4512c

Followup: MachineOwner

---------