Hi All,
I have a Windows 7 laptop with Norton 360 installed.
For the last couple of days, when turning it on, Windows loads up to the point of the login screen and then blue screens and reboots; the same applies for safe mode and last known good config.
Windows Startup Repair is unable to fix the problem.
chkdsk /r and sfc /scannow have been run from the command prompt after the startup repair has had its attempt.
System Restore is offering no checkpoints, so either that is turned off or not working properly, so can't see if that will fix things.
I've managed to get the dump file off the laptop, and looking at it on this machine, it suggests the crash is probably caused by IDSvia64.sys.
I'm currently running the NBRT scan to see if it's a virus causing the issue.
Has anyone else come across this problem, and any ideas as to how to get around it?
Is there a way to uninstall N360 from the recovery console to rule out the software as the cause of the BSOD?
The result of the dump file is:
*******************************************************************************
*                        Bugcheck Analysis                                    *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck D1, {fffffa80fffffa80, 2, 0, fffff88003ee412c}
Unable to load image ??\C:\ProgramData\Norton{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20091111.001\IDSvia64.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for IDSvia64.sys
*** ERROR: Module load completed but symbols could not be loaded for IDSvia64.sys
Probably caused by : IDSvia64.sys ( IDSvia64+4512c )
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
*                        Bugcheck Analysis                                    *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: fffffa80fffffa80, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff88003ee412c, address which referenced memory
Debugging Details:
OVERLAPPED_MODULE: Address regions for ‘ENG64’ and ‘ENG64.SYS’ overlap
READ_ADDRESS: GetPointerFromAddress: unable to read from fffff80002b0d0e0 fffffa80fffffa80
CURRENT_IRQL: 2
FAULTING_IP:
IDSvia64+4512c
fffff880`03ee412c 48833800 cmp qword ptr [rax],0
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0xD1
PROCESS_NAME: System
TRAP_FRAME: fffff88002dc8f40 -- (.trap 0xfffff88002dc8f40)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffffa80fffffa80 rbx=0000000000000000 rcx=fffffa80040ef014
rdx=0000000000000022 rsi=0000000000000000 rdi=0000000000000000
rip=fffff88003ee412c rsp=fffff88002dc90d0 rbp=ffffffffffffffff
r8=fffff88003e9f000 r9=00000000000000ab r10=fffffa80040ef75c
r11=0000000000000001 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
IDSvia64+0x4512c:
fffff88003ee412c 48833800 cmp qword ptr [rax],0 ds:f79c:fffffa80fffffa80=???
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff800028d6469 to fffff800028d6f00
STACK_TEXT:
fffff88002dc8df8 fffff800028d6469 : 000000000000000a fffffa80fffffa80 0000000000000002 0000000000000000 : nt!KeBugCheckEx
fffff88002dc8e00 fffff800028d50e0 : 0000000000000000 fffffa8007ae84c0 fffffa80040ef434 fffffa8004202884 : nt!KiBugCheckDispatch+0x69
fffff88002dc8f40 fffff88003ee412c : fffff88002dc9260 fffff88002dc9280 fffffa800617bfb4 fffffa8005702004 : nt!KiPageFault+0x260
fffff88002dc90d0 fffff88002dc9260 : fffff88002dc9280 fffffa800617bfb4 fffffa8005702004 fffffa8080000000 : IDSvia64+0x4512c
fffff88002dc90d8 fffff88002dc9280 : fffffa800617bfb4 fffffa8005702004 fffffa8080000000 fffffa800566b194 : 0xfffff880`02dc9260
fffff88002dc90e0 fffffa800617bfb4 : fffffa8005702004 fffffa8080000000 fffffa800566b194 0000000000000004 : 0xfffff880`02dc9280
fffff88002dc90e8 fffffa8005702004 : fffffa8080000000 fffffa800566b194 0000000000000004 fffff88002dc9828 : 0xfffffa80`0617bfb4
fffff88002dc90f0 fffffa8080000000 : fffffa800566b194 0000000000000004 fffff88002dc9828 0000000000000000 : 0xfffffa80`05702004
fffff88002dc90f8 fffffa800566b194 : 0000000000000004 fffff88002dc9828 0000000000000000 fffffa800617bfbc : 0xfffffa80`80000000
fffff88002dc9100 0000000000000004 : fffff88002dc9828 0000000000000000 fffffa800617bfbc fffffa80040ef434 : 0xfffffa80`0566b194
fffff88002dc9108 fffff88002dc9828 : 0000000000000000 fffffa800617bfbc fffffa80040ef434 fffffa8000000000 : 0x4
fffff88002dc9110 0000000000000000 : fffffa800617bfbc fffffa80040ef434 fffffa8000000000 fffffa80040ef434 : 0xfffff880`02dc9828
STACK_COMMAND: kb
FOLLOWUP_IP:
IDSvia64+4512c
fffff880`03ee412c 48833800 cmp qword ptr [rax],0
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: IDSvia64+4512c
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: IDSvia64
IMAGE_NAME: IDSvia64.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4ae76706
FAILURE_BUCKET_ID: X64_0xD1_IDSvia64+4512c
BUCKET_ID: X64_0xD1_IDSvia64+4512c
Followup: MachineOwner
---------
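
An added example, not part of the original post: a small Python triage of the `!analyze -v` text above that decodes the D1 arguments, derives the driver's load address from the faulting IP and offset, and converts DEBUG_FLR_IMAGE_TIMESTAMP to a UTC build date. SAMPLE is an excerpt copied from the post; the function name `triage` and the result keys are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# Excerpt of the debugger output in the post (values copied from the page).
SAMPLE = """\
BugCheck D1, {fffffa80fffffa80, 2, 0, fffff88003ee412c}
Probably caused by : IDSvia64.sys ( IDSvia64+4512c )
Arg1: fffffa80fffffa80, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff88003ee412c, address which referenced memory
IMAGE_NAME: IDSvia64.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4ae76706
FAILURE_BUCKET_ID: X64_0xD1_IDSvia64+4512c
"""

IRQL_NAMES = {0: "PASSIVE_LEVEL", 1: "APC_LEVEL", 2: "DISPATCH_LEVEL"}
ACCESS = {0: "read", 1: "write"}

def triage(text):
    """Summarise a DRIVER_IRQL_NOT_LESS_OR_EQUAL (0xD1) analysis."""
    code = re.search(r"^BugCheck ([0-9A-Fa-f]+),", text, re.M)
    if not code or int(code.group(1), 16) != 0xD1:
        raise ValueError("not a 0xD1 bugcheck summary")
    # WinDbg may print 64-bit values with a backtick separator; strip it.
    raw = re.findall(r"^Arg[1-4]: ([0-9a-f`]+),", text, re.M)
    args = [int(v.replace("`", ""), 16) for v in raw]
    if len(args) != 4:
        raise ValueError("expected Arg1..Arg4")
    fields = dict(re.findall(r"^([A-Z_]+):\s+(\S+)", text, re.M))
    hit = re.search(r"Probably caused by : \S+ \( \w+\+([0-9a-f]+) \)", text)
    offset = int(hit.group(1), 16) if hit else None
    stamp = int(fields["DEBUG_FLR_IMAGE_TIMESTAMP"], 16)  # PE header, Unix time
    built = datetime.fromtimestamp(stamp, tz=timezone.utc)
    return {
        "referenced": args[0],
        "irql": IRQL_NAMES.get(args[1], str(args[1])),
        "access": ACCESS.get(args[2], hex(args[2])),
        "image": fields["IMAGE_NAME"],
        # Faulting IP minus module offset gives the driver's load address.
        "image_base": args[3] - offset if offset is not None else None,
        "image_built": built.strftime("%Y-%m-%d"),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, hex(value) if isinstance(value, int) else value)
```

The derived load address equals the r8 value shown in the trap frame above.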