SYMEVENT.SYS causing BSOD

Archive
1

I have a useres comptuer that keeps getting the BSOD, runing windows debugger leads me to belive its symevent.sys causing the problem, I have since uninstalled s ymantec, rebooted and reinstalled and the same error occoured. Below is a extract from the windows debugger.

 


Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.090206-1234
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Thu Jun 11 15:11:06.011 2009 (GMT-4)
System Uptime: 0 days 0:32:49.093
Loading Kernel Symbols
...............................................................
................................................................
..................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffda00c).  Type ".hh dbgerr001" for details
Loading unloaded module list
.....................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 35, {84f6edb8, 0, 0, 0}

*** ERROR: Module load completed but symbols could not be loaded for SYMEVENT.SYS
PEB is paged out (Peb.Ldr = 7ffda00c).  Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffda00c).  Type ".hh dbgerr001" for details
Probably caused by : SYMEVENT.SYS ( SYMEVENT+7602 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

NO_MORE_IRP_STACK_LOCATIONS (35)
A higher level driver has attempted to call a lower level driver through
the IoCallDriver() interface, but there are no more stack locations in the
packet, hence, the lower level driver would not be able to access its
parameters, as there are no parameters for it.  This is a disasterous
situation, since the higher level driver "thinks" it has filled in the
parameters for the lower level driver (something it MUST do before it calls
it), but since there is no stack location for the latter driver, the former
has written off of the end of the packet.  This means that some other memory
has probably been trashed at this point.
Arguments:
Arg1: 84f6edb8, Address of the IRP
Arg2: 00000000
Arg3: 00000000
Arg4: 00000000

Debugging Details:
------------------

PEB is paged out (Peb.Ldr = 7ffda00c).  Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffda00c).  Type ".hh dbgerr001" for details

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x35

PROCESS_NAME:  EXCEL.EXE

LAST_CONTROL_TRANSFER:  from 804ef186 to 804f9f43

STACK_TEXT: 
a7785a98 804ef186 00000035 84f6edb8 00000000 nt!KeBugCheckEx+0x1b
a7785ab0 b9e20bb2 85495200 84f6edb8 85492008 nt!IopfCallDriver+0x18
a7785ac4 b9e21059 a7785adc a7785b30 8aa90030 fltMgr!FltpPassThrough+0x12c
a7785af4 804ef19f 85495200 84f6edb8 84f6ee68 fltMgr!FltpDispatch+0x10d
a7785b04 b9e20bb2 85228ee8 84f6edb8 85205bf0 nt!IopfCallDriver+0x31
a7785b18 b9e21059 a7785b30 a7785ba8 8aa90030 fltMgr!FltpPassThrough+0x12c
a7785b48 804ef19f 85228ee8 84f6edb8 804f0054 fltMgr!FltpDispatch+0x10d
a7785b58 acd92602 84f6ee70 84f6ee94 a7785ba8 nt!IopfCallDriver+0x31
WARNING: Stack unwind information not available. Following frames may be wrong.
a7785b70 acd99750 85228ee8 84f6ee8c a7785ba8 SYMEVENT+0x7602
a7785b8c acd92769 a7785ba8 804f0054 acd9282a SYMEVENT+0xe750
a7785bc8 804ef19f 8527c570 84f6edb8 84f6eeb0 SYMEVENT+0x7769
a7785cc0 8057b543 a7785d64 035ce770 8057b010 nt!IopfCallDriver+0x31
a7785d48 8054162c 00000324 035ce8fc 001a5288 nt!NtSetInformationFile+0x533
a7785d48 7c90e514 00000324 035ce8fc 001a5288 nt!KiFastCallEntry+0xfc
035ceb78 00000000 00000000 00000000 00000000 0x7c90e514


STACK_COMMAND:  kb

FOLLOWUP_IP:
SYMEVENT+7602
acd92602 894318          mov     dword ptr [ebx+18h],eax

SYMBOL_STACK_INDEX:  8

SYMBOL_NAME:  SYMEVENT+7602

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: SYMEVENT

IMAGE_NAME:  SYMEVENT.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  43cc07de

FAILURE_BUCKET_ID:  0x35_SYMEVENT+7602

BUCKET_ID:  0x35_SYMEVENT+7602

Followup: MachineOwner
---------