Solved

Netbt.sys BSOD

Posted on 2011-02-16
Last Modified: 2012-05-11
I have a Windows XP (SP3) PC that gets a blue screen on a semi-regular basis (any ideas?):
 
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: b8795ca0, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: b4bffa1b, address which referenced memory

Debugging Details:
------------------


WRITE_ADDRESS:  b8795ca0 

CURRENT_IRQL:  2

FAULTING_IP: 
netbt!DisconnectHndlrNotOs+74f
b4bffa1b f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0xD1

PROCESS_NAME:  System

LAST_CONTROL_TRANSFER:  from b4bfe42f to b4bffa1b

STACK_TEXT:  
b4256abc b4bfe42f 89a0ca18 000001fe 89c158a8 netbt!DisconnectHndlrNotOs+0x74f
b4256b18 b4bfd8c9 00000000 b4b2cbd8 8aaad7f8 netbt!RejectSession+0x32b
b4256b34 b4bfe04c b4256b58 b4b2cbd8 8b012ca8 netbt!Outbound+0x8a9
b4256b84 b4bfacdc 8aa52d30 89890008 8b012c98 netbt!GetIrpIfNotCancelled+0x68
b4256ba0 804ef19f e0a52d30 898900c0 00000000 netbt!AddToHashTable+0x920
b4256bc8 b4bfe0bb 00000000 89890008 00000000 nt!MiFlushSectionInternal+0x256
b4256c18 b4bfacdc 8aa52d30 898f0008 8a83c154 netbt!GetIrpIfNotCancelled+0xd7
b4256c34 804ef19f e0a52d30 898f00c0 898f0008 netbt!AddToHashTable+0x920
b4256c8c b4b26e3d 00000000 00000003 89960a58 nt!MiFlushSectionInternal+0x256
b4256ca4 b4b38479 01936e28 00000000 8993b8f0 rdbss!WPP_SF_qc+0x11
b4256d00 b4ae2b5f 8abe34a0 00000000 00000002 rdbss!WPP_SF_qxxqq+0x39
b4256d50 b4ab94ca 89a6d318 8abe34a0 b4b2cfc0 mrxsmb!_NULL_IMPORT_DESCRIPTOR <PERF> (mrxsmb+0x2fb5f)
b4256d6c b4b234b1 89a6d318 00000000 89ae8b40 mrxsmb!SmbCeResumeSuspendedExchangesLite+0x192
b4256d9c b4b2d957 00b2cfc0 b4b2d240 b4256ddc rdbss!WPP_SF_Lq <PERF> (rdbss+0x4b1)
b4256dac 805cffa8 b4b2cfc0 00000000 00000000 rdbss!WPP_SF_Dxqqqd+0x33
b4256ddc 8054615e b4b2d93d b4b2cfc0 00000000 nt!IopQueryReconfiguration+0x76
b4256df0 00000000 00000000 00000000 00000000 nt!ExpFindAndRemoveTagBigPages+0x1c


STACK_COMMAND:  kb

FOLLOWUP_IP: 
netbt!DisconnectHndlrNotOs+74f
b4bffa1b f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  netbt!DisconnectHndlrNotOs+74f

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: netbt

IMAGE_NAME:  netbt.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  48025d1b

FAILURE_BUCKET_ID:  0xD1_netbt!DisconnectHndlrNotOs+74f

BUCKET_ID:  0xD1_netbt!DisconnectHndlrNotOs+74f

Followup: MachineOwner
---------

0: kd> lmvm netbt
start    end        module name
b4bf9000 b4c20c00   netbt    M (pdb symbols)          q:\debuggingtools\symbols\netbt.pdb\1626402455904865A529CF25011A28871\netbt.pdb
    Loaded symbol image file: netbt.sys
    Image path: netbt.sys
    Image name: netbt.sys
    Timestamp:        Sun Apr 13 14:20:59 2008 (48025D1B)
    CheckSum:         0002FE7A
    ImageSize:        00027C00
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4



Thanks!
Question by:IT_Crowd
 
LVL 3

Expert Comment

by:rabindrajha
ID: 34907526
0
 
LVL 22

Expert Comment

by:optoma
ID: 34907896
Could be patched
Run these on machine and post logs if needed :)
TdssKiller and Hitmanpro.
http://support.kaspersky.com/viruses/solutions?qid=208280684
http://www.surfright.nl/en/hitmanpro
0
 
LVL 13

Author Comment

by:IT_Crowd
ID: 34910561
Do you think it is a malware infection vs a corrupted driver?
0
 
LVL 13

Author Comment

by:IT_Crowd
ID: 34910605
I will run those and let you know.
0
 
LVL 13

Author Comment

by:IT_Crowd
ID: 34910851
All scans passed - no problems found
0
 
LVL 22

Accepted Solution

by:
optoma earned 500 total points
ID: 34910861
More so these days a corrupted driver is due to it being patched :)
0
 
LVL 22

Expert Comment

by:optoma
ID: 34911060
Ok.
1> Can you attach TdssKiller's log from c:\ and the three recent actual minidump files from c:\windows\minidump?

2> Run Autoruns.
In Autoruns:
Hit Options and check "Verify code signatures" and rescan (F5 key)
Don't make any other changes...

Within Autoruns, select the File tab and select Save (Ctrl+S) and save as AutoRuns Data (*.arn)

Autoruns http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

3> Anything in Event Viewer, red ball errors regarding anything network related?

4> How long has this been happening? Any recent change in AV or FW software or hardware?

5> No recent virus etc. detected?

0
 
LVL 13

Author Comment

by:IT_Crowd
ID: 35129847
Objection - issue has been solved. I would like to assign a solution.
0
 
LVL 13

Author Closing Comment

by:IT_Crowd
ID: 35189115
Good idea - NIC driver was corrupted.
0
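
Added example, not part of the original thread: a check that compares a driver file on disk with the Timestamp, CheckSum and ImageSize that `lmvm netbt` printed in the question, and recomputes the PE checksum to catch a file whose content changed after it was built. The function names and the 512-byte sample image are constructed for illustration. The PE checksum is not cryptographic, so it catches corruption but not a patch that also rewrites the checksum, which is what the code-signature verification in Autoruns is for.

```python
import struct

def pe_header_fields(data):
    """Return (TimeDateStamp, SizeOfImage, CheckSum, CheckSum file offset)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]       # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    opt = pe + 24                                      # optional header start
    stamp, = struct.unpack_from("<I", data, pe + 8)    # COFF TimeDateStamp
    size, = struct.unpack_from("<I", data, opt + 56)   # SizeOfImage
    stored, = struct.unpack_from("<I", data, opt + 64) # CheckSum
    return stamp, size, stored, opt + 64

def pe_checksum(data, csum_off):
    """Folded 16-bit word sum with the CheckSum field skipped, plus file length."""
    padded = data + b"\0" * (len(data) % 2)
    total = 0
    for i in range(0, len(padded), 2):                 # assumes csum_off is even
        if csum_off <= i < csum_off + 4:
            continue
        total += int.from_bytes(padded[i:i + 2], "little")
        total = (total & 0xFFFF) + (total >> 16)       # end-around carry
    return (total + len(data)) & 0xFFFFFFFF

def compare_with_lmvm(data, lm_stamp, lm_checksum, lm_size):
    """List every disagreement between the file on disk and the lmvm values."""
    stamp, size, stored, off = pe_header_fields(data)
    problems = []
    if stamp != lm_stamp:
        problems.append("timestamp differs from loaded image")
    if size != lm_size:
        problems.append("ImageSize differs from loaded image")
    if stored != lm_checksum:
        problems.append("header CheckSum differs from loaded image")
    if pe_checksum(data, off) != stored:
        problems.append("recomputed checksum differs: file content changed")
    return problems

def build_sample_image():
    """Constructed 512-byte PE stub (not a real driver) with a valid checksum."""
    img = bytearray(512)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<I", img, 0x88, 0x48025D1B)      # Timestamp from the lmvm output
    struct.pack_into("<I", img, 0x98 + 56, 0x27C00)    # ImageSize from the lmvm output
    img[0x100:0x110] = b"constructed data"
    struct.pack_into("<I", img, 0x98 + 64, pe_checksum(bytes(img), 0x98 + 64))
    return bytes(img)
```

For a real check, pass the bytes of a copy of netbt.sys together with the values from the dump: `compare_with_lmvm(data, 0x48025D1B, 0x0002FE7A, 0x27C00)`.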


Question has a verified solution.
