Solved

Netbt.sys BSOD

Posted on 2011-02-16
Last Modified: 2012-05-11
I have a Windows XP (SP3) PC that gets a blue screen on a semi-regular basis (any ideas?):
 
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: b8795ca0, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: b4bffa1b, address which referenced memory

Debugging Details:
------------------


WRITE_ADDRESS:  b8795ca0 

CURRENT_IRQL:  2

FAULTING_IP: 
netbt!DisconnectHndlrNotOs+74f
b4bffa1b f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0xD1

PROCESS_NAME:  System

LAST_CONTROL_TRANSFER:  from b4bfe42f to b4bffa1b

STACK_TEXT:  
b4256abc b4bfe42f 89a0ca18 000001fe 89c158a8 netbt!DisconnectHndlrNotOs+0x74f
b4256b18 b4bfd8c9 00000000 b4b2cbd8 8aaad7f8 netbt!RejectSession+0x32b
b4256b34 b4bfe04c b4256b58 b4b2cbd8 8b012ca8 netbt!Outbound+0x8a9
b4256b84 b4bfacdc 8aa52d30 89890008 8b012c98 netbt!GetIrpIfNotCancelled+0x68
b4256ba0 804ef19f e0a52d30 898900c0 00000000 netbt!AddToHashTable+0x920
b4256bc8 b4bfe0bb 00000000 89890008 00000000 nt!MiFlushSectionInternal+0x256
b4256c18 b4bfacdc 8aa52d30 898f0008 8a83c154 netbt!GetIrpIfNotCancelled+0xd7
b4256c34 804ef19f e0a52d30 898f00c0 898f0008 netbt!AddToHashTable+0x920
b4256c8c b4b26e3d 00000000 00000003 89960a58 nt!MiFlushSectionInternal+0x256
b4256ca4 b4b38479 01936e28 00000000 8993b8f0 rdbss!WPP_SF_qc+0x11
b4256d00 b4ae2b5f 8abe34a0 00000000 00000002 rdbss!WPP_SF_qxxqq+0x39
b4256d50 b4ab94ca 89a6d318 8abe34a0 b4b2cfc0 mrxsmb!_NULL_IMPORT_DESCRIPTOR <PERF> (mrxsmb+0x2fb5f)
b4256d6c b4b234b1 89a6d318 00000000 89ae8b40 mrxsmb!SmbCeResumeSuspendedExchangesLite+0x192
b4256d9c b4b2d957 00b2cfc0 b4b2d240 b4256ddc rdbss!WPP_SF_Lq <PERF> (rdbss+0x4b1)
b4256dac 805cffa8 b4b2cfc0 00000000 00000000 rdbss!WPP_SF_Dxqqqd+0x33
b4256ddc 8054615e b4b2d93d b4b2cfc0 00000000 nt!IopQueryReconfiguration+0x76
b4256df0 00000000 00000000 00000000 00000000 nt!ExpFindAndRemoveTagBigPages+0x1c


STACK_COMMAND:  kb

FOLLOWUP_IP: 
netbt!DisconnectHndlrNotOs+74f
b4bffa1b f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  netbt!DisconnectHndlrNotOs+74f

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: netbt

IMAGE_NAME:  netbt.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  48025d1b

FAILURE_BUCKET_ID:  0xD1_netbt!DisconnectHndlrNotOs+74f

BUCKET_ID:  0xD1_netbt!DisconnectHndlrNotOs+74f

Followup: MachineOwner
---------

0: kd> lmvm netbt
start    end        module name
b4bf9000 b4c20c00   netbt    M (pdb symbols)          q:\debuggingtools\symbols\netbt.pdb\1626402455904865A529CF25011A28871\netbt.pdb
    Loaded symbol image file: netbt.sys
    Image path: netbt.sys
    Image name: netbt.sys
    Timestamp:        Sun Apr 13 14:20:59 2008 (48025D1B)
    CheckSum:         0002FE7A
    ImageSize:        00027C00
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4



Thanks!
0
Question by:IT_Crowd
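
Added example (not part of the original thread): a small Python triage of the debugger output posted in the question. It decodes the 0xD1 arguments, checks that the faulting address lies inside the netbt.sys image range reported by lmvm, and lists the drivers on the call path whose on-disk files are worth verifying. The function name `triage`, its result keys, and the trimmed `SAMPLE` excerpt are assumptions of this example.

```python
import re

# Constructed sample: a trimmed excerpt of the analysis text in the question.
SAMPLE = """\
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
Arg1: b8795ca0, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: b4bffa1b, address which referenced memory
STACK_TEXT:
b4256abc b4bfe42f 89a0ca18 000001fe 89c158a8 netbt!DisconnectHndlrNotOs+0x74f
b4256b18 b4bfd8c9 00000000 b4b2cbd8 8aaad7f8 netbt!RejectSession+0x32b
b4256ca4 b4b38479 01936e28 00000000 8993b8f0 rdbss!WPP_SF_qc+0x11
b4256d6c b4b234b1 89a6d318 00000000 89ae8b40 mrxsmb!SmbCeResumeSuspendedExchangesLite+0x192
b4256ddc 8054615e b4b2d93d b4b2cfc0 00000000 nt!IopQueryReconfiguration+0x76
IMAGE_NAME:  netbt.sys
start    end        module name
b4bf9000 b4c20c00   netbt    M (pdb symbols)
"""

def triage(text):
    """Extract triage fields from `!analyze -v` plus `lmvm` text (hypothetical helper)."""
    name, code = re.search(r"^(\w+) \(([0-9a-f]+)\)\s*$", text, re.M).groups()
    args = [int(v, 16) for v in re.findall(r"^Arg\d: ([0-9a-f]{8}),", text, re.M)]
    out = {"bugcheck": name, "code": int(code, 16), "args": args}
    if out["code"] == 0xD1 and len(args) == 4:
        # Argument meanings exactly as printed in the dump for bugcheck 0xD1.
        out["target"], out["irql"], out["faulting_ip"] = args[0], args[1], args[3]
        out["access"] = "write" if args[2] == 1 else "read"
    # A stack frame is five hex columns followed by module!symbol; keep call order.
    frames = re.findall(r"^(?:[0-9a-f]{8} ){5}(\w+)!", text, re.M)
    out["module_chain"] = list(dict.fromkeys(frames))
    image = re.search(r"^IMAGE_NAME:\s+(\S+)", text, re.M)
    out["image"] = image.group(1) if image else None
    if image and "faulting_ip" in out:
        # Find the lmvm "start end module" row for the blamed image.
        mod = re.escape(image.group(1).rsplit(".", 1)[0])
        lm = re.search(rf"^([0-9a-f]{{8}}) ([0-9a-f]{{8}})\s+{mod}\b", text, re.M)
        if lm:
            start, end = (int(x, 16) for x in lm.groups())
            out["ip_in_image"] = start <= out["faulting_ip"] < end
            out["image_offset"] = out["faulting_ip"] - start
    return out

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The result only says where the fault happened (a write at IRQL 2 from code inside netbt.sys, reached through the SMB redirector drivers); deciding between a patched file and a damaged one still needs the signature and scan checks discussed in the replies.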
10 Comments
 
LVL 3

Expert Comment

by:rabindrajha
ID: 34907526
0
 
LVL 22

Expert Comment

by:optoma
ID: 34907896
Could be patched
Run these on the machine and post logs if needed :)
TDSSKiller and HitmanPro.
http://support.kaspersky.com/viruses/solutions?qid=208280684
http://www.surfright.nl/en/hitmanpro
0
 
LVL 13

Author Comment

by:IT_Crowd
ID: 34910561
Do you think it is a malware infection vs a corrupted driver?
0
 
LVL 13

Author Comment

by:IT_Crowd
ID: 34910605
I will run those and let you know.
0

 
LVL 13

Author Comment

by:IT_Crowd
ID: 34910851
All scans passed - no problems found
0
 
LVL 22

Accepted Solution

by:
optoma earned 500 total points
ID: 34910861
More so these days a corrupted driver is due to it being patched :)
0
 
LVL 22

Expert Comment

by:optoma
ID: 34911060
Ok.
1> Can you attach TDSSKiller's log from c:\ and the three recent actual minidump files from c:\windows\minidump

2> Run Autoruns.
In Autoruns:
Hit Options and check "Verify code signatures" and rescan (F5 key)
Don't make any other changes...

Within Autoruns, select the File tab and select Save (Ctrl+S) and save as AutoRuns Data (*.arn)

Autoruns http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

3> Anything in Event Viewer, red ball errors regarding anything network related?

4> How long has this been happening? Any recent change in AV or FW software or hardware?

5> No recent virus etc. detected?

0
 
LVL 13

Author Comment

by:IT_Crowd
ID: 35129847
Objection - issue has been solved. I would like to assign a solution.
0
 
LVL 13

Author Closing Comment

by:IT_Crowd
ID: 35189115
Good idea - NIC driver was corrupted.
0

Question has a verified solution.
