• Status: Solved

Netbt.sys BSOD

I have a Windows XP (SP3) PC that gets a blue screen on a semi-regular basis (any ideas?):
 
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: b8795ca0, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: b4bffa1b, address which referenced memory

Debugging Details:
------------------


WRITE_ADDRESS:  b8795ca0 

CURRENT_IRQL:  2

FAULTING_IP: 
netbt!DisconnectHndlrNotOs+74f
b4bffa1b f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0xD1

PROCESS_NAME:  System

LAST_CONTROL_TRANSFER:  from b4bfe42f to b4bffa1b

STACK_TEXT:  
b4256abc b4bfe42f 89a0ca18 000001fe 89c158a8 netbt!DisconnectHndlrNotOs+0x74f
b4256b18 b4bfd8c9 00000000 b4b2cbd8 8aaad7f8 netbt!RejectSession+0x32b
b4256b34 b4bfe04c b4256b58 b4b2cbd8 8b012ca8 netbt!Outbound+0x8a9
b4256b84 b4bfacdc 8aa52d30 89890008 8b012c98 netbt!GetIrpIfNotCancelled+0x68
b4256ba0 804ef19f e0a52d30 898900c0 00000000 netbt!AddToHashTable+0x920
b4256bc8 b4bfe0bb 00000000 89890008 00000000 nt!MiFlushSectionInternal+0x256
b4256c18 b4bfacdc 8aa52d30 898f0008 8a83c154 netbt!GetIrpIfNotCancelled+0xd7
b4256c34 804ef19f e0a52d30 898f00c0 898f0008 netbt!AddToHashTable+0x920
b4256c8c b4b26e3d 00000000 00000003 89960a58 nt!MiFlushSectionInternal+0x256
b4256ca4 b4b38479 01936e28 00000000 8993b8f0 rdbss!WPP_SF_qc+0x11
b4256d00 b4ae2b5f 8abe34a0 00000000 00000002 rdbss!WPP_SF_qxxqq+0x39
b4256d50 b4ab94ca 89a6d318 8abe34a0 b4b2cfc0 mrxsmb!_NULL_IMPORT_DESCRIPTOR <PERF> (mrxsmb+0x2fb5f)
b4256d6c b4b234b1 89a6d318 00000000 89ae8b40 mrxsmb!SmbCeResumeSuspendedExchangesLite+0x192
b4256d9c b4b2d957 00b2cfc0 b4b2d240 b4256ddc rdbss!WPP_SF_Lq <PERF> (rdbss+0x4b1)
b4256dac 805cffa8 b4b2cfc0 00000000 00000000 rdbss!WPP_SF_Dxqqqd+0x33
b4256ddc 8054615e b4b2d93d b4b2cfc0 00000000 nt!IopQueryReconfiguration+0x76
b4256df0 00000000 00000000 00000000 00000000 nt!ExpFindAndRemoveTagBigPages+0x1c


STACK_COMMAND:  kb

FOLLOWUP_IP: 
netbt!DisconnectHndlrNotOs+74f
b4bffa1b f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  netbt!DisconnectHndlrNotOs+74f

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: netbt

IMAGE_NAME:  netbt.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  48025d1b

FAILURE_BUCKET_ID:  0xD1_netbt!DisconnectHndlrNotOs+74f

BUCKET_ID:  0xD1_netbt!DisconnectHndlrNotOs+74f

Followup: MachineOwner
---------

0: kd> lmvm netbt
start    end        module name
b4bf9000 b4c20c00   netbt    M (pdb symbols)          q:\debuggingtools\symbols\netbt.pdb\1626402455904865A529CF25011A28871\netbt.pdb
    Loaded symbol image file: netbt.sys
    Image path: netbt.sys
    Image name: netbt.sys
    Timestamp:        Sun Apr 13 14:20:59 2008 (48025D1B)
    CheckSum:         0002FE7A
    ImageSize:        00027C00
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4



Thanks!
0
IT_Crowd
Asked:
1 Solution
 
optoma Commented:
Could be patched
Run these on machine and post logs if needed :)
TdssKiller and Hitmanpro.
http://support.kaspersky.com/viruses/solutions?qid=208280684
http://www.surfright.nl/en/hitmanpro
0
 
IT_Crowd (Author) Commented:
Do you think it is a malware infection vs a corrupted driver?
0
 
IT_Crowd (Author) Commented:
I will run those and let you know.
0
 
IT_Crowd (Author) Commented:
All scans passed - no problems found
0
 
optoma Commented:
More so these days a corrupted driver is due to it being patched :)
0
 
optoma Commented:
Ok.
1> Can you attach TdssKiller's log from c:\ and the three recent actual minidump files from c:\windows\minidump

2> Run Autoruns.
In Autoruns:
Hit Options and check "Verify code signatures" and rescan (F5 key)
Don't make any other changes...

Within Autoruns, select the File tab and select Save (Ctrl+S) and save as AutoRuns Data (*.arn)

Autoruns http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

3> Anything in event viewer, red ball errors regarding anything network related?

4> How long has this been happening? Any recent change in AV or FW software or hardware?

5> No recent virus etc. detected?

0
 
IT_Crowd (Author) Commented:
Objection - issue has been solved. I would like to assign a solution.
0
 
IT_Crowd (Author) Commented:
Good idea - NIC driver was corrupted.
0
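
Whether a driver file on disk is the same image the crash dump loaded, and whether it was altered after linking, can be checked by comparing its PE header to the `lmvm netbt` values in the question and recomputing the PE checksum; the Python below is an added example, not code from the thread. The function names and the header-only sample image are constructed for illustration, and a matching checksum does not rule out a patch that also rewrote the checksum field.

```python
import struct

# Values copied from the `lmvm netbt` output in the question.
LMVM = {"timestamp": 0x48025D1B, "checksum": 0x0002FE7A, "size_of_image": 0x00027C00}

def pe_header_fields(data: bytes) -> dict:
    """Read TimeDateStamp, SizeOfImage and CheckSum from a PE image (hypothetical helper)."""
    u32 = lambda off: struct.unpack_from("<I", data, off)[0]
    pe = u32(0x3C)                      # e_lfanew: file offset of the "PE\0\0" signature
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = pe + 24                       # 4-byte signature + 20-byte COFF header
    return {"timestamp": u32(pe + 8), "size_of_image": u32(opt + 56),
            "checksum": u32(opt + 64), "checksum_offset": opt + 64}

def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Recompute the PE checksum: folded 16-bit word sum plus the file length."""
    buf = bytearray(data)
    buf[checksum_offset:checksum_offset + 4] = b"\0\0\0\0"   # field is excluded from the sum
    buf += b"\0" * (len(buf) % 2)                            # pad to a whole word
    total = 0
    for (word,) in struct.iter_unpack("<H", buf):
        total += word
        total = (total & 0xFFFF) + (total >> 16)             # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF

def compare_to_lmvm(data: bytes, expected: dict = LMVM) -> list:
    """Return findings; an empty list means the file agrees with the dump's module header."""
    f = pe_header_fields(data)
    findings = [f"{k}: file {f[k]:08x} != dump {expected[k]:08x}"
                for k in ("timestamp", "checksum", "size_of_image") if f[k] != expected[k]]
    actual = pe_checksum(data, f["checksum_offset"])
    if actual != f["checksum"]:
        findings.append(f"stored checksum {f['checksum']:08x} != recomputed {actual:08x}")
    return findings

def constructed_image(patch: bool = False) -> bytes:
    """Constructed header-only stand-in for a driver file (not a real netbt.sys)."""
    img = bytearray(0x200)
    img[0:2], img[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x80)
    struct.pack_into("<I", img, 0x88, LMVM["timestamp"])
    struct.pack_into("<I", img, 0x98 + 56, LMVM["size_of_image"])
    struct.pack_into("<I", img, 0x98 + 64, pe_checksum(bytes(img), 0x98 + 64))
    if patch:
        img[0x1F0] ^= 0x90              # simulate one byte changed after linking
    return bytes(img)
```

For a real check, read the driver from a copy taken offline (for example `open(path, "rb").read()`) and pass the bytes to `compare_to_lmvm`.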
