  • Status: Solved
  • Priority: Medium
  • Security: Public

BSOD on XP-pro Code: 027, Kaspersky at fault?

Hi

A client has been plagued by a recurring BSOD either during or shortly after boot.

The analysis from the minidump is below.  I think I did this right...

It seems to me that a Kaspersky-based file kltdi.sys is at fault, based on the dump analysis, but I can't see how, or what exactly to do other than removing the file.

Can anyone confirm my conclusions or add any additional input to clarify my approach to take care of this?  I'm not very experienced in dump analysis. Thanks so much.

The dump analysis is below and the dump file attached


file is attached

************************


Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [c:\Mini0513.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: c:\windows\symbols
Executable search path is: f:\I386
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Mon May 13 13:35:09.562 2013 (UTC - 5:00)
System Uptime: 0 days 0:02:55.218
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Loading Kernel Symbols
...............................................................
................................................................
.....
Loading User Symbols
Loading unloaded module list
...............
Unable to load image rdbss.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for rdbss.sys
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 27, {baad00a3, a7c01258, a7c00f54, 8a5a9b20}

*** WARNING: Unable to verify timestamp for mfetdik.sys
*** ERROR: Module load completed but symbols could not be loaded for mfetdik.sys
*** WARNING: Unable to verify timestamp for netbt.sys
*** WARNING: Unable to verify timestamp for mrxsmb.sys
Unable to load image nlem32nt.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for nlem32nt.sys
*** ERROR: Module load completed but symbols could not be loaded for nlem32nt.sys
Probably caused by : kltdi.sys ( kltdi+1391 )

Followup: MachineOwner
---------

1: kd> !analyze -y

Unknown option '-y'
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 27, {baad00a3, a7c01258, a7c00f54, 8a5a9b20}

Probably caused by : kltdi.sys ( kltdi+1391 )

Followup: MachineOwner
---------
Attachment: Mini0513.dmp

Asked by: mlitin
1 Solution
 
Rob Miners Commented:
You have two Antivirus Programs installed. I would uninstall both and install Microsoft Security Essentials.

http://www.microsoft.com/download/en/details.aspx?id=5201

kltdi.sys Kaspersky

mfetdik.sys McAfee

nlem32nt.sys driver, which supports the USB thumb drive under pre-Windows 2000 operating systems.

Since the system is running Windows XP, the NLEM32NT.SYS driver is not necessary. Boot into Windows Safe Mode, and then rename c:\Windows\System32\NLEM32NT.SYS to NLEM32NT.OLD. Restart the computer.

http://forum.sysinternals.com/nlem32ntsys-causes-reboots_topic7012.html
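
The triage step the answer above performs by eye, as an added example that is not part of the original thread or either poster's code: it pulls the bugcheck code, the blamed module and every driver named in the debugger output, then flags when more than one antivirus vendor's driver appears. The `triage` function and the `KNOWN_DRIVERS` table are hypothetical names; the driver-to-product entries are the ones given in the answer.

```python
import re

# Driver-to-product map taken from the answer above; extend it for your own fleet.
KNOWN_DRIVERS = {
    "kltdi.sys": ("Kaspersky", "antivirus"),
    "mfetdik.sys": ("McAfee", "antivirus"),
    "nlem32nt.sys": ("USB thumb drive driver", "legacy"),
}

# Constructed sample: the relevant lines of the debugger output in the question.
SAMPLE = """\
BugCheck 27, {baad00a3, a7c01258, a7c00f54, 8a5a9b20}
*** WARNING: Unable to verify timestamp for mfetdik.sys
*** ERROR: Module load completed but symbols could not be loaded for mfetdik.sys
*** WARNING: Unable to verify timestamp for netbt.sys
*** WARNING: Unable to verify timestamp for mrxsmb.sys
Unable to load image nlem32nt.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for nlem32nt.sys
Probably caused by : kltdi.sys ( kltdi+1391 )
"""

def triage(text):
    """Return bugcheck code, blamed module and every driver the output names."""
    bug = re.search(r"BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", text)
    blamed = re.search(r"Probably caused by : (\S+) \( (\S+) \)", text)
    # Every *.sys mentioned anywhere, lower-cased, de-duplicated, order kept.
    drivers = list(dict.fromkeys(
        m.lower() for m in re.findall(r"\b([\w-]+\.sys)\b", text)))
    av = sorted({KNOWN_DRIVERS[d][0] for d in drivers
                 if KNOWN_DRIVERS.get(d, ("", ""))[1] == "antivirus"})
    return {
        "bugcheck": int(bug.group(1), 16) if bug else None,  # WinDbg prints hex
        "args": [a.strip() for a in bug.group(2).split(",")] if bug else [],
        "blamed": blamed.group(1).lower() if blamed else None,
        "offset": blamed.group(2) if blamed else None,
        "drivers": drivers,
        "unmapped": [d for d in drivers if d not in KNOWN_DRIVERS],
        "av_vendors": av,
        # More than one AV vendor's driver in one crash is the finding here.
        "av_conflict": len(av) > 1,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key:12} {value}")
```

Drivers listed under `unmapped` are simply absent from the table and still need to be identified by hand before drawing a conclusion.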
 
mlitin (Author) Commented:
Thanks for the excellent observation and suggestions.  I'm surprised that Kaspersky would have permitted installation with another AV present.

I'll make these changes and write back.

Thanks!
 
mlitin (Author) Commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for mlitin's comment #a39163361

for the following reason:

Thanks.  Evidently, Kaspersky allowed itself to be installed with remnants of McAfee still there.  I removed Kaspersky and renamed the McAfee file, and all was better.

Thanks for the tip.
 
mlitin (Author) Commented:
Kaspersky and McAfee remnant were in fact the bad guys.

Thanks for the tip!
 
Rob Miners Commented:
You're welcome and it's good to see that you're up and running :)
