Daylight

OAmon.sys Blue Screen of Death


I have been receiving Blue Screens of Death lately. Been going on for about 1-3 weeks. I know, kind of a big gap. But I've been going through some "legal" issues and my brain is so messed up right now I can't think straight...anywho...

I will supply as much info as I can on this. Been looking into this all day and so far, this is what I have gathered: **NOTE** All info in these images came from the application called "BlueScreenView".

d078a6.png

bd629d.png

8ccbc2.png

59b984.png

I installed "WinDbg.exe" from Microsoft's website and used the command !analyze -v. This is what it ends up saying for the first BSOD (image #1):

*******************************************************************************

* *

* Bugcheck Analysis *

* *

*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 4E, {7, 12d27e, 1, 0}

Probably caused by : tcpip.sys ( tcpip!TcpTcbReceive+2d3 )

Followup: MachineOwner

---------

0: kd> !analyze -v

*******************************************************************************

* *

* Bugcheck Analysis *

* *

*******************************************************************************

PFN_LIST_CORRUPT (4e)

Typically caused by drivers passing bad memory descriptor lists (ie: calling

MmUnlockPages twice with the same list, etc). If a kernel debugger is

available get the stack trace.

Arguments:

Arg1: 0000000000000007, A driver has unlocked a page more times than it locked it

Arg2: 000000000012d27e, page frame number

Arg3: 0000000000000001, current share count

Arg4: 0000000000000000, 0

Debugging Details:

------------------

BUGCHECK_STR: 0x4E_7

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

PROCESS_NAME: System

CURRENT_IRQL: 2

LAST_CONTROL_TRANSFER: from fffff800034f02c8 to fffff80003491640

STACK_TEXT:

fffff880`09b91aa8 fffff800`034f02c8 : 00000000`0000004e 00000000`00000007 00000000`0012d27e 00000000`00000001 : nt!KeBugCheckEx

fffff880`09b91ab0 fffff800`035006d6 : fffff880`00009370 fffffa80`00000000 00000000`0871c310 00000000`0000d9a8 : nt! ?? ::FNODOBFM::`string'+0x175b6

fffff880`09b91af0 fffff800`03494848 : fffff880`09b90004 00000000`00000000 00000000`00000002 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0x37875

fffff880`09b91b80 fffff880`0187b903 : fffffa80`06073aa0 fffff880`09b91c02 fffffa80`06073470 00000000`00000000 : nt!IopfCompleteRequest+0x168

fffff880`09b91c60 fffff880`0187a5ea : fffffa80`0486e410 fffff880`01872a00 fffffa80`0482ea01 00000000`00000000 : tcpip!TcpTcbReceive+0x2d3

fffff880`09b91e50 fffff880`0187c2ab : fffffa80`041e2852 00000000`00000000 00000000`00000000 fffff880`09b92200 : tcpip!TcpMatchReceive+0x1fa

fffff880`09b91fa0 fffff880`01873137 : fffffa80`0486e410 fffffa80`048730fa fffffa80`000068d3 00000000`000068d3 : tcpip!TcpPreValidatedReceive+0x36b

fffff880`09b92070 fffff880`01872caa : 00000000`00000000 fffff880`019879a0 fffff880`09b92230 00000000`00000000 : tcpip!IppDeliverListToProtocol+0x97

fffff880`09b92130 fffff880`018722a9 : fffffa80`040ab000 fffff880`01513ac0 fffffa80`0553bc90 fffff880`09b92220 : tcpip!IppProcessDeliverList+0x5a

fffff880`09b921d0 fffff880`0186ffff : 00000000`00000000 fffffa80`04861000 fffff880`019879a0 00000000`05636001 : tcpip!IppReceiveHeaderBatch+0x23a

fffff880`09b922b0 fffff880`0186f5f2 : fffffa80`0563f3a0 00000000`00000000 fffffa80`05636001 fffff880`00000001 : tcpip!IpFlcReceivePackets+0x64f

fffff880`09b924b0 fffff880`0186ea8a : fffffa80`05636010 fffff880`09b925e0 fffffa80`05636010 00000000`00000000 : tcpip!FlpReceiveNonPreValidatedNetBufferListChain+0x2b2

fffff880`09b92590 fffff800`0349e078 : fffffa80`07f12d60 00000000`00004800 fffffa80`07962960 00000000`00000000 : tcpip!FlReceiveNetBufferListChainCalloutRoutine+0xda

fffff880`09b925e0 fffff880`0186f152 : fffff880`0186e9b0 fffff880`015d0395 fffff880`09b92a02 00000000`00000000 : nt!KeExpandKernelStackAndCalloutEx+0xd8

fffff880`09b926c0 fffff880`015c70eb : fffffa80`05654700 00000000`00000000 fffffa80`051611a0 fffff880`01511e66 : tcpip!FlReceiveNetBufferListChain+0xb2

fffff880`09b92730 fffff880`01590ad6 : fffffa80`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ndis!ndisMIndicateNetBufferListsToOpen+0xdb

fffff880`09b927a0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ndis!ndisMDispatchReceiveNetBufferLists+0x1d6

STACK_COMMAND: kb

FOLLOWUP_IP:

tcpip!TcpTcbReceive+2d3

fffff880`0187b903 488b4b48 mov rcx,qword ptr [rbx+48h]

SYMBOL_STACK_INDEX: 4

SYMBOL_NAME: tcpip!TcpTcbReceive+2d3

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: tcpip

IMAGE_NAME: tcpip.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4ce79420

FAILURE_BUCKET_ID: X64_0x4E_7_tcpip!TcpTcbReceive+2d3

BUCKET_ID: X64_0x4E_7_tcpip!TcpTcbReceive+2d3

Followup: MachineOwner

---------

And this is what I got for the second BSOD (image #2): **NOTE** I will post in reply to this. Too many characters in this post.

I'm assuming that BOTH were caused by Online Armor. Even though the first one doesn't say anything about OA.

Also, in case you need to know, I am using paid OA++ with Windows 7 Ultimate x64. If you need any more info or a copy of the crash dumps, just say so and I will do whatever it is you need me to do...tomorrow 'cause it's almost 2am where I'm at :P

My subscription is about to run out and I would like to renew it. But I'm not sure if I should if this problem persists. Thank you and I hope to see this fixed soon!

Sincerely,

Randy


And here is the 2nd windbg info as promised!

*******************************************************************************

* *

* Bugcheck Analysis *

* *

*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 4E, {7, 628e9, 1, 0}

Probably caused by : tcpip.sys ( tcpip!TcpTcbReceive+2d3 )

Followup: MachineOwner

---------

0: kd> !analyze -v

*******************************************************************************

* *

* Bugcheck Analysis *

* *

*******************************************************************************

PFN_LIST_CORRUPT (4e)

Typically caused by drivers passing bad memory descriptor lists (ie: calling

MmUnlockPages twice with the same list, etc). If a kernel debugger is

available get the stack trace.

Arguments:

Arg1: 0000000000000007, A driver has unlocked a page more times than it locked it

Arg2: 00000000000628e9, page frame number

Arg3: 0000000000000001, current share count

Arg4: 0000000000000000, 0

Debugging Details:

------------------

BUGCHECK_STR: 0x4E_7

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

PROCESS_NAME: oasrv.exe

CURRENT_IRQL: 2

LAST_CONTROL_TRANSFER: from fffff800034f92c8 to fffff8000349a640

STACK_TEXT:

fffff880`0b627418 fffff800`034f92c8 : 00000000`0000004e 00000000`00000007 00000000`000628e9 00000000`00000001 : nt!KeBugCheckEx

fffff880`0b627420 fffff800`035096d6 : fffff880`0000006c fffffa80`00000000 fffffa80`074e6420 00000000`00000001 : nt! ?? ::FNODOBFM::`string'+0x175b6

fffff880`0b627460 fffff800`0349d848 : 00000000`00000004 00000000`00000000 00000000`00000002 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0x37875

fffff880`0b6274f0 fffff880`016e9903 : fffffa80`07e0ef20 fffffa80`07e0e102 fffffa80`07e0e860 00000000`00000000 : nt!IopfCompleteRequest+0x168

fffff880`0b6275d0 fffff880`016e85ea : fffffa80`0486d900 fffff880`016e0a00 fffffa80`047f7e01 00000000`00000000 : tcpip!TcpTcbReceive+0x2d3

fffff880`0b6277c0 fffff880`016ea2ab : fffffa80`063630a2 00000000`00000000 00000000`00000000 fffff880`0b627b00 : tcpip!TcpMatchReceive+0x1fa

fffff880`0b627910 fffff880`016e1137 : fffffa80`0486d900 fffffa80`048625c6 fffffa80`000070ea 00000000`000070ea : tcpip!TcpPreValidatedReceive+0x36b

fffff880`0b6279e0 fffff880`016e0caa : 00000000`00000000 fffff880`017f59a0 fffff880`0b627ba0 00001f80`00b100e0 : tcpip!IppDeliverListToProtocol+0x97

fffff880`0b627aa0 fffff880`016e02a9 : 00000000`00000000 00000000`00000000 00000000`00000000 fffff880`0b627b90 : tcpip!IppProcessDeliverList+0x5a

fffff880`0b627b40 fffff880`016ddfff : 00000000`faffffef fffffa80`0487f000 fffff880`017f59a0 00000000`00000000 : tcpip!IppReceiveHeaderBatch+0x23a

fffff880`0b627c20 fffff880`016dd5f2 : fffffa80`05cd15b0 00000000`00000000 00000000`00000000 00000000`00000001 : tcpip!IpFlcReceivePackets+0x64f

fffff880`0b627e20 fffff880`0175175a : fffffa80`0455c700 0000002a`00000000 fffffa80`05cd1ba0 fffff880`0b628200 : tcpip!FlpReceiveNonPreValidatedNetBufferListChain+0x2b2

fffff880`0b627f00 fffff800`034a7078 : 03000000`00000101 fffffa80`00000000 fffffa80`04090660 00000000`00000001 : tcpip! ?? ::FNODOBFM::`string'+0x56e52

fffff880`0b627f50 fffff880`016dd152 : fffff880`016dc9b0 00000000`00000000 fffff880`00000000 00000000`00000001 : nt!KeExpandKernelStackAndCalloutEx+0xd8

fffff880`0b628030 fffff880`015970eb : fffffa80`05cd2010 00000000`00000000 fffffa80`044a51a0 fffffa80`044a51a0 : tcpip!FlReceiveNetBufferListChain+0xb2

fffff880`0b6280a0 fffff880`0157602c : fffffa80`00000000 00000000`00000000 00000000`00000001 00000000`c000009a : ndis!ndisMIndicateNetBufferListsToOpen+0xdb

fffff880`0b628110 fffff880`01566586 : fffffa80`05cbb010 fffff880`0b628268 00000000`00000000 00000000`00000001 : ndis!ndisIndicateAllNetBufferLists+0x6c

fffff880`0b628170 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ndis! ?? ::DKGKHJNI::`string'+0x4050

STACK_COMMAND: kb

FOLLOWUP_IP:

tcpip!TcpTcbReceive+2d3

fffff880`016e9903 488b4b48 mov rcx,qword ptr [rbx+48h]

SYMBOL_STACK_INDEX: 4

SYMBOL_NAME: tcpip!TcpTcbReceive+2d3

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: tcpip

IMAGE_NAME: tcpip.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4ce79420

FAILURE_BUCKET_ID: X64_0x4E_7_tcpip!TcpTcbReceive+2d3

BUCKET_ID: X64_0x4E_7_tcpip!TcpTcbReceive+2d3

Followup: MachineOwner

---------

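As an added example (not part of the original thread, and not Emsisoft's or Microsoft's tooling): a small Python parser for pasted `!analyze -v` text that lists which modules are on the faulting stack and checks whether a named driver is among them. The sample is an excerpt of the second dump above with the stack cut to four frames; the module name `oamon` is an assumed spelling derived from OAmon.sys.

```python
import re

# Excerpt of the second `!analyze -v` output posted above (stack cut to four frames).
SAMPLE = r"""
PFN_LIST_CORRUPT (4e)
Arg1: 0000000000000007, A driver has unlocked a page more times than it locked it
Arg2: 00000000000628e9, page frame number
Arg3: 0000000000000001, current share count
Arg4: 0000000000000000, 0
PROCESS_NAME: oasrv.exe
STACK_TEXT:
fffff880`0b627418 fffff800`034f92c8 : 00000000`0000004e 00000000`00000007 00000000`000628e9 00000000`00000001 : nt!KeBugCheckEx
fffff880`0b6274f0 fffff880`016e9903 : fffffa80`07e0ef20 fffffa80`07e0e102 fffffa80`07e0e860 00000000`00000000 : nt!IopfCompleteRequest+0x168
fffff880`0b6275d0 fffff880`016e85ea : fffffa80`0486d900 fffff880`016e0a00 fffffa80`047f7e01 00000000`00000000 : tcpip!TcpTcbReceive+0x2d3
fffff880`0b6280a0 fffff880`0157602c : fffffa80`00000000 00000000`00000000 00000000`00000001 00000000`c000009a : ndis!ndisMIndicateNetBufferListsToOpen+0xdb
IMAGE_NAME: tcpip.sys
"""

# A kb-style frame: child-SP, return address, four args, then module!symbol.
FRAME = re.compile(r"^[0-9a-f`]+ [0-9a-f`]+ : .* : (\w+)!")

def parse_analyze(text):
    """Pull bugcheck code, arguments, process and stack modules out of !analyze -v text."""
    out = {}
    m = re.search(r"^(\w+) \(([0-9a-f]+)\)\s*$", text, re.M)
    out["name"], out["code"] = (m.group(1), int(m.group(2), 16)) if m else (None, None)
    out["args"] = [int(a, 16) for a in re.findall(r"^Arg\d: ([0-9a-f]{16})", text, re.M)]
    for key in ("PROCESS_NAME", "IMAGE_NAME"):
        m = re.search(rf"^{key}:\s*(\S+)", text, re.M)
        out[key.lower()] = m.group(1) if m else None
    modules = []
    for line in text.splitlines():      # tolerates the blank lines forum pastes add
        m = FRAME.match(line.strip())
        if m and m.group(1) not in modules:
            modules.append(m.group(1))  # keep first-seen order, top of stack first
    out["stack_modules"] = modules
    return out

def triage(text, suspect):
    """Report whether `suspect` (a module name, assumed spelling) is on the faulting stack."""
    r = parse_analyze(text)
    r["suspect_on_stack"] = suspect.lower() in [m.lower() for m in r["stack_modules"]]
    return r

if __name__ == "__main__":
    print(triage(SAMPLE, "oamon"))
```

On the excerpt it reports nt, tcpip and ndis on the stack and no oamon frame; the only reference to Online Armor in that output is `PROCESS_NAME: oasrv.exe`.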

Can you please attach the actual minidumps to your posting? Thanks.

No problem. Just wanted to give a little update on things. I read up on "PFN_LIST_CORRUPT" and found that some people had to replace their RAM in order to fix the issue. So I decided to run Memtest86+ 4.20 overnight (for 10 hours) and no errors showed up. Someone else on another forum said to run a test on my hard drive. I will be doing so tonight before I go to bed. They also stated that high temps inside my PC could be the culprit because there are two different errors. I am monitoring my temps right now and so far, everything seems fine.

I'm pretty sure the BSOD is being caused by OA++ due to the fact that I had gotten them in a previous version a while back (last year sometime). Then after a version update, I wasn't getting them anymore. And now it's back haunting me again :(

Here are both dumps. I really do appreciate you or whoever looking at these.

Thank you,

Randy

EDIT: I got an error that says, "You aren't permitted to upload this kind of file". The file extension was .dmp. So I'm uploading them to a file host.

EDIT2: I also uploaded both dumps in a ZIP folder to mediafire. The download can be found here: http://www.mediafire.com/?89zfk7qw8i1u2sz


Sorry for double post. The forum ended up giving me an error after posting. "Browser sent bad data" or something like that so I tried to repost and it just kept loading. Meanwhile it was already posted while it was still loading? Strange....

EDIT: Could have been that Firefox automatically updated to 3.6.14 today?


Are you running the latest version of OA, 4.5.1.431? I wondered because one of your screenshots shows the file version as being 4.1.0.0.

Yes, I am running Emsisoft Online Armor version 4.5.1.431. Antivirus Engine version 5.0.0.46, 1.1.88.0

That is kind of strange that it mentions the version 4.1.0.0. I didn't even give that a second thought when I first saw it. Does OAmon.sys have a version number of its own?


I checked some more and it seems to be normal for oamon (I think this is the driver your report refers to as being this version). Some of the other drivers use a later version, but not oamon. So nothing to worry about :) Sorry for the confusion.


No problem. Just glad to see I'm getting help on this issue :)

Also, I just got news that my internet may be shut off tomorrow. I won't be able to get it back on until I get paid Friday/Saturday. I'm going to contact my ISP to see if they can keep it on till then. So, don't think I'm giving up on this if I do not reply back in a couple days. I'll be checking back frequently all of today to see if any more info needs to be supplied.


Hmmm...I don't have an "EDIT" button anymore :blink:

Anyway, just wanted to say that I got an extension on the internet for 3 weeks. So I'll be here if any info is needed. Thank you, again, for help on this issue B)


Hi Daylight,

The mini dumps didn't give any obvious clues that I was able to find. We fixed several possible BSODs for version 5.0. Would it be ok for you if I send you a 5.0 pre-release so you can see if the problem still occurs?


That would be fine. Should I backup my current OA++ settings and restore in the 5.0 pre-release, or start from scratch? Either way is fine with me.

I have mentioned in an earlier post that I would be running a test on my hard drive and monitoring my system temperatures. I have done so and no issues were shown in the hard drive test and my temps seem to be pretty good. There was one other test that I haven't really gotten around to yet, which is testing one RAM stick (of the 2x2GB) at a time and trying to produce the BSOD.

One thing I have noticed the last few times I got the BSODs, was that I had uTorrent (v2.2 Build 24402) running in the background. I have left my computer on for almost two days now without uTorrent running and have not gotten the BSOD. So my guess would be, it's just a uTorrent issue, a conflict between uTorrent and OA++ (at this point I really doubt it), or an issue with my RAM.

I would like to Thank You for taking the time to look at the mini dumps. If this problem had nothing to do with OA++, I apologize for wasting your time. Once I saw "OAmon.sys", I assumed the problem had to be that since, in a previous version, I was getting BSODs because of oamon till I updated. I will continue my testing and will be sure to update this thread once I find out more info.

Things I will be testing:

- Newer uTorrent version.

- Using only one RAM stick in computer.

- If all else fails, will test if there is conflict between uTorrent and OA.

If you feel I should test anything else with the pre-release, just mention and I will do so.

Thank you,

Randy
