cluberti Posted August 21, 2008 Share Posted August 21, 2008 Hi,Ok thank... btw if i only disable ZA can? or must full uninstall?thankgOberTo remove filter drivers, you MUST uninstall. Disabling leaves the drivers intact and enabled, just without any work to do from the controlling application in user-mode. Since the problem with a filter driver can happen regardless of whether the app is enabled or not, you have to actually uninstall to do a valid test. Link to comment Share on other sites More sharing options...
gOber Posted August 21, 2008 Author Share Posted August 21, 2008 Hi,Ok thank... btw if i only disable ZA can? or must full uninstall?thankgOberTo remove filter drivers, you MUST uninstall. Disabling leaves the drivers intact and enabled, just without any work to do from the controlling application in user-mode. Since the problem with a filter driver can happen regardless of whether the app is enabled or not, you have to actually uninstall to do a valid test.Hello,Ok thank you for your respond.. Maybe i will try uninstall Vmware then let see tomorrow i will report to you.thankgOber Link to comment Share on other sites More sharing options...
gOber Posted August 26, 2008 Author Share Posted August 26, 2008 Hello Again,I already uninstall vmware and still got BSOD but i still keep my firewall coz im still waiting email from microsoft to see my dump report.I will give report again later..thanksAnton Link to comment Share on other sites More sharing options...
gOber Posted August 26, 2008 Author Share Posted August 26, 2008 Hi Mr Snrub,Could you please check my last mini dump file? Please download my attachedthank yougOberMini082608_01.rar Link to comment Share on other sites More sharing options...
Mr Snrub Posted August 26, 2008 Share Posted August 26, 2008 Only a minidump, so not much info to extract, but it's the same bugcheck and underlying reason - an attempt to free a memory allocation which has already been freed.Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatibleProduct: WinNt, suite: TerminalServer SingleUserTSBuilt by: 2600.xpsp.080413-2111Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720Debug session time: Tue Aug 26 16:14:51.406 2008 (GMT+2)System Uptime: 0 days 4:47:58.968BAD_POOL_CALLER (c2)The current thread is making a bad pool request. Typically this is at a bad IRQL level or double freeing the same allocation, etc.Arguments:Arg1: 00000007, Attempt to free pool which was already freedArg2: 00000cd4, (reserved)Arg3: 02130007, Memory contents of the pool blockArg4: 88c100d8, Address of the block of pool being deallocatedSTACK_TEXT: bacebcd4 8054b583 000000c2 00000007 00000cd4 nt!KeBugCheckEx+0x1bbacebd24 805c1014 88c100d8 00000000 88e84ee0 nt!ExFreePoolWithTag+0x2a3bacebd4c 805bb46e 00000000 88e84ef8 00000001 nt!ObpFreeObject+0x142bacebd64 805bb8b8 88e84ef8 00000001 80562f20 nt!ObpRemoveObjectRoutine+0xe8bacebd7c 8053876d 00000000 00000000 8a5bd020 nt!ObpProcessRemoveObjectQueue+0x36bacebdac 805cff64 00000000 00000000 00000000 nt!ExpWorkerThread+0xefbacebddc 805460de 8053867e 00000000 00000000 nt!PspSystemThreadStartup+0x3400000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x161: kd> !pool 88c100d8Pool page 88c100d8 region is Unknown 88c10000 size: 98 previous size: 0 (Allocated) File (Protected) 88c10098 size: 38 previous size: 98 (Free) ....*88c100d0 size: 98 previous size: 38 (Free ) *File (Protected) Pooltag File : File objects 88c10168 size: a0 previous size: 98 (Free ) AfdC (Protected) 88c10208 size: 20 previous size: a0 (Allocated) ReTa...// Here is the raw dump of the problematic pool allocation:1: kd> dc 88c100d0 88c10168-188c100d0 02130007 e56c6946 88b72330 00000000 ....Fil.0#......88c100e0 00000000 00000000 bad0b0b0 c2000800 ................88c100f0 00000000 00000000 00700005 8a077cf0 ..........p..|..88c10100 00000000 88cdb350 00000002 00000000 ....P...........88c10110 00000000 00000000 00000000 00000000 ................88c10120 00000000 00040000 00000000 00000000 ................88c10130 00000000 00000000 00000000 00000000 ................88c10140 00000000 00000000 00000000 00000000 ................88c10150 00000000 00040000 00000000 88c1015c ............\...88c10160 88c1015c 00000000// The pool allocation immediately before is also freed (looks like some USB communication driver allocation), but doesn't appear to have been a typical overrun as the header after is still intact:1: kd> dc 88c10098 88c100d0-188c10098 00070013 00000000 89373c88 89309c50 .........<7.P.0.88c100a8 88b9c748 00000000 00000010 88d816a0 H...............88c100b8 022a0004 70627375 8a5246a8 0000020e ..*.usbp.FR.....88c100c8 00000144 00000100 D.......Can't see from this dump what driver was freeing the memory, but as before it could be the victim not the cause - this allocation was last used for a File object, where before it was related to networking (TCP).The following driver I thought was installed by VMWare for its emulated NIC, but it is still loaded in this dump, and look at the date on it...1: kd> lmvm el90xbc5start end module nameb94dd000 b94ed400 el90xbc5 (deferred) Image path: el90xbc5.sys Image name: el90xbc5.sys Timestamp: Tue Jul 17 01:40:19 2001 (3B537B63) CheckSum: 0001DD13 ImageSize: 00010400 File version: 4.5.0.0 Product version: 5.0.0.0 File flags: 8 (Mask 3F) Private File OS: 40004 NT Win32 File type: 3.6 Driver File date: 00000000.00000000 Translations: 0409.04b0 CompanyName: 3Com Corporation ProductName: 3Com EtherLink PCI InternalName: EL90XBC5.SYS OriginalFilename: EL90XBC5.SYS ProductVersion: 5.00 FileVersion: 4.05.00.0000 FileDescription: 3Com EtherLink PCI Driver LegalCopyright: Copyright 1994-2001, 3Com Corporation.I don't think this is an onboard device from the last time I checked the specs, so if you don't have one of these installed it may be a good idea to see if it's in Device Manager, and maybe even rename/delete the file on disk to prevent it being loaded.Though it's not a filter driver so I don't see how it should be interfering... I'd stick with the ZoneAlarm plan for now. Link to comment Share on other sites More sharing options...
gOber Posted August 26, 2008 Author Share Posted August 26, 2008 Only a minidump, so not much info to extract, but it's the same bugcheck and underlying reason - an attempt to free a memory allocation which has already been freed.Thank but microsoft support ask to me to do minidump. But i still waiting reply from microsoftWindows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatibleProduct: WinNt, suite: TerminalServer SingleUserTSBuilt by: 2600.xpsp.080413-2111Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720Debug session time: Tue Aug 26 16:14:51.406 2008 (GMT+2)System Uptime: 0 days 4:47:58.968BAD_POOL_CALLER (c2)The current thread is making a bad pool request. Typically this is at a bad IRQL level or double freeing the same allocation, etc.Arguments:Arg1: 00000007, Attempt to free pool which was already freedArg2: 00000cd4, (reserved)Arg3: 02130007, Memory contents of the pool blockArg4: 88c100d8, Address of the block of pool being deallocatedSTACK_TEXT: bacebcd4 8054b583 000000c2 00000007 00000cd4 nt!KeBugCheckEx+0x1bbacebd24 805c1014 88c100d8 00000000 88e84ee0 nt!ExFreePoolWithTag+0x2a3bacebd4c 805bb46e 00000000 88e84ef8 00000001 nt!ObpFreeObject+0x142bacebd64 805bb8b8 88e84ef8 00000001 80562f20 nt!ObpRemoveObjectRoutine+0xe8bacebd7c 8053876d 00000000 00000000 8a5bd020 nt!ObpProcessRemoveObjectQueue+0x36bacebdac 805cff64 00000000 00000000 00000000 nt!ExpWorkerThread+0xefbacebddc 805460de 8053867e 00000000 00000000 nt!PspSystemThreadStartup+0x3400000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x161: kd> !pool 88c100d8Pool page 88c100d8 region is Unknown 88c10000 size: 98 previous size: 0 (Allocated) File (Protected) 88c10098 size: 38 previous size: 98 (Free) ....*88c100d0 size: 98 previous size: 38 (Free ) *File (Protected) Pooltag File : File objects 88c10168 size: a0 previous size: 98 (Free ) AfdC (Protected) 88c10208 size: 20 previous size: a0 (Allocated) ReTa...// Here is the raw dump of the problematic pool allocation:1: kd> dc 88c100d0 88c10168-188c100d0 02130007 e56c6946 88b72330 00000000 ....Fil.0#......88c100e0 00000000 00000000 bad0b0b0 c2000800 ................88c100f0 00000000 00000000 00700005 8a077cf0 ..........p..|..88c10100 00000000 88cdb350 00000002 00000000 ....P...........88c10110 00000000 00000000 00000000 00000000 ................88c10120 00000000 00040000 00000000 00000000 ................88c10130 00000000 00000000 00000000 00000000 ................88c10140 00000000 00000000 00000000 00000000 ................88c10150 00000000 00040000 00000000 88c1015c ............\...88c10160 88c1015c 00000000// The pool allocation immediately before is also freed (looks like some USB communication driver allocation), but doesn't appear to have been a typical overrun as the header after is still intact:1: kd> dc 88c10098 88c100d0-188c10098 00070013 00000000 89373c88 89309c50 .........<7.P.0.88c100a8 88b9c748 00000000 00000010 88d816a0 H...............88c100b8 022a0004 70627375 8a5246a8 0000020e ..*.usbp.FR.....88c100c8 00000144 00000100 D.......Can't see from this dump what driver was freeing the memory, but as before it could be the victim not the cause - this allocation was last used for a File object, where before it was related to networking (TCP).The following driver I thought was installed by VMWare for its emulated NIC, but it is still loaded in this dump, and look at the date on it...font="Courier New"]1: kd> lmvm el90xbc5start end module nameb94dd000 b94ed400 el90xbc5 (deferred) Image path: el90xbc5.sys Image name: el90xbc5.sys Timestamp: Tue Jul 17 01:40:19 2001 (3B537B63) CheckSum: 0001DD13 ImageSize: 00010400 File version: 4.5.0.0 Product version: 5.0.0.0 File flags: 8 (Mask 3F) Private File OS: 40004 NT Win32 File type: 3.6 Driver File date: 00000000.00000000 Translations: 0409.04b0 CompanyName: 3Com Corporation ProductName: 3Com EtherLink PCI InternalName: EL90XBC5.SYS OriginalFilename: EL90XBC5.SYS ProductVersion: 5.00 FileVersion: 4.05.00.0000 FileDescription: 3Com EtherLink PCI Driver LegalCopyright: Copyright 1994-2001, 3Com Corporation.I don't think this is an onboard device from the last time I checked the specs, so if you don't have one of these installed it may be a good idea to see if it's in Device Manager, and maybe even rename/delete the file on disk to prevent it being loaded.Though it's not a filter driver so I don't see how it should be interfering... I'd stick with the ZoneAlarm plan for now.Yes 3com is not onboard device.. that for my LAN network but i never use again. i use onboard network for internet connection.Ok i will try uninstall ZA later after get email from microsoft.....Btw do you have other option be sides ZoneAlarm?ThanksgOber Link to comment Share on other sites More sharing options...
Mr Snrub Posted August 26, 2008 Share Posted August 26, 2008 I used Zone Alarm Pro years ago, but found that it got slower and filled with more features that I didn't want in a personal firewall solution and so dumped it once the license expired.Now I just use the built-in Windows Firewall, and rely on:- NAT router to drop external attack attempts before they even reach any clients- Windows Defender and anti-virus for malware detection- UAC to prompt when a program is trying to do "something administrative" (I use Vista)- common sense when browsing, downloading & receiving emails with attachments I don't expect or recognise(As the NAT router takes care of the perimeter, the Windows Firewall is just protecting each client from its peers, just in case something managed to get in and hit one of the clients.) Link to comment Share on other sites More sharing options...
gOber Posted August 26, 2008 Author Share Posted August 26, 2008 I used Zone Alarm Pro years ago, but found that it got slower and filled with more features that I didn't want in a personal firewall solution and so dumped it once the license expired.Now I just use the built-in Windows Firewall, and rely on:- NAT router to drop external attack attempts before they even reach any clients- Windows Defender and anti-virus for malware detection- UAC to prompt when a program is trying to do "something administrative" (I use Vista)- common sense when browsing, downloading & receiving emails with attachments I don't expect or recognise(As the NAT router takes care of the perimeter, the Windows Firewall is just protecting each client from its peers, just in case something managed to get in and hit one of the clients.)Thank for your information sir... but i dont have router... only normal modem....Ok i will report u again later Snrub.... sorry if my language english to bad...Thank againgOber Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now