BSOD browsing Internet, ndis.sys D1 - may it be Agnitum Outpost?

andropol · 23 Mar 2012

Windows 7 Pro SP1 64bit original full-retail, all stuff baught October 2011

BSOD 3rd time. May it be due to Outpost Pro 7.5.1 or it is driver problem?

Summary:

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
Arguments:
Arg1: 0000000000000008, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff88001afe5ab, address which referenced memory

Debugging Details:
------------------

READ_ADDRESS: GetPointerFromAddress: unable to read from fffff80003509100
0000000000000008

CURRENT_IRQL: 2

FAULTING_IP:
ndis!NdisAllocateCloneNetBufferList+1ab
fffff880`01afe5ab 498b5e08 mov rbx,qword ptr [r14+8]

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0xD1

PROCESS_NAME: chrome.exe

Thanks!

writhziden · 23 Mar 2012

Code:


Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [D:\Kingston\BSODDmpFiles\andropol\032312-22198-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*C:\SymCache*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.17727.amd64fre.win7sp1_gdr.111118-2330
Machine Name:
Kernel base = 0xfffff800`0325b000 PsLoadedModuleList = 0xfffff800`0349f650
Debug session time: Fri Mar 23 09:54:43.174 2012 (UTC - 6:00)
System Uptime: 5 days 22:34:13.002
Loading Kernel Symbols
...............................................................
................................................................
................................................
Loading User Symbols
Loading unloaded module list
.........................................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {8, 2, 0, fffff88001afe5ab}

Probably caused by : NETIO.SYS ( NETIO!NetioAllocateAndReferenceCloneNetBufferList+32 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 0000000000000008, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff88001afe5ab, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS: GetPointerFromAddress: unable to read from fffff80003509100
 0000000000000008 

CURRENT_IRQL:  2

FAULTING_IP: 
ndis!NdisAllocateCloneNetBufferList+1ab
fffff880`01afe5ab 498b5e08        mov     rbx,qword ptr [r14+8]

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0xD1

PROCESS_NAME:  chrome.exe

TRAP_FRAME:  fffff80000ba2b20 -- (.trap 0xfffff80000ba2b20)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffffa800c81cd40 rbx=0000000000000000 rcx=fffffa800c81cdf0
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff88001afe5ab rsp=fffff80000ba2cb0 rbp=fffffa800c81cc10
 r8=0000000000000000  r9=0000000000000000 r10=fffffa80082cc200
r11=0000000000004ffb r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na pe nc
ndis!NdisAllocateCloneNetBufferList+0x1ab:
fffff880`01afe5ab 498b5e08        mov     rbx,qword ptr [r14+8] ds:3b90:00000000`00000008=????????????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff800032d72e9 to fffff800032d7d40

STACK_TEXT:  
fffff800`00ba29d8 fffff800`032d72e9 : 00000000`0000000a 00000000`00000008 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffff800`00ba29e0 fffff800`032d5f60 : fffff880`01fe5110 00000000`ffffffff fffffa80`0a8c5060 fffffa80`0c81cd40 : nt!KiBugCheckDispatch+0x69
fffff800`00ba2b20 fffff880`01afe5ab : 00000000`000000ff fffffa80`0c0653f8 fffffa80`10f24e20 fffff800`00ba2d00 : nt!KiPageFault+0x260
fffff800`00ba2cb0 fffff880`01a08b22 : fffffa80`0c078901 fffff880`06afda13 fffffa80`0c040cb0 fffffa80`0df411a0 : ndis!NdisAllocateCloneNetBufferList+0x1ab
fffff800`00ba2dc0 fffff880`01a363df : fffffa80`0df411a0 fffffa80`0df411a0 00000000`00000000 00000000`00000000 : NETIO!NetioAllocateAndReferenceCloneNetBufferList+0x32
fffff800`00ba2df0 fffff880`01a39f40 : 00000000`00000000 fffff880`01af6b51 00000000`00004ffb fffffa80`10f27e20 : NETIO!StreamDataTruncateAfterDataLength+0x4f
fffff800`00ba2e60 fffff880`01a3b6b4 : fffffa80`0df411a0 00000000`00000000 fffffa80`0df411a0 00000000`00000000 : NETIO!StreamPermitDataHelper+0x40
fffff800`00ba2e90 fffff800`032e251c : fffff800`0344ce80 fffffa80`0f857440 fffffa80`0f857440 00000000`00000000 : NETIO!StreamPermitRemoveDataDpc+0x84
fffff800`00ba2f00 fffff800`032daf15 : 00000000`00000000 fffffa80`0de10b60 00000000`00000000 fffff880`01a3b630 : nt!KiRetireDpcList+0x1bc
fffff800`00ba2fb0 fffff800`032dad2c : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KyRetireDpcList+0x5
fffff880`0c7581e0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDispatchInterruptContinue


STACK_COMMAND:  kb

FOLLOWUP_IP: 
NETIO!NetioAllocateAndReferenceCloneNetBufferList+32
fffff880`01a08b22 488bd8          mov     rbx,rax

SYMBOL_STACK_INDEX:  4

SYMBOL_NAME:  NETIO!NetioAllocateAndReferenceCloneNetBufferList+32

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: NETIO

IMAGE_NAME:  NETIO.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  4ce79381

FAILURE_BUCKET_ID:  X64_0xD1_NETIO!NetioAllocateAndReferenceCloneNetBufferList+32

BUCKET_ID:  X64_0xD1_NETIO!NetioAllocateAndReferenceCloneNetBufferList+32

Followup: MachineOwner
---------

Loading Dump File [D:\Kingston\BSODDmpFiles\andropol\031712-24866-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*C:\SymCache*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.17727.amd64fre.win7sp1_gdr.111118-2330
Machine Name:
Kernel base = 0xfffff800`03250000 PsLoadedModuleList = 0xfffff800`03494650
Debug session time: Fri Mar 16 12:14:11.220 2012 (UTC - 6:00)
System Uptime: 1 days 11:08:26.437
Loading Kernel Symbols
...............................................................
................................................................
........................................
Loading User Symbols
Loading unloaded module list
.............................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {8, 2, 0, fffff880014095ab}

Probably caused by : NETIO.SYS ( NETIO!NetioAllocateAndReferenceCloneNetBufferList+32 )

Followup: MachineOwner
---------

2: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 0000000000000008, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff880014095ab, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS: GetPointerFromAddress: unable to read from fffff800034fe100
 0000000000000008 

CURRENT_IRQL:  2

FAULTING_IP: 
ndis!NdisAllocateCloneNetBufferList+1ab
fffff880`014095ab 498b5e08        mov     rbx,qword ptr [r14+8]

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0xD1

PROCESS_NAME:  chrome.exe

TRAP_FRAME:  fffff88003594b20 -- (.trap 0xfffff88003594b20)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffffa80080a9160 rbx=0000000000000000 rcx=fffffa80080a9210
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff880014095ab rsp=fffff88003594cb0 rbp=fffffa80080a9030
 r8=0000000000000000  r9=0000000000000000 r10=fffffa800a658e00
r11=0000000000001ad0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po nc
ndis!NdisAllocateCloneNetBufferList+0x1ab:
fffff880`014095ab 498b5e08        mov     rbx,qword ptr [r14+8] ds:e2d4:00000000`00000008=????????????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff800032cc2e9 to fffff800032ccd40

STACK_TEXT:  
fffff880`035949d8 fffff800`032cc2e9 : 00000000`0000000a 00000000`00000008 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffff880`035949e0 fffff800`032caf60 : fffff880`03565180 fffff800`032d7b00 ffffffff`fffe7960 fffffa80`080a9160 : nt!KiBugCheckDispatch+0x69
fffff880`03594b20 fffff880`014095ab : fffffa80`108ed7f0 00000000`00c101e5 00000000`00000000 fffff800`03367e07 : nt!KiPageFault+0x260
fffff880`03594cb0 fffff880`01aaeb22 : fffff880`03594e40 fffff880`03594e70 fffff880`03594e50 fffffa80`0808c920 : ndis!NdisAllocateCloneNetBufferList+0x1ab
fffff880`03594dc0 fffff880`01adc3df : fffffa80`0808c920 fffffa80`0808c920 00000000`00000000 00000000`00000000 : NETIO!NetioAllocateAndReferenceCloneNetBufferList+0x32
fffff880`03594df0 fffff880`01adff40 : 00000000`00000000 fffff880`03594e88 00000000`00001ad0 fffffa80`0fd55b20 : NETIO!StreamDataTruncateAfterDataLength+0x4f
fffff880`03594e60 fffff880`01ae16b4 : fffffa80`0808c920 00000000`00000000 fffffa80`0808c920 00000000`00000000 : NETIO!StreamPermitDataHelper+0x40
fffff880`03594e90 fffff800`032d751c : fffff880`03565180 fffffa80`0e6c2ce0 fffffa80`0e6c2ce0 00000000`00000000 : NETIO!StreamPermitRemoveDataDpc+0x84
fffff880`03594f00 fffff800`032cff15 : 00000000`00000000 fffffa80`07c07a10 00000000`00000000 fffff880`01ae1630 : nt!KiRetireDpcList+0x1bc
fffff880`03594fb0 fffff800`032cfd2c : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KyRetireDpcList+0x5
fffff880`0c998f80 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDispatchInterruptContinue


STACK_COMMAND:  kb

FOLLOWUP_IP: 
NETIO!NetioAllocateAndReferenceCloneNetBufferList+32
fffff880`01aaeb22 488bd8          mov     rbx,rax

SYMBOL_STACK_INDEX:  4

SYMBOL_NAME:  NETIO!NetioAllocateAndReferenceCloneNetBufferList+32

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: NETIO

IMAGE_NAME:  NETIO.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  4ce79381

FAILURE_BUCKET_ID:  X64_0xD1_NETIO!NetioAllocateAndReferenceCloneNetBufferList+32

BUCKET_ID:  X64_0xD1_NETIO!NetioAllocateAndReferenceCloneNetBufferList+32

Followup: MachineOwner
---------

This crash is usually due to out of date/corrupted network adapter drivers, bad security software (antivirus or firewall), or corrupted security software.
Essentially a variant of 1.

All three crashes point to the same thing: Network related. First things to do are visit Sony eSupport - Electronics and download the appropriate updated network adapter drivers for your VAIO. If that does not resolve the crashes, uninstall and re-install all security software (antivirus and firewall programs). If you continue to have problems after doing those two steps, begin removing and replacing your security software with known stable programs:

Good and Free system security combination.

The above is a good place to start...

Roderunner · 23 Mar 2012

The latest version of Outpost has been released. 7.5.2

Condover · 23 Mar 2012

I have had a similar problem today. Acer laptop, BSOD occurs after AVG install and restart. driver_irql_not_less_or_equal Stop D1, ndis.sys file named as culprit. It will start up in Safe mode (but avoid networking as ndis is a network component). So run AVG remover. I also had to remove the Network device driver which in my case is an Atheros AR8132PCI-E Fast Ethernet controller. The AVG removal tool warns that you may have to restart and run multiple times. I had to do this three times before I could get the system to restart in normal mode. On the third time the AVG remover asked to run and it finally did its job. (if the AVG installer asks to run do not let it as this brings the crash on immediately).
The AVG removal tool is not great as only the x64 tool will run but AVG has a folder in the x32 program directory as well which I deleted manually.
The worst problem I have ever had (cost me a customer and too many hours) involved Acer software and AVG in 2007 so this was familiar to me but this was driver related not software related but funny it was Acer and AVG again!

andropol · 24 Mar 2012

Thanks, guys
On sony e-support I found new WLAN driver released from Intel, so i'll update it. I will also update Outpost.
I dont use AVG.

writhziden · 24 Mar 2012

You're welcome. Let us know how the system responds after those steps.

andropol · 26 Mar 2012

Upgrade to Outpost 7.5.2 alone didnt help as i got BSOD after it and before WLAN update.
Just upgraded to Intel Wireless LAN Driver 14.3.1.1. Will see...

andropol · 20 Apr 2012

Yesterday got BSOD again. With all the same stuff as before. So that means that latest WLAN driver update didn't help. I'm going to disable Agnitum just in case but i suspect this won't help either.

Colleagues, are there any ideas on what else i can do? Like reinstall some driver or may be reinstall Windows completely?

Thanks

zigzag3143 · 20 Apr 2012

NETIO issues often are as the result of the installed malware application and in your case it is Agnitum, I would remove it and replace with Microsoft Security Essentials (at least to test) you can always re-install it later

http://www.microsoft.com/security_essentials/

writhziden · 20 Apr 2012

In addition to zigzag3143's suggestion, please provide us with a little more information about your system.

Can you upload your msinfo32.nfo file? To get this: Start Menu -> Type msinfo32 into the Search programs and files box -> When it opens, go to File, Save -> Save as msinfo32.nfo and save in a place you will remember -> Let it finish the process of gathering and saving the system info -> Right click the .nfo file, click send to compressed (zipped) folder -> Upload the .zip file here.