
Bad driver? (Dump data included)

Discussion in 'Legacy Windows' started by markf, 2005/06/26.

  1. 2005/06/26
    markf

    markf Inactive Thread Starter

    Hi, I've been having trouble with my computer randomly crashing since late last year. I posted previously (http://www.windowsbbs.com/showthread.php?t=43027) but never got to the bottom of it. Some months ago I got so fed up that I replaced motherboard, CPU, RAM and power supply - basically a new PC except for graphics card, hard drives and DVD drives. I also bought a UPS in case it was being caused by power fluctuations. Unfortunately it still kept crashing, so I figured maybe it was related to the graphics card. I replaced the graphics card but it's crashed again... I've recently formatted the hard drives and reinstalled everything fresh, and I'm not running any dodgy shareware or hacked software. I thought I'd come back here and post the latest dump in case anyone can see anything. I've got the special pool enabled. Any feedback would be appreciated!

    Mark

    Opened log file 'c:\debuglog.txt'

    Microsoft (R) Windows Debugger Version 6.4.0007.2
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [C:\MEMORY 050626_1702.DMP]
    Kernel Complete Dump File: Full address space is available

    Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is: C:\WINNT;C:\WINNT\system32;C:\WINNT\system32\drivers
    Windows 2000 Kernel Version 2195 (Service Pack 4) UP Free x86 compatible
    Product: WinNt
    Kernel base = 0x80400000 PsLoadedModuleList = 0x804814c0
    Debug session time: Sun Jun 26 15:58:17.156 2005 (GMT+12)
    System Uptime: 0 days 16:38:11.832
    Loading Kernel Symbols
    .............................................................................................................
    Loading unloaded module list
    .............
    Loading User Symbols
    ......................................................................................................
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck DE, {2, e4220b74, e4220b7c, 1dee98c6}

    *** ERROR: Symbol file could not be found. Defaulted to export symbols for SYMEVENT.SYS -
    Probably caused by : Cdfs.SYS ( Cdfs!CdPurgeVolume+cb )

    Followup: MachineOwner
    ---------

    kd> !analyze -v;r;kv;lmtn;.logclose;q
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    POOL_CORRUPTION_IN_FILE_AREA (de)
    A driver corrupted pool memory used for holding pages destined for disk.
    This was discovered by the memory manager when dereferencing the file.
    Arguments:
    Arg1: 00000002
    Arg2: e4220b74
    Arg3: e4220b7c
    Arg4: 1dee98c6

    Debugging Details:
    ------------------


    OVERLAPPED_MODULE: nv4_disp

    DEFAULT_BUCKET_ID: DRIVER_FAULT

    BUGCHECK_STR: 0xDE

    LAST_CONTROL_TRANSFER: from 80410daf to 8043e220

    STACK_TEXT:
    ae59aa00 80410daf 88998ec0 00000000 00000001 nt!MmPurgeSection+0x2c4
    ae59aa68 ae6bce58 8891ea4c 00000000 00000000 nt!CcPurgeCacheSection+0xeb
    ae59aa9c ae6bd161 b1b9efc8 ba7f4e01 00000000 Cdfs!CdPurgeVolume+0xcb
    ae59aaf4 ae6ba513 b1b9efc8 bd45ce70 ba7f4dc0 Cdfs!CdCommonCleanup+0x241
    ae59ab48 80529104 ba7f4dc0 bd45ce70 00000000 Cdfs!CdFsdDispatch+0x13d
    ae59ab94 afdda264 00000000 ae59abdc 88a24888 nt!IovSpecialIrpCallDriver+0xcd
    WARNING: Stack unwind information not available. Following frames may be wrong.
    ae59ac44 804c04d4 80064fac b205cf50 00000001 SYMEVENT+0x6264
    ae59ac78 804d6ff0 b1c1ad70 88b1ff20 00100001 nt!IopCloseFile+0x2b4
    ae59aca4 8044ecb8 b1c1ad70 889f42d4 889f42e8 nt!ObpDecrementHandleCount+0x13c
    ae59ad58 80464f84 00000834 0b0b0b0b 0b0b0b0b nt!NtClose+0x1f0
    ae59ad58 77f828d3 00000834 0b0b0b0b 0b0b0b0b nt!KiSystemService+0xc4
    00f7fc1c 7c577ebc 00000834 00f7fe68 7c5a363c ntdll!NtClose+0xb
    00f7fc28 7c5a363c 00000834 7834a6e5 00000834 KERNEL32!CloseHandle+0x4f
    00f7fc30 7834a6e5 00000834 0009d598 7834a86d KERNEL32!FindVolumeMountPointClose+0x9
    00f7fc3c 7834a86d 0009d598 00000001 00000168 SHELL32!FSNDestructIntClient+0x18
    00f7fe68 7832a6c8 00f7fed0 00000001 00000047 SHELL32!FSNBuildEventList+0xea
    00f7ffb4 7c57b388 00000000 00000047 0008f220 SHELL32!FSNotifyThreadProc+0xc2
    00f7ffec 00000000 7832a606 00000000 00000000 KERNEL32!BaseThreadStart+0x52


    FOLLOWUP_IP:
    Cdfs!CdPurgeVolume+cb
    ae6bce58 84c0 test al,al

    SYMBOL_STACK_INDEX: 2

    FOLLOWUP_NAME: MachineOwner

    SYMBOL_NAME: Cdfs!CdPurgeVolume+cb

    MODULE_NAME: Cdfs

    IMAGE_NAME: Cdfs.SYS

    DEBUG_FLR_IMAGE_TIMESTAMP: 3e9cd4fd

    STACK_COMMAND: kb

    FAILURE_BUCKET_ID: 0xDE_Cdfs!CdPurgeVolume+cb

    BUCKET_ID: 0xDE_Cdfs!CdPurgeVolume+cb

    Followup: MachineOwner
    ---------

    eax=ffdff13c ebx=000000de ecx=f8feecd0 edx=00000400 esi=88998ec0 edi=893685d8
    eip=8043e220 esp=ae59a9c0 ebp=ae59aa00 iopl=0 nv up ei ng nz na po nc
    cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
    nt!MmPurgeSection+0x2c4:
    8043e220 8b470c mov eax,[edi+0xc] ds:0023:893685e4=00000208
    ChildEBP RetAddr Args to Child
    ae59aa00 80410daf 88998ec0 00000000 00000001 nt!MmPurgeSection+0x2c4 (FPO: [Non-Fpo])
    ae59aa68 ae6bce58 8891ea4c 00000000 00000000 nt!CcPurgeCacheSection+0xeb (FPO: [Non-Fpo])
    ae59aa9c ae6bd161 b1b9efc8 ba7f4e01 00000000 Cdfs!CdPurgeVolume+0xcb (FPO: [Non-Fpo])
    ae59aaf4 ae6ba513 b1b9efc8 bd45ce70 ba7f4dc0 Cdfs!CdCommonCleanup+0x241 (FPO: [Non-Fpo])
    ae59ab48 80529104 ba7f4dc0 bd45ce70 00000000 Cdfs!CdFsdDispatch+0x13d (FPO: [Non-Fpo])
    ae59ab94 afdda264 00000000 ae59abdc 88a24888 nt!IovSpecialIrpCallDriver+0xcd (FPO: [Non-Fpo])
    WARNING: Stack unwind information not available. Following frames may be wrong.
    ae59ac44 804c04d4 80064fac b205cf50 00000001 SYMEVENT+0x6264
    ae59ac78 804d6ff0 b1c1ad70 88b1ff20 00100001 nt!IopCloseFile+0x2b4 (FPO: [Non-Fpo])
    ae59aca4 8044ecb8 b1c1ad70 889f42d4 889f42e8 nt!ObpDecrementHandleCount+0x13c (FPO: [Non-Fpo])
    ae59ad58 80464f84 00000834 0b0b0b0b 0b0b0b0b nt!NtClose+0x1f0 (FPO: [Non-Fpo])
    ae59ad58 77f828d3 00000834 0b0b0b0b 0b0b0b0b nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ ae59ad64)
    00f7fc1c 7c577ebc 00000834 00f7fe68 7c5a363c ntdll!NtClose+0xb (FPO: [1,0,0])
    00f7fc28 7c5a363c 00000834 7834a6e5 00000834 KERNEL32!CloseHandle+0x4f (FPO: [Non-Fpo])
    00f7fc30 7834a6e5 00000834 0009d598 7834a86d KERNEL32!FindVolumeMountPointClose+0x9 (FPO: [1,0,0])
    00f7fc3c 7834a86d 0009d598 00000001 00000168 SHELL32!FSNDestructIntClient+0x18 (FPO: [2,0,1])
    00f7fe68 7832a6c8 00f7fed0 00000001 00000047 SHELL32!FSNBuildEventList+0xea (FPO: [Non-Fpo])
    00f7ffb4 7c57b388 00000000 00000047 0008f220 SHELL32!FSNotifyThreadProc+0xc2 (FPO: [EBP 0x00f7ffec] [1,76,4])
    00f7ffec 00000000 7832a606 00000000 00000000 KERNEL32!BaseThreadStart+0x52 (FPO: [Non-Fpo])
    start end module name
     
  2. 2005/06/26
    Arie

    Arie Administrator Administrator Staff


  4. 2005/06/26
    markf

    markf Inactive Thread Starter

    Hi Arie,

    I already have the special pool enabled with the following:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

    Value Name: PoolTag
    Data Type: REG_DWORD
    Data: 0x2A

    Value Name: PoolTagOverruns
    Data Type: REG_DWORD
    Data: 1

    Trouble is I don't know how to read the dump data to determine which driver is responsible for the pool damage. Also (in case it's relevant) the crashes aren't always 0xDE. For example the one previous was 0x1E.

    Mark
     
  5. 2005/06/27
    Arie

    Arie Administrator Administrator Staff

    Probably the best thing to do is to go to Microsoft Support Services, and select an option to "open" a support request.

    You can use the log file (debuglog.txt) generated to supply the needed information to start your support request.

    Our "resident" debug troubleshooter will be unavailable for a while.
     
  6. 2005/07/23
    cpc2004

    cpc2004 Inactive

    From the stack trace, I find SYMEVENT and it is Norton AV. Upgrading or de-installing Norton AV may resolve your problem.

    Hope it can help you,
    cpc2004
     
  7. 2005/07/29
    markf

    markf Inactive Thread Starter

    Thanks very much for your advice. I was running Norton AV 2002. I've now uninstalled it and I'll see if that makes a difference. So far no crashes (in the last 6 hours), but I'll give it a week before I celebrate!

    By the way, could you explain to me how you came to SYMEVENT and Norton AV from the dump data?

    Mark
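
One way to pick the third-party frame out of the STACK_TEXT in the first post, as an added example that is not part of the original thread and not any poster's method: parse each frame into module and function, then flag modules outside an OS allowlist and frames kd could not resolve to a symbol. The `OS_MODULES` set and the function names are assumptions made for this illustration.

```python
import re

# Kernel-mode frames copied from the STACK_TEXT in the first post.
STACK_TEXT = """\
ae59aa00 80410daf 88998ec0 00000000 00000001 nt!MmPurgeSection+0x2c4
ae59aa68 ae6bce58 8891ea4c 00000000 00000000 nt!CcPurgeCacheSection+0xeb
ae59aa9c ae6bd161 b1b9efc8 ba7f4e01 00000000 Cdfs!CdPurgeVolume+0xcb
ae59aaf4 ae6ba513 b1b9efc8 bd45ce70 ba7f4dc0 Cdfs!CdCommonCleanup+0x241
ae59ab48 80529104 ba7f4dc0 bd45ce70 00000000 Cdfs!CdFsdDispatch+0x13d
ae59ab94 afdda264 00000000 ae59abdc 88a24888 nt!IovSpecialIrpCallDriver+0xcd
WARNING: Stack unwind information not available. Following frames may be wrong.
ae59ac44 804c04d4 80064fac b205cf50 00000001 SYMEVENT+0x6264
ae59ac78 804d6ff0 b1c1ad70 88b1ff20 00100001 nt!IopCloseFile+0x2b4
ae59aca4 8044ecb8 b1c1ad70 889f42d4 889f42e8 nt!ObpDecrementHandleCount+0x13c
ae59ad58 80464f84 00000834 0b0b0b0b 0b0b0b0b nt!NtClose+0x1f0
"""

# Assumption: the modules treated as OS-shipped in this particular trace.
OS_MODULES = {"nt", "cdfs", "ntdll", "kernel32", "shell32"}

# ChildEBP, RetAddr, three argument dwords, then the symbol column.
FRAME = re.compile(r"^[0-9a-f]{8} [0-9a-f]{8} (?:[0-9a-f]{8} ){3}(\S+)")

def parse_frames(text):
    """Return one dict per stack frame: index, module, function, flags."""
    frames, after_warning = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("WARNING: Stack unwind information not available"):
            after_warning = True      # kd could not unwind reliably past here
            continue
        m = FRAME.match(line)
        if not m:
            continue
        module, bang, rest = m.group(1).partition("!")
        if not bang:                  # "MODULE+0xNNNN": no symbol was resolved
            module, rest = module.split("+")[0], ""
        frames.append({"index": len(frames), "module": module,
                       "function": rest.split("+")[0] or None,
                       "after_warning": after_warning})
    return frames

def third_party_frames(frames):
    """Frames whose module is not in the OS allowlist: leads to look at first."""
    return [f for f in frames if f["module"].lower() not in OS_MODULES]

if __name__ == "__main__":
    for f in third_party_frames(parse_frames(STACK_TEXT)):
        print(f)
```

A flagged frame is a lead rather than proof: the bugcheck text says the corruption was discovered when the file was dereferenced, so the module on the stack at crash time is not necessarily the one that wrote to the pool.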
     