XP Minidump

Hello,

At work yesterday, I was given the assignment to look into this minidump file off of one of our (XP) machines running a Symantec 10 management console. I believe that the issue is Symantec, but I want confirmation. Here is the minidump info:

1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

NTFS_FILE_SYSTEM (24)
If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
Arguments:
Arg1: 001902fe
Arg2: b099c258
Arg3: b099bf54
Arg4: f7b7368c

Debugging Details:
------------------


EXCEPTION_RECORD: b099c258 -- (.exr 0xffffffffb099c258)
ExceptionAddress: f7b7368c (Ntfs!LfsWrite+0x0000007d)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00007f74
Attempt to read from address 00007f74

CONTEXT: b099bf54 -- (.cxr 0xffffffffb099bf54)
eax=00007f60 ebx=c0000022 ecx=00000000 edx=00000000 esi=e144aa90 edi=e1021890
eip=f7b7368c esp=b099c320 ebp=b099c3c0 iopl=0 nv up ei ng nz ac pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010297
Ntfs!LfsWrite+0x7d:
f7b7368c 663b540814 cmp dx,word ptr [eax+ecx+14h] ds:0023:00007f74=????
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

PROCESS_NAME: Rtvscan.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1: 00000000

EXCEPTION_PARAMETER2: 00007f74

READ_ADDRESS: 00007f74

FOLLOWUP_IP:
Ntfs!LfsWrite+7d
f7b7368c 663b540814 cmp dx,word ptr [eax+ecx+14h]

FAULTING_IP:
Ntfs!LfsWrite+7d
f7b7368c 663b540814 cmp dx,word ptr [eax+ecx+14h]

BUGCHECK_STR: 0x24

LAST_CONTROL_TRANSFER: from f7b731ff to f7b7368c

STACK_TEXT:
b099c3c0 f7b731ff e1021890 00000003 b099c480 Ntfs!LfsWrite+0x7d
b099c544 f7b7d3f9 b099c9b8 89b8f6d0 89a264f0 Ntfs!NtfsWriteLog+0x6a2
b099c6c0 f7b7d225 b099c9b8 e5058008 00000018 Ntfs!NtfsChangeAttributeValue+0x372
b099c790 f7b7da1e b099c9b8 e5058008 00000000 Ntfs!NtfsUpdateStandardInformation+0x141
b099c99c f7b77d4d b099c9b8 88fbe008 89b90260 Ntfs!NtfsCommonCleanup+0x20a7
b099cb14 804e13eb 89bbe380 88fbe008 88fbe008 Ntfs!NtfsFsdCleanup+0xcf
b099cb24 f746609e 88fbe008 89ac52d8 89bbe0d8 nt!IopfCallDriver+0x31
b099cb50 804e13eb 89b90260 88fbe008 89bc1d68 fltmgr!FltpDispatch+0x152
b099cb60 f7454bbf 88fbe1e0 b099cbd0 b099cb98 nt!IopfCallDriver+0x31
b099cb70 804e13eb 89bbe020 88fbe008 804e9480 sr!SrCleanup+0xb3
b099cb80 b59337a1 88fbe1e0 88fbe204 b099cbd0 nt!IopfCallDriver+0x31
WARNING: Stack unwind information not available. Following frames may be wrong.
b099cb98 b593ce98 89bbe020 00000000 b099cbd0 SYMEVENT+0x77a1
b099cbb4 b593390b b099cbd0 804e9480 b59339d3 SYMEVENT+0x10e98
b099cbf4 804e13eb 89928370 88fbe008 88fbe008 SYMEVENT+0x790b
b099cc04 f7465e9b 899fa830 88fbe008 898be460 nt!IopfCallDriver+0x31
b099cc28 f746606b b099cc48 899fa830 00000000 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x20b
b099cc60 804e13eb 899fa830 88fbe008 88fbe008 fltmgr!FltpDispatch+0x11f
b099cc70 8057b32f 88c84b70 000000a8 89c1fe70 nt!IopfCallDriver+0x31
b099cca0 8056f9a2 89468510 899fa830 00120089 nt!IopCloseFile+0x26b
b099ccd4 8056faf5 89468510 00000001 89c1fe70 nt!ObpDecrementHandleCount+0xd8
b099ccfc 8056fa1b e512f948 88c84b88 00000328 nt!ObpCloseHandleTableEntry+0x14d
b099cd44 8056fa65 00000328 00000001 00000000 nt!ObpCloseHandle+0x87
b099cd58 804dd99f 00000328 0c36e050 7c90e514 nt!NtClose+0x1d
b099cd58 7c90e514 00000328 0c36e050 7c90e514 nt!KiFastCallEntry+0xfc
0c36e050 00000000 00000000 00000000 00000000 0x7c90e514


SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: Ntfs!LfsWrite+7d

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: Ntfs

IMAGE_NAME: Ntfs.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 48025be5

STACK_COMMAND: .cxr 0xffffffffb099bf54 ; kb

FAILURE_BUCKET_ID: 0x24_Ntfs!LfsWrite+7d

BUCKET_ID: 0x24_Ntfs!LfsWrite+7d

Followup: MachineOwner
---------

The Rtvscan is a Symantec scan. The nightly scan time matches up to when we perform our nightly scans... 5:00 a.m. Can anyone help me decipher this issue?

 

Here is a bit more info:
I clicked the info in the ().
EXCEPTION_RECORD: b099c258 -- (.exr 0xffffffffb099c258)

Output:
1: kd> .exr 0xffffffffb099c258
ExceptionAddress: f7b7368c (Ntfs!LfsWrite+0x0000007d)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00007f74
Attempt to read from address 00007f74

I clicked the info in the ().
EXCEPTION_RECORD: b099c258 -- (.exr 0xffffffffb099c258)

Output:
1: kd> .cxr 0xffffffffb099bf54
eax=00007f60 ebx=c0000022 ecx=00000000 edx=00000000 esi=e144aa90 edi=e1021890
eip=f7b7368c esp=b099c320 ebp=b099c3c0 iopl=0 nv up ei ng nz ac pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010297
Ntfs!LfsWrite+0x7d:
f7b7368c 663b540814 cmp dx,word ptr [eax+ecx+14h] ds:0023:00007f74=????

I hope this helps.