device driver fault or a virus action?psched.sys

Is is this device driver fault or a virus action.

kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or
completely invalid) address at an
interrupt request level (IRQL) that is too high. This
is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 0000001e, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write
operation
Arg4: f73f9d81, address which referenced memory

Debugging Details:

READ_ADDRESS: 0000001e

CURRENT_IRQL: 2

FAULTING_IP:
NDIS!NdisIMCopySendCompletePerPacketInfo+11
f73f9d81 0fb7711e movzx esi,word ptr
[ecx+0x1e]

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xD1

LAST_CONTROL_TRANSFER: from f70cc4dd to f73f9d81

TRAP_FRAME: f7915e58 – (.trap fffffffff7915e58)
ErrCode = 00000000
eax=00000000 ebx=83e2d450 ecx=00000000 edx=00000000
esi=00000000 edi=83ba24e0
eip=f73f9d81 esp=f7915ecc ebp=f7915ee4 iopl=0
nv up ei pl zr na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000
efl=00010246
NDIS!NdisIMCopySendCompletePerPacketInfo+0x11:
f73f9d81 0fb7711e movzx esi,word ptr
[ecx+0x1e] ds:0023:0000001e=???
Resetting default scope

STACK_TEXT:
f7915ecc f70cc4dd 00000000 83ba24e0 83e61d60
NDIS!NdisIMCopySendCompletePerPacketInfo+0x11
f7915ee4 f73f3f4e 83cfd6f8 83ba24e0 00000000
psched!ClSendComplete+0x8d
f7915f08 f70ff831 83e2d450 83ba24e0 00000000
NDIS!ndisMSendCompleteX+0x6e
WARNING: Stack unwind information not available.
Following frames may be wrong.
f7915f70 f73f3e19 83d428b0 83e08308 00000000
dne2000+0x14831
f7915f90 f77acde5 83c9c130 83e082d0 00000000
NDIS!NdisMSendComplete+0xfe
f7915fac f77aa528 83e3d008 83e3d060 83c9c130
RTL8139+0x2de5
f7915fc4 f73f6c07 00e3d008 83cf7970 83cf7bd4
RTL8139+0x528
f7915fe0 8052c93b 83e3d074 83e3d060 00000000
NDIS!ndisMDpc+0x100
f7915ff4 8052c62a f7981a78 00000000 00000000
nt!KiRetireDpcList+0x30

FOLLOWUP_IP:
psched!ClSendComplete+8d
f70cc4dd 57 push edi

SYMBOL_STACK_INDEX: 1

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: psched!ClSendComplete+8d

MODULE_NAME: psched

IMAGE_NAME: psched.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 3b7d8481

STACK_COMMAND: .trap fffffffff7915e58 ; kb

FAILURE_BUCKET_ID: 0xD1_psched!ClSendComplete+8d

BUCKET_ID: 0xD1_psched!ClSendComplete+8d

Followup: MachineOwner


Do you Yahoo!?
Yahoo! Mail - now with 250MB free storage. Learn more.
http://info.mail.yahoo.com/mail_250

It’s a bug in DNE2000.sys most likely, I have run into several bugs with
their driver.

-Jeff

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Saurabh
Sent: Monday, February 07, 2005 12:19 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] device driver fault or a virus action?psched.sys

Is is this device driver fault or a virus action.

kd> !analyze -v
************************************************************************
*******
*
*
* Bugcheck Analysis
*
*
*
************************************************************************
*******

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or
completely invalid) address at an
interrupt request level (IRQL) that is too high. This
is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 0000001e, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write
operation
Arg4: f73f9d81, address which referenced memory

Debugging Details:

READ_ADDRESS: 0000001e

CURRENT_IRQL: 2

FAULTING_IP:
NDIS!NdisIMCopySendCompletePerPacketInfo+11
f73f9d81 0fb7711e movzx esi,word ptr
[ecx+0x1e]

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xD1

LAST_CONTROL_TRANSFER: from f70cc4dd to f73f9d81

TRAP_FRAME: f7915e58 – (.trap fffffffff7915e58)
ErrCode = 00000000
eax=00000000 ebx=83e2d450 ecx=00000000 edx=00000000
esi=00000000 edi=83ba24e0
eip=f73f9d81 esp=f7915ecc ebp=f7915ee4 iopl=0
nv up ei pl zr na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000
efl=00010246
NDIS!NdisIMCopySendCompletePerPacketInfo+0x11:
f73f9d81 0fb7711e movzx esi,word ptr
[ecx+0x1e] ds:0023:0000001e=???
Resetting default scope

STACK_TEXT:
f7915ecc f70cc4dd 00000000 83ba24e0 83e61d60
NDIS!NdisIMCopySendCompletePerPacketInfo+0x11
f7915ee4 f73f3f4e 83cfd6f8 83ba24e0 00000000
psched!ClSendComplete+0x8d
f7915f08 f70ff831 83e2d450 83ba24e0 00000000
NDIS!ndisMSendCompleteX+0x6e
WARNING: Stack unwind information not available.
Following frames may be wrong.
f7915f70 f73f3e19 83d428b0 83e08308 00000000
dne2000+0x14831
f7915f90 f77acde5 83c9c130 83e082d0 00000000
NDIS!NdisMSendComplete+0xfe
f7915fac f77aa528 83e3d008 83e3d060 83c9c130
RTL8139+0x2de5
f7915fc4 f73f6c07 00e3d008 83cf7970 83cf7bd4
RTL8139+0x528
f7915fe0 8052c93b 83e3d074 83e3d060 00000000
NDIS!ndisMDpc+0x100
f7915ff4 8052c62a f7981a78 00000000 00000000
nt!KiRetireDpcList+0x30

FOLLOWUP_IP:
psched!ClSendComplete+8d
f70cc4dd 57 push edi

SYMBOL_STACK_INDEX: 1

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: psched!ClSendComplete+8d

MODULE_NAME: psched

IMAGE_NAME: psched.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 3b7d8481

STACK_COMMAND: .trap fffffffff7915e58 ; kb

FAILURE_BUCKET_ID: 0xD1_psched!ClSendComplete+8d

BUCKET_ID: 0xD1_psched!ClSendComplete+8d

Followup: MachineOwner


Do you Yahoo!?
Yahoo! Mail - now with 250MB free storage. Learn more.
http://info.mail.yahoo.com/mail_250


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@concord.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

***********************************************************************************
This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secured or error-free as information could be intercepted, corrupted, lost, destroyed, received late or incomplete, or could contain viruses. The sender therefore does not accept liability for any error or omission in the contents of this message, which arises as a result of e-mail transmission. If verification is required, please request a hard-copy version from the sender.
***********************************************************************************

Saurabh wrote:

Is is this device driver fault or a virus action.

???

Shall we all vote? Perhaps somebody with a connection to the spirit
world can use thier contacts to find out??

Dude, this isn’t much information to go on, you know?? Did you attempt
to analyze this crash dump? Is there some specific reason you’re
posting this to this forum??

Looks to me like the packet scheduling driver crashed the system.
Beyond that, who knows?? Without something about the environment, what
was going on just before the crash too place, WHAT OPERATING SYSTEM and
service pack we’re talking about, etc, etc, etc there’s absolutely no
way to know.

Peter
OSR

Excuse me If I asked a silly question. Actually I am a
beginner in driver developement with lot to learn.

It happens on a XP system(SP1) P3-933.I recently
installed the new Norton AV+firewall 2005.

The system reboots by itself when running idle.
Can you guide me what other things I can do to narrow
down the problem or the cause.

Thanks a lot for your time

Saurabh

— “Peter Viscarola (OSR)” wrote:

> Saurabh wrote:
> > Is is this device driver fault or a virus action.
> >
>
> ???
>
> Shall we all vote? Perhaps somebody with a
> connection to the spirit
> world can use thier contacts to find out??
>
> Dude, this isn’t much information to go on, you
> know?? Did you attempt
> to analyze this crash dump? Is there some specific
> reason you’re
> posting this to this forum??
>
> Looks to me like the packet scheduling driver
> crashed the system.
> Beyond that, who knows?? Without something about
> the environment, what
> was going on just before the crash too place, WHAT
> OPERATING SYSTEM and
> service pack we’re talking about, etc, etc, etc
> there’s absolutely no
> way to know.
>
> Peter
> OSR
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as:
> xxxxx@yahoo.com
> To unsubscribe send a blank email to
> xxxxx@lists.osr.com
>
kd> !analyze -v
****************************************************************



Bugcheck Analysis


*
*****************************************************************


DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or
completely invalid) address at an
interrupt request level (IRQL) that is too high. This
is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 0000001e, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write
operation
Arg4: f73f9d81, address which referenced memory

Debugging Details:
------------------

READ_ADDRESS: 0000001e

CURRENT_IRQL: 2

FAULTING_IP:
NDIS!NdisIMCopySendCompletePerPacketInfo+11
f73f9d81 0fb7711e movzx esi,word ptr
[ecx+0x1e]

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xD1

LAST_CONTROL_TRANSFER: from f70cc4dd to f73f9d81

TRAP_FRAME: f7915e58 – (.trap fffffffff7915e58)
ErrCode = 00000000
eax=00000000 ebx=83e2d450 ecx=00000000 edx=00000000
esi=00000000 edi=83ba24e0
eip=f73f9d81 esp=f7915ecc ebp=f7915ee4 iopl=0
nv up ei pl zr na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000
efl=00010246
NDIS!NdisIMCopySendCompletePerPacketInfo+0x11:
f73f9d81 0fb7711e movzx esi,word ptr
[ecx+0x1e] ds:0023:0000001e=???
Resetting default scope

STACK_TEXT:
f7915ecc f70cc4dd 00000000 83ba24e0 83e61d60
NDIS!NdisIMCopySendCompletePerPacketInfo+0x11
f7915ee4 f73f3f4e 83cfd6f8 83ba24e0 00000000
psched!ClSendComplete+0x8d
f7915f08 f70ff831 83e2d450 83ba24e0 00000000
NDIS!ndisMSendCompleteX+0x6e
WARNING: Stack unwind information not available.
Following frames may be wrong.
f7915f70 f73f3e19 83d428b0 83e08308 00000000
dne2000+0x14831
f7915f90 f77acde5 83c9c130 83e082d0 00000000
NDIS!NdisMSendComplete+0xfe
f7915fac f77aa528 83e3d008 83e3d060 83c9c130
RTL8139+0x2de5
f7915fc4 f73f6c07 00e3d008 83cf7970 83cf7bd4
RTL8139+0x528
f7915fe0 8052c93b 83e3d074 83e3d060 00000000
NDIS!ndisMDpc+0x100
f7915ff4 8052c62a f7981a78 00000000 00000000
nt!KiRetireDpcList+0x30

FOLLOWUP_IP:
psched!ClSendComplete+8d
f70cc4dd 57 push edi

SYMBOL_STACK_INDEX: 1

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: psched!ClSendComplete+8d

MODULE_NAME: psched

IMAGE_NAME: psched.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 3b7d8481

STACK_COMMAND: .trap fffffffff7915e58 ; kb

FAILURE_BUCKET_ID: 0xD1_psched!ClSendComplete+8d

BUCKET_ID: 0xD1_psched!ClSendComplete+8d

Followup: MachineOwner
---------

__________________________________
Do you Yahoo!?
All your favorites on one personal page – Try My Yahoo!
http://my.yahoo.com

Excuse me If I asked a silly question. Actually I am a
beginner in driver developement with lot to learn.

It happens on a XP system(SP1) P3-933.I recently
installed the new Norton AV+firewall 2005.

The system reboots by itself when running idle.
Can you guide me what other things I can do to narrow
down the problem or the cause.

Thanks a lot for your time

Saurabh

— “Peter Viscarola (OSR)” wrote:

> Saurabh wrote:
> > Is is this device driver fault or a virus action.
> >
>
> ???
>
> Shall we all vote? Perhaps somebody with a
> connection to the spirit
> world can use thier contacts to find out??
>
> Dude, this isn’t much information to go on, you
> know?? Did you attempt
> to analyze this crash dump? Is there some specific
> reason you’re
> posting this to this forum??
>
> Looks to me like the packet scheduling driver
> crashed the system.
> Beyond that, who knows?? Without something about
> the environment, what
> was going on just before the crash too place, WHAT
> OPERATING SYSTEM and
> service pack we’re talking about, etc, etc, etc
> there’s absolutely no
> way to know.
>
> Peter
> OSR
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as:
> xxxxx@yahoo.com
> To unsubscribe send a blank email to
> xxxxx@lists.osr.com
>
kd> !analyze -v
****************************************************************



Bugcheck Analysis


*
*****************************************************************


DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or
completely invalid) address at an
interrupt request level (IRQL) that is too high. This
is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 0000001e, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write
operation
Arg4: f73f9d81, address which referenced memory

Debugging Details:
------------------

READ_ADDRESS: 0000001e

CURRENT_IRQL: 2

FAULTING_IP:
NDIS!NdisIMCopySendCompletePerPacketInfo+11
f73f9d81 0fb7711e movzx esi,word ptr
[ecx+0x1e]

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xD1

LAST_CONTROL_TRANSFER: from f70cc4dd to f73f9d81

TRAP_FRAME: f7915e58 – (.trap fffffffff7915e58)
ErrCode = 00000000
eax=00000000 ebx=83e2d450 ecx=00000000 edx=00000000
esi=00000000 edi=83ba24e0
eip=f73f9d81 esp=f7915ecc ebp=f7915ee4 iopl=0
nv up ei pl zr na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000
efl=00010246
NDIS!NdisIMCopySendCompletePerPacketInfo+0x11:
f73f9d81 0fb7711e movzx esi,word ptr
[ecx+0x1e] ds:0023:0000001e=???
Resetting default scope

STACK_TEXT:
f7915ecc f70cc4dd 00000000 83ba24e0 83e61d60
NDIS!NdisIMCopySendCompletePerPacketInfo+0x11
f7915ee4 f73f3f4e 83cfd6f8 83ba24e0 00000000
psched!ClSendComplete+0x8d
f7915f08 f70ff831 83e2d450 83ba24e0 00000000
NDIS!ndisMSendCompleteX+0x6e
WARNING: Stack unwind information not available.
Following frames may be wrong.
f7915f70 f73f3e19 83d428b0 83e08308 00000000
dne2000+0x14831
f7915f90 f77acde5 83c9c130 83e082d0 00000000
NDIS!NdisMSendComplete+0xfe
f7915fac f77aa528 83e3d008 83e3d060 83c9c130
RTL8139+0x2de5
f7915fc4 f73f6c07 00e3d008 83cf7970 83cf7bd4
RTL8139+0x528
f7915fe0 8052c93b 83e3d074 83e3d060 00000000
NDIS!ndisMDpc+0x100
f7915ff4 8052c62a f7981a78 00000000 00000000
nt!KiRetireDpcList+0x30

FOLLOWUP_IP:
psched!ClSendComplete+8d
f70cc4dd 57 push edi

SYMBOL_STACK_INDEX: 1

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: psched!ClSendComplete+8d

MODULE_NAME: psched

IMAGE_NAME: psched.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 3b7d8481

STACK_COMMAND: .trap fffffffff7915e58 ; kb

FAILURE_BUCKET_ID: 0xD1_psched!ClSendComplete+8d

BUCKET_ID: 0xD1_psched!ClSendComplete+8d

Followup: MachineOwner
---------

__________________________________
Do you Yahoo!?
The all-new My Yahoo! - Get yours free!
http://my.yahoo.com

Turn off auto reboot and see what the error is.


The personal opinion of
Gary G. Little

“Saurabh” wrote in message news:xxxxx@ntdev…
> Excuse me If I asked a silly question. Actually I am a
> beginner in driver developement with lot to learn.
>
> It happens on a XP system(SP1) P3-933.I recently
> installed the new Norton AV+firewall 2005.
>
> The system reboots by itself when running idle.
> Can you guide me what other things I can do to narrow
> down the problem or the cause.
>
>
> Thanks a lot for your time
>
> Saurabh
>
>
> — “Peter Viscarola (OSR)” wrote:
>
> > Saurabh wrote:
> > > Is is this device driver fault or a virus action.
> > >
> >
> > ???
> >
> > Shall we all vote? Perhaps somebody with a
> > connection to the spirit
> > world can use thier contacts to find out??
> >
> > Dude, this isn’t much information to go on, you
> > know?? Did you attempt
> > to analyze this crash dump? Is there some specific
> > reason you’re
> > posting this to this forum??
> >
> > Looks to me like the packet scheduling driver
> > crashed the system.
> > Beyond that, who knows?? Without something about
> > the environment, what
> > was going on just before the crash too place, WHAT
> > OPERATING SYSTEM and
> > service pack we’re talking about, etc, etc, etc
> > there’s absolutely no
> > way to know.
> >
> > Peter
> > OSR
> >
> > —
> > Questions? First check the Kernel Driver FAQ at
> > http://www.osronline.com/article.cfm?id=256
> >
> > You are currently subscribed to ntdev as:
> > xxxxx@yahoo.com
> > To unsubscribe send a blank email to
> > xxxxx@lists.osr.com
> >
> kd> !analyze -v
> *****************************************************************
>

> *
> *
> * Bugcheck Analysis
> *
> *
> *
> *****************************************************************
>

>
> DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
> An attempt was made to access a pageable (or
> completely invalid) address at an
> interrupt request level (IRQL) that is too high. This
> is usually
> caused by drivers using improper addresses.
> If kernel debugger is available get stack backtrace.
> Arguments:
> Arg1: 0000001e, memory referenced
> Arg2: 00000002, IRQL
> Arg3: 00000000, value 0 = read operation, 1 = write
> operation
> Arg4: f73f9d81, address which referenced memory
>
> Debugging Details:
> ------------------
>
>
> READ_ADDRESS: 0000001e
>
> CURRENT_IRQL: 2
>
> FAULTING_IP:
> NDIS!NdisIMCopySendCompletePerPacketInfo+11
> f73f9d81 0fb7711e movzx esi,word ptr
> [ecx+0x1e]
>
> CUSTOMER_CRASH_COUNT: 1
>
> DEFAULT_BUCKET_ID: DRIVER_FAULT
>
> BUGCHECK_STR: 0xD1
>
> LAST_CONTROL_TRANSFER: from f70cc4dd to f73f9d81
>
> TRAP_FRAME: f7915e58 – (.trap fffffffff7915e58)
> ErrCode = 00000000
> eax=00000000 ebx=83e2d450 ecx=00000000 edx=00000000
> esi=00000000 edi=83ba24e0
> eip=f73f9d81 esp=f7915ecc ebp=f7915ee4 iopl=0
> nv up ei pl zr na po nc
> cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000
> efl=00010246
> NDIS!NdisIMCopySendCompletePerPacketInfo+0x11:
> f73f9d81 0fb7711e movzx esi,word ptr
> [ecx+0x1e] ds:0023:0000001e=???
> Resetting default scope
>
> STACK_TEXT:
> f7915ecc f70cc4dd 00000000 83ba24e0 83e61d60
> NDIS!NdisIMCopySendCompletePerPacketInfo+0x11
> f7915ee4 f73f3f4e 83cfd6f8 83ba24e0 00000000
> psched!ClSendComplete+0x8d
> f7915f08 f70ff831 83e2d450 83ba24e0 00000000
> NDIS!ndisMSendCompleteX+0x6e
> WARNING: Stack unwind information not available.
> Following frames may be wrong.
> f7915f70 f73f3e19 83d428b0 83e08308 00000000
> dne2000+0x14831
> f7915f90 f77acde5 83c9c130 83e082d0 00000000
> NDIS!NdisMSendComplete+0xfe
> f7915fac f77aa528 83e3d008 83e3d060 83c9c130
> RTL8139+0x2de5
> f7915fc4 f73f6c07 00e3d008 83cf7970 83cf7bd4
> RTL8139+0x528
> f7915fe0 8052c93b 83e3d074 83e3d060 00000000
> NDIS!ndisMDpc+0x100
> f7915ff4 8052c62a f7981a78 00000000 00000000
> nt!KiRetireDpcList+0x30
>
>
> FOLLOWUP_IP:
> psched!ClSendComplete+8d
> f70cc4dd 57 push edi
>
> SYMBOL_STACK_INDEX: 1
>
> FOLLOWUP_NAME: MachineOwner
>
> SYMBOL_NAME: psched!ClSendComplete+8d
>
> MODULE_NAME: psched
>
> IMAGE_NAME: psched.sys
>
> DEBUG_FLR_IMAGE_TIMESTAMP: 3b7d8481
>
> STACK_COMMAND: .trap fffffffff7915e58 ; kb
>
> FAILURE_BUCKET_ID: 0xD1_psched!ClSendComplete+8d
>
> BUCKET_ID: 0xD1_psched!ClSendComplete+8d
>
> Followup: MachineOwner
> ---------
>
>
>
>
> __________________________________
> Do you Yahoo!?
> The all-new My Yahoo! - Get yours free!
> http://my.yahoo.com
>
>
>