Blue Screen caused by avastsvc.exe v.2014.9.0.2018

[smipx013]

Hi,

I had a blue screen in Windows 8.1 x64 using avast today and I wanted to report it to see if it is a known issue and whether a fix is available.  Below is the windbg trace from the dump file. 

Thanks
Paul

Microsoft (R) Windows Debugger Version 6.3.9600.17029 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\Minidump\051014-23781-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available


************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       http://msdl.microsoft.com/download/symbols
Symbol search path is: http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 8 Kernel Version 9600 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 9600.17041.amd64fre.winblue_gdr.140305-1710
Machine Name:
Kernel base = 0xfffff803`9421b000 PsLoadedModuleList = 0xfffff803`944e52d0
Debug session time: Sat May 10 08:44:18.095 2014 (UTC + 1:00)
System Uptime: 0 days 14:11:54.849
Loading Kernel Symbols
.

Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.

..............................................................
................................................................
...................................
Loading User Symbols
Loading unloaded module list
................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck A, {ffffe101fe1585e0, 2, 0, fffff803942fadc7}

Probably caused by : NETIO.SYS ( NETIO!KfdClassify+6fd )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: ffffe101fe1585e0, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, bitfield :
   bit 0 : value 0 = read operation, 1 = write operation
   bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff803942fadc7, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS: GetPointerFromAddress: unable to read from fffff8039456f138
unable to get nt!MmNonPagedPoolStart
unable to get nt!MmSizeOfNonPagedPoolInBytes
 ffffe101fe1585e0

CURRENT_IRQL:  2

FAULTING_IP:
nt!RtlLookupEntryHashTable+77
fffff803`942fadc7 488b4110        mov     rax,qword ptr [rcx+10h]

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

BUGCHECK_STR:  AV

PROCESS_NAME:  AvastSvc.exe

ANALYSIS_VERSION: 6.3.9600.17029 (debuggers(dbg).140219-1702) amd64fre

TRAP_FRAME:  ffffd0002868cef0 -- (.trap 0xffffd0002868cef0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=5085a946b1e35d98 rbx=0000000000000000 rcx=ffffe101fe1585d0
rdx=ffffe00200037630 rsi=0000000000000000 rdi=0000000000000000
rip=fffff803942fadc7 rsp=ffffd0002868d080 rbp=ffffd0002868d1b0
 r8=ffffe00200f701e0  r9=ecc4b5485964d0a6 r10=ffffd0002868d280
r11=0000000000000008 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
nt!RtlLookupEntryHashTable+0x77:
fffff803`942fadc7 488b4110        mov     rax,qword ptr [rcx+10h] ds:ffffe101`fe1585e0=?
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff8039437aae9 to fffff8039436efa0

STACK_TEXT: 
ffffd000`2868cda8 fffff803`9437aae9 : 00000000`0000000a ffffe101`fe1585e0 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
ffffd000`2868cdb0 fffff803`9437933a : 00000000`00000000 ecc4b548`5964d0a6 ffffc6a8`81d38e00 ffffd000`2868cef0 : nt!KiBugCheckDispatch+0x69
ffffd000`2868cef0 fffff803`942fadc7 : 00000000`00000000 fffff801`a0b481c4 00000000`000002fb 00000016`00000001 : nt!KiPageFault+0x23a
ffffd000`2868d080 fffff801`a06021d9 : 00000000`00000000 ffffd000`2868d1b0 ffffe001`fdfd91b0 fffff801`a0b11a2d : nt!RtlLookupEntryHashTable+0x77
ffffd000`2868d0b0 fffff801`a0b9b364 : ffffe001`fced2078 fffff801`a08c0887 00000000`00000001 ffffe001`fdfe2300 : NETIO!KfdClassify+0x6fd
ffffd000`2868d530 fffff801`a0b48b7c : ffffd000`2868e090 fffff801`0000000e 00000000`00000000 00000000`00000002 : tcpip!WfpTlShimInspectSendTcpDatagram+0x754
ffffd000`2868d830 fffff801`a0b455b8 : fffff801`0000fab3 ffffe001`00000000 ffffe001`0000000b ffffe001`00007010 : tcpip!IppInspectLocalDatagramsOut+0x82c
ffffd000`2868db60 fffff801`a0afce62 : ffffd000`2868dff0 00000000`00000007 fffff801`a0cb6180 ffffe001`fced2010 : tcpip!IppSendDatagramsCommon+0x3f8
ffffd000`2868dd50 fffff801`a0b1dbe0 : ffffe001`fd0a5240 00000000`00000000 00000000`00000000 00000000`0000000b : tcpip!IpNlpFastSendDatagram+0xf2
ffffd000`2868de30 fffff801`a0b1f6f5 : ffffd000`2868e212 00000000`00000000 ffffe001`ff934310 ffffd000`2868e530 : tcpip!TcpTcbSend+0x780
ffffd000`2868e180 fffff801`a0b1ef8a : 00000000`00000000 ffffe001`fced2010 ffffd000`2868e211 ffffd000`2868e500 : tcpip!TcpEnqueueTcbSendOlmNotifySendComplete+0xa5
ffffd000`2868e1b0 fffff801`a0b1f2f8 : 00000000`00000000 00000000`00000000 ffffe001`fce10a00 00000000`00000000 : tcpip!TcpEnqueueTcbSend+0x2aa
ffffd000`2868e2b0 fffff803`942f5256 : ffffd000`2868e2d0 00000000`00000000 00000000`000000f0 00000000`08a4da60 : tcpip!TcpTlConnectionSendCalloutRoutine+0x28
ffffd000`2868e330 fffff801`a0b1f5a2 : fffff801`a0b1f2d0 ffffd000`2868e450 00000000`00000000 fffff801`a178b6cb : nt!KeExpandKernelStackAndCalloutInternal+0xe6
ffffd000`2868e420 fffff801`a17a6577 : ffffe001`fce10a20 ffffd000`2868ecc0 00000000`0000000b 00000000`00000003 : tcpip!TcpTlConnectionSend+0x72
ffffd000`2868e490 fffff801`a178a451 : ffffe001`ff103e10 ffffe001`ffd8eb30 00000000`00000005 00000000`20206f49 : afd!AfdFastConnectionSend+0x387
ffffd000`2868e650 fffff803`946173f4 : ffffe002`00f073c0 00000000`00000000 ffffe001`ff103e10 00000000`00000001 : afd!AfdFastIoDeviceControl+0x441
ffffd000`2868e9c0 fffff803`946181c6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x3d4
ffffd000`2868eb60 fffff803`9437a7b3 : ffffe001`ffafd568 ffffe001`fd03b880 fffff6fb`7dbed000 fffff6fb`7da00000 : nt!NtDeviceIoControlFile+0x56
ffffd000`2868ebd0 00000000`77742772 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`08a4ea58 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x77742772


STACK_COMMAND:  kb

FOLLOWUP_IP:
NETIO!KfdClassify+6fd
fffff801`a06021d9 4c8bc0          mov     r8,rax

SYMBOL_STACK_INDEX:  4

SYMBOL_NAME:  NETIO!KfdClassify+6fd

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: NETIO

IMAGE_NAME:  NETIO.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  5215f7e4

IMAGE_VERSION:  6.3.9600.16384

BUCKET_ID_FUNC_OFFSET:  6fd

FAILURE_BUCKET_ID:  AV_NETIO!KfdClassify

BUCKET_ID:  AV_NETIO!KfdClassify

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:av_netio!kfdclassify

FAILURE_ID_HASH:  {0e14637a-385d-0a7b-00b2-7ee608277b22}

Followup: MachineOwner
---------

[Eddy]

Please remove the report and attach it to your post.

[smipx013]

Hi,

Thanks for the quick reply.  I am not overly comfortable attaching a minidump file for public consumption as it contains personally identifiable information.  I am more than happy to send it to an empoloyee of Avast however.  Are you an employee?  If so can you let me have your work email address and I will email it to you.

I hope you understand my reluctance.  In fairness I do not know who you are.  No disrespect intended.

Many thanks
Paul

[smipx013]

so....   I have logged a ticket with Avast Support.  Ref: #DKB-937-93744 and attached the minidump file to the support request. 

Cheers,
Paul

[Shintaro]

Mate,

Looking at the minimal information that you posted.

I would suggest that you start with a offline scan and fix.
Open a command prompt as Administrator and type in:

Code: [Select]

chkdsk c: /offlinescanandfix
Then reboot. The check will take place when you restart.

I would suggest then that you update the driver for your network card.

Hope this helps.

[smipx013]

Hi,

Thanks for that - Will do as you suggested.  I use the fast startup/hibernate option with Windows 8 so it could well be the driver issue you suggest.  I do seem to get the odd "dirty disk" too - but I guess this could be a symptom of the crashes.

Thanks for the tip.

Paul

[smipx013]

Hi,

The LAN drivers are the latest ones for 8.1 from realtek website (I have a Realtek PCIe GBE Family Controller card on my motherboard) so I can't update it.  I could downgrade it to an earlier version I guess. 
Did the scanandfix and its all okay.

If someone would like to see my minidump file then I'm more than happy to PM it - I just didn't want to attach it to a public forum that could be seen by undesirables. I didn't mean to come across all snooty :-)

I suspect its a combination of the new Windows 8.1 hibernation / faststart features and my slightly older motherboard that is not oficially certified for 8.1 (its a gigabyte GA-MA770-UD3 Rev 2.0).  Its a shame as in all other respects this mobo seems to be working well with 8.1 and this crash is only occasional.  I guess I can live with it as I do regular backups.....

Cheers,
Paul


 

[Shintaro]

You could try a uninstall and reinstall.

I would suggest:
1/ Download the latest version of Avast!
2/ Uninstall your current version using Avast's utility. http://www.avast.com/uninstall-utility
3/ Reboot
4/ Install the latest version of Avast that you downloaded.

Hope this helps.

[Eddy]

It is known that there are several (many?) problems with hibernation/power saving in Windows.
A well known problem is that Windows often loads a application before it has loaded the drivers that the application needs.
My advise is not to use hibernation/sleep mode.
Powering down safes more energy and the change of problems are way lower.


For a real clean install of avast I recommend this:
Go to the windows update website. ( http://update.microsoft.com ) and install all updates available for your system.
You may have to visit that website/reboot multiple times before everything is installed.

Check device manager and make sure there are no errors there at all.
No red cross(es), no exclamation mark(s).
If any is there, solve that first by installing the latest correct drivers for the device.

Next:
First make sure there are no remnants of a previously install av other than avast.
http://www.ache.nl > malware > remove (old) av

1. Download Avastclear, Rejzors uninstall tool and the appropriate Avast program edition.
Here are the installer links. Note: You need to be ONLINE during this install.
http://files.avast.com/iavs9x/avast_free_antivirus_setup_online.exe
http://files.avast.com/iavs9x/avast_pro_antivirus_setup_online.exe
http://files.avast.com/iavs9x/avast_internet_security_setup_online.exe
http://files.avast.com/iavs9x/avast_premier_antivirus_setup_online.exe

Avastclear : http://files.avast.com/iavs9x/avastclear.exe
Rejzors Uninstall tool: http://rejzor.wordpress.com/avast-cleanup-tool/

2. Uninstall Avast by control panel  [If you don't have Avast in control Panel go to #4]
3. Uninstall in Safe Mode using Avastclear.
http://www.avast.com/uninstall-utility
4. Run Rejzors Uninstall Utility in Normal Mode (removes traces avastclear doesn't) - reboot.
http://rejzor.wordpress.com/avast-cleanup-tool/
5. Be Sure Too Check Once Uninstall is Complete:Device Manager>View>Show Hidden Devices
If there is anything related to Avast with a yellow triangle then uninstall it (highlight, right click) and reboot.
6. Install the version you downloaded.
7. Reboot.

offline installers:
http://files.avast.com/iavs9x/avast_free_antivirus_setup.exe
http://files.avast.com/iavs9x/avast_pro_antivirus_setup.exe
http://files.avast.com/iavs9x/avast_internet_security_setup.exe
http://files.avast.com/iavs9x/avast_premier_antivirus_setup.exe

[Shintaro]

When you say it crashes occasionally, what is happening at the time when it crashes? Can you please be more specific.

FYI You can turn off the Fast Start and hibernation in Desktop -> Start -> Control Panel -> Hardware and Sound -> Power Options -> System Settings -> "Choose what the power button does"
You might have to click on "Change settings that are currently unavailable"

Because you need to un-tick:
"Turn on fast startup"

If you think that is the problem, I would switch off hibernation and fast start and see if the crashes stop.

[smipx013]

Hi,

I will reinstall avast and turn off the faststart and monitor the situation to see if things improve.  It only happens very occasionally however so may be some time before I can report back - but I will do so....

Cheers,
Paul

[thekochs]

Been around PCs for years....OK decades....yes, I'm old.
It may be all the history I have or bad experiences (was IT guy for awhile) but the VERY first thing I do with a new PC is disable Hibernate mode.  Granted, I'm still on Windows 7 on all my PCs, all the ones at office are too, but Hibernate needs so many things to work right to get it to work and one small change and things go badly....yup, seen BSODs.  Frankly, sleep mode seems fine for me/times when I don't want to boot down my PC.....plus, even Avast wakes up from sleep to run reliably. 

Anyway, just my two cents but if you want to disable Hibernate in system it is very easy....see link....you can always re-enable.
http://www.sevenforums.com/tutorials/819-hibernate-enable-disable.html

[Shintaro]

Ok, a couple of things, the OP is running Windows 8.1 so thing are a little different.

Windows 8.1 doesn't use "update.microsoft.com" that site was for Win XP and earlier.

Use this procedure to update Windows 8 / 8.1 http://www.pcruneasy.com/tutorials/windows-8/windows-update/index.php

The way to disable hibernate and Fast Start in Windows 8 : http://mywindows8.org/fast-start-up-in-windows-8/

[thekochs]

The way to disable hibernate and Fast Start in Windows 8 : http://mywindows8.org/fast-start-up-in-windows-8/

It is semantics but the link you show is to "turn off/on" the feature.
The link I showed about it to actually "disable" the hibernate "ability" in the system.....the link covers W7 & W8.
I think either way will work but since I personally hate hibernate....and some programs try to re-enable....I want the "ability" gone.
http://www.sevenforums.com/tutorials/819-hibernate-enable-disable.html
Just me.....obviously, up to OP.

[smipx013]

Well.....   I uninstalled Avast eventually as I had several more BSOD incidents (not always with the same as the above crash report) and have not had a single BSOD since. 

This was after reinstalling carefully as advised above. I did log a ticket with support but by the time they got back to me (about a week later) it was already uninstalled and I did not feel compelled to reinstall it for some generic "please send me your system logs" help as I have been there before with some other applications and generally speaking I have not got great support (as the other product was also a free one). 

I am happy to reinstall it and help support discover what the issue it but for that I would want a named contact in support and straight through to a level 2 tech who can perform some remote access.  I think that's only fair as it will take a lot of my time and effort too.  I have a working solution (Avira) now so I I have no massive urgency to work on this but it's a shame as I liked Avast (apart from the blue screens). I also installed it for numerous friends and family but now this has put me off a bit.

Thanks
Paul