argh - mcafee firewall blue screen of death

Archived from groups: microsoft.public.win2000.setup (More info?)

About every 5 boot ups or so, I get a blue screen of death, evidently
caused by Mcafee firewall plus

Here's the report from Windbg

argh.. I'm getting Norton next time...
-Julie


Symbol search path is:
SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols

Microsoft (R) Windows Debugger Version 6.3.0017.0
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINNT\MEMORY.DMP]
Kernel Complete Dump File: Full address space is available

************************************************************
WARNING: Dump file has been truncated. Data may be missing.
************************************************************
Symbol search path is:
SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 2000 Kernel Version 2195 (Service Pack 4) MP (2 procs) Free
x86 compatible
Product: Server, suite: TerminalServer SingleUserTS
Kernel base = 0x80400000 PsLoadedModuleList = 0x80484b40
Debug session time: Sun Jun 13 14:37:20 2004
System Uptime: 0 days 0:01:29.562
Loading Kernel Symbols
.......................................................................................................................
Loading unloaded module list
....
Loading User Symbols
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck B8, {0, 0, 0, 0}

*** ERROR: Module load completed but symbols could not be loaded for
MpFirewall.sys
Probably caused by : MpFirewall.sys ( MpFirewall+bd47 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

ATTEMPTED_SWITCH_FROM_DPC (b8)
A wait operation, attach process, or yield was attempted from a DPC
routine.
This is an illegal operation and the stack track will lead to the
offending
code and original DPC routine.
Arguments:
Arg1: 00000000, Original thread which is the cause of the failure
Arg2: 00000000, New thread
Arg3: 00000000, Stack address of the original thread
Arg4: 00000000

Debugging Details:
------------------


DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xB8

LAST_CONTROL_TRANSFER: from 8046b356 to 8042a983

STACK_TEXT:
80473be4 8046b356 000000b8 80473cf0 00000202 nt!KeBugCheck+0xf
80473bf4 8046b0a9 80473c30 80470c6c 80470c00 nt!ScPatchFxe+0x34
80473c08 8042c413 00000000 80477820 00000001 nt!KiSwapThread+0x1b1
80473c30 804156bf fa7855a8 00000000 00000000
nt!KeWaitForSingleObject+0x1a3
80473c6c 80414dda 80477820 00000000 80514800
nt!ExpWaitForResource+0x2d
80473c84 8046469a 80477802 00000001 805148cd
nt!ExAcquireResourceSharedLite+0xc6
80473c90 805148cd 80473d14 80473d98 80514838 nt!CmpLockRegistry+0x18
80473d00 804668a9 80473dd0 00020019 80473da4 nt!NtOpenKey+0x95
80473d00 804304cf 80473dd0 00020019 80473da4 nt!KiSystemService+0xc9
80473d84 be753d47 80473dd0 00020019 80473da4 nt!ZwOpenKey+0xb
WARNING: Stack unwind information not available. Following frames may
be wrong.
80473dd8 be753f48 80065420 bbd0dfd0 80465cd0 MpFirewall+0xbd47
80474888 bbd0b642 f99ea8ce f99ea8e2 00000008 MpFirewall+0xbf48
804748dc bbd0b5d7 f99ea8ce f99ea8e2 00000008
ipfltdrv!MatchFilterp+0x66
80474910 be78af19 f99ea8ce f99ea8e2 00000008 ipfltdrv!MatchFilter+0x23
804749c0 be75c98c f9961d88 f99ea8e2 0000001a tcpip!IPRcvPacket+0x2ee
80474a00 be75c9ed 00000001 f9fe355c f99ea8c0
tcpip!ARPRcvIndicationNew+0x172
80474a3c bfec4183 f9960308 00000000 fac8e368 tcpip!ARPRcvPacket+0x5c
80474a94 f6485fbe faf25600 80474af4 00000001
NDIS!ethFilterDprIndicateReceivePacket+0x2ea
80474b54 f648256d 00c8e368 80465c90 faf25630
el90xbc5!UpCompleteNdis40PlusEvent+0x25e
80474b70 bfead974 fac8e368 80470970 ffdff848
el90xbc5!NICInterrupt+0x83
80474b8c 80465c48 fac8e554 fac8e540 00000000 NDIS!ndisMDpc+0xc8
80474ba4 80465ba0 0000000e 00000000 00000000 nt!KiRetireDpcList+0x47
80474bac 00000000 00000000 00000000 00000000 nt!KiIdleLoop+0x28


FOLLOWUP_IP:
MpFirewall+bd47
be753d47 85c0 test eax,eax

SYMBOL_STACK_INDEX: a

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: MpFirewall+bd47

MODULE_NAME: MpFirewall

IMAGE_NAME: MpFirewall.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 409a669f

STACK_COMMAND: kb

BUCKET_ID: 0xB8_MpFirewall+bd47

Followup: MachineOwner
---------
2 answers Last reply
More about argh mcafee firewall blue screen death
  1. Archived from groups: microsoft.public.win2000.setup (More info?)

    You could try McAfee site for info; but often with a problem install its
    neccessary to uninstall, ensuring it is completely removed from yr sys -
    McAfee site will have info on this - before reinstalling.

    "Julie Larson" <dichroicreflection@yahoo.com> wrote in message
    news:11f3093f.0406131411.af7d3f5@posting.google.com...
    > About every 5 boot ups or so, I get a blue screen of death, evidently
    > caused by Mcafee firewall plus
    >
    > Here's the report from Windbg
    >
    > argh.. I'm getting Norton next time...
    > -Julie
    >
    >
    >
    > Symbol search path is:
    > SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
    >
    > Microsoft (R) Windows Debugger Version 6.3.0017.0
    > Copyright (c) Microsoft Corporation. All rights reserved.
    >
    >
    > Loading Dump File [C:\WINNT\MEMORY.DMP]
    > Kernel Complete Dump File: Full address space is available
    >
    > ************************************************************
    > WARNING: Dump file has been truncated. Data may be missing.
    > ************************************************************
    > Symbol search path is:
    > SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
    > Executable search path is:
    > Windows 2000 Kernel Version 2195 (Service Pack 4) MP (2 procs) Free
    > x86 compatible
    > Product: Server, suite: TerminalServer SingleUserTS
    > Kernel base = 0x80400000 PsLoadedModuleList = 0x80484b40
    > Debug session time: Sun Jun 13 14:37:20 2004
    > System Uptime: 0 days 0:01:29.562
    > Loading Kernel Symbols
    >
    .............................................................................
    ...........................................
    > Loading unloaded module list
    > ...
    > Loading User Symbols
    >
    ****************************************************************************
    ***
    > *
    > *
    > * Bugcheck Analysis
    > *
    > *
    > *
    >
    ****************************************************************************
    ***
    >
    > Use !analyze -v to get detailed debugging information.
    >
    > BugCheck B8, {0, 0, 0, 0}
    >
    > *** ERROR: Module load completed but symbols could not be loaded for
    > MpFirewall.sys
    > Probably caused by : MpFirewall.sys ( MpFirewall+bd47 )
    >
    > Followup: MachineOwner
    > ---------
    >
    > 0: kd> !analyze -v
    >
    ****************************************************************************
    ***
    > *
    > *
    > * Bugcheck Analysis
    > *
    > *
    > *
    >
    ****************************************************************************
    ***
    >
    > ATTEMPTED_SWITCH_FROM_DPC (b8)
    > A wait operation, attach process, or yield was attempted from a DPC
    > routine.
    > This is an illegal operation and the stack track will lead to the
    > offending
    > code and original DPC routine.
    > Arguments:
    > Arg1: 00000000, Original thread which is the cause of the failure
    > Arg2: 00000000, New thread
    > Arg3: 00000000, Stack address of the original thread
    > Arg4: 00000000
    >
    > Debugging Details:
    > ------------------
    >
    >
    > DEFAULT_BUCKET_ID: DRIVER_FAULT
    >
    > BUGCHECK_STR: 0xB8
    >
    > LAST_CONTROL_TRANSFER: from 8046b356 to 8042a983
    >
    > STACK_TEXT:
    > 80473be4 8046b356 000000b8 80473cf0 00000202 nt!KeBugCheck+0xf
    > 80473bf4 8046b0a9 80473c30 80470c6c 80470c00 nt!ScPatchFxe+0x34
    > 80473c08 8042c413 00000000 80477820 00000001 nt!KiSwapThread+0x1b1
    > 80473c30 804156bf fa7855a8 00000000 00000000
    > nt!KeWaitForSingleObject+0x1a3
    > 80473c6c 80414dda 80477820 00000000 80514800
    > nt!ExpWaitForResource+0x2d
    > 80473c84 8046469a 80477802 00000001 805148cd
    > nt!ExAcquireResourceSharedLite+0xc6
    > 80473c90 805148cd 80473d14 80473d98 80514838 nt!CmpLockRegistry+0x18
    > 80473d00 804668a9 80473dd0 00020019 80473da4 nt!NtOpenKey+0x95
    > 80473d00 804304cf 80473dd0 00020019 80473da4 nt!KiSystemService+0xc9
    > 80473d84 be753d47 80473dd0 00020019 80473da4 nt!ZwOpenKey+0xb
    > WARNING: Stack unwind information not available. Following frames may
    > be wrong.
    > 80473dd8 be753f48 80065420 bbd0dfd0 80465cd0 MpFirewall+0xbd47
    > 80474888 bbd0b642 f99ea8ce f99ea8e2 00000008 MpFirewall+0xbf48
    > 804748dc bbd0b5d7 f99ea8ce f99ea8e2 00000008
    > ipfltdrv!MatchFilterp+0x66
    > 80474910 be78af19 f99ea8ce f99ea8e2 00000008 ipfltdrv!MatchFilter+0x23
    > 804749c0 be75c98c f9961d88 f99ea8e2 0000001a tcpip!IPRcvPacket+0x2ee
    > 80474a00 be75c9ed 00000001 f9fe355c f99ea8c0
    > tcpip!ARPRcvIndicationNew+0x172
    > 80474a3c bfec4183 f9960308 00000000 fac8e368 tcpip!ARPRcvPacket+0x5c
    > 80474a94 f6485fbe faf25600 80474af4 00000001
    > NDIS!ethFilterDprIndicateReceivePacket+0x2ea
    > 80474b54 f648256d 00c8e368 80465c90 faf25630
    > el90xbc5!UpCompleteNdis40PlusEvent+0x25e
    > 80474b70 bfead974 fac8e368 80470970 ffdff848
    > el90xbc5!NICInterrupt+0x83
    > 80474b8c 80465c48 fac8e554 fac8e540 00000000 NDIS!ndisMDpc+0xc8
    > 80474ba4 80465ba0 0000000e 00000000 00000000 nt!KiRetireDpcList+0x47
    > 80474bac 00000000 00000000 00000000 00000000 nt!KiIdleLoop+0x28
    >
    >
    > FOLLOWUP_IP:
    > MpFirewall+bd47
    > be753d47 85c0 test eax,eax
    >
    > SYMBOL_STACK_INDEX: a
    >
    > FOLLOWUP_NAME: MachineOwner
    >
    > SYMBOL_NAME: MpFirewall+bd47
    >
    > MODULE_NAME: MpFirewall
    >
    > IMAGE_NAME: MpFirewall.sys
    >
    > DEBUG_FLR_IMAGE_TIMESTAMP: 409a669f
    >
    > STACK_COMMAND: kb
    >
    > BUCKET_ID: 0xB8_MpFirewall+bd47
    >
    > Followup: MachineOwner
    > ---------
  2. Archived from groups: microsoft.public.win2000.setup (More info?)

    Got my answer at last. Sorry to have troubled the whole world with
    it...

    Manual Uninstall of Personal Firewall/Plus
    Boot into Safe Mode (http://www.mcafeehelp.com/faq3.asp?docid=68053)

    Delete the Personal Firewall folders

    From the taskbar, click Start.
    Click Run.
    Type Explorer
    Click OK.
    Double-click My Computer.
    Double-click C: drive.
    Delete the MC?????.tmp folder(s), if present.
    Note: ? = these could be numbers or letters.
    From the C: drive, double-click Program Files.
    Double-click McAfee.
    If present, delete the Personal Firewall folder and MPF folder.
    http://www.mcafeehelp.com/faq3.asp?docid=68053
    Search for Status.mpf

    Perform a search on your C: drive for a file named STATUS.MPF and
    delete any instance found. This file will most likely be found in
    C:Windows\System or C:\Windows\System32, depending upon your operating
    system.

    Backup the registry

    Open and backup the registry
    (http://www.mcafeehelp.com/faq3.asp?docid=68037)

    Delete the registry keys

    Click the + next to HKEY_LOCAL_MACHINE.
    Click the + next to SOFTWARE.
    Click the + next to McAfee.com.
    Delete any instance of a Personal Firewall folder or MPF folder.
    Click on the + next to Microsoft
    Click on the + next to Windows
    Click on the + next to Current Version
    Click on the run folder to highlight it
    On the right side delete the MPFExe file
    Back on the left side click on the + next to uninstall
    Scroll down and delete the Mcafee.com Personal FireWall Plus folder
    Highlight my computer at the top and than click on edit.
    Than click on Find and search for MpFireWall.sys and delete all
    references.
    Close the Registry Editor.
    Run a search on the C: drive for MpFireWall.sys as well and delete all
    reference if any.


    Remove ActiveX components
    Double Click My Computer
    Double Click the C drive icon
    Double Click the Windows folder (Note: This folder name may be WINNT
    for users with Windows 2000 or XP upgraded from 2000)
    Double Click the Downloaded Program Files folder
    Delete any McAfee ActiveX components (examples: McAfee.com Operating
    system class, McAfee Installer Class, McAfee TYP class, McAfee Tree
    class.)
    Note: Browse the folder and if you see a component that you are unsure
    of what program it belongs to like long random names with numbers and
    letters, double click on it and look under the code base. If its from
    Download.McAfee.com, then delete it.
    Empty the recycle bin and restart the computer.

    Misc Stuff

    Check out MSInfo32 and see if there are any "Problem Devices" in the
    list...Under "Components", and "Problem Devices".
    Make sure they don't have another FireWall and that the Windows XP
    Built in FireWall is disabled.
    Check there Device Manager under Network Adapters and make sure the
    devices are working properly.
    From here download and reinstall Personal FireWall/Plus from the web
    site off of your account.
    Check with you hardware vendor for any bios updates. Have them Disable
    bios memory options such as caching or shadowing.
Ask a new question

Read More

Blue Screen Windows