argh - mcafee firewall blue screen of death

[Julie Larson]

About every 5 boot ups or so, I get a blue screen of death, evidently
caused by Mcafee firewall plus

Here's the report from Windbg

argh.. I'm getting Norton next time...
-Julie



Symbol search path is:
SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols

Microsoft (R) Windows Debugger Version 6.3.0017.0
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINNT\MEMORY.DMP]
Kernel Complete Dump File: Full address space is available

************************************************************
WARNING: Dump file has been truncated. Data may be missing.
************************************************************
Symbol search path is:
SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 2000 Kernel Version 2195 (Service Pack 4) MP (2 procs) Free
x86 compatible
Product: Server, suite: TerminalServer SingleUserTS
Kernel base = 0x80400000 PsLoadedModuleList = 0x80484b40
Debug session time: Sun Jun 13 14:37:20 2004
System Uptime: 0 days 0:01:29.562
Loading Kernel Symbols
.......................................................................................................................
Loading unloaded module list
....
Loading User Symbols
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck B8, {0, 0, 0, 0}

*** ERROR: Module load completed but symbols could not be loaded for
MpFirewall.sys
Probably caused by : MpFirewall.sys ( MpFirewall+bd47 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

ATTEMPTED_SWITCH_FROM_DPC (b8)
A wait operation, attach process, or yield was attempted from a DPC
routine.
This is an illegal operation and the stack track will lead to the
offending
code and original DPC routine.
Arguments:
Arg1: 00000000, Original thread which is the cause of the failure
Arg2: 00000000, New thread
Arg3: 00000000, Stack address of the original thread
Arg4: 00000000

Debugging Details:
------------------


DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xB8

LAST_CONTROL_TRANSFER: from 8046b356 to 8042a983

STACK_TEXT:
80473be4 8046b356 000000b8 80473cf0 00000202 nt!KeBugCheck+0xf
80473bf4 8046b0a9 80473c30 80470c6c 80470c00 nt!ScPatchFxe+0x34
80473c08 8042c413 00000000 80477820 00000001 nt!KiSwapThread+0x1b1
80473c30 804156bf fa7855a8 00000000 00000000
nt!KeWaitForSingleObject+0x1a3
80473c6c 80414dda 80477820 00000000 80514800
nt!ExpWaitForResource+0x2d
80473c84 8046469a 80477802 00000001 805148cd
nt!ExAcquireResourceSharedLite+0xc6
80473c90 805148cd 80473d14 80473d98 80514838 nt!CmpLockRegistry+0x18
80473d00 804668a9 80473dd0 00020019 80473da4 nt!NtOpenKey+0x95
80473d00 804304cf 80473dd0 00020019 80473da4 nt!KiSystemService+0xc9
80473d84 be753d47 80473dd0 00020019 80473da4 nt!ZwOpenKey+0xb
WARNING: Stack unwind information not available. Following frames may
be wrong.
80473dd8 be753f48 80065420 bbd0dfd0 80465cd0 MpFirewall+0xbd47
80474888 bbd0b642 f99ea8ce f99ea8e2 00000008 MpFirewall+0xbf48
804748dc bbd0b5d7 f99ea8ce f99ea8e2 00000008
ipfltdrv!MatchFilterp+0x66
80474910 be78af19 f99ea8ce f99ea8e2 00000008 ipfltdrv!MatchFilter+0x23
804749c0 be75c98c f9961d88 f99ea8e2 0000001a tcpip!IPRcvPacket+0x2ee
80474a00 be75c9ed 00000001 f9fe355c f99ea8c0
tcpip!ARPRcvIndicationNew+0x172
80474a3c bfec4183 f9960308 00000000 fac8e368 tcpip!ARPRcvPacket+0x5c
80474a94 f6485fbe faf25600 80474af4 00000001
NDIS!ethFilterDprIndicateReceivePacket+0x2ea
80474b54 f648256d 00c8e368 80465c90 faf25630
el90xbc5!UpCompleteNdis40PlusEvent+0x25e
80474b70 bfead974 fac8e368 80470970 ffdff848
el90xbc5!NICInterrupt+0x83
80474b8c 80465c48 fac8e554 fac8e540 00000000 NDIS!ndisMDpc+0xc8
80474ba4 80465ba0 0000000e 00000000 00000000 nt!KiRetireDpcList+0x47
80474bac 00000000 00000000 00000000 00000000 nt!KiIdleLoop+0x28


FOLLOWUP_IP:
MpFirewall+bd47
be753d47 85c0 test eax,eax

SYMBOL_STACK_INDEX: a

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: MpFirewall+bd47

MODULE_NAME: MpFirewall

IMAGE_NAME: MpFirewall.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 409a669f

STACK_COMMAND: kb

BUCKET_ID: 0xB8_MpFirewall+bd47

Followup: MachineOwner
---------

 

[DL]

You could try McAfee site for info; but often with a problem install its
neccessary to uninstall, ensuring it is completely removed from yr sys -
McAfee site will have info on this - before reinstalling.

About every 5 boot ups or so, I get a blue screen of death, evidently
caused by Mcafee firewall plus

Here's the report from Windbg

argh.. I'm getting Norton next time...
-Julie



Symbol search path is:
SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols

Microsoft (R) Windows Debugger Version 6.3.0017.0
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINNT\MEMORY.DMP]
Kernel Complete Dump File: Full address space is available

************************************************************
WARNING: Dump file has been truncated. Data may be missing.
************************************************************
Symbol search path is:
SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 2000 Kernel Version 2195 (Service Pack 4) MP (2 procs) Free
x86 compatible
Product: Server, suite: TerminalServer SingleUserTS
Kernel base = 0x80400000 PsLoadedModuleList = 0x80484b40
Debug session time: Sun Jun 13 14:37:20 2004
System Uptime: 0 days 0:01:29.562
Loading Kernel Symbols
.............................................................................
...........................................
Loading unloaded module list
...
Loading User Symbols
****************************************************************************
***
*
*
* Bugcheck Analysis
*
*
*
****************************************************************************
***

Use !analyze -v to get detailed debugging information.

BugCheck B8, {0, 0, 0, 0}

*** ERROR: Module load completed but symbols could not be loaded for
MpFirewall.sys
Probably caused by : MpFirewall.sys ( MpFirewall+bd47 )

Followup: MachineOwner
---------

0: kd> !analyze -v
****************************************************************************
***
*
*
* Bugcheck Analysis
*
*
*
****************************************************************************
***

ATTEMPTED_SWITCH_FROM_DPC (b8)
A wait operation, attach process, or yield was attempted from a DPC
routine.
This is an illegal operation and the stack track will lead to the
offending
code and original DPC routine.
Arguments:
Arg1: 00000000, Original thread which is the cause of the failure
Arg2: 00000000, New thread
Arg3: 00000000, Stack address of the original thread
Arg4: 00000000

Debugging Details:
------------------


DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xB8

LAST_CONTROL_TRANSFER: from 8046b356 to 8042a983

STACK_TEXT:
80473be4 8046b356 000000b8 80473cf0 00000202 nt!KeBugCheck+0xf
80473bf4 8046b0a9 80473c30 80470c6c 80470c00 nt!ScPatchFxe+0x34
80473c08 8042c413 00000000 80477820 00000001 nt!KiSwapThread+0x1b1
80473c30 804156bf fa7855a8 00000000 00000000
nt!KeWaitForSingleObject+0x1a3
80473c6c 80414dda 80477820 00000000 80514800
nt!ExpWaitForResource+0x2d
80473c84 8046469a 80477802 00000001 805148cd
nt!ExAcquireResourceSharedLite+0xc6
80473c90 805148cd 80473d14 80473d98 80514838 nt!CmpLockRegistry+0x18
80473d00 804668a9 80473dd0 00020019 80473da4 nt!NtOpenKey+0x95
80473d00 804304cf 80473dd0 00020019 80473da4 nt!KiSystemService+0xc9
80473d84 be753d47 80473dd0 00020019 80473da4 nt!ZwOpenKey+0xb
WARNING: Stack unwind information not available. Following frames may
be wrong.
80473dd8 be753f48 80065420 bbd0dfd0 80465cd0 MpFirewall+0xbd47
80474888 bbd0b642 f99ea8ce f99ea8e2 00000008 MpFirewall+0xbf48
804748dc bbd0b5d7 f99ea8ce f99ea8e2 00000008
ipfltdrv!MatchFilterp+0x66
80474910 be78af19 f99ea8ce f99ea8e2 00000008 ipfltdrv!MatchFilter+0x23
804749c0 be75c98c f9961d88 f99ea8e2 0000001a tcpip!IPRcvPacket+0x2ee
80474a00 be75c9ed 00000001 f9fe355c f99ea8c0
tcpip!ARPRcvIndicationNew+0x172
80474a3c bfec4183 f9960308 00000000 fac8e368 tcpip!ARPRcvPacket+0x5c
80474a94 f6485fbe faf25600 80474af4 00000001
NDIS!ethFilterDprIndicateReceivePacket+0x2ea
80474b54 f648256d 00c8e368 80465c90 faf25630
el90xbc5!UpCompleteNdis40PlusEvent+0x25e
80474b70 bfead974 fac8e368 80470970 ffdff848
el90xbc5!NICInterrupt+0x83
80474b8c 80465c48 fac8e554 fac8e540 00000000 NDIS!ndisMDpc+0xc8
80474ba4 80465ba0 0000000e 00000000 00000000 nt!KiRetireDpcList+0x47
80474bac 00000000 00000000 00000000 00000000 nt!KiIdleLoop+0x28


FOLLOWUP_IP:
MpFirewall+bd47
be753d47 85c0 test eax,eax

SYMBOL_STACK_INDEX: a

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: MpFirewall+bd47

MODULE_NAME: MpFirewall

IMAGE_NAME: MpFirewall.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 409a669f

STACK_COMMAND: kb

BUCKET_ID: 0xB8_MpFirewall+bd47

Followup: MachineOwner
---------

 

[Julie Larson]

Got my answer at last. Sorry to have troubled the whole world with
it...

Manual Uninstall of Personal Firewall/Plus
Boot into Safe Mode (http://www.mcafeehelp.com/faq3.asp?docid=68053)

Delete the Personal Firewall folders

From the taskbar, click Start.
Click Run.
Type Explorer
Click OK.
Double-click My Computer.
Double-click C: drive.
Delete the MC?????.tmp folder(s), if present.
Note: ? = these could be numbers or letters.
From the C: drive, double-click Program Files.
Double-click McAfee.
If present, delete the Personal Firewall folder and MPF folder.
http://www.mcafeehelp.com/faq3.asp?docid=68053
Search for Status.mpf

Perform a search on your C: drive for a file named STATUS.MPF and
delete any instance found. This file will most likely be found in
C:Windows\System or C:\Windows\System32, depending upon your operating
system.

Backup the registry

Open and backup the registry
(http://www.mcafeehelp.com/faq3.asp?docid=68037)

Delete the registry keys

Click the + next to HKEY_LOCAL_MACHINE.
Click the + next to SOFTWARE.
Click the + next to McAfee.com.
Delete any instance of a Personal Firewall folder or MPF folder.
Click on the + next to Microsoft
Click on the + next to Windows
Click on the + next to Current Version
Click on the run folder to highlight it
On the right side delete the MPFExe file
Back on the left side click on the + next to uninstall
Scroll down and delete the Mcafee.com Personal FireWall Plus folder
Highlight my computer at the top and than click on edit.
Than click on Find and search for MpFireWall.sys and delete all
references.
Close the Registry Editor.
Run a search on the C: drive for MpFireWall.sys as well and delete all
reference if any.


Remove ActiveX components
Double Click My Computer
Double Click the C drive icon
Double Click the Windows folder (Note: This folder name may be WINNT
for users with Windows 2000 or XP upgraded from 2000)
Double Click the Downloaded Program Files folder
Delete any McAfee ActiveX components (examples: McAfee.com Operating
system class, McAfee Installer Class, McAfee TYP class, McAfee Tree
class.)
Note: Browse the folder and if you see a component that you are unsure
of what program it belongs to like long random names with numbers and
letters, double click on it and look under the code base. If its from
Download.McAfee.com, then delete it.
Empty the recycle bin and restart the computer.

Misc Stuff

Check out MSInfo32 and see if there are any "Problem Devices" in the
list...Under "Components", and "Problem Devices".
Make sure they don't have another FireWall and that the Windows XP
Built in FireWall is disabled.
Check there Device Manager under Network Adapters and make sure the
devices are working properly.
From here download and reinstall Personal FireWall/Plus from the web
site off of your account.
Check with you hardware vendor for any bios updates. Have them Disable
bios memory options such as caching or shadowing.