Question
Applies to
385196 views

Blue Screen of Death: Driver IRQL Not Less or Equal (Windows 7)

Clo Fuller asked on
My computer started crashing after I downloaded the latest batch of Windows updates. I presume there's a connection, but I could be mistaken. I was able to photograph the screen this last time. (I'm sorry for the reflection at the top, but it's still readable) Any suggestions? I'd very much appreciate any help y'all can provide.



Thanks!
1485 people had this question

Abuse history


The answered status icon Answer
Patrick Barker replied on

Perfect, thank you! You should also be happy to know that this at first glance appears to be a very simple and easy to solve issue.

Right, so all of the attached DMP files are of the DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1) bug check.

This indicates that a kernel-mode driver attempted to access pageable memory at a process IRQL that was too high.

A driver tried to access an address that is pageable (or that is completely invalid) while the IRQL was too high. This bug check is usually caused by drivers that have used improper addresses.

If we take a look at the call stack:

1: kd> kv
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff880`0c070a58 fffff800`0308f169 : 00000000`0000000a 00000000`00000008 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffff880`0c070a60 fffff800`0308dde0 : fffff880`0c070c20 fffffa80`0edcc4d8 00000000`00000000 fffff880`0c070f50 : nt!KiBugCheckDispatch+0x69
fffff880`0c070ba0 fffff880`01928a1d : fffffa80`05a44338 fffffa80`05a44330 00000000`00000001 fffff880`0193c827 : nt!KiPageFault+0x260 (TrapFrame @ fffff880`0c070ba0)
fffff880`0c070d30 fffff880`019320d4 : fffff880`0c070f50 fffff880`0c070f50 fffff880`0c071150 fffffa80`0db76280 : NETIO!CalloutStreamDataInit+0x1d
fffff880`0c070d70 fffff880`0193de98 : 00000000`00000000 fffff880`0c071150 fffff880`0c070f00 fffff880`0c070f88 : NETIO!StreamInvokeCalloutAndNormalizeAction+0x54
fffff880`0c070e10 fffff880`0193ee91 : fffffa80`0f81e5f0 fffff880`0c071150 fffff880`0c070f50 fffff880`0c0715a0 : NETIO!StreamCalloutProcessData+0x48
fffff880`0c070e60 fffff880`0193fee8 : fffff880`0c070f50 fffff880`0c0715a0 fffff880`0c071101 fffffa80`0f81e5f0 : NETIO!StreamCalloutProcessingLoop+0xa1
fffff880`0c070ef0 fffff880`01920a2a : fffff880`0c071150 fffff880`09b8e690 00000000`00000000 fffffa80`0e550014 : NETIO!StreamProcessCallout+0x1e8
fffff880`0c070fe0 fffff880`01907f58 : fffff8a0`0fc50014 fffffa80`0ea8dc30 fffffa80`0593ae08 fffff880`0c0715a0 : NETIO! ?? ::FNODOBFM::`string'+0x71f2
fffff880`0c071100 fffff880`019095d2 : fffff880`0c070014 fffffa80`0ea8dc30 fffffa80`0e55b4e0 00000000`00000000 : NETIO!ArbitrateAndEnforce+0x238
fffff880`0c0711d0 fffff880`019423b3 : fffff880`0c071674 fffffa80`0ea8dc30 00000000`00000001 fffff880`0c0715a0 : NETIO!KfdClassify+0x934
fffff880`0c071540 fffff880`0194299a : 00000000`00000000 00000000`00010000 00000000`003793f8 fffffa80`0e55b420 : NETIO!StreamInternalClassify+0xf3
fffff880`0c071610 fffff880`01942d8e : 00000000`00000014 00000000`00000100 00000000`00000000 fffffa80`0e7a98e0 : NETIO!StreamInject+0x1ca
fffff880`0c0716e0 fffff880`01997dd7 : fffffa80`0e55b370 00000000`0000015c fffffa80`0dcd5be0 fffff800`031c3d00 : NETIO!FwppStreamInject+0x12e
fffff880`0c071770 fffff880`09afec44 : fffffa80`0e081360 00000000`00000000 fffffa80`1084e1c0 fffffa80`05b61c10 : fwpkclnt!FwpsStreamInjectAsync0+0xcf
fffff880`0c0717d0 fffffa80`0e081360 : 00000000`00000000 fffffa80`1084e1c0 fffffa80`05b61c10 fffff8a0`0000015c : UrlFilter+0x1c44
fffff880`0c0717d8 00000000`00000000 : fffffa80`1084e1c0 fffffa80`05b61c10 fffff8a0`0000015c fffff800`00000014 : 0xfffffa80`0e081360


We can see a UrlFilter.sys call which is a component of IObit. After we have that call, it leads into MANY Network I/O Subsystem routine calls, which goes directly into a page fault and then the bug check itself.

Unable to load image \??\C:\Program Files (x86)\IObit\IObit Malware Fighter\drivers\win7_amd64\UrlFilter.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for UrlFilter.sys
*** ERROR: Module load completed but symbols could not be loaded for UrlFilter.sys


Overall, what's happening? IObit Malware Fighter of no surprise to me (as I always see it) is causing NETBIOS conflicts with Norton which then causes memory corruption. Ultimately, this crashes your computer.

------------------

1. Uninstall IObit.

2. Remove and replace Norton with Microsoft Security Essentials for temporary troubleshooting purposes:

Norton removal - https://support.norton.com/sp/en/us/home/current/solutions/kb20080710133834EN_EndUserProfile_en_us;jsessionid=841A6D40BA6872C47697C6C6B19C8E11.4?entsrc=redirect_pubweb&pvid=f-home

MSE -  http://windows.microsoft.com/en-us/windows/security-essentials-download

Your crashes should cease after this, so please keep me updated.

Also, you may want to read this about IObit - IOBit Steals Malwarebytes' Intellectual Property.

Regards,

Patrick
Debugger/Reverse Engineer.
85 people found this helpful

Abuse history


The answered status icon Answer
Patrick Barker replied on

My pleasure, I look forward to your update.

I would not by any means reinstall Norton, it is not a good antivirus despite what many say. I'd stay far away from Norton + McAfee. For now, go several days without any 3rdparty antivirus. If the crashes cease, you know it was both conflicting and you can move on to try others... although I dislike most as I see how many conflicts they can cause, and I deal with it on a daily basis.

For the record though, Malwarebytes is fantastic and you would be just fine installing that right now if you wish.

Regards,

Patrick
Debugger/Reverse Engineer.
19 people found this helpful

Abuse history


progress