BSOD with ndis.sys

Status
Not open for further replies.

Troudhuk

Hello,
I'm French, so sorry for my communication.
My new computer with Vista 64 has recently had some reboot problems. I recently installed some special software:
Virtual PC, VMWare, Daemon Tools, NCP Secure Client (a VPN client). Kaspersky Internet Security has been my security program for a long time (avp.exe in the dump...).
There are 9 dump files, but they are almost the same.

One of them (by windbg) said:
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {3b8, 2, 0, fffffa6000faa09f}

Unable to load image \SystemRoot\system32\DRIVERS\ncplelhp.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ncplelhp.sys
*** ERROR: Module load completed but symbols could not be loaded for ncplelhp.sys
Probably caused by : ncplelhp.sys ( ncplelhp+15872 )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000000000003b8, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffffa6000faa09f, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS: GetPointerFromAddress: unable to read from fffff80002683080
00000000000003b8

CURRENT_IRQL: 2

FAULTING_IP:
ndis!ndisMSendCompleteNetBufferListsInternal+8f
fffffa60`00faa09f 488b8fb8030000 mov rcx,qword ptr [rdi+3B8h]

CUSTOMER_CRASH_COUNT: 6

DEFAULT_BUCKET_ID: COMMON_SYSTEM_FAULT

BUGCHECK_STR: 0xD1

PROCESS_NAME: avp.exe

TRAP_FRAME: fffffa6005978a00 -- (.trap 0xfffffa6005978a00)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffffa6000e5e110 rbx=0000000000000000 rcx=fffffa6000f670e0
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffffa6000faa09f rsp=fffffa6005978b90 rbp=0000000000000000
r8=0000000000000000 r9=0000000000000000 r10=fffffa8005014cb0
r11=0000000000000002 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
ndis!ndisMSendCompleteNetBufferListsInternal+0x8f:
fffffa60`00faa09f 488b8fb8030000 mov rcx,qword ptr [rdi+3B8h] ds:d6a0:00000000`000003b8=????????????????
Resetting default scope

LAST_CONTROL_TRANSFER: from fffff800024af0ee to fffff800024af350

STACK_TEXT:
fffffa60`059788b8 fffff800`024af0ee : 00000000`0000000a 00000000`000003b8 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffffa60`059788c0 fffff800`024adfcb : 00000000`00000000 fffff800`024b1e75 00000000`00000000 fffffa80`041931a0 : nt!KiBugCheckDispatch+0x6e
fffffa60`05978a00 fffffa60`00faa09f : fffffa80`04c9a0ac fffffa60`02a51798 fffffa80`04e458f4 fffffa80`04e2dc04 : nt!KiPageFault+0x20b
fffffa60`05978b90 fffffa60`00faa1ac : fffffa80`041931a0 00000000`00000000 fffffa80`041931a0 fffffa60`00cdb817 : ndis!ndisMSendCompleteNetBufferListsInternal+0x8f
fffffa60`05978c00 fffffa60`02a4b872 : fffffa80`041931a0 00000000`00000000 fffffa80`037bd6a0 00000000`00000000 : ndis!NdisMSendNetBufferListsComplete+0x7c
fffffa60`05978c40 fffffa80`041931a0 : 00000000`00000000 fffffa80`037bd6a0 00000000`00000000 00000000`00000000 : ncplelhp+0x15872
fffffa60`05978c48 00000000`00000000 : fffffa80`037bd6a0 00000000`00000000 00000000`00000000 fffffa60`02a4a200 : 0xfffffa80`041931a0


STACK_COMMAND: kb

FOLLOWUP_IP:
ncplelhp+15872
fffffa60`02a4b872 ?? ???

SYMBOL_STACK_INDEX: 5

SYMBOL_NAME: ncplelhp+15872

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: ncplelhp

IMAGE_NAME: ncplelhp.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 491848a3

FAILURE_BUCKET_ID: X64_0xD1_ncplelhp+15872

BUCKET_ID: X64_0xD1_ncplelhp+15872

Followup: MachineOwner
---------

I need all the programs I talked about, so I'm asking you to help find the culprit.
Thanks for helping. If you need more information I will provide it.

Edit: I uninstalled and reinstalled Kaspersky, no more BSOD yet... Strange, I hope it will stay good.
 
All errors are 0xD1 and these are almost always caused by faulty drivers. The driver cited in every minidump as the probable cause is ncplelhp.sys and except for one place there was nothing on the internet concerning this driver.

Kaspersky isn't your issue because ncplelhp.sys prevents the Kaspersky driver kl1.sys from loading and interferes with the process avp.exe which belongs to Kaspersky as well. This is why when you uninstalled and reinstalled Kaspersky you most likely undid whatever conflicts were taking place between the two.

ncplelhp.sys is a driver for NCP Virtual Tunnel Adapter which is part of the NCP Secure Client Adapter by NCP Engineering GmbH.

Question: Is your Kaspersky anti-virus only or is it their security suite? The reason I ask is because NCP has a built-in firewall and two firewalls loaded at the same time will cause conflicts and system crashes.
 
(It crashed again)

It is Kaspersky Internet Security so there is a firewall. Thanks for the help, I disable it. Should I disable Windows firewall? I don't know which one to keep.
It seems that the NCP firewall was already disabled... strange.
 
Here is the rule about security software that provides resident protection: One antivirus, one firewall, one antispyware (plus a router which is absolutely essential). When I say Resident Protection I mean the kind that is running in the background protecting your PC.

Three firewalls are going to cause all kinds of issues. Disable the other two and keep one. I know nothing about NCP nor how good the firewall is and it might have disabled itself because you already had two running.

Vista's firewall is considerably better than XP's. XP's is actually very poor. You may be okay with Vista. I do know Kaspersky is excellent as an antivirus but I know little about their firewall.
 
I enabled only the NCP firewall, but there is a new BSOD.

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000000000003b8, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffffa6000fa509f, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS: GetPointerFromAddress: unable to read from fffff8000207b080
00000000000003b8

CURRENT_IRQL: 2

FAULTING_IP:
ndis!ndisMSendCompleteNetBufferListsInternal+8f
fffffa60`00fa509f 488b8fb8030000 mov rcx,qword ptr [rdi+3B8h]

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0xD1

PROCESS_NAME: NCPRWSNT.EXE

TRAP_FRAME: fffffa6005ff7af0 -- (.trap 0xfffffa6005ff7af0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffffa6000e59110 rbx=0000000000000000 rcx=fffffa6000f620e0
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffffa6000fa509f rsp=fffffa6005ff7c80 rbp=0000000000000000
r8=0000000000000000 r9=0000000000000000 r10=fffffa800507ce30
r11=0000000000000002 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
ndis!ndisMSendCompleteNetBufferListsInternal+0x8f:
fffffa60`00fa509f 488b8fb8030000 mov rcx,qword ptr [rdi+3B8h] ds:fc00:00000000`000003b8=????????????????
Resetting default scope

LAST_CONTROL_TRANSFER: from fffff80001ea70ee to fffff80001ea7350

STACK_TEXT:
fffffa60`05ff79a8 fffff800`01ea70ee : 00000000`0000000a 00000000`000003b8 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffffa60`05ff79b0 fffff800`01ea5fcb : 00000000`00000000 fffff800`01ea9e75 00000000`00000000 fffffa80`041e21a0 : nt!KiBugCheckDispatch+0x6e
fffffa60`05ff7af0 fffffa60`00fa509f : fffffa80`04ffafac fffffa60`02a1f798 fffffa80`04e2da74 fffffa60`00e025eb : nt!KiPageFault+0x20b
fffffa60`05ff7c80 fffffa60`00fa51ac : fffffa80`041e21a0 00000000`00000000 fffffa80`041e21a0 fffffa60`00cdf817 : ndis!ndisMSendCompleteNetBufferListsInternal+0x8f
fffffa60`05ff7cf0 fffffa60`02a19872 : fffffa80`041e21a0 00000000`00000000 fffffa80`053efc00 00000000`00000000 : ndis!NdisMSendNetBufferListsComplete+0x7c
fffffa60`05ff7d30 fffffa80`041e21a0 : 00000000`00000000 fffffa80`053efc00 00000000`00000000 00000000`00000000 : ncplelhp+0x15872
fffffa60`05ff7d38 00000000`00000000 : fffffa80`053efc00 00000000`00000000 00000000`00000000 fffffa60`02a18200 : 0xfffffa80`041e21a0


STACK_COMMAND: kb

FOLLOWUP_IP:
ncplelhp+15872
fffffa60`02a19872 ?? ???

SYMBOL_STACK_INDEX: 5

SYMBOL_NAME: ncplelhp+15872

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: ncplelhp

IMAGE_NAME: ncplelhp.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 491848a3

FAILURE_BUCKET_ID: X64_0xD1_ncplelhp+15872

BUCKET_ID: X64_0xD1_ncplelhp+15872

Followup: MachineOwner
---------

What should I do? I can't disable the service "NCPRWSNT.EXE" because I need this to connect.
It crashed when I tried to download a lot (>3.5MB/s) with Firefox.
 
Your error is 0xD1 and once again the driver ncplelhp.sys is cited as the issue and it is blocking your Kaspersky from loading certain vital drivers for the antivirus part of your suite.

Even though you disabled Kaspersky's firewall you must keep in mind the drivers are still present from its firewall.

Try updating your NCP product. Also, disable its firewall and re-enable Kaspersky's and see if that brings stability.
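
Added example, not part of the original thread: a short Python triage of the `!analyze -v` fields from the two dumps posted above, grouping them by FAILURE_BUCKET_ID and working out the base pointer of the faulting read from Arg1 and the instruction's displacement. The sample text is constructed from lines quoted in the thread, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: key lines copied from the first !analyze -v output in the thread.
DUMP_A = """\
Arg1: 00000000000003b8, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffffa6000faa09f, address which referenced memory
FAULTING_IP:
fffffa60`00faa09f 488b8fb8030000 mov rcx,qword ptr [rdi+3B8h]
BUGCHECK_STR: 0xD1
PROCESS_NAME: avp.exe
IMAGE_NAME: ncplelhp.sys
FAILURE_BUCKET_ID: X64_0xD1_ncplelhp+15872
"""
# In these fields, the second dump differs only in faulting address and process name.
DUMP_B = DUMP_A.replace("faa09f", "fa509f").replace("avp.exe", "NCPRWSNT.EXE")

FIELD = re.compile(r"^(BUGCHECK_STR|PROCESS_NAME|IMAGE_NAME|FAILURE_BUCKET_ID):[ \t]*(\S+)", re.M)
ARG = re.compile(r"^Arg([1-4]):\s*([0-9a-fA-F]+)", re.M)
MEM_OPERAND = re.compile(r"\[(r\w+)\+([0-9A-Fa-f]+)h\]")

def parse_analyze(text):
    """Extract triage fields from one !analyze -v text dump."""
    rec = dict(FIELD.findall(text))
    rec["args"] = {int(n): int(v, 16) for n, v in ARG.findall(text)}
    rec["read"] = rec["args"].get(3) == 0
    rec["null_base"] = None
    m = MEM_OPERAND.search(text)
    if m and 1 in rec["args"]:
        # Arg1 is the address touched; subtracting the operand's displacement
        # gives the base register's value. Zero means a NULL structure pointer.
        rec["base_reg"] = m.group(1)
        rec["null_base"] = rec["args"][1] - int(m.group(2), 16) == 0
    return rec

def triage(dumps):
    """Group dumps by failure bucket and list the process contexts seen."""
    recs = [parse_analyze(d) for d in dumps]
    buckets = Counter(r.get("FAILURE_BUCKET_ID", "unknown") for r in recs)
    procs = sorted({r.get("PROCESS_NAME", "?") for r in recs})
    return recs, buckets, procs

if __name__ == "__main__":
    recs, buckets, procs = triage([DUMP_A, DUMP_B])
    print(buckets.most_common(), procs)
    print([(r["base_reg"], r["null_base"]) for r in recs])
```

Both dumps land in one bucket under two different process names, and in both the read at `[rdi+3B8h]` resolves to a zero base pointer.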
 
support.kaspersky.com/kis2009/tech?qid=208279770

I found that. I uninstalled Kaspersky Anti-Virus NDIS Filter. In a few days I will come back here to say whether I meet other problems or not.
 
Firewall will not filter packet filtering and “catch” network attacks (network packets will not be intercepted). Functionality of other components will not change.

It is not critical, I prefer that to constant random BSODs. It makes me crazy.
 