BHDrvx86.sys

Discussion in 'Software' started by Anon-7f4ca145be, Mar 31, 2011.

  1. Anon-7f4ca145be

    Anon-7f4ca145be Anonymized

    Good evening Geeks,
    I'm running XP Home SP3 and just got a BSOD caused by this driver. This is the first time it happened and a restart went fine. The driver appears to belong to Norton and I use Norton Security Suite. Never had a problem with NSS before, and it's been about 99.99% good for what it's supposed to do.

    Why do you suppose that all of a sudden this driver acts up, and what can I do about it?
     
  2. satrow

    satrow Major Geek Extraordinaire

    It's the Symantec/Norton heuristics driver.

    Norton generally has a bad rep. for causing or being involved in BSODs. If you drill into Windows > Minidumps and copy the dmp files to your Desktop, zip and attach them here, I'll take a look to see if I can find a likely cause. If there are no dumps, set Windows to create them and upload the next one.
     
  3. Anon-7f4ca145be

    Anon-7f4ca145be Anonymized

    Minidump attached.

    Thanks.
     


  4. satrow

    satrow Major Geek Extraordinaire

    Code:
    Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.
    
    
    Loading Dump File [C:\Windows\Minidump\Mini033111-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available
    
    Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is: 
    Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS Personal
    Built by: 2600.xpsp_sp3_gdr.101209-1647
    Machine Name:
    Kernel base = 0x804d7000 PsLoadedModuleList = 0x805634c0
    Debug session time: Fri Apr  1 02:50:45.078 2011 (UTC + 1:00)
    System Uptime: 0 days 0:06:22.640
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    .............
    Loading User Symbols
    Loading unloaded module list
    ...
    Unable to load image BHDrvx86.sys, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for BHDrvx86.sys
    *** ERROR: Module load completed but symbols could not be loaded for BHDrvx86.sys
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    Use !analyze -v to get detailed debugging information.
    
    BugCheck 1000008E, {c0000005, b7a6fdf3, b74a8b00, 0}
    
    *** WARNING: Unable to verify timestamp for SYMEVENT.SYS
    *** ERROR: Module load completed but symbols could not be loaded for SYMEVENT.SYS
    Probably caused by : BHDrvx86.sys ( BHDrvx86+1bdf3 )
    
    Followup: MachineOwner
    ---------
    kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
    This is a very common bugcheck.  Usually the exception address pinpoints
    the driver/function that caused the problem.  Always note this address
    as well as the link date of the driver/image that contains this address.
    Some common problems are exception code 0x80000003.  This means a hard
    coded breakpoint or assertion was hit, but this system was booted
    /NODEBUG.  This is not supposed to happen as developers should never have
    hardcoded breakpoints in retail code, but ...
    If this happens, make sure a debugger gets connected, and the
    system is booted /DEBUG.  This will let us see why this breakpoint is
    happening.
    Arguments:
    Arg1: c0000005, The exception code that was not handled
    Arg2: b7a6fdf3, The address that the exception occurred at
    Arg3: b74a8b00, Trap Frame
    Arg4: 00000000
    
    Debugging Details:
    ------------------
    
    
    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
    
    FAULTING_IP: 
    BHDrvx86+1bdf3
    b7a6fdf3 8b10            mov     edx,dword ptr [eax]
    
    TRAP_FRAME:  b74a8b00 -- (.trap 0xffffffffb74a8b00)
    ErrCode = 00000000
    eax=00000000 ebx=e23ed288 ecx=e343d378 edx=00000000 esi=e23ed350 edi=00000000
    eip=b7a6fdf3 esp=b74a8b74 ebp=b74a8b74 iopl=0         nv up ei pl nz na po nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
    BHDrvx86+0x1bdf3:
    b7a6fdf3 8b10            mov     edx,dword ptr [eax]  ds:0023:00000000=????????
    Resetting default scope
    
    CUSTOMER_CRASH_COUNT:  1
    
    DEFAULT_BUCKET_ID:  DRIVER_FAULT
    
    BUGCHECK_STR:  0x8E
    
    PROCESS_NAME:  wmiprvse.exe
    
    LAST_CONTROL_TRANSFER:  from b7a5a135 to b7a6fdf3
    
    STACK_TEXT:  
    WARNING: Stack unwind information not available. Following frames may be wrong.
    b74a8b74 b7a5a135 e343d378 b74a8b9c b7a5a992 BHDrvx86+0x1bdf3
    b74a8b80 b7a5a992 e343d378 b7ac5d06 b74a8bd8 BHDrvx86+0x6135
    b74a8b9c b7ac6583 00000002 b74a8bc4 b7ab2e25 BHDrvx86+0x6992
    b74a8ba8 b7ab2e25 00000000 e1a30000 b74a8c4c BHDrvx86+0x72583
    b74a8bc4 b7a5847f e1a30168 e1a30010 b74a8c4c BHDrvx86+0x5ee25
    b74a8c04 b7a59216 004a8c4c 00761460 00000018 BHDrvx86+0x447f
    b74a8c20 b7aa714c e3761460 8a8689b0 00000001 BHDrvx86+0x5216
    b74a8c38 b7aaba1e b74a8c4c b74a8cdc e20c73e8 BHDrvx86+0x5314c
    b74a8c94 b7e46d3d 8a8689b0 b74a8ce4 b74a8cc4 BHDrvx86+0x57a1e
    b74a8ca4 b7e4926a b74a8ce4 c0000001 e21183e0 SYMEVENT+0xfd3d
    b74a8cc4 b7e4b4b5 b74a8cdc 8a886150 b74a8d64 SYMEVENT+0x1226a
    b74a8d4c 804dd99f 00c4e78c 00000410 00c4e75c SYMEVENT+0x144b5
    b74a8d4c 0000003b 00c4e78c 00000410 00c4e75c nt!KiFastCallEntry+0xfc
    b74a8dbc 692ca53d 00c4e77c 00000000 7c90e514 0x3b
    b74a8dc0 00c4e77c 00000000 7c90e514 0000001b 0x692ca53d
    b74a8dc4 00000000 7c90e514 0000001b 00000246 0xc4e77c
    
    
    STACK_COMMAND:  kb
    
    FOLLOWUP_IP: 
    BHDrvx86+1bdf3
    b7a6fdf3 8b10            mov     edx,dword ptr [eax]
    
    SYMBOL_STACK_INDEX:  0
    
    SYMBOL_NAME:  BHDrvx86+1bdf3
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: BHDrvx86
    
    IMAGE_NAME:  BHDrvx86.sys
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  4d65833d
    
    FAILURE_BUCKET_ID:  0x8E_BHDrvx86+1bdf3
    
    BUCKET_ID:  0x8E_BHDrvx86+1bdf3
    
    Followup: MachineOwner
    ---------
    
    kd> lmvm BHDrvx86
    start    end        module name
    b7a54000 b7b1b000   BHDrvx86 T (no symbols)           
        Loaded symbol image file: BHDrvx86.sys
        Image path: BHDrvx86.sys
        Image name: BHDrvx86.sys
        Timestamp:        Wed Feb 23 21:59:25 2011 (4D65833D)
        CheckSum:         000CEA9F
        ImageSize:        000C7000
        Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
    
    BHDrvx86.sys listed as the probable cause, also SYMEVENT.SYS (another Symantec driver) could not be verified.

    There are some very old drivers, Creative - PfModNT.sys is from 1999!! and Wacom, that need to be updated if you can find more recent drivers.

    The most recent drivers loaded are from Symantec, my guess is that they're not compatible with some of your earlier drivers. Either uninstall Symantec (use their tool to ensure it's all cleaned out) and replace it with Avast! or Avira and a firewall, or else visit the Malware forum to get your PC checked over - 2 files from a security program flagged is suspicious!
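The reading satrow gives above (probable cause, faulting module and offset, the `lmvm` range, the trap-frame registers) can be checked mechanically. The script below is an added example, not part of the thread and not a Symantec or Microsoft tool: it parses a WinDbg `!analyze -v` transcript, cross-checks the faulting address against the module's `lmvm` range, and flags the case seen here, where an access violation (`0xc0000005`) comes from dereferencing a register that is zero in the trap frame, i.e. a NULL pointer dereference inside the driver. The embedded `SAMPLE` is a constructed, abbreviated excerpt of the transcript above; all function names are this example's own.

```python
import re

# Constructed excerpt of the WinDbg transcript quoted in the thread (abbreviated).
SAMPLE = """\
BugCheck 1000008E, {c0000005, b7a6fdf3, b74a8b00, 0}
Probably caused by : BHDrvx86.sys ( BHDrvx86+1bdf3 )
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
FAULTING_IP: 
BHDrvx86+1bdf3
b7a6fdf3 8b10            mov     edx,dword ptr [eax]
TRAP_FRAME:  b74a8b00 -- (.trap 0xffffffffb74a8b00)
eax=00000000 ebx=e23ed288 ecx=e343d378 edx=00000000 esi=e23ed350 edi=00000000
eip=b7a6fdf3 esp=b74a8b74 ebp=b74a8b74 iopl=0         nv up ei pl nz na po nc
PROCESS_NAME:  wmiprvse.exe
STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
b74a8b74 b7a5a135 e343d378 b74a8b9c b7a5a992 BHDrvx86+0x1bdf3
b74a8b80 b7a5a992 e343d378 b7ac5d06 b74a8bd8 BHDrvx86+0x6135
b74a8ca4 b7e4926a b74a8ce4 c0000001 e21183e0 SYMEVENT+0xfd3d
b74a8d4c 804dd99f 00c4e78c 00000410 00c4e75c SYMEVENT+0x144b5
b74a8d4c 0000003b 00c4e78c 00000410 00c4e75c nt!KiFastCallEntry+0xfc
b74a8dbc 692ca53d 00c4e77c 00000000 7c90e514 0x3b

STACK_COMMAND:  kb
kd> lmvm BHDrvx86
start    end        module name
b7a54000 b7b1b000   BHDrvx86 T (no symbols)
    Timestamp:        Wed Feb 23 21:59:25 2011 (4D65833D)
"""

# Only the two bugcheck codes that appear in the transcript are mapped here.
BUGCHECK_NAMES = {0x8E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED",
                  0x1000008E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED_M"}

STACK_FRAME = re.compile(r"^(?:[0-9a-f]{8}[ \t]+){5}(\S+)[ \t]*$", re.M)


def parse_bugcheck(text):
    """Return (code, [arg1..arg4]) from the 'BugCheck XXXX, {a, b, c, d}' line."""
    m = re.search(r"BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}", text)
    if not m:
        raise ValueError("no BugCheck line in transcript")
    return int(m.group(1), 16), [int(a.strip(), 16) for a in m.group(2).split(",")]


def parse_faulting_ip(text):
    """Module, symbolic offset, absolute address and disassembly under FAULTING_IP."""
    m = re.search(r"FAULTING_IP:\s*\n(\w+)\+([0-9a-fA-F]+)\n([0-9a-f]{8})\s+[0-9a-f]+\s+(.+)", text)
    if not m:
        raise ValueError("no FAULTING_IP block in transcript")
    return {"module": m.group(1), "offset": int(m.group(2), 16),
            "address": int(m.group(3), 16),
            "instruction": " ".join(m.group(4).split())}


def parse_trap_registers(text):
    """x86 general registers as printed in the TRAP_FRAME block."""
    return {name: int(val, 16) for name, val in
            re.findall(r"\b(e[abcd]x|e[sd]i|e[sb]p|eip)=([0-9a-f]{8})", text)}


def parse_stack_modules(text):
    """Distinct modules in STACK_TEXT, top of stack first; bare addresses become <unknown>."""
    start = text.find("STACK_TEXT:")
    end = text.find("STACK_COMMAND:", start)
    section = text[start:end if end != -1 else None]
    modules = []
    for sym in STACK_FRAME.findall(section):
        mod = "<unknown>" if sym.startswith("0x") else re.split(r"[+!]", sym, 1)[0]
        if mod not in modules:
            modules.append(mod)
    return modules


def parse_module_range(text, module):
    """(start, end) of a module from its 'lmvm' listing, or None if not listed."""
    m = re.search(rf"^([0-9a-f]{{8}})\s+([0-9a-f]{{8}})\s+{re.escape(module)}\b", text, re.M)
    return (int(m.group(1), 16), int(m.group(2), 16)) if m else None


def analyze(text):
    """Cross-check the analyzer's attribution and classify the fault."""
    code, args = parse_bugcheck(text)
    fault = parse_faulting_ip(text)
    regs = parse_trap_registers(text)
    cause = re.search(r"Probably caused by\s*:\s*(\S+)", text)
    proc = re.search(r"PROCESS_NAME:\s+(\S+)", text)
    stamp = re.search(r"Timestamp:\s+.*\(([0-9A-Fa-f]{8})\)", text)
    report = {"bugcheck": code, "bugcheck_name": BUGCHECK_NAMES.get(code, "?"),
              "exception_code": args[0] if args else None,
              "faulting_module": fault["module"], "faulting_offset": fault["offset"],
              "probable_cause": cause.group(1) if cause else None,
              "process": proc.group(1) if proc else None,
              "timestamp": int(stamp.group(1), 16) if stamp else None,
              "stack_modules": parse_stack_modules(text)}
    rng = parse_module_range(text, fault["module"])
    if rng:  # the faulting EIP must fall inside the module and match the printed offset
        start, end = rng
        report["address_in_module"] = start <= fault["address"] < end
        report["offset_consistent"] = fault["address"] - start == fault["offset"]
    # Access violation through a register holding zero => NULL pointer dereference.
    mem = re.search(r"\[(e\w\w)\]", fault["instruction"])
    report["null_deref"] = bool(args and args[0] == 0xC0000005
                                and mem and regs.get(mem.group(1)) == 0)
    return report


if __name__ == "__main__":
    for k, v in analyze(SAMPLE).items():
        print(f"{k}: {v:#x}" if isinstance(v, int) and not isinstance(v, bool) else f"{k}: {v}")
```

On the excerpt this reports `0x1bdf3` as both the printed offset and `EIP - start`, confirms the address sits inside the `lmvm` range, and sets `null_deref` to true because `mov edx,dword ptr [eax]` ran with `eax=00000000`. A consistent result like that points at a bug in the named driver rather than at bad symbols or a corrupted dump; an address outside the module range, or an offset that does not match, is the cue to distrust the attribution and look at the other modules on the stack.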
     
  5. Anon-7f4ca145be

    Anon-7f4ca145be Anonymized

    Thanks, this is good to know.
    The Wacom driver I can delete; it's from a graphics pad that I no longer use.
    The Creative driver I can check out, I still use the Creative sound card that came with the Dell machine so maybe there is an upgrade here.
    I used to use Avira and the Comodo Firewall. Avira provided terrific protection but I became a little frustrated when they upgraded to v10 because the auto update kept failing and it became high maintenance.
    The Norton I have is a full suite free as a Comcast subscriber. I'm not married to it but most comparisons a year ago when I made the change had Norton rated very high in the protection area. Have been fully satisfied with it from that respect.
    I think I will try to find updated drivers and see what happens. The BSOD has not reoccurred since I posted the original question.
    I'll come back to this post with any updates.
    Thanks again.
     
  6. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi

    It's possible your reboot fixed this, as in some instances the main scanning engine of an AV may be updated as well as the virus definition files, and if the scan engine is updated, the AV generally (or I personally) thinks a reboot is in order to finalise the update.

    Do you have any other security apps installed and running live, as in Spybot, Malwarebytes or SuperAntiSpyware etc.?
     
  7. Gware2012

    Gware2012 Private E-2

    In Keni254's description of the security software being used, it was stated that the Comcast version of Norton Security was installed. Our experience with this software is that it has the potential to totally compromise a computer. After the installation of the Comcast Norton Security software on a computer in our firm, the unit would boot up and then totally lock up in 10-20 minutes. There were no known issues with the computer prior to the installation of the Comcast Norton Security.

    Our firm uses both the vendor version of Symantec Norton Internet Security (NIS) and Symantec Endpoint. This is also the security software recommended to our clients.

    Last but not least, the BHDrvx86.sys appears to be part of the Symantec Sonar function. It should be located in the following sub-folder:
    C:\All Users\Application Data\Norton\[0C55C096-0FID-4F28-AAA2-85EF591126E7}\NIS20.1.1.2\Definitions\BASHdefs\20121005.002\.

    The above path is applicable to Symantec NIS 2013. The ...\NIS20.1.1.2\portion of the path will vary based on the version of the software installed.

    The size of the BHdrvx86.sys file in both NIS 2012 and 2013 is 893 bytes.

    Hope that this information is helpful.
     
