WinXP: Random BSODs since SEP 12 install -- WCA blames SEP
I installed the SEP 12 client on an upgraded PC running Windows XP Pro SP3. The PC had several hardware upgrades; at the time, Windows XP was reinstalled and SEP 12 was installed to replace SEP 11. This was about three months ago.
Since then, this PC has been throwing BSODs at random. It may blow up once one week, twice the next, not again for ten or twelve days, then once the following week … although this past week it has been blowing up with increasing frequency. The BSODs seem to have no relationship with the machine’s load or what apps are running at the time. (In fact, this morning it BSODed while idle on the desktop with no apps running, then BSODed while rebooting, then BSODed while it was running the SEP Support Tool (after the reboot)).
After the computer reboots from the BSOD, it leaves an error in the event log similar to this:
Event Type: Error
Event Source: System Error
Event ID: 1003
Time: 5:32:27 PM
Error code 10000050, parameter1 e996b000, parameter2 00000000, parameter3 8a6c93de, parameter4 00000001.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
The event category, event ID and error code are always the same. The parameters change with every crash.
Every time the computer reboots after one of these BSODs, Windows Crash Analysis reports that the crash was caused by a problem with the antivirus software.
We have verified that the PC is running the latest BIOS and driver files for all critical system components (chipset, SATA, video, mobo components, LAN, etc.). We have uninstalled, cleaned up and reinstalled SEP twice on this PC. All Windows updates have been applied. The WCA report’s suggestion to “update your antivirus program” has been verified – the PC is running the latest available versions of all program components as well as virus signatures.
The other WCA report suggestion to verify that there is only one AV program running has also been confirmed. This PC ran SEP 11 – and only SEP 11 – before this. Now it’s running only SEP 12. And during one of the SEP 12 reinstalls we performed a complete manual removal of all Symantec software per the KB article instructions.
The PC recently passed a 9.5-hour memtest run that reported 0 memory errors.
No fewer than ten different virus/malware/rootkit/Trojan detection programs – including SEP 12, the SEP Support Tool and the SEP Power Eraser – have pronounced this PC clean several times each. These scans have been performed in normal mode, diagnostic startup mode, Safe Mode … The worst that any program has reported has been “trackware” cookies. In fact, between 5 p.m. on Friday and 11 a.m. today, this PC did nothing but run scans. And while the PC was running in Safe Mode, it didn’t crash once.
Every startup service and program has been scrutinized, and over the past several weeks many of the less useful (or even unwanted) ones have been removed. This PC is running a lot leaner than it was, and yet the BSODs seem to be increasing in frequency.
The Registry has also been scanned, not only for malware but also for all those things that can cause a PC to misbehave.
The SEP 12 Support Tool found nothing wrong with the SEP installation the first time I ran it. The second time, when I selected the rootkit/reboot option, the PC BSODed shortly after the PC rebooted. The third time I ran the Support Tool, again with the rootkit/reboot option, it ran through and reported nothing amiss.
In addition to Windows Crash Analyses going back almost three months that all insist that the problem is with the antivirus software, SEP’s own behavior leads me to suspect that maybe all those WCA reports are on to something. When I run the PC in Safe mode, the SEP shield in the System Tray shows a problem and SEP complains that File System Auto-Protect is malfunctioning. In this state, we’ve done just about everything that has caused BSODs in the past and the PC has not crashed once. Only when the machine is running in Normal Mode – and SEP reports that there are no problems – do we seem to open ourselves up to random BSODs.
I need to get to the bottom of this, and I’m out of things to try (or to try to fix). How do I get this PC to behave?