BSOD. LHMON.SYS



#1
Geeves00

I have a server that has been crashing pretty frequently over the last few months. I ran hardware diags on it for 24 hours and found no issues.

I did a bug check on the dump file and got the following results:

*** ERROR: Module load completed but symbols could not be loaded for lhmon.sys
*** ERROR: Module load completed but symbols could not be loaded for bxnd52x.sys
*** ERROR: Module load completed but symbols could not be loaded for bxvbdx.sys
Probably caused by : lhmon.sys ( lhmon+75a7 )



!Analyze -v showed the following:

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 0b4b907e, memory referenced
Arg2: d0000002, IRQL
Arg3: 00000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 808531df, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS: 0b4b907e

CURRENT_IRQL: 2

FAULTING_IP:
nt!MmMapLockedPagesSpecifyCache+2ed
808531df 0fb7490e movzx ecx,word ptr [ecx+0Eh]

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xA

PROCESS_NAME: Idle

TRAP_FRAME: f78de7c4 -- (.trap 0xfffffffff78de7c4)
ErrCode = 00000000
eax=84ecfc04 ebx=c05d0a48 ecx=0b4b9070 edx=0001407a esi=00000000 edi=00000963
eip=808531df esp=f78de838 ebp=f78de878 iopl=0 ov up ei pl nz na po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010a03
nt!MmMapLockedPagesSpecifyCache+0x2ed:
808531df 0fb7490e movzx ecx,word ptr [ecx+0Eh] ds:0023:0b4b907e=????
Resetting default scope

LAST_CONTROL_TRANSFER: from 808531df to 8088c963

STACK_TEXT:
f78de7c4 808531df badb0d00 0001407a 808aea18 nt!KiTrap0E+0x2a7
f78de878 b8bc75a7 8c628be8 1f000000 c05d0a48 nt!MmMapLockedPagesSpecifyCache+0x2ed
WARNING: Stack unwind information not available. Following frames may be wrong.
f78de8a8 b8bc61e5 8b2a4150 8ab77090 00006dc0 lhmon+0x75a7
f78de8e0 b8bc4352 f78de92c 8ac81c30 0000000f lhmon+0x61e5
f78de970 b8bc1a29 b8bce9a0 00000001 8ac81c30 lhmon+0x4352
f78de9c0 b8c3bf16 8ac81c30 8ad15b08 00000a20 lhmon+0x1a29
f78dea24 b8c6c479 010f0e40 00000000 f78dea48 tcpip!IndicateData+0xcd
f78dea94 baec5fe0 0266f57c 89836318 00000000 tcpip!TcpOffloadReceiveHandler+0xd7
f78deaac b93708d5 8a66f57c 89836318 00000000 NDIS!NdisMTcpOffloadReceiveIndicate+0x1a
f78dead0 bafa2e8f 8c4ef010 00000000 89ab7090 bxnd52x+0xa8d5
f78deaf4 bafaa54a 8c8e3010 89caabd0 89caacf0 bxvbdx+0x13e8f
f78deb14 bafaa619 8c8e3010 89caabd0 8b2a4108 bxvbdx+0x1b54a
f78deb38 bafaa722 8c8e3010 00000001 f78debb0 bxvbdx+0x1b619
f78deb50 bafaa83c 8c8e3010 f78debb0 00000001 bxvbdx+0x1b722
f78deb70 bafaa8d2 00000001 f78debac 00000001 bxvbdx+0x1b83c
f78deb94 bafaa99d 8c8e3010 8c8e563c 00008000 bxvbdx+0x1b8d2
f78decac baf9a57b 00000000 8c8e3010 baf9a82e bxvbdx+0x1b99d
f78decdc baf9add3 f7767a40 8c8e4c5c baf9ad2e bxvbdx+0xb57b
f78decf8 808320f0 8c8e4c5c 8c8e3010 00000001 bxvbdx+0xbdd3
f78ded50 8088de1f 00000000 0000000e 00000000 nt!KiRetireDpcList+0xca
f78ded54 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0x37


STACK_COMMAND: kb

FOLLOWUP_IP:
lhmon+75a7
b8bc75a7 8b4d10 mov ecx,dword ptr [ebp+10h]

SYMBOL_STACK_INDEX: 2

SYMBOL_NAME: lhmon+75a7

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: lhmon

IMAGE_NAME: lhmon.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 497e142a

FAILURE_BUCKET_ID: 0xA_lhmon+75a7

BUCKET_ID: 0xA_lhmon+75a7

Followup: MachineOwner
---------




I tried to research lhmon.sys but I can't seem to find much on it. At first I thought it was something to do with the NIC drivers. I updated those to the latest version but they did not solve the issue.


Anyone have a clue what lhmon.sys is?
  • 0
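Added example, not part of the original posts: a Python script that reads the `!analyze -v` text from post #1 and reports which routine the unsymbolized module had called, which routine called into it, its load base, and its image timestamp as a date. The function names and the abridged sample are this example's own.

```python
import re
from datetime import datetime, timezone

# Abridged excerpt of the !analyze -v output posted above (some frames omitted).
SAMPLE = """\
STACK_TEXT:
f78de7c4 808531df badb0d00 0001407a 808aea18 nt!KiTrap0E+0x2a7
f78de878 b8bc75a7 8c628be8 1f000000 c05d0a48 nt!MmMapLockedPagesSpecifyCache+0x2ed
WARNING: Stack unwind information not available. Following frames may be wrong.
f78de8a8 b8bc61e5 8b2a4150 8ab77090 00006dc0 lhmon+0x75a7
f78de9c0 b8c3bf16 8ac81c30 8ad15b08 00000a20 lhmon+0x1a29
f78dea24 b8c6c479 010f0e40 00000000 f78dea48 tcpip!IndicateData+0xcd
DEBUG_FLR_IMAGE_TIMESTAMP: 497e142a
"""

# kb row: ChildEBP RetAddr Arg1 Arg2 Arg3 module[!function]+0xoffset
FRAME = re.compile(r"^[0-9a-f]{8} (?P<ret>[0-9a-f]{8})(?: [0-9a-f]{8}){3} "
                   r"(?P<mod>\w+)(?P<fn>!\w+)?\+0x(?P<off>[0-9a-f]+)$")

def parse_frames(text):
    """Return the stack frames, innermost first; other lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if m:
            frames.append({"module": m["mod"], "name": m["mod"] + (m["fn"] or ""),
                           "ret": int(m["ret"], 16), "offset": int(m["off"], 16)})
    return frames

def summarize(text, suspect):
    """Describe where `suspect` sits in the call chain; None if it is absent."""
    frames = parse_frames(text)
    idx = [i for i, f in enumerate(frames) if f["module"] == suspect]
    if not idx:
        return None
    above = frames[idx[0] - 1] if idx[0] > 0 else None  # routine the suspect called
    below = frames[idx[-1] + 1] if idx[-1] + 1 < len(frames) else None  # its caller
    ts = re.search(r"^DEBUG_FLR_IMAGE_TIMESTAMP:\s*([0-9a-f]+)", text, re.M)
    return {
        "called": above and above["name"],
        "called_by": below and below["name"],
        # RetAddr of the frame above lands at suspect+offset, which gives the load base.
        "load_base": above and hex(above["ret"] - frames[idx[0]]["offset"]),
        # PE TimeDateStamp: linker-set seconds since 1970, only a hint of build date.
        "image_built": ts and datetime.fromtimestamp(int(ts[1], 16), timezone.utc).isoformat(),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE, "lhmon"))
```

On the posted dump this places lhmon between tcpip!IndicateData and nt!MmMapLockedPagesSpecifyCache, that is, on the TCP receive path, with a header timestamp of 2009-01-26.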



#2
diabillic

I can't find much on lhmon.sys either. The other 2 files are related to drivers for a Broadcom-based NIC. First thing I would do is to make sure the NIC drivers are current.

#3
Geeves00


I can't find much on lhmon.sys either. The other 2 files are related to drivers for a Broadcom-based NIC. First thing I would do is to make sure the NIC drivers are current.



At the bottom of my initial post I mentioned that the drivers for the NICs have been updated to the latest version. This did not resolve the issue.

#4
diabillic

Sorry, I must have missed that.

Check here, C:\WINDOWS\system32\drivers\etc, see if there is an LMHOST file in there.

#5
Geeves00

The lmhosts.sam is there but there are no entries in it. Just the standard 4k file with everything commented out.

#6
diabillic

To be honest, I really can't find any info on this lhmon.sys file anywhere. I would now recommend that you post up in the Malware forum just to be sure. I don't think this is an issue, just want to rule it out.