RickNCN
asked on
iexplore.exe application error, undefined, mshtml.dll, ntdll.dll, others
Windows Terminal Server 2003. 2 XP RDP clients, 1 Win 7 client.
User remotes in and roughly 6-12 times a day Internet Explorer crashes. Logging into the server, all those crashes pop up. I've inadvertently erased the Application Log through Dr Watson it seems, so I'm going from memory with some written notes.
Most errors were:
undefined
mshtml.dll
ntdll.dll
msvcrt.dll
I also noticed other programs would crash on those same modules: mbam.exe and cbplus (= clientbase: a travel agency program) among others.
I *think* these errors have been evident in the app log since the beginning, but in small numbers (since 2010) - around every 2-7 days. But sometime around Sept 2011, the incidence of them increased to almost daily and many times a day.
What happened on Sept 9 was a malware infection. It was cleaned up and I'm quite certain it's clean now, but since then, they've experienced this spike in crashes. I think I've read just about every post on related topics and nothing is "connecting" and making sense as the issue.
I did match up the event log with Internet Explorer history to see if there was a correlation. I made notes of recent dates and times of these crashes. Then I used IEHistView as Admin on the server, had it display the cache history for all users and looked for any websites that might be setting it off. There was absolutely no correlation between a crash in event log and hitting a website at that time. Something else is triggering it.
In Dr Watson, before I cleared the history, I do recall seeing crashes referencing a network CAPT print driver (AXIS CAPT port I think). May be nothing.
Here, Dr Watson just caught a crash:
--------------------------
Event Type: Information
Event Source: DrWatson
Event Category: None
Event ID: 4097
Date: 2/7/2012
Time: 5:16:23 PM
User: N/A
Computer: NPTSERVER
Description:
The application, C:\Program Files\Internet Explorer\iexplore.exe, generated an application error The error occurred on 02/07/2012 @ 17:16:22.812 The exception generated was c0000005 at address 3FA6B616 (mshtml!DllGetClassObject)
--------------------------
I'm having a user disable addons as a test. I haven't reset Advanced settings yet. I might try uninstalling IE8 but fear breaking the "web apps" that this travel business relies on. And, IE 7 is less secure?
When you say the malware infection was cleaned up do you mean by using a program or there was a complete system re-installation?
ASKER
Using software and manual methods
I know it's no fun but you may find that doing a fresh installation of the OS will solve this problem quicker. I've found that these types of issues are difficult to resolve manually. Worst case use an extra hard drive for the re-install and save the old one for testing when the user doesn't need their computer.
ASKER
Really? Reinstall a Win 2003 Terminal Server? Oy! I don't think I have the time or - they - the money for that.
I apologize. It was late for me and I didn't realize it was a server. Do you have a backup you can restore to before the infection occurred?
ASKER
I do have backups to an external hdd... but.. hmm, what would you propose for that? how would that work?
Some questions. When the users are connecting to the TS are they connecting via a saved RDP connection? Once they have remoted into the TS can they use another web browser to see if the issue is specific to IE?
Have you reset IE on the TS?
As for your backup, is it a file or system backup?
ASKER
saved RDP connections: yes.
They could use another web browser, but their travel website apps only work on IE so they do need to use IE for the majority of work.
I haven't reset IE yet.
The backup is a system backup: Retrospect Server.
I would reset IE first. Will IE9 work? You can try it then roll it back off if needed.
Reset IE for a single user to begin with. I'm not sure how to do it on a global scale.
ASKER
IE9 won't work because this is a 2003 server. I may try the reset. I rebooted the server last night. This morning, logging in as Admin I received several messages about earlier crashes. That seems to be how it goes: these processes crash but you don't see the window on it until you log out and in or restart and log in. I saved all the temp\~Wer---- folders with the hdmps and mdmps in them. I'm currently installing WinDbg for 2003. We'll see if I can load the dumps and get anything meaningful from them.
Here is a great online utility for analyzing dumps. http://www.osronline.com/page.cfm?name=analyze
ASKER
downloading and installing symbols is a confusing mess. Web symbols don't seem to be helping either. Do you know the right syntax to drop into the location on windbg for web symbols?
"downloading and installing symbols is a confusing mess." I don't understand what you're asking.
ASKER
meaning I installed the WinDBG windows debugger but you have to find, download and install the proper symbols for your particular os and service pack. It's just not intuitive to me. I had trouble with it. Maybe I'm just missing a piece of the puzzle to do that.
I'm not sure. To diagnose the minidumps I've always used the link listed above.
ASKER
I tried that free online dump analysis and it always comes back that there is no dump file in the ZIP archive:
=====================
Instant Online Crash Analysis, brought to you by OSR Open Systems Resources, Inc.
Primary Analysis
Crash Dump Analysis provided by OSR Open Systems Resources, Inc. (http://www.osr.com)
Online Crash Dump Analysis Service
See http://www.osronline.com for more information
No dump file in ZIP archive!
===================
I'm uploading a 135kb mdmp file:
iexplore.exe.mdmp, zipped into iexplore.exe.zip
ASKER
I tried uploading the unzipped *.mdmp file and it gave me an error:
Please review the following issues:
•Only dump files (file type .DMP) and or ZIP files (file type .ZIP) may be uploaded.
Click "back" in your browser to retry.
I guess it's looking for a different kind of file?
ASKER
Ok, I changed the extension from mdmp to dmp and resubmitted and it liked it.
here's what it said:
=======================
Primary Analysis
Crash Dump Analysis provided by OSR Open Systems Resources, Inc. (http://www.osr.com)
Online Crash Dump Analysis Service
See http://www.osronline.com for more information
Windows Server 2003 Version 3790 (Service Pack 2) MP (4 procs) Free x86 compatible
Product: LanManNt, suite: TerminalServer
kernel32.dll version: 5.2.3790.4480 (srv03_sp2_gdr.090321-1244)
Machine Name:
Debug session time: Wed Feb 8 12:29:17.000 2012 (UTC - 5:00)
System Uptime: not available
Process Uptime: 0 days 0:00:14.000
Kernel time: 0 days 0:00:00.000
User time: 0 days 0:00:00.000
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************
Unable to load image C:\WINDOWS\system32\ieframe.dll, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ieframe.dll
Unable to load image C:\WINDOWS\system32\iertutil.dll, Win32 error 0n2
*** WARNING: Unable to verify timestamp for iertutil.dll
*** WARNING: Unable to verify timestamp for iexplore.exe
*** WARNING: Unable to verify timestamp for LMDataXF.DLL
*** ERROR: Module load completed but symbols could not be loaded for LMDataXF.DLL
Unable to load image C:\WINDOWS\system32\wininet.dll, Win32 error 0n2
*** WARNING: Unable to verify timestamp for wininet.dll
Unable to load image C:\WINDOWS\system32\dxtrans.dll, Win32 error 0n2
*** WARNING: Unable to verify timestamp for dxtrans.dll
FAULTING_IP:
mshtml!CTableSizeCalculator::ReleaseColumnSizeAry+39
3fab1249 ?? ???
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 3fab1249 (mshtml!CTableSizeCalculator::ReleaseColumnSizeAry+0x00000039)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000000
Attempt to read from address 00000000
DEFAULT_BUCKET_ID: NULL_POINTER_READ
PROCESS_NAME: iexplore.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 00000000
READ_ADDRESS: 00000000
FOLLOWUP_IP:
mshtml!CTableSizeCalculator::ReleaseColumnSizeAry+39
3fab1249 ?? ???
MOD_LIST:
FAULTING_THREAD: 00002294
PRIMARY_PROBLEM_CLASS: NULL_POINTER_READ
BUGCHECK_STR: APPLICATION_FAULT_NULL_POINTER_READ
LAST_CONTROL_TRANSFER: from 00000000 to 3fab1249
STACK_TEXT:
0163cf0c 00000000 04c71548 04d19134 00000000 mshtml!CTableSizeCalculator::ReleaseColumnSizeAry+0x39
STACK_COMMAND: ~8s; .ecxr ; kb
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: mshtml!CTableSizeCalculator::ReleaseColumnSizeAry+39
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: mshtml
IMAGE_NAME: mshtml.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 4eb5320f
FAILURE_BUCKET_ID: NULL_POINTER_READ_c0000005_mshtml.dll!CTableSizeCalculator::ReleaseColumnSizeAry
BUCKET_ID: APPLICATION_FAULT_NULL_POINTER_READ_mshtml!CTableSizeCalculator::ReleaseColumnSizeAry+39
WATSON_IBUCKET: -1557135218
WATSON_IBUCKETTABLE: 1
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/iexplore_exe/8_0_6001_18702/49b3ad2e/mshtml_dll/8_0_6001_19170/4eb5320f/c0000005/00111249.htm?Retriage=1
Followup: MachineOwner
---------
This free analysis is provided by OSR Open Systems Resources, Inc.
Want a deeper understanding of crash dump analysis? Check out our Windows Kernel Debugging and Crash Dump Analysis Seminar (opens in new tab/window)
Loaded Module List
start end module name
00400000 0049c000 iexplore iexplore.exe
01640000 01905000 xpsp2res xpsp2res.dll
01920000 01929000 normaliz normaliz.dll
02230000 0225c000 LMDataXF LMDataXF.DLL
02670000 02699000 msls31 msls31.dll
042a0000 043c7000 msxml3 msxml3.dll
05b50000 06477000 Flash11e Flash11e.ocx
06ab0000 06b78000 QTPlugin QTPlugin.ocx
06ba0000 06ed7000 wmploc wmploc.dll
10000000 10053000 LMIECTR2 LMIECTR2.DLL
1b000000 1b00c000 imgutil imgutil.dll
1b060000 1b06e000 pngfilt pngfilt.dll
35c50000 35c89000 dxtrans dxtrans.dll
35cb0000 35d07000 dxtmsft dxtmsft.dll
3f9a0000 3ff57000 mshtml mshtml.dll
40220000 402d4000 jscript jscript.dll
403e0000 403e6000 xpshims xpshims.dll
403f0000 404d6000 wininet wininet.dll
40a90000 40c7b000 iertutil iertutil.dll
40c80000 41715000 ieframe ieframe.dll
42c50000 43091000 msi msi.dll
44460000 444a0000 ieproxy ieproxy.dll
45530000 4555f000 iepeers iepeers.dll
4b3c0000 4b410000 MSCTF MSCTF.dll
4dc30000 4dc5e000 MSCTFIME MSCTFIME.IME
4dd60000 4df0b000 GdiPlus GdiPlus.dll
4e010000 4e1b6000 d3d9 d3d9.dll
4f580000 4fb5a000 wmp wmp.dll
5f270000 5f2ca000 hnetcfg hnetcfg.dll
61880000 618bb000 oleacc oleacc.dll
68000000 68035000 rsaenh rsaenh.dll
68100000 68127000 dssenh dssenh.dll
69500000 69517000 faultrep faultrep.dll
6d4c0000 6d4ca000 ddrawex ddrawex.dll
6d730000 6d77e000 ssv ssv.dll
6da60000 6da66000 d3d8thk d3d8thk.dll
6f350000 6f483000 urlmon urlmon.dll
71640000 7180d000 AcGenral AcGenral.dll
71ae0000 71ae8000 wshtcpip wshtcpip.dll
71af0000 71b12000 shimeng shimeng.dll
71b20000 71b61000 mswsock mswsock.dll
71b70000 71ba6000 uxtheme uxtheme.dll
71bc0000 71bc8000 rdpsnd rdpsnd.dll
71bf0000 71bf8000 ws2help ws2help.dll
71c00000 71c17000 ws2_32 ws2_32.dll
71c40000 71c97000 netapi32 netapi32.dll
71d00000 71d1c000 actxprxy actxprxy.dll
722f0000 722f5000 sensapi sensapi.dll
72ea0000 72f0f000 ieapfltr ieapfltr.dll
73070000 73097000 winspool winspool.drv
73860000 738ab000 ddraw ddraw.dll
73aa0000 73ab6000 mscms mscms.dll
73b30000 73b36000 dciman32 dciman32.dll
73e50000 73eab000 dsound dsound.dll
744c0000 744eb000 MSIMTF MSIMTF.dll
74540000 745d3000 mlang mlang.dll
75490000 754f5000 usp10 usp10.dll
75da0000 75e5d000 sxs sxs.dll
75e60000 75e87000 apphelp apphelp.dll
75fc0000 75fe2000 msvfw32 msvfw32.dll
76190000 761a2000 msasn1 msasn1.dll
761b0000 76243000 crypt32 crypt32.dll
76280000 76285000 msimg32 msimg32.dll
76290000 762ad000 imm32 imm32.dll
762b0000 762f9000 comdlg32 comdlg32.dll
766e0000 766ec000 cryptdll cryptdll.dll
76750000 76779000 schannel schannel.dll
76920000 769e2000 userenv userenv.dll
76a80000 76a92000 atl atl.dll
76aa0000 76acd000 winmm winmm.dll
76b70000 76b7b000 psapi psapi.dll
76bb0000 76bdc000 wintrust wintrust.dll
76c10000 76c38000 imagehlp imagehlp.dll
76c90000 76cb7000 msv1_0 msv1_0.dll
76cf0000 76d0a000 iphlpapi iphlpapi.dll
76e30000 76e3c000 rtutils rtutils.dll
76e40000 76e52000 rasman rasman.dll
76e60000 76e8f000 tapi32 tapi32.dll
76e90000 76ecf000 rasapi32 rasapi32.dll
76ed0000 76efa000 dnsapi dnsapi.dll
76f10000 76f3e000 wldap32 wldap32.dll
76f50000 76f63000 secur32 secur32.dll
76f70000 76f77000 winrnr winrnr.dll
76f80000 76f85000 rasadhlp rasadhlp.dll
77010000 770d6000 comres comres.dll
770e0000 771e8000 setupapi setupapi.dll
771f0000 77201000 winsta winsta.dll
77380000 77411000 user32 user32.dll
77420000 77523000 comctl32 comctl32.dll
77530000 775c7000 comctl32_77530000 comctl32.dll
77670000 777a9000 ole32 ole32.dll
777b0000 77833000 clbcatq clbcatq.dll
77b70000 77b84000 msacm32 msacm32.dll
77b90000 77b98000 version version.dll
77ba0000 77bfa000 msvcrt msvcrt.dll
77c00000 77c49000 gdi32 gdi32.dll
77c50000 77cf0000 rpcrt4 rpcrt4.dll
77e40000 77f42000 kernel32 kernel32.dll
7c340000 7c396000 msvcr71 msvcr71.dll
7c800000 7c8c3000 ntdll ntdll.dll
7c8d0000 7d0cf000 shell32 shell32.dll
7d0e0000 7d16b000 oleaut32 oleaut32.dll
7d180000 7d1d2000 shlwapi shlwapi.dll
7d1e0000 7d27c000 advapi32 advapi32.dll
Unloaded modules:
5deb0000 5deb7000 pwdssp.dll
71e20000 71e70000 msnsspc.dll
73770000 73786000 digest.dll
76750000 76779000 schannel.dll
78080000 78091000 MSVCRT40.dll
71e00000 71e14000 msapsspc.dll
Raw Stack Contents
Memory access error at 'StackLimit) @@(((ntdll!_NT_TIB *)@$teb)->StackBase)'
73e50000 73eab000 dsound dsound.dll
744c0000 744eb000 MSIMTF MSIMTF.dll
74540000 745d3000 mlang mlang.dll
75490000 754f5000 usp10 usp10.dll
75da0000 75e5d000 sxs sxs.dll
75e60000 75e87000 apphelp apphelp.dll
75fc0000 75fe2000 msvfw32 msvfw32.dll
76190000 761a2000 msasn1 msasn1.dll
761b0000 76243000 crypt32 crypt32.dll
76280000 76285000 msimg32 msimg32.dll
76290000 762ad000 imm32 imm32.dll
762b0000 762f9000 comdlg32 comdlg32.dll
766e0000 766ec000 cryptdll cryptdll.dll
76750000 76779000 schannel schannel.dll
76920000 769e2000 userenv userenv.dll
76a80000 76a92000 atl atl.dll
76aa0000 76acd000 winmm winmm.dll
76b70000 76b7b000 psapi psapi.dll
76bb0000 76bdc000 wintrust wintrust.dll
76c10000 76c38000 imagehlp imagehlp.dll
76c90000 76cb7000 msv1_0 msv1_0.dll
76cf0000 76d0a000 iphlpapi iphlpapi.dll
76e30000 76e3c000 rtutils rtutils.dll
76e40000 76e52000 rasman rasman.dll
76e60000 76e8f000 tapi32 tapi32.dll
76e90000 76ecf000 rasapi32 rasapi32.dll
76ed0000 76efa000 dnsapi dnsapi.dll
76f10000 76f3e000 wldap32 wldap32.dll
76f50000 76f63000 secur32 secur32.dll
76f70000 76f77000 winrnr winrnr.dll
76f80000 76f85000 rasadhlp rasadhlp.dll
77010000 770d6000 comres comres.dll
770e0000 771e8000 setupapi setupapi.dll
771f0000 77201000 winsta winsta.dll
77380000 77411000 user32 user32.dll
77420000 77523000 comctl32 comctl32.dll
77530000 775c7000 comctl32_77530000 comctl32.dll
77670000 777a9000 ole32 ole32.dll
777b0000 77833000 clbcatq clbcatq.dll
77b70000 77b84000 msacm32 msacm32.dll
77b90000 77b98000 version version.dll
77ba0000 77bfa000 msvcrt msvcrt.dll
77c00000 77c49000 gdi32 gdi32.dll
77c50000 77cf0000 rpcrt4 rpcrt4.dll
77e40000 77f42000 kernel32 kernel32.dll
7c340000 7c396000 msvcr71 msvcr71.dll
7c800000 7c8c3000 ntdll ntdll.dll
7c8d0000 7d0cf000 shell32 shell32.dll
7d0e0000 7d16b000 oleaut32 oleaut32.dll
7d180000 7d1d2000 shlwapi shlwapi.dll
7d1e0000 7d27c000 advapi32 advapi32.dll
Unloaded modules:
5deb0000 5deb7000 pwdssp.dll
71e20000 71e70000 msnsspc.dll
73770000 73786000 digest.dll
76750000 76779000 schannel.dll
78080000 78091000 MSVCRT40.dll
71e00000 71e14000 msapsspc.dll
Raw Stack Contents
Memory access error at 'StackLimit) @@(((ntdll!_NT_TIB *)@$teb)->StackBase)'
Dump Header Information
----- User Mini Dump Analysis
MINIDUMP_HEADER:
Version A793 (52CE)
NumberOfStreams 9
Flags 21
0001 MiniDumpWithDataSegs
0020 MiniDumpWithUnloadedModule
Streams:
Stream 0: type ThreadListStream (3), size 00000604, RVA 00000184
32 threads
Stream 1: type ModuleListStream (4), size 00002BE4, RVA 00000788
104 modules
RVA 0000078C, 00400000 - 0049c000: 'C:\Program Files\Internet Explorer\iexplore.exe'
RVA 000007F8, 7c800000 - 7c8c3000: 'C:\WINDOWS\system32\ntdll
RVA 00000864, 77e40000 - 77f42000: 'C:\WINDOWS\system32\kerne
RVA 000008D0, 7d1e0000 - 7d27c000: 'C:\WINDOWS\system32\advap
RVA 0000093C, 77c50000 - 77cf0000: 'C:\WINDOWS\system32\rpcrt
RVA 000009A8, 76f50000 - 76f63000: 'C:\WINDOWS\system32\secur
RVA 00000A14, 77380000 - 77411000: 'C:\WINDOWS\system32\user3
RVA 00000A80, 77c00000 - 77c49000: 'C:\WINDOWS\system32\gdi32
RVA 00000AEC, 77ba0000 - 77bfa000: 'C:\WINDOWS\system32\msvcr
RVA 00000B58, 7d180000 - 7d1d2000: 'C:\WINDOWS\system32\shlwa
RVA 00000BC4, 7c8d0000 - 7d0cf000: 'C:\WINDOWS\system32\shell
RVA 00000C30, 77670000 - 777a9000: 'C:\WINDOWS\system32\ole32
RVA 00000C9C, 40a90000 - 40c7b000: 'C:\WINDOWS\system32\iertu
RVA 00000D08, 6f350000 - 6f483000: 'C:\WINDOWS\system32\urlmo
RVA 00000D74, 7d0e0000 - 7d16b000: 'C:\WINDOWS\system32\oleau
RVA 00000DE0, 71af0000 - 71b12000: 'C:\WINDOWS\system32\shime
RVA 00000E4C, 75e60000 - 75e87000: 'C:\WINDOWS\system32\apphe
RVA 00000EB8, 71640000 - 7180d000: 'C:\WINDOWS\AppPatch\AcGen
RVA 00000F24, 76aa0000 - 76acd000: 'C:\WINDOWS\system32\winmm
RVA 00000F90, 77b70000 - 77b84000: 'C:\WINDOWS\system32\msacm
RVA 00000FFC, 77b90000 - 77b98000: 'C:\WINDOWS\system32\versi
RVA 00001068, 76920000 - 769e2000: 'C:\WINDOWS\system32\usere
RVA 000010D4, 71b70000 - 71ba6000: 'C:\WINDOWS\system32\uxthe
RVA 00001140, 76290000 - 762ad000: 'C:\WINDOWS\system32\imm32
RVA 000011AC, 77420000 - 77523000: 'C:\WINDOWS\WinSxS\x86_Mic
RVA 00001218, 71bc0000 - 71bc8000: 'C:\WINDOWS\system32\rdpsn
RVA 00001284, 771f0000 - 77201000: 'C:\WINDOWS\system32\winst
RVA 000012F0, 71c40000 - 71c97000: 'C:\WINDOWS\system32\netap
RVA 0000135C, 76b70000 - 76b7b000: 'C:\WINDOWS\system32\psapi
RVA 000013C8, 40c80000 - 41715000: 'C:\WINDOWS\system32\iefra
RVA 00001434, 762b0000 - 762f9000: 'C:\WINDOWS\system32\comdl
RVA 000014A0, 403e0000 - 403e6000: 'C:\Program Files\Internet Explorer\xpshims.dll'
RVA 0000150C, 4b3c0000 - 4b410000: 'C:\WINDOWS\system32\MSCTF
RVA 00001578, 01640000 - 01905000: 'C:\WINDOWS\system32\xpsp2
RVA 000015E4, 770e0000 - 771e8000: 'C:\WINDOWS\system32\setup
RVA 00001650, 403f0000 - 404d6000: 'C:\WINDOWS\system32\winin
RVA 000016BC, 01920000 - 01929000: 'C:\WINDOWS\system32\norma
RVA 00001728, 777b0000 - 77833000: 'C:\WINDOWS\system32\clbca
RVA 00001794, 77010000 - 770d6000: 'C:\WINDOWS\system32\comre
RVA 00001800, 44460000 - 444a0000: 'C:\Program Files\Internet Explorer\ieproxy.dll'
RVA 0000186C, 71c00000 - 71c17000: 'C:\WINDOWS\system32\ws2_3
RVA 000018D8, 71bf0000 - 71bf8000: 'C:\WINDOWS\system32\ws2he
RVA 00001944, 74540000 - 745d3000: 'C:\WINDOWS\system32\mlang
RVA 000019B0, 4dc30000 - 4dc5e000: 'C:\WINDOWS\system32\MSCTF
RVA 00001A1C, 6d730000 - 6d77e000: 'C:\Program Files\Java\jre6\bin\ssv.dl
RVA 00001A88, 77530000 - 775c7000: 'C:\WINDOWS\WinSxS\x86_Mic
RVA 00001AF4, 7c340000 - 7c396000: 'C:\Program Files\Java\jre6\bin\msvcr7
RVA 00001B60, 10000000 - 10053000: 'C:\Program Files\BookingBuilder\LMIEC
RVA 00001BCC, 61880000 - 618bb000: 'C:\WINDOWS\system32\oleac
RVA 00001C38, 42c50000 - 43091000: 'C:\WINDOWS\system32\msi.d
RVA 00001CA4, 75da0000 - 75e5d000: 'C:\WINDOWS\system32\sxs.d
RVA 00001D10, 02230000 - 0225c000: 'C:\Program Files\BookingBuilder\LMDat
RVA 00001D7C, 71d00000 - 71d1c000: 'C:\WINDOWS\system32\actxp
RVA 00001DE8, 3f9a0000 - 3ff57000: 'C:\WINDOWS\system32\mshtm
RVA 00001E54, 02670000 - 02699000: 'C:\WINDOWS\system32\msls3
RVA 00001EC0, 76e90000 - 76ecf000: 'C:\WINDOWS\system32\rasap
RVA 00001F2C, 76e40000 - 76e52000: 'C:\WINDOWS\system32\rasma
RVA 00001F98, 76e60000 - 76e8f000: 'C:\WINDOWS\system32\tapi3
RVA 00002004, 76e30000 - 76e3c000: 'C:\WINDOWS\system32\rtuti
RVA 00002070, 761b0000 - 76243000: 'C:\WINDOWS\system32\crypt
RVA 000020DC, 76190000 - 761a2000: 'C:\WINDOWS\system32\msasn
RVA 00002148, 76c90000 - 76cb7000: 'C:\WINDOWS\system32\msv1_
RVA 000021B4, 766e0000 - 766ec000: 'C:\WINDOWS\system32\crypt
RVA 00002220, 76cf0000 - 76d0a000: 'C:\WINDOWS\system32\iphlp
RVA 0000228C, 722f0000 - 722f5000: 'C:\WINDOWS\system32\sensa
RVA 000022F8, 72ea0000 - 72f0f000: 'C:\WINDOWS\system32\ieapf
RVA 00002364, 76ed0000 - 76efa000: 'C:\WINDOWS\system32\dnsap
RVA 000023D0, 40220000 - 402d4000: 'C:\WINDOWS\system32\jscri
RVA 0000243C, 744c0000 - 744eb000: 'C:\WINDOWS\system32\MSIMT
RVA 000024A8, 71b20000 - 71b61000: 'C:\WINDOWS\system32\mswso
RVA 00002514, 5f270000 - 5f2ca000: 'C:\WINDOWS\system32\hnetc
RVA 00002580, 71ae0000 - 71ae8000: 'C:\WINDOWS\system32\wshtc
RVA 000025EC, 76f80000 - 76f85000: 'C:\WINDOWS\system32\rasad
RVA 00002658, 76f70000 - 76f77000: 'C:\WINDOWS\system32\winrn
RVA 000026C4, 76f10000 - 76f3e000: 'C:\WINDOWS\system32\wldap
RVA 00002730, 042a0000 - 043c7000: 'C:\WINDOWS\system32\msxml
RVA 0000279C, 76bb0000 - 76bdc000: 'C:\WINDOWS\system32\wintr
RVA 00002808, 76c10000 - 76c38000: 'C:\WINDOWS\system32\image
RVA 00002874, 76750000 - 76779000: 'C:\WINDOWS\system32\schan
RVA 000028E0, 68000000 - 68035000: 'C:\WINDOWS\system32\rsaen
RVA 0000294C, 68100000 - 68127000: 'C:\WINDOWS\system32\dssen
RVA 000029B8, 45530000 - 4555f000: 'C:\WINDOWS\system32\iepee
RVA 00002A24, 73070000 - 73097000: 'C:\WINDOWS\system32\winsp
RVA 00002A90, 05b50000 - 06477000: 'C:\WINDOWS\system32\Macro
RVA 00002AFC, 73e50000 - 73eab000: 'C:\WINDOWS\system32\dsoun
RVA 00002B68, 76280000 - 76285000: 'C:\WINDOWS\system32\msimg
RVA 00002BD4, 4e010000 - 4e1b6000: 'C:\WINDOWS\system32\d3d9.
RVA 00002C40, 6da60000 - 6da66000: 'C:\WINDOWS\system32\d3d8t
RVA 00002CAC, 73aa0000 - 73ab6000: 'C:\WINDOWS\system32\mscms
RVA 00002D18, 06ab0000 - 06b78000: 'C:\Program Files\QuickTime\QTPlugin.o
RVA 00002D84, 4f580000 - 4fb5a000: 'C:\WINDOWS\system32\wmp.d
RVA 00002DF0, 4dd60000 - 4df0b000: 'C:\WINDOWS\WinSxS\x86_Mic
RVA 00002E5C, 75fc0000 - 75fe2000: 'C:\WINDOWS\system32\msvfw
RVA 00002EC8, 06ba0000 - 06ed7000: 'C:\WINDOWS\system32\wmplo
RVA 00002F34, 75490000 - 754f5000: 'C:\WINDOWS\system32\usp10
RVA 00002FA0, 35c50000 - 35c89000: 'C:\WINDOWS\system32\dxtra
RVA 0000300C, 76a80000 - 76a92000: 'C:\WINDOWS\system32\atl.d
RVA 00003078, 6d4c0000 - 6d4ca000: 'C:\WINDOWS\system32\ddraw
RVA 000030E4, 73860000 - 738ab000: 'C:\WINDOWS\system32\ddraw
RVA 00003150, 73b30000 - 73b36000: 'C:\WINDOWS\system32\dcima
RVA 000031BC, 35cb0000 - 35d07000: 'C:\WINDOWS\system32\dxtms
RVA 00003228, 1b000000 - 1b00c000: 'C:\WINDOWS\system32\imgut
RVA 00003294, 1b060000 - 1b06e000: 'C:\WINDOWS\system32\pngfi
RVA 00003300, 69500000 - 69517000: 'C:\WINDOWS\system32\fault
Stream 2: type UnloadedModuleListStream (14), size 0000009C, RVA 0000336C
6 unloaded modules
RVA 00003378, 5deb0000 - 5deb7000: 'pwdssp.dll'
RVA 00003390, 71e20000 - 71e70000: 'msnsspc.dll'
RVA 000033A8, 73770000 - 73786000: 'digest.dll'
RVA 000033C0, 76750000 - 76779000: 'schannel.dll'
RVA 000033D8, 78080000 - 78091000: 'MSVCRT40.dll'
RVA 000033F0, 71e00000 - 71e14000: 'msapsspc.dll'
Stream 3: type MemoryListStream (5), size 00000234, RVA 0000BDAA
35 memory ranges
Total memory: 15a9c
Stream 4: type ExceptionStream (6), size 000000A8, RVA 000000DC
ThreadID 8852
ExceptionCode C0000005
ExceptionRecord 0
ExceptionAddress 3fab1249
Context record RVA 52e6, size 2cc
Stream 5: type SystemInfoStream (7), size 00000038, RVA 0000008C
ProcessorArchitecture 0000 (PROCESSOR_ARCHITECTURE_IN
ProcessorLevel 0006
ProcessorRevision 0F0B
NumberOfProcessors 04
MajorVersion 00000005
MinorVersion 00000002
BuildNumber 00000ECE (3790)
PlatformId 00000002 (VER_PLATFORM_WIN32_NT)
CSDVersionRva 00003408
Length: 28
Buffer: {'Service Pack 2'}
Product: LanManNt, suite: TerminalServer
Stream 6: type MiscInfoStream (15), size 00000018, RVA 000000C4
Stream 7: type UnusedStream (0), size 00000000, RVA 00000000
Stream 8: type UnusedStream (0), size 00000000, RVA 00000000
Strings
Did you ever reset IE? Try removing any add-ons also. Does any of this sound familiar to you? http://blogs.technet.com/b/markrussinovich/archive/2010/06/01/3335060.aspx?PageIndex=3
ASKER
That blog post sounds VERY familiar to me. So I'm going to document what I did, if only for my reference.
So, I took another stab at the symbol thing. For me, I found a MS site (http://msdn.microsoft.com/en-us/windows/hardware/gg462988) that gave the online symbols path. I used:
SRV*d:\websymbols*http://msdl.microsoft.com/download/symbols
Dropped that into File>Symbol File Path (I use D:\ because I have more drive space there)
Russinovich's blog post was very detailed and led me closer than ever to the problem, but I failed to find the smoking gun right at the end.
Following his instructions: I did not attach to a process. The first part of his post is about finding which process to attach windbg to. I had a dump file so I used that instead. So after entering the proper symbols path, I go to file and "open crash dump".
***( When the crash actually happens and comes up and asks if I want to submit it to Microsoft, I pause there and go to the location, usually something like:
C:\Documents and Settings\[UserID]\Local Settings\Temp\WER1f2f.dir00\
and I copy that folder and drop it into something like :
\My Documents\dumps. When you cancel out of that window, the crash dump is deleted...)
So after loading the dump file, I: (quoting from his blog: http://blogs.technet.com/b/markrussinovich/archive/2010/06/01/3335060.aspx?PageIndex=3):
"open both the Processes and Threads and the Call Stack dialogs, arranging them side by side. The goal is to find the thread that has functions with the words fault, exception, or unhandled in their names. You can quickly do this by selecting each thread in the Processes and Threads window, pressing Enter, and then scanning the stack that appears in the Call Stack window. After doing this for the first few threads, I came across the thread I was looking for, revealed by functions all over its stack containing the telltale strings:"
It said "KiUserExceptionDispatcher+0xe", then the next line says "Following frames may be wrong". Then there's a line referencing mshtml.dll. Then another line with only addresses, just like in Mark's post.
0x24b500.
So here things sort of fell apart. I couldn't pin down a specific dll.
ASKER
Ok, I may have an answer, FINALLY.
After becoming more familiar with WinDBG, I realized I could do what Mark mentions in the post, that is use the !analyze command in the command window. So after loading the symbol path and the dump file, I typed "!analyze" in the command line at the bottom. LO AND BEHOLD, I get:
0:008> !analyze
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
Probably caused by : ieframe.dll ( ieframe+12c20d )
Followup: MachineOwner
Then I Google "Probably caused by : ieframe.dll" and get: "IEFRAME.dll error dnserror-- A Quick Way To Fix It" (http://www.articlewritingclicks.com/Dll_Errors/Ieframedll_Error_dnserror__A_Quick_Way_to_Fix_it.html)
And wouldn't you know, their analysis fits my situation perfectly:
What causes this error?
In most cases it is a virus or other malware that infected your Internet Explorer. Unfortunately in many cases the infection might damage another vulnerable part of your Windows system – that is your Windows registry system.
Now, the final piece - fixing it. They have a link that takes you to a tool:
The only way to handle this error effectively is to make use of an advanced Windows errors repair tool that handles both that malware and/or repairing any damages it might have left on your Windows registry system.
The question is, is that tool trustworthy? Is it trialware or something else? What program should I use, if any, to repair the registry? I always avoid registry cleaners. I have never had any real use for them.
ASKER
I saved about 9 WER temp folders. I ran the hdmp and mdmp files from each one and did an !analyze command on them. Here's the breakdown on the number of times each dll was indicated as the cause of the crash:
1-mbamcore.dll
10-ieframe.dll
3-mshtml.dll
3-urlmon.dll
ieframe.dll seems to be the clear loser.
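The tally above and the address lookup behind it, as an added example that is not part of the original post: a Python script that pulls the `Probably caused by` line out of saved `!analyze` output, counts the blamed modules, and maps a raw exception address onto the loaded-module list to get image plus offset. The sample text is constructed from lines quoted on this page (the `mshtml+111249` symbol is a constructed value), and all function names are hypothetical.

```python
import re
from collections import Counter

# WinDbg summary line: "Probably caused by : ieframe.dll ( ieframe+12c20d )"
BLAME_RE = re.compile(
    r"^Probably caused by\s*:\s*(\S+)\s*\(\s*([^)]*?)\s*\)", re.M)
# Loaded-module row: "3f9a0000 3ff57000 mshtml mshtml.dll". Spaces and tabs
# only, so three-column rows (unloaded modules) never swallow the next line.
MODULE_RE = re.compile(
    r"^([0-9a-fA-F]{8})[ \t]+([0-9a-fA-F]{8})[ \t]+(\S+)[ \t]+(\S+)[ \t]*$",
    re.M)


def blamed_module(analyze_text):
    """Return (image, symbol) from one !analyze report, or None if absent."""
    m = BLAME_RE.search(analyze_text)
    return (m.group(1).lower(), m.group(2)) if m else None


def tally(reports):
    """Count blamed images across reports; dumps with no blame line are
    counted separately instead of being dropped silently."""
    counts = Counter()
    for text in reports:
        hit = blamed_module(text)
        counts[hit[0] if hit else "<no blame line>"] += 1
    return counts


def parse_modules(module_list_text):
    """Return sorted (start, end, name, image) tuples from a module list."""
    return sorted((int(s, 16), int(e, 16), name, image)
                  for s, e, name, image in MODULE_RE.findall(module_list_text))


def resolve(address, modules):
    """Map an address to (image, offset); None if no module contains it,
    which is the case for the 00000000 read address in this dump."""
    for start, end, _name, image in modules:
        if start <= address < end:
            return image, address - start
    return None


# Constructed sample: rows copied from the "Loaded Module List" on this page.
MODULE_LIST = """start end module name
00400000 0049c000 iexplore iexplore.exe
10000000 10053000 LMIECTR2 LMIECTR2.DLL
3f9a0000 3ff57000 mshtml mshtml.dll
40c80000 41715000 ieframe ieframe.dll
6f350000 6f483000 urlmon urlmon.dll
5deb0000 5deb7000 pwdssp.dll
"""
# Constructed sample reports in the shape of the !analyze output quoted above.
TEMPLATE = ("0:008> !analyze\nUse !analyze -v to get detailed debugging "
            "information.\nProbably caused by : {img} ( {sym} )\n"
            "Followup: MachineOwner\n")
REPORTS = [
    TEMPLATE.format(img="ieframe.dll", sym="ieframe+12c20d"),
    TEMPLATE.format(img="ieframe.dll", sym="ieframe+12c20d"),
    TEMPLATE.format(img="mshtml.dll", sym="mshtml+111249"),
    "0:008> !analyze\n(constructed report with no blame line)\n",
]
MODULES = parse_modules(MODULE_LIST)

if __name__ == "__main__":
    for image, count in tally(REPORTS).most_common():
        print(f"{count:3d}  {image}")
    image, offset = resolve(0x3FAB1249, MODULES)   # ExceptionAddress above
    print(f"3fab1249 -> {image}+{offset:x}")
```

For the dump on this page, the exception address 3fab1249 resolves to mshtml.dll+111249, the same offset that ends the WATSON_STAGEONE_URL (00111249).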
ASKER
I don't know if this means anything, but I used WhoCrashed to analyze the dump files I have, and in WhoCrashed, all of the iexplore.exe hdmp or mdmp files say that kernel32.sys is the cause.
ASKER
I'll just have to close out this question at that. If I figure out anything else helpful, I'll add it here later. Thanks for your help.
ASKER
Thanks for trying, I think the problem was a bit beyond your and my abilities like you said. If I can come to any conclusion I'll post it to the end.
thanks
You are welcome.