RickNCN

asked on

iexplore.exe application error, undefined, mshtml.dll, ntdll.dll, others

Windows Terminal Server 2003. 2 XP RDP clients, 1 Win 7 client.

User remotes in and roughly 6-12 times a day Internet Explorer crashes. Logging into the server, all those crashes pop up. I've inadvertently erased the Application Log through Dr Watson it seems, so I'm going from memory with some written notes.

Most errors were:
undefined
mshtml.dll
ntdll.dll
msvcrt.dll

I also noticed other programs would crash on those same modules: mbam.exe and cbplus (= clientbase: a travel agency program) among others.

I *think* these errors have been evident in the app log since the beginning, but in small numbers (since 2010) - around every 2-7 days. But sometime around Sept 2011, the incidence of them increased to almost daily and many times a day.

What happened on Sept 9 was a malware infection. It was cleaned up and I'm quite certain it's clean now, but since then, they've experienced this spike in crashes. I think I've read just about every post on related topics and nothing is "connecting" and making sense as the issue.

I did match up the event log with Internet Explorer history to see if there was a correlation. I made notes of recent dates and times of these crashes. Then I used IEHistView as Admin on the server, had it display the cache history for all users and looked for any websites that might be setting it off. There was absolutely no correlation between a crash in event log and hitting a website at that time. Something else is triggering it.

In Dr Watson, before I cleared the history, I do recall seeing crashes referencing a network CAPT print driver (AXIS CAPT port I think). May be nothing.

Here, Dr Watson just caught a crash:
---------------------------------------------------
Event Type:      Information
Event Source:      DrWatson
Event Category:      None
Event ID:      4097
Date:            2/7/2012
Time:            5:16:23 PM
User:            N/A
Computer:      NPTSERVER
Description:
The application, C:\Program Files\Internet Explorer\iexplore.exe, generated an application error The error occurred on 02/07/2012 @ 17:16:22.812 The exception generated was c0000005 at address 3FA6B616 (mshtml!DllGetClassObject)
------------------------------------------------------------

I'm having a user disable addons as a test. I haven't reset Advanced settings yet. I might try uninstalling IE8 but fear breaking the "web apps" that this travel business relies on. And, IE 7 is less secure?

1namyln

When you say the malware infection was cleaned up do you mean by using a program or there was a complete system re-installation?

RickNCN

ASKER

Using software and manual methods

1namyln

I know it's no fun, but you may find that doing a fresh installation of the OS will solve this problem quicker. I've found that these types of issues are difficult to resolve manually. Worst case, use an extra hard drive for the re-install and save the old one for testing when the user doesn't need their computer.

RickNCN

ASKER

Really? Reinstall a Win 2003 Terminal Server? Oy! I don't think I have the time or - they - the money for that.

1namyln

I apologize. It was late for me and I didn't realize it was a server. Do you have a backup you can restore to before the infection occurred?

RickNCN

ASKER

I do have backups to an external hdd... but.. hmm, what would you propose for that? how would that work?

1namyln

Some questions. When the users are connecting to the TS are they connecting via a saved RDP connection? Once they have remoted into the TS can they use another web browser to see if the issue is specific to IE?

Have you reset IE on the TS?

As for your backup, is it a file or system backup?

RickNCN

ASKER

saved RDP connections: yes.
They could use another web browser, but their travel website apps only work on IE so they do need to use IE for the majority of work.
I haven't reset IE yet.
The backup is a system backup: Retrospect Server.

1namyln

I would reset IE first. Will IE9 work? You can try it then roll it back off if needed.
Reset IE for a single user to begin with. I'm not sure how to do it on a global scale.

RickNCN

ASKER

IE9 won't work because this is a 2003 server. I may try the reset. I rebooted the server last night. This morning, logging in as Admin I received several messages about earlier crashes. That seems to be how it goes: these processes crash but you don't see the window on it until you log out and in or restart and log in. I saved all the temp\~Wer---- folders with the hdmps and mdmps in them. I'm currently installing WinDbg for 2003. We'll see if I can load the dumps and get anything meaningful from them.

1namyln

Here is a great online utility for analyzing dumps. http://www.osronline.com/page.cfm?name=analyze

RickNCN

ASKER

downloading and installing symbols is a confusing mess. Web symbols don't seem to be helping either. Do you know the right syntax to drop into the location on windbg for web symbols?

1namyln

"downloading and installing symbols is a confusing mess." I don't understand what you're asking.

RickNCN

ASKER

meaning I installed the WinDBG windows debugger but you have to find, download and install the proper symbols for your particular os and service pack. It's just not intuitive to me. I had trouble with it. Maybe I'm just missing a piece of the puzzle to do that.

1namyln

I'm not sure. To diagnose the minidumps I've always used the link listed above.

RickNCN

ASKER

I tried that free online dump analysis and it always comes back that there is no dump file in the ZIP archive:

=====================
Instant Online Crash Analysis, brought to you by OSR Open Systems Resources, Inc.
Primary Analysis
Crash Dump Analysis provided by OSR Open Systems Resources, Inc. (http://www.osr.com)
Online Crash Dump Analysis Service
See http://www.osronline.com for more information
No dump file in ZIP archive!

===================
I'm uploading a 135kb mdmp file:
iexplore.exe.mdmp, zipped into iexplore.exe.zip

RickNCN

ASKER

I tried uploading the unzipped *.mdmp file and it gave me an error:


Please review the following issues:
•Only dump files (file type .DMP) and or ZIP files (file type .ZIP) may be uploaded.
Click "back" in your browser to retry.

I guess it's looking for a different kind of file?

RickNCN

ASKER

Ok, I changed the extension from mdmp to dmp and resubmitted and it liked it.
here's what it said:
=======================
Primary Analysis
Crash Dump Analysis provided by OSR Open Systems Resources, Inc. (http://www.osr.com)
Online Crash Dump Analysis Service
See http://www.osronline.com for more information
Windows Server 2003 Version 3790 (Service Pack 2) MP (4 procs) Free x86 compatible
Product: LanManNt, suite: TerminalServer
kernel32.dll version: 5.2.3790.4480 (srv03_sp2_gdr.090321-1244)
Machine Name:
Debug session time: Wed Feb  8 12:29:17.000 2012 (UTC - 5:00)
System Uptime: not available
Process Uptime: 0 days 0:00:14.000
  Kernel time: 0 days 0:00:00.000
  User time: 0 days 0:00:00.000
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

Unable to load image C:\WINDOWS\system32\ieframe.dll, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ieframe.dll
Unable to load image C:\WINDOWS\system32\iertutil.dll, Win32 error 0n2
*** WARNING: Unable to verify timestamp for iertutil.dll
*** WARNING: Unable to verify timestamp for iexplore.exe
*** WARNING: Unable to verify timestamp for LMDataXF.DLL
*** ERROR: Module load completed but symbols could not be loaded for LMDataXF.DLL
Unable to load image C:\WINDOWS\system32\wininet.dll, Win32 error 0n2
*** WARNING: Unable to verify timestamp for wininet.dll
Unable to load image C:\WINDOWS\system32\dxtrans.dll, Win32 error 0n2
*** WARNING: Unable to verify timestamp for dxtrans.dll

FAULTING_IP:
mshtml!CTableSizeCalculator::ReleaseColumnSizeAry+39
3fab1249 ??              ???

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 3fab1249 (mshtml!CTableSizeCalculator::ReleaseColumnSizeAry+0x00000039)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000000
Attempt to read from address 00000000

DEFAULT_BUCKET_ID:  NULL_POINTER_READ

PROCESS_NAME:  iexplore.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  00000000

READ_ADDRESS:  00000000

FOLLOWUP_IP:
mshtml!CTableSizeCalculator::ReleaseColumnSizeAry+39
3fab1249 ??              ???

MOD_LIST:

FAULTING_THREAD:  00002294

PRIMARY_PROBLEM_CLASS:  NULL_POINTER_READ

BUGCHECK_STR:  APPLICATION_FAULT_NULL_POINTER_READ

LAST_CONTROL_TRANSFER:  from 00000000 to 3fab1249

STACK_TEXT:  
0163cf0c 00000000 04c71548 04d19134 00000000 mshtml!CTableSizeCalculator::ReleaseColumnSizeAry+0x39


STACK_COMMAND:  ~8s; .ecxr ; kb

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  mshtml!CTableSizeCalculator::ReleaseColumnSizeAry+39

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: mshtml

IMAGE_NAME:  mshtml.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  4eb5320f

FAILURE_BUCKET_ID:  NULL_POINTER_READ_c0000005_mshtml.dll!CTableSizeCalculator::ReleaseColumnSizeAry

BUCKET_ID:  APPLICATION_FAULT_NULL_POINTER_READ_mshtml!CTableSizeCalculator::ReleaseColumnSizeAry+39

WATSON_IBUCKET:  -1557135218

WATSON_IBUCKETTABLE:  1

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/iexplore_exe/8_0_6001_18702/49b3ad2e/mshtml_dll/8_0_6001_19170/4eb5320f/c0000005/00111249.htm?Retriage=1

Followup: MachineOwner
---------


Unloaded modules:
5deb0000 5deb7000   pwdssp.dll
71e20000 71e70000   msnsspc.dll
73770000 73786000   digest.dll
76750000 76779000   schannel.dll
78080000 78091000   MSVCRT40.dll
71e00000 71e14000   msapsspc.dll


Raw Stack Contents
Memory access error at 'StackLimit) @@(((ntdll!_NT_TIB *)@$teb)->StackBase)'


Dump Header Information
----- User Mini Dump Analysis

MINIDUMP_HEADER:
Version         A793 (52CE)
NumberOfStreams 9
Flags           21
                0001 MiniDumpWithDataSegs
                0020 MiniDumpWithUnloadedModules

Streams:
Stream 0: type ThreadListStream (3), size 00000604, RVA 00000184
  32 threads
Stream 1: type ModuleListStream (4), size 00002BE4, RVA 00000788
  104 modules
  RVA 0000078C, 00400000 - 0049c000: 'C:\Program Files\Internet Explorer\iexplore.exe'
  RVA 000007F8, 7c800000 - 7c8c3000: 'C:\WINDOWS\system32\ntdll.dll'
  RVA 00000864, 77e40000 - 77f42000: 'C:\WINDOWS\system32\kernel32.dll'
  RVA 000008D0, 7d1e0000 - 7d27c000: 'C:\WINDOWS\system32\advapi32.dll'
  RVA 0000093C, 77c50000 - 77cf0000: 'C:\WINDOWS\system32\rpcrt4.dll'
  RVA 000009A8, 76f50000 - 76f63000: 'C:\WINDOWS\system32\secur32.dll'
  RVA 00000A14, 77380000 - 77411000: 'C:\WINDOWS\system32\user32.dll'
  RVA 00000A80, 77c00000 - 77c49000: 'C:\WINDOWS\system32\gdi32.dll'
  RVA 00000AEC, 77ba0000 - 77bfa000: 'C:\WINDOWS\system32\msvcrt.dll'
  RVA 00000B58, 7d180000 - 7d1d2000: 'C:\WINDOWS\system32\shlwapi.dll'
  RVA 00000BC4, 7c8d0000 - 7d0cf000: 'C:\WINDOWS\system32\shell32.dll'
  RVA 00000C30, 77670000 - 777a9000: 'C:\WINDOWS\system32\ole32.dll'
  RVA 00000C9C, 40a90000 - 40c7b000: 'C:\WINDOWS\system32\iertutil.dll'
  RVA 00000D08, 6f350000 - 6f483000: 'C:\WINDOWS\system32\urlmon.dll'
  RVA 00000D74, 7d0e0000 - 7d16b000: 'C:\WINDOWS\system32\oleaut32.dll'
  RVA 00000DE0, 71af0000 - 71b12000: 'C:\WINDOWS\system32\shimeng.dll'
  RVA 00000E4C, 75e60000 - 75e87000: 'C:\WINDOWS\system32\apphelp.dll'
  RVA 00000EB8, 71640000 - 7180d000: 'C:\WINDOWS\AppPatch\AcGenral.dll'
  RVA 00000F24, 76aa0000 - 76acd000: 'C:\WINDOWS\system32\winmm.dll'
  RVA 00000F90, 77b70000 - 77b84000: 'C:\WINDOWS\system32\msacm32.dll'
  RVA 00000FFC, 77b90000 - 77b98000: 'C:\WINDOWS\system32\version.dll'
  RVA 00001068, 76920000 - 769e2000: 'C:\WINDOWS\system32\userenv.dll'
  RVA 000010D4, 71b70000 - 71ba6000: 'C:\WINDOWS\system32\uxtheme.dll'
  RVA 00001140, 76290000 - 762ad000: 'C:\WINDOWS\system32\imm32.dll'
  RVA 000011AC, 77420000 - 77523000: 'C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.4770_x-ww_05FDF087\comctl32.dll'
  RVA 00001218, 71bc0000 - 71bc8000: 'C:\WINDOWS\system32\rdpsnd.dll'
  RVA 00001284, 771f0000 - 77201000: 'C:\WINDOWS\system32\winsta.dll'
  RVA 000012F0, 71c40000 - 71c97000: 'C:\WINDOWS\system32\netapi32.dll'
  RVA 0000135C, 76b70000 - 76b7b000: 'C:\WINDOWS\system32\psapi.dll'
  RVA 000013C8, 40c80000 - 41715000: 'C:\WINDOWS\system32\ieframe.dll'
  RVA 00001434, 762b0000 - 762f9000: 'C:\WINDOWS\system32\comdlg32.dll'
  RVA 000014A0, 403e0000 - 403e6000: 'C:\Program Files\Internet Explorer\xpshims.dll'
  RVA 0000150C, 4b3c0000 - 4b410000: 'C:\WINDOWS\system32\MSCTF.dll'
  RVA 00001578, 01640000 - 01905000: 'C:\WINDOWS\system32\xpsp2res.dll'
  RVA 000015E4, 770e0000 - 771e8000: 'C:\WINDOWS\system32\setupapi.dll'
  RVA 00001650, 403f0000 - 404d6000: 'C:\WINDOWS\system32\wininet.dll'
  RVA 000016BC, 01920000 - 01929000: 'C:\WINDOWS\system32\normaliz.dll'
  RVA 00001728, 777b0000 - 77833000: 'C:\WINDOWS\system32\clbcatq.dll'
  RVA 00001794, 77010000 - 770d6000: 'C:\WINDOWS\system32\comres.dll'
  RVA 00001800, 44460000 - 444a0000: 'C:\Program Files\Internet Explorer\ieproxy.dll'
  RVA 0000186C, 71c00000 - 71c17000: 'C:\WINDOWS\system32\ws2_32.dll'
  RVA 000018D8, 71bf0000 - 71bf8000: 'C:\WINDOWS\system32\ws2help.dll'
  RVA 00001944, 74540000 - 745d3000: 'C:\WINDOWS\system32\mlang.dll'
  RVA 000019B0, 4dc30000 - 4dc5e000: 'C:\WINDOWS\system32\MSCTFIME.IME'
  RVA 00001A1C, 6d730000 - 6d77e000: 'C:\Program Files\Java\jre6\bin\ssv.dll'
  RVA 00001A88, 77530000 - 775c7000: 'C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_5.82.3790.4770_x-ww_A689AB02\comctl32.dll'
  RVA 00001AF4, 7c340000 - 7c396000: 'C:\Program Files\Java\jre6\bin\msvcr71.dll'
  RVA 00001B60, 10000000 - 10053000: 'C:\Program Files\BookingBuilder\LMIECTR2.DLL'
  RVA 00001BCC, 61880000 - 618bb000: 'C:\WINDOWS\system32\oleacc.dll'
  RVA 00001C38, 42c50000 - 43091000: 'C:\WINDOWS\system32\msi.dll'
  RVA 00001CA4, 75da0000 - 75e5d000: 'C:\WINDOWS\system32\sxs.dll'
  RVA 00001D10, 02230000 - 0225c000: 'C:\Program Files\BookingBuilder\LMDataXF.DLL'
  RVA 00001D7C, 71d00000 - 71d1c000: 'C:\WINDOWS\system32\actxprxy.dll'
  RVA 00001DE8, 3f9a0000 - 3ff57000: 'C:\WINDOWS\system32\mshtml.dll'
  RVA 00001E54, 02670000 - 02699000: 'C:\WINDOWS\system32\msls31.dll'
  RVA 00001EC0, 76e90000 - 76ecf000: 'C:\WINDOWS\system32\rasapi32.dll'
  RVA 00001F2C, 76e40000 - 76e52000: 'C:\WINDOWS\system32\rasman.dll'
  RVA 00001F98, 76e60000 - 76e8f000: 'C:\WINDOWS\system32\tapi32.dll'
  RVA 00002004, 76e30000 - 76e3c000: 'C:\WINDOWS\system32\rtutils.dll'
  RVA 00002070, 761b0000 - 76243000: 'C:\WINDOWS\system32\crypt32.dll'
  RVA 000020DC, 76190000 - 761a2000: 'C:\WINDOWS\system32\msasn1.dll'
  RVA 00002148, 76c90000 - 76cb7000: 'C:\WINDOWS\system32\msv1_0.dll'
  RVA 000021B4, 766e0000 - 766ec000: 'C:\WINDOWS\system32\cryptdll.dll'
  RVA 00002220, 76cf0000 - 76d0a000: 'C:\WINDOWS\system32\iphlpapi.dll'
  RVA 0000228C, 722f0000 - 722f5000: 'C:\WINDOWS\system32\sensapi.dll'
  RVA 000022F8, 72ea0000 - 72f0f000: 'C:\WINDOWS\system32\ieapfltr.dll'
  RVA 00002364, 76ed0000 - 76efa000: 'C:\WINDOWS\system32\dnsapi.dll'
  RVA 000023D0, 40220000 - 402d4000: 'C:\WINDOWS\system32\jscript.dll'
  RVA 0000243C, 744c0000 - 744eb000: 'C:\WINDOWS\system32\MSIMTF.dll'
  RVA 000024A8, 71b20000 - 71b61000: 'C:\WINDOWS\system32\mswsock.dll'
  RVA 00002514, 5f270000 - 5f2ca000: 'C:\WINDOWS\system32\hnetcfg.dll'
  RVA 00002580, 71ae0000 - 71ae8000: 'C:\WINDOWS\system32\wshtcpip.dll'
  RVA 000025EC, 76f80000 - 76f85000: 'C:\WINDOWS\system32\rasadhlp.dll'
  RVA 00002658, 76f70000 - 76f77000: 'C:\WINDOWS\system32\winrnr.dll'
  RVA 000026C4, 76f10000 - 76f3e000: 'C:\WINDOWS\system32\wldap32.dll'
  RVA 00002730, 042a0000 - 043c7000: 'C:\WINDOWS\system32\msxml3.dll'
  RVA 0000279C, 76bb0000 - 76bdc000: 'C:\WINDOWS\system32\wintrust.dll'
  RVA 00002808, 76c10000 - 76c38000: 'C:\WINDOWS\system32\imagehlp.dll'
  RVA 00002874, 76750000 - 76779000: 'C:\WINDOWS\system32\schannel.dll'
  RVA 000028E0, 68000000 - 68035000: 'C:\WINDOWS\system32\rsaenh.dll'
  RVA 0000294C, 68100000 - 68127000: 'C:\WINDOWS\system32\dssenh.dll'
  RVA 000029B8, 45530000 - 4555f000: 'C:\WINDOWS\system32\iepeers.dll'
  RVA 00002A24, 73070000 - 73097000: 'C:\WINDOWS\system32\winspool.drv'
  RVA 00002A90, 05b50000 - 06477000: 'C:\WINDOWS\system32\Macromed\Flash\Flash11e.ocx'
  RVA 00002AFC, 73e50000 - 73eab000: 'C:\WINDOWS\system32\dsound.dll'
  RVA 00002B68, 76280000 - 76285000: 'C:\WINDOWS\system32\msimg32.dll'
  RVA 00002BD4, 4e010000 - 4e1b6000: 'C:\WINDOWS\system32\d3d9.dll'
  RVA 00002C40, 6da60000 - 6da66000: 'C:\WINDOWS\system32\d3d8thk.dll'
  RVA 00002CAC, 73aa0000 - 73ab6000: 'C:\WINDOWS\system32\mscms.dll'
  RVA 00002D18, 06ab0000 - 06b78000: 'C:\Program Files\QuickTime\QTPlugin.ocx'
  RVA 00002D84, 4f580000 - 4fb5a000: 'C:\WINDOWS\system32\wmp.dll'
  RVA 00002DF0, 4dd60000 - 4df0b000: 'C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6002.22507_x-ww_C7DAD021\GdiPlus.dll'
  RVA 00002E5C, 75fc0000 - 75fe2000: 'C:\WINDOWS\system32\msvfw32.dll'
  RVA 00002EC8, 06ba0000 - 06ed7000: 'C:\WINDOWS\system32\wmploc.dll'
  RVA 00002F34, 75490000 - 754f5000: 'C:\WINDOWS\system32\usp10.dll'
  RVA 00002FA0, 35c50000 - 35c89000: 'C:\WINDOWS\system32\dxtrans.dll'
  RVA 0000300C, 76a80000 - 76a92000: 'C:\WINDOWS\system32\atl.dll'
  RVA 00003078, 6d4c0000 - 6d4ca000: 'C:\WINDOWS\system32\ddrawex.dll'
  RVA 000030E4, 73860000 - 738ab000: 'C:\WINDOWS\system32\ddraw.dll'
  RVA 00003150, 73b30000 - 73b36000: 'C:\WINDOWS\system32\dciman32.dll'
  RVA 000031BC, 35cb0000 - 35d07000: 'C:\WINDOWS\system32\dxtmsft.dll'
  RVA 00003228, 1b000000 - 1b00c000: 'C:\WINDOWS\system32\imgutil.dll'
  RVA 00003294, 1b060000 - 1b06e000: 'C:\WINDOWS\system32\pngfilt.dll'
  RVA 00003300, 69500000 - 69517000: 'C:\WINDOWS\system32\faultrep.dll'
Stream 2: type UnloadedModuleListStream (14), size 0000009C, RVA 0000336C
  6 unloaded modules
  RVA 00003378, 5deb0000 - 5deb7000: 'pwdssp.dll'
  RVA 00003390, 71e20000 - 71e70000: 'msnsspc.dll'
  RVA 000033A8, 73770000 - 73786000: 'digest.dll'
  RVA 000033C0, 76750000 - 76779000: 'schannel.dll'
  RVA 000033D8, 78080000 - 78091000: 'MSVCRT40.dll'
  RVA 000033F0, 71e00000 - 71e14000: 'msapsspc.dll'
Stream 3: type MemoryListStream (5), size 00000234, RVA 0000BDAA
  35 memory ranges
  Total memory: 15a9c
Stream 4: type ExceptionStream (6), size 000000A8, RVA 000000DC
  ThreadID 8852
  ExceptionCode C0000005
  ExceptionRecord 0
  ExceptionAddress 3fab1249
  Context record RVA 52e6, size 2cc
Stream 5: type SystemInfoStream (7), size 00000038, RVA 0000008C
  ProcessorArchitecture   0000 (PROCESSOR_ARCHITECTURE_INTEL)
  ProcessorLevel          0006
  ProcessorRevision       0F0B
  NumberOfProcessors      04
  MajorVersion            00000005
  MinorVersion            00000002
  BuildNumber             00000ECE (3790)
  PlatformId              00000002 (VER_PLATFORM_WIN32_NT)
  CSDVersionRva           00003408
                            Length: 28
                            Buffer: {'Service Pack 2'}
  Product: LanManNt, suite: TerminalServer
Stream 6: type MiscInfoStream (15), size 00000018, RVA 000000C4
Stream 7: type UnusedStream (0), size 00000000, RVA 00000000
Stream 8: type UnusedStream (0), size 00000000, RVA 00000000


Strings
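
Renaming the file from .mdmp to .dmp changed only its label: what makes it a user-mode minidump is the `MDMP` header, stream directory and ExceptionStream that the report above lists. As an added example (not part of the original thread, and not OSR's or Microsoft's code), this Python parser reads those structures directly and classifies the access violation; the sample bytes are constructed from the values in the report, and all function names are this example's own.

```python
import struct

HEADER = struct.Struct("<4sIIIIIQ")           # MINIDUMP_HEADER (32 bytes)
DIRENT = struct.Struct("<III")                # MINIDUMP_DIRECTORY: type, size, RVA
EXC_STREAM = struct.Struct("<IIIIQQII15QII")  # MINIDUMP_EXCEPTION_STREAM (0xA8 bytes)

STREAM_NAMES = {0: "UnusedStream", 3: "ThreadListStream", 4: "ModuleListStream",
                5: "MemoryListStream", 6: "ExceptionStream", 7: "SystemInfoStream",
                14: "UnloadedModuleListStream", 15: "MiscInfoStream"}
FLAG_NAMES = {0x01: "MiniDumpWithDataSegs", 0x20: "MiniDumpWithUnloadedModules"}
ACCESS_KINDS = {0: "read", 1: "write", 8: "execute (DEP)"}
STATUS_ACCESS_VIOLATION = 0xC0000005


def decode_flags(flags):
    """Name the MINIDUMP_TYPE bits seen in the report; show the rest as hex."""
    names = [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]
    unknown = flags & ~sum(FLAG_NAMES)
    return names + (["0x%x" % unknown] if unknown else [])


def parse_minidump(data):
    """Return version, stream directory, flags and exception record of a minidump."""
    if len(data) < HEADER.size:
        raise ValueError("too short for a MINIDUMP_HEADER")
    sig, version, nstreams, dir_rva, _sum, _time, flags = HEADER.unpack_from(data)
    # The low word of Version is the format version; the high word varies.
    if sig != b"MDMP" or version & 0xFFFF != 0xA793:
        raise ValueError("not a user-mode minidump, whatever the extension says")
    if dir_rva + nstreams * DIRENT.size > len(data):
        raise ValueError("stream directory runs past end of file")

    streams, exception = [], None
    for i in range(nstreams):
        stype, size, rva = DIRENT.unpack_from(data, dir_rva + i * DIRENT.size)
        streams.append((STREAM_NAMES.get(stype, "type %d" % stype), size, rva))
        if stype == 6 and exception is None:
            if size < EXC_STREAM.size or rva + EXC_STREAM.size > len(data):
                raise ValueError("truncated ExceptionStream")
            f = EXC_STREAM.unpack_from(data, rva)
            # f[6] is NumberParameters; f[8:] is ExceptionInformation[15].
            exception = {"thread_id": f[0], "code": f[2], "address": f[5],
                         "params": list(f[8:8 + min(f[6], 15)])}
    return {"version": version & 0xFFFF, "streams": streams,
            "flags": decode_flags(flags), "exception": exception}


def describe_exception(exc):
    """For an access violation, param 0 is the access type and param 1 the address."""
    if exc["code"] != STATUS_ACCESS_VIOLATION or len(exc["params"]) < 2:
        return "exception %08x at %08x" % (exc["code"], exc["address"])
    kind = ACCESS_KINDS.get(exc["params"][0], "unknown access")
    target = exc["params"][1]
    where = "null page" if target < 0x10000 else "outside the null page"
    return "access violation at %08x: %s of %08x (%s)" % (
        exc["address"], kind, target, where)


def build_sample_minidump():
    """Constructed sample: header + 2 directory entries + exception stream only.

    Thread id, exception code, address, parameters, flags and version are the
    values from the report above; everything else is zero filler. The context
    record location (size 0x2cc, RVA 0x52e6) is copied but never dereferenced.
    """
    exc = EXC_STREAM.pack(0x2294, 0, STATUS_ACCESS_VIOLATION, 0, 0, 0x3FAB1249,
                          2, 0, *([0] * 15), 0x2CC, 0x52E6)
    nstreams = 2
    dir_rva = HEADER.size
    exc_rva = dir_rva + nstreams * DIRENT.size
    header = HEADER.pack(b"MDMP", 0x52CEA793, nstreams, dir_rva, 0, 0, 0x21)
    directory = DIRENT.pack(6, len(exc), exc_rva) + DIRENT.pack(0, 0, 0)
    return header + directory + exc


if __name__ == "__main__":
    dump = parse_minidump(build_sample_minidump())
    for name, size, rva in dump["streams"]:
        print("%-26s size %08X RVA %08X" % (name, size, rva))
    print("flags:", ", ".join(dump["flags"]))
    print(describe_exception(dump["exception"]))
```
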

1namyln

Did you ever reset IE? Try removing any add-ons also. Does any of this sound familiar to you? http://blogs.technet.com/b/markrussinovich/archive/2010/06/01/3335060.aspx?PageIndex=3

RickNCN

ASKER

That blog post sounds VERY familiar to me. So I'm going to document what I did, if only for my reference.

So, I took another stab at the symbol thing.  For me, I found a MS site (http://msdn.microsoft.com/en-us/windows/hardware/gg462988)  that gave the online symbols path. I used:
SRV*d:\websymbols*http://msdl.microsoft.com/download/symbols
Dropped that into File>Symbol File Path (I use D:\ because I have more drive space there)

Russinovich's blog post was very detailed and led me closer than ever to the problem, but I failed to find the smoking gun right at the end.

Following his instructions: I did not attach to a process. The first part of his post is about finding which process to attach windbg to. I had a dump file so I used that instead. So after entering the proper symbols path, I go to file and "open crash dump".
***( When the crash actually happens and comes up and asks if I want to submit it to Microsoft, I pause there and go to the location, usually something like:
C:\Documents and Settings\[UserID]\Local Settings\Temp\WER1f2f.dir00\
and I copy that folder and drop it into something like :
\My Documents\dumps. When you cancel out of that window, the crash dump is deleted...)

So after loading the dump file, I: (quoting from his blog: http://blogs.technet.com/b/markrussinovich/archive/2010/06/01/3335060.aspx?PageIndex=3):

"open both the Processes and Threads and the Call Stack dialogs, arranging them side by side. The goal is to find the thread that has functions with the words fault, exception, or unhandled in their names. You can quickly do this by selecting each thread in the Processes and Threads window, pressing Enter, and then scanning the stack that appears in the Call Stack window. After doing this for the first few threads, I came across the thread I was looking for, revealed by functions all over its stack containing the telltale strings:"

It said "KiUserExceptionDispatcher+0xe", then the next line says "Following frames may be wrong" Then there's a line referencing mshtml.dll Then another line with only addresses, just like in Mark's post.
0x24b500.
So here things sort of fell apart. I couldn't pin down a specific dll.

RickNCN

ASKER

Ok, I may have an answer, FINALLY.
After becoming more familiar with WinDBG, I realized I could do what Mark mentions in the post, that is use the !analyze command in the command window. So after loading the symbol path and the dump file, I typed "!analyze" in the command line at the bottom. LO AND BEHOLD, I get:

0:008> !analyze
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
Probably caused by : ieframe.dll ( ieframe+12c20d )
Followup: MachineOwner

Then I Google "Probably caused by : ieframe.dll" and get: "IEFRAME.dll error dnserror-- A Quick Way To Fix It" (http://www.articlewritingclicks.com/Dll_Errors/Ieframedll_Error_dnserror__A_Quick_Way_to_Fix_it.html)

And wouldn't you know, their analysis fits my situation perfectly:

What causes this error?
In most cases it is a virus or other malware that infected your Internet Explorer. Unfortunately in many cases the infection might damage another vulnerable part of your Windows system – that is your Windows registry system.


Now, the final piece - fixing it. They have a link that takes you to a tool:

The only way to handle this error effectively is to make use of an advanced Windows errors repair tool that handles both that malware and/or repairing any damages it might have left on your Windows registry system.

The question is, is that tool trustworthy? is it trialware or something else? What program should I use, if any to repair the registry? I always avoid registry cleaners. I have never had any real use for them.

RickNCN

ASKER

I saved about 9 WER temp folders. I ran the hdmp and mdmp files from each one and did an !analyze command on them. Here's the breakdown on the number of times each dll was indicated as the cause of the crash:

1-mbamcore.dll
10-ieframe.dll
3-mshtml.dll
3-urlmon.dll

ieframe.dll seems to be the clear loser.
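
Each saved WER folder holds an hdmp and an mdmp of the same crash, so a tally per dump file and a tally per crash can differ. As an added example (not part of the original thread), this Python helper pulls the "Probably caused by" line out of saved `!analyze` output and reports both tallies, plus the folders where the two dumps disagree; the dump paths and analysis texts are constructed samples, and `blamed_module`, `tally` and `sample_results` are names chosen here.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Matches e.g. "Probably caused by : ieframe.dll ( ieframe+12c20d )"
BLAME = re.compile(r"^Probably caused by\s*:\s*(\S+)\s*\(\s*(\S+?)\s*\)",
                   re.MULTILINE)


def blamed_module(analyze_text):
    """Return (image name, symbol+offset) from !analyze output, or None."""
    m = BLAME.search(analyze_text)
    return (m.group(1).lower(), m.group(2)) if m else None


def tally(results):
    """results maps dump path -> saved !analyze text.

    Returns (per_dump, per_crash, disagreements). A crash is one WER folder;
    it is counted in per_crash only when all of its dumps blame the same
    module, otherwise the folder is listed in disagreements for a closer look.
    """
    per_dump = Counter()
    by_folder = defaultdict(set)
    for path, text in results.items():
        hit = blamed_module(text)
        module = hit[0] if hit else "(no verdict)"
        per_dump[module] += 1
        by_folder[PureWindowsPath(path).parent.name].add(module)

    per_crash, disagreements = Counter(), {}
    for folder, modules in by_folder.items():
        if len(modules) == 1:
            per_crash[next(iter(modules))] += 1
        else:
            disagreements[folder] = sorted(modules)
    return per_dump, per_crash, disagreements


def sample_results():
    """Constructed sample: three WER folders, two dumps each."""
    def text(image, frame):
        return ("Use !analyze -v to get detailed debugging information.\n"
                "Probably caused by : %s ( %s )\n"
                "Followup: MachineOwner\n" % (image, frame))
    base = r"D:\dumps"
    return {
        base + r"\WER1f2f.dir00\iexplore.exe.hdmp": text("ieframe.dll", "ieframe+12c20d"),
        base + r"\WER1f2f.dir00\iexplore.exe.mdmp": text("ieframe.dll", "ieframe+12c20d"),
        base + r"\WERbbbb.dir00\iexplore.exe.hdmp": text("ieframe.dll", "ieframe+12c20d"),
        base + r"\WERbbbb.dir00\iexplore.exe.mdmp": text("mshtml.dll", "mshtml+111249"),
        base + r"\WERcccc.dir00\iexplore.exe.hdmp": text("urlmon.dll", "urlmon+1000"),
        base + r"\WERcccc.dir00\iexplore.exe.mdmp": text("urlmon.dll", "urlmon+1000"),
    }


if __name__ == "__main__":
    per_dump, per_crash, disagreements = tally(sample_results())
    print("per dump file:", dict(per_dump))
    print("per crash:    ", dict(per_crash))
    print("hdmp and mdmp disagree in:", disagreements)
```
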

RickNCN

ASKER

I don't know if this means anything but I used WhoCrashed to analyze the dump files I have and in Whocrashed, all of the iexplore.exe hdmp or mdmp files say that kernel32.sys is the cause.

ASKER CERTIFIED SOLUTION

1namyln

This solution is only available to members.

RickNCN

ASKER

I'll just have to close out this question at that. If I figure out anything else helpful, I'll add it here later. Thanks for your help.

RickNCN

ASKER

Thanks for trying, I think the problem was a bit beyond your and my abilities like you said. If I can come to any conclusion I'll post it to the end.
thanks

1namyln

You are welcome.