IE not starting

[Greg Hines]

Hi all,

I have IE6/SP1 installed on a W2K/SP4 machine and IE has just stopped
working for some reason. When you start IE iexplore.exe briefly appears in
task manager and then disappears. No error messages appear on the screen or
in the event log.

Ad-Aware can find no browser hijacks or any other nasties and Symantec can
find no viruses.

I've reinstalled IE by running ie6setup.exe but it has not fixed the
problem.

Can anyone offer any suggestions on how to get IE working again?

Thanks in advance.

Greg

 

[Frank Saunders, MS-MVP IE/OE]

Hi all,

I have IE6/SP1 installed on a W2K/SP4 machine and IE has just stopped
working for some reason. When you start IE iexplore.exe briefly
appears in task manager and then disappears. No error messages
appear on the screen or in the event log.

Ad-Aware can find no browser hijacks or any other nasties and
Symantec can find no viruses.

I've reinstalled IE by running ie6setup.exe but it has not fixed the
problem.

Can anyone offer any suggestions on how to get IE working again?

Thanks in advance.

Greg

Ad-Aware does not catch everything.
What You Should Know About Spyware
http://www.microsoft.com/athome/security/spyware/devioussoftware.mspx

CAUTION!!!!! Removing some spyware can damage the Winsock stack. Before
you try to remove spyware, download a copy of LSP-Fix - a free program to
repair damaged Winsock 2 stacks (all Windows versions)
http://www.cexx.org/lspfix.htm
Winsockfix for W95, W98, ME, NT, 2000, XP
http://www.tacktech.com/pub/winsockfix/WinsockFix.zip
Directions here: http://www.tacktech.com/display.cfm?ttid=257
WinXP:
Get WinSockxpFix
http://www.spychecker.com/program/winsockxpfix.html
How to Reset Internet Protocol (TCP/IP) in Windows XP
http://support.microsoft.com/kb/299357
In WinXP SP2: You can fix Winsock by going to Start | Run and typing
CMD
In the command window type
netsh winsock reset

See
Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/data/tshoot.htm
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine.blogspot.com

--
Frank Saunders, MS-MVP, IE/OE
Please respond in Newsgroup only. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com./athome/security/protect/default.aspx
http://defendingyourmachine.blogspot.com/

 

[Greg Hines]

Hi Frank,

Have run LSP-Fix and WinsockFix and it has not repaired IE.

Any other suggestions appreciated.

Greg

 

[Frank Saunders, MS-MVP, IE/OE]

Hi Frank,

Have run LSP-Fix and WinsockFix and it has not repaired IE.

Any other suggestions appreciated.

Greg

Those are for after you remove the malware (I did say that). You need to
follow the rest of the message.

--
Frank Saunders, MS-MVP, IE/OE
Please respond in Newsgroup only. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com./athome/security/protect/default.aspx
http://defendingyourmachine.blogspot.com/

 

[Greg Hines]

Sorry about that.

Booted into safe mode
Ran CWShredder
Booted into safe mode
Did a complete AdAware Scan
Booted into safe mode
Run MS Antispyware
Booted into safe mode
Run Spybot S&D
Booted into safe mode
Ran LSPfix and Winsockfix
Did a normal reboot

Problem still persists. IE will not start. I did notice that IE ran in
safe mode, which seems to suggest something has not been deleted that should
have been.

Ideas appreciated, and thanks again for your help this far.

Greg

-
(e-mail address removed)
Remove NOSPAM when replying

 

[Frank Saunders, MS-MVP, IE/OE]

Sorry about that.

Booted into safe mode
Ran CWShredder
Booted into safe mode
Did a complete AdAware Scan
Booted into safe mode
Run MS Antispyware
Booted into safe mode
Run Spybot S&D
Booted into safe mode
Ran LSPfix and Winsockfix
Did a normal reboot

Problem still persists. IE will not start. I did notice that IE ran
in safe mode, which seems to suggest something has not been deleted
that should have been.

Ideas appreciated, and thanks again for your help this far.

Greg

-
(e-mail address removed)
Remove NOSPAM when replying

run HijackThis; http://aumha.org/downloads/hijackthis.zip
HijackThis - Tutorial & FAQ;
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42

Register here: http://aumha.net/profile.php?mode=register
Once you have received your registration confirmation, post your HJT
log here: *(for expert analysis)*
http://aumha.net/viewforum.php?f=30

--
Frank Saunders, MS-MVP, IE/OE
Please respond in Newsgroup only. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com./athome/security/protect/default.aspx
http://defendingyourmachine.blogspot.com/

 

[Greg Hines]

Frank,

Have posted the hijackthis log to http://aumha.net/ and had it confirmed
that my problem is not a problem relating to hijacking.

Have noticed that if you logon as another user on the same pc IE6 works, so
it seems related to my local profile.

Any ideas appreciated.

Greg

 

[Frank Saunders, MS-MVP IE/OE]

Frank,

Have posted the hijackthis log to http://aumha.net/ and had it
confirmed that my problem is not a problem relating to hijacking.

Have noticed that if you logon as another user on the same pc IE6
works, so it seems related to my local profile.

Any ideas appreciated.

Greg

How to Reinstall or Repair Internet Explorer and Outlook Express in Windows
XP
http://support.microsoft.com/?kbid=318378
Make sure your anti-virus is turned off.
The section
Windows XP and Windows XP SP1: Edit the registry and install Internet
Explorer 6
works on earlier versions of Windows.

--
Frank Saunders, MS-MVP, IE/OE
Please respond in Newsgroup only. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com./athome/security/protect/default.aspx
http://defendingyourmachine.blogspot.com/

 

[Greg Hines]

Frank,

Tried that, but still the same problem. I happened to have the Task Mgr.
open when I tried to start IE6 and Dr. Watson briefly appears as well, but
no entry in the Event Viewer. Tracked down the log file and the top section
looks like this:-


Microsoft (R) Windows 2000 (TM) Version 5.00 DrWtsn32
Copyright (C) 1985-1999 Microsoft Corp. All rights reserved.



Application exception occurred:
App: (pid=1552)
When: 7/6/2005 @ 15:56:36.732
Exception number: c0000005 (access violation)

*----> System Information <----*
Computer Name: GREGH
User Name: greg
Number of Processors: 1
Processor Type: x86 Family 15 Model 2 Stepping 9
Windows 2000 Version: 5.0
Current Build: 2195
Service Pack: 4
Current Type: Uniprocessor Free
Registered Organization: Remtech Australia
Registered Owner: Greg Hines

*----> Task List <----*
0 Idle.exe
8 System.exe
160 smss.exe
192 csrss.exe
212 winlogon.exe
240 services.exe
252 lsass.exe
392 SCardSvr.exe
472 svchost.exe
500 spoolsv.exe
580 DefWatch.exe
600 svchost.exe
624 llssrv.exe
652 LogWatNT.exe
740 Rtvscan.exe
756 nvsvc32.exe
804 regsvc.exe
820 MSTask.exe
908 SCARDS32.exe
920 vmware-authd.ex.exe
972 vmnat.exe
988 WinMgmt.exe
1016 mspmspsv.exe
1028 svchost.exe
1040 Dfssvc.exe
1060 PDSched.exe
1140 vmnetdhcp.exe
1380 svchost.exe
1800 uphclean.exe
1504 Explorer.exe
312 iTouch.exe
1336 EM_EXEC.exe
1752 AtomTime.exe
1516 VPTray.exe
1348 jusched.exe
1784 Ad-Watch.exe
696 issch.exe
892 sched.exe
668 wcescomm.exe
1132 getright.exe
1492 getright.exe
1600 sqlmangr.exe
1548 AcroTray.exe
280 gcasDtServ.exe
1780 OUTLOOK.exe
1552 iexplore.exe
1520 drwtsn32.exe
0 _Total.exe

(00400000 - 00419000)
(77F80000 - 77FFD000)
(78000000 - 78045000)
(7C570000 - 7C623000)
(77E10000 - 77E6F000)
(77F40000 - 77F7B000)
(70BD0000 - 70C35000)
(7C2D0000 - 7C332000)
(77D30000 - 77DA1000)
(71000000 - 71149000)
(71710000 - 71794000)
(782F0000 - 78535000)
(77A50000 - 77B3F000)
(10000000 - 10007000)
(71160000 - 7125D000)
(71960000 - 71972000)
(775A0000 - 77630000)
(779B0000 - 77A4B000)
(70200000 - 70295000)
(7C740000 - 7C7C7000)
(77430000 - 77440000)
(77840000 - 7787E000)
(770C0000 - 770E3000)

State Dump for Thread Id 0x648

eax=00004265 ebx=0013a8bc ecx=00004200 edx=0015b703 esi=001574a0
edi=ffffffff
eip=7830e1b1 esp=0012d194 ebp=0012d1b0 iopl=0 nv up ei pl nz na po
nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000
efl=00000206


function: Ordinal152
7830e1a4 8b542404 mov edx,[esp+0x4]
ss:0094707b=????????
7830e1a8 33c0 xor eax,eax
7830e1aa 85d2 test edx,edx
7830e1ac 7414 jz Ordinal103+0x8d (78314bc2)
7830e1ae 6a02 push 0x2
7830e1b0 58 pop eax
FAULT ->7830e1b1 668b0a mov cx,[edx]
ds:0015b703=????
7830e1b4 6685c9 test cx,cx
7830e1b7 7409 jz DllGetClassObject+0xb2d (7830f0c2)
7830e1b9 0fb7c9 movzx ecx,cx
7830e1bc 03c1 add eax,ecx
7830e1be 03d1 add edx,ecx
7830e1c0 ebef jmp Ordinal171+0xb (7831a4b1)
7830e1c2 c20400 ret 0x4

I don't know if the access violation is a file access violation or not. The
C Drive partition is FAT32.

Any other thoughts appreciated.

Greg

 

[Frank Saunders, MS-MVP, IE/OE]

Sorry, we've gotten over my head.

--
Frank Saunders, MS-MVP, IE/OE
Please respond in Newsgroup only. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com./athome/security/protect/default.aspx
http://defendingyourmachine.blogspot.com/

Frank,

Tried that, but still the same problem. I happened to have the Task
Mgr. open when I tried to start IE6 and Dr. Watson briefly appears as
well, but no entry in the Event Viewer. Tracked down the log file
and the top section looks like this:-


Microsoft (R) Windows 2000 (TM) Version 5.00 DrWtsn32
Copyright (C) 1985-1999 Microsoft Corp. All rights reserved.



Application exception occurred:
App: (pid=1552)
When: 7/6/2005 @ 15:56:36.732
Exception number: c0000005 (access violation)

*----> System Information <----*
Computer Name: GREGH
User Name: greg
Number of Processors: 1
Processor Type: x86 Family 15 Model 2 Stepping 9
Windows 2000 Version: 5.0
Current Build: 2195
Service Pack: 4
Current Type: Uniprocessor Free
Registered Organization: Remtech Australia
Registered Owner: Greg Hines

*----> Task List <----*
0 Idle.exe
8 System.exe
160 smss.exe
192 csrss.exe
212 winlogon.exe
240 services.exe
252 lsass.exe
392 SCardSvr.exe
472 svchost.exe
500 spoolsv.exe
580 DefWatch.exe
600 svchost.exe
624 llssrv.exe
652 LogWatNT.exe
740 Rtvscan.exe
756 nvsvc32.exe
804 regsvc.exe
820 MSTask.exe
908 SCARDS32.exe
920 vmware-authd.ex.exe
972 vmnat.exe
988 WinMgmt.exe
1016 mspmspsv.exe
1028 svchost.exe
1040 Dfssvc.exe
1060 PDSched.exe
1140 vmnetdhcp.exe
1380 svchost.exe
1800 uphclean.exe
1504 Explorer.exe
312 iTouch.exe
1336 EM_EXEC.exe
1752 AtomTime.exe
1516 VPTray.exe
1348 jusched.exe
1784 Ad-Watch.exe
696 issch.exe
892 sched.exe
668 wcescomm.exe
1132 getright.exe
1492 getright.exe
1600 sqlmangr.exe
1548 AcroTray.exe
280 gcasDtServ.exe
1780 OUTLOOK.exe
1552 iexplore.exe
1520 drwtsn32.exe
0 _Total.exe

(00400000 - 00419000)
(77F80000 - 77FFD000)
(78000000 - 78045000)
(7C570000 - 7C623000)
(77E10000 - 77E6F000)
(77F40000 - 77F7B000)
(70BD0000 - 70C35000)
(7C2D0000 - 7C332000)
(77D30000 - 77DA1000)
(71000000 - 71149000)
(71710000 - 71794000)
(782F0000 - 78535000)
(77A50000 - 77B3F000)
(10000000 - 10007000)
(71160000 - 7125D000)
(71960000 - 71972000)
(775A0000 - 77630000)
(779B0000 - 77A4B000)
(70200000 - 70295000)
(7C740000 - 7C7C7000)
(77430000 - 77440000)
(77840000 - 7787E000)
(770C0000 - 770E3000)

State Dump for Thread Id 0x648

eax=00004265 ebx=0013a8bc ecx=00004200 edx=0015b703 esi=001574a0
edi=ffffffff
eip=7830e1b1 esp=0012d194 ebp=0012d1b0 iopl=0 nv up ei pl nz
na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000
efl=00000206


function: Ordinal152
7830e1a4 8b542404 mov edx,[esp+0x4]
ss:0094707b=????????
7830e1a8 33c0 xor eax,eax
7830e1aa 85d2 test edx,edx
7830e1ac 7414 jz Ordinal103+0x8d (78314bc2)
7830e1ae 6a02 push 0x2
7830e1b0 58 pop eax
FAULT ->7830e1b1 668b0a mov cx,[edx]
ds:0015b703=????
7830e1b4 6685c9 test cx,cx
7830e1b7 7409 jz DllGetClassObject+0xb2d
(7830f0c2) 7830e1b9 0fb7c9 movzx ecx,cx
7830e1bc 03c1 add eax,ecx
7830e1be 03d1 add edx,ecx
7830e1c0 ebef jmp Ordinal171+0xb (7831a4b1)
7830e1c2 c20400 ret 0x4

I don't know if the access violation is a file access violation or
not. The C Drive partition is FAT32.

Any other thoughts appreciated.

Greg

How to Reinstall or Repair Internet Explorer and Outlook Express in
Windows XP
http://support.microsoft.com/?kbid=318378
Make sure your anti-virus is turned off.
The section
Windows XP and Windows XP SP1: Edit the registry and install Internet
Explorer 6
works on earlier versions of Windows.

 

[Robert Aldwinckle]

Frank,

Tried that, but still the same problem. I happened to have the Task Mgr.
open when I tried to start IE6 and Dr. Watson briefly appears as well, but
no entry in the Event Viewer. Tracked down the log file and the top section
looks like this:- ....
FAULT ->7830e1b1 668b0a mov cx,[edx] ....
I don't know if the access violation is a file access violation or not. The
C Drive partition is FAT32.

You chopped the dump too soon.
The most useful part of a drwtsn32.log is the following section
called Stack Back Trace (only the one following the FAULT -> line)
If there are any interpreted characters in the section following that,
the Raw Stack Dump the words they display may be clues too.

It's really unfortunate that your OS doesn't match module names.
In the past I have suggested that W2K users might try activating
Dump Symbol Table to try to compensate for this deficiency.
If you can get full symbols in your Stack Back Trace you would
have even better clues about what was going on.

Here are some links I previously found for an XP user to do the latter.
I think the same links should apply to your OS or at least
a slight modification to the search will find more appropriate ones.


<paste>

<title>Microsoft Windows XP - Setting up Dr. Watson</title>
< http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/drwatson_setup.mspx >

(MSDN search for
drwtsn32 symbols xp
)


<title>How to Use the Microsoft Symbol Server</title>
< http://www.microsoft.com/whdc/devtools/debugging/symbols.mspx >

(Google web search for
inurl:symbols site:microsoft.com
)

</paste>


BTW I suspect that the above address is not in a module normally
loaded by IE. Another way to check on what module it might be within
would be to use Process Explorer (from SysInternals) with a lower pane
view of DLLs (e.g. press Ctrl-d) and all columns in that view checked
(especially Base Address). Sort by Base Address to simplify finding
a module which might bound your crash address.


HTH

Robert Aldwinckle
---

 

[Greg Hines]

You chopped the dump too soon.
The most useful part of a drwtsn32.log is the following section
called Stack Back Trace (only the one following the FAULT -> line)
If there are any interpreted characters in the section following that,
the Raw Stack Dump the words they display may be clues too.

It's really unfortunate that your OS doesn't match module names.
In the past I have suggested that W2K users might try activating
Dump Symbol Table to try to compensate for this deficiency.
If you can get full symbols in your Stack Back Trace you would
have even better clues about what was going on.

Here are some links I previously found for an XP user to do the latter.
I think the same links should apply to your OS or at least
a slight modification to the search will find more appropriate ones.


<paste>

<title>Microsoft Windows XP - Setting up Dr. Watson</title>
<

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-
us/drwatson_setup.mspx >

(MSDN search for
drwtsn32 symbols xp
)


<title>How to Use the Microsoft Symbol Server</title>
< http://www.microsoft.com/whdc/devtools/debugging/symbols.mspx >

(Google web search for
inurl:symbols site:microsoft.com
)

</paste>


BTW I suspect that the above address is not in a module normally
loaded by IE. Another way to check on what module it might be within
would be to use Process Explorer (from SysInternals) with a lower pane
view of DLLs (e.g. press Ctrl-d) and all columns in that view checked
(especially Base Address). Sort by Base Address to simplify finding
a module which might bound your crash address.


HTH

Robert Aldwinckle
---

Robert,

Installed the MS Debugging Tools. Here's the complete dump.

Ideas appreciated.

Greg

Application exception occurred:
App: (pid=1096)
When: 7/11/2005 @ 08:08:36.410
Exception number: c0000005 (access violation)

*----> System Information <----*
Computer Name: GREGH
User Name: greg
Number of Processors: 1
Processor Type: x86 Family 15 Model 2 Stepping 9
Windows 2000 Version: 5.0
Current Build: 2195
Service Pack: 4
Current Type: Uniprocessor Free
Registered Organization: Remtech Australia
Registered Owner: Greg Hines

*----> Task List <----*
0 Idle.exe
8 System.exe
160 smss.exe
192 csrss.exe
212 winlogon.exe
240 services.exe
252 lsass.exe
392 SCardSvr.exe
464 svchost.exe
496 spoolsv.exe
588 DefWatch.exe
596 svchost.exe
620 llssrv.exe
648 LogWatNT.exe
744 Rtvscan.exe
760 nvsvc32.exe
808 regsvc.exe
832 MSTask.exe
912 SCARDS32.exe
932 uphclean.exe
956 vmware-authd.ex.exe
980 vmnat.exe
996 WinMgmt.exe
1016 mspmspsv.exe
1028 svchost.exe
1044 Dfssvc.exe
1112 PDSched.exe
1268 vmnetdhcp.exe
1364 Explorer.exe
768 svchost.exe
1548 iTouch.exe
1556 EM_EXEC.exe
1576 AtomTime.exe
1604 VPTray.exe
1616 jusched.exe
1444 Ad-Watch.exe
1440 issch.exe
1396 sched.exe
1620 wcescomm.exe
1664 getright.exe
1672 sqlmangr.exe
1688 getright.exe
1696 AcroTray.exe
1720 gcasDtServ.exe
1728 gcasServ.exe
1352 LUCOMS~1.exe
900 OUTLOOK.exe
1884 msimn.exe
1072 firefox.exe
1456 WINZIP32.exe
1248 NOTEPAD.exe
1800 msiexec.exe
1512 procexp.exe
1096 iexplore.exe
1636 drwtsn32.exe
0 _Total.exe

(00400000 - 00419000)
(77F80000 - 77FFD000)
(78000000 - 78045000)
(7C570000 - 7C623000)
(77E10000 - 77E6F000)
(77F40000 - 77F7B000)
(70BD0000 - 70C35000)
(7C2D0000 - 7C332000)
(77D30000 - 77DA1000)
(71000000 - 71149000)
(71710000 - 71794000)
(782F0000 - 78535000)
(77A50000 - 77B3F000)
(10000000 - 10007000)
(71160000 - 7125D000)
(71960000 - 71972000)
(775A0000 - 77630000)
(779B0000 - 77A4B000)
(70200000 - 70295000)
(7C740000 - 7C7C7000)
(77430000 - 77440000)
(77840000 - 7787E000)
(770C0000 - 770E3000)

State Dump for Thread Id 0x798

eax=00004265 ebx=0013a8bc ecx=00004200 edx=0015b693 esi=00157430
edi=ffffffff
eip=7830e1b1 esp=0012d194 ebp=0012d1b0 iopl=0 nv up ei pl nz na po
nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000
efl=00000206


function: Ordinal152
7830e1a4 8b542404 mov edx,[esp+0x4]
ss:0094707b=????????
7830e1a8 33c0 xor eax,eax
7830e1aa 85d2 test edx,edx
7830e1ac 7414 jz Ordinal103+0x8d (78314bc2)
7830e1ae 6a02 push 0x2
7830e1b0 58 pop eax
FAULT ->7830e1b1 668b0a mov cx,[edx]
ds:0015b693=????
7830e1b4 6685c9 test cx,cx
7830e1b7 7409 jz DllGetClassObject+0xb2d (7830f0c2)
7830e1b9 0fb7c9 movzx ecx,cx
7830e1bc 03c1 add eax,ecx
7830e1be 03d1 add edx,ecx
7830e1c0 ebef jmp Ordinal171+0xb (7831a4b1)
7830e1c2 c20400 ret 0x4

*----> Stack Back Trace <----*

FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Function Name
0012D1B0 71165504 0012E308 0012E308 711640E8 0013A8BC shell32!Ordinal152
0012D1E8 7119EC84 00000000 711640E8 0000A231 00000002 !Ordinal114
0012E32C 7119F812 00000000 711641F4 00000123 00000000 !Ordinal126
0012E36C 00310038 0031002D 00440031 002D0030 00320038 !Ordinal126
00410036 5889FF5A 6190FF57 5E8DFF5F 5B8BFF5C 5889FF5A <nosymbols>
5B8BFF5C 00000000 00000000 00000000 00000000 00000000 <nosymbols>

*----> Raw Stack Dump <----*
0012d194 d5 e1 30 78 30 74 15 00 - ff ff ff ff f8 40 16 71
[email protected]
0012d1a4 5a 9f 16 71 30 74 15 00 - 00 00 00 00 e8 d1 12 00
Z..q0t..........
0012d1b4 04 55 16 71 08 e3 12 00 - 08 e3 12 00 e8 40 16 71
[email protected]
0012d1c4 bc a8 13 00 08 e3 12 00 - 00 00 00 00 00 00 00 00
.................
0012d1d4 ca 67 17 71 11 00 00 00 - 00 00 00 00 e8 40 16 71
[email protected]
0012d1e4 10 67 16 71 2c e3 12 00 - 84 ec 19 71 00 00 00 00
..g.q,......q....
0012d1f4 e8 40 16 71 31 a2 00 00 - 02 00 00 00 00 00 00 00
[email protected]...........
0012d204 08 e3 12 00 dc e3 12 00 - cc e3 12 00 f8 70 14 00
..............p..
0012d214 00 00 12 00 44 1f 5c 7c - 50 24 57 7c ff ff ff ff
.....D.\|P$W|....
0012d224 48 d2 12 00 30 77 e1 77 - 04 00 e1 00 87 78 e1 77
H...0w.w.....x.w
0012d234 04 00 e1 00 00 00 71 71 - b8 1c 15 00 00 00 00 00
.......qq........
0012d244 7e 08 01 06 fa ed f5 77 - 7e 08 01 06 7e 08 01 06
~......w~...~...
0012d254 7e 08 01 06 0d 56 e1 77 - 7e 08 01 06 29 00 00 00
~....V.w~...)...
0012d264 b8 1c 15 00 35 c3 e1 77 - 44 c3 e1 77 5c 05 0c 00
.....5..wD..w\...
0012d274 b8 1c 15 00 3b 09 e2 77 - b8 1c 15 00 7e 08 01 06
.....;..w....~...
0012d284 00 00 00 00 b1 00 00 00 - b8 1c 15 00 f8 d2 12 00
.................
0012d294 2f 8f e1 77 b8 1c 15 00 - 00 00 00 00 01 00 00 00
/..w............
0012d2a4 c8 20 50 00 b8 1c 15 00 - 5c 05 0c 00 1a 02 00 00 .
P.....\.......
0012d2b4 08 00 00 00 60 d5 12 00 - 13 34 f8 77 70 01 fd 77
.....`....4.wp..w
0012d2c4 86 7c f8 77 5e 7c f8 77 - 16 00 00 00 b0 2b 13 00
..|.w^|.w.....+..

State Dump for Thread Id 0x63c

eax=77d358be ebx=0013eff0 ecx=0012d5c4 edx=00000000 esi=0013ee90
edi=00000100
eip=77f83310 esp=00cbfe28 ebp=00cbff74 iopl=0 nv up ei pl nz na pe
nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000
efl=00000202


function: ZwReplyWaitReceivePortEx
77f83305 b8ac000000 mov eax,0xac
77f8330a 8d542404 lea edx,[esp+0x4]
ss:014d9d0f=????????
77f8330e cd2e int 2e
77f83310 c21400 ret 0x14

*----> Stack Back Trace <----*

FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Function Name
00CBFF74 77D37B4C 77D35924 0013EE90 77D33E01 00130000
ntdll!ZwReplyWaitReceivePortEx
00CBFFA8 77D358D6 0013E618 00CBFFEC 7C57B388 0013EFF0
rpcrt4!NdrCorrelationInitialize
00CBFFB4 7C57B388 0013EFF0 77D33E01 00130000 0013EFF0 rpcrt4!RpcBindingFree
00CBFFEC 00000000 00000000 00000000 00000000 00000000 kernel32!lstrcmpiW

State Dump for Thread Id 0x79c

eax=00148000 ebx=00000102 ecx=00dbfd0c edx=00000000 esi=77f82826
edi=00dbff74
eip=77f82831 esp=00dbff60 ebp=00dbff7c iopl=0 nv up ei pl nz na po
nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000
efl=00000206


function: NtDelayExecution
77f82826 b832000000 mov eax,0x32
77f8282b 8d542404 lea edx,[esp+0x4]
ss:015d9e47=????????
77f8282f cd2e int 2e
77f82831 c20800 ret 0x8
77f82834 53 push ebx
77f82835 51 push ecx
77f82836 6a00 push 0x0
77f82838 c70701000000 mov dword ptr [edi],0x1
ds:00dbff74=dc3cba00
77f8283e ff750c push dword ptr [ebp+0xc]
ss:015d9e62=????????
77f82841 50 push eax
77f82842 e879fdffff call RtlMultiByteToUnicodeN (77f825c0)
77f82847 e928fcffff jmp RtlConsoleMultiByteToUnicodeN+0x333
(77f82474)

*----> Stack Back Trace <----*

FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Function Name
00DBFF7C 7C59A20E 0000EA60 00000000 77AB9967 0000EA60 ntdll!NtDelayExecution
00007530 00000000 00000000 00000000 00000000 00000000 kernel32!Sleep

*----> Raw Stack Dump <----*
00dbff60 43 a2 59 7c 00 00 00 00 - 74 ff db 00 73 9f 59 7c
C.Y|....t...s.Y|
00dbff70 98 18 14 00 00 ba 3c dc - ff ff ff ff 30 75 00 00
.......<.....0u..
00dbff80 0e a2 59 7c 60 ea 00 00 - 00 00 00 00 67 99 ab 77
...Y|`.......g..w
00dbff90 60 ea 00 00 5b 5a ab 77 - 00 00 00 00 00 00 a5 77
`...[Z.w.......w
00dbffa0 98 18 14 00 ec ff db 00 - 98 18 14 00 b3 59 ab 77
..............Y.w
00dbffb0 85 7d a6 77 70 7d a6 77 - 88 b3 57 7c 98 18 14 00
..}.wp}.w..W|....
00dbffc0 85 7d a6 77 70 7d a6 77 - 98 18 14 00 00 c0 fd 7f
..}.wp}.w........
00dbffd0 64 02 66 02 c0 ff db 00 - 64 02 66 02 ff ff ff ff
d.f.....d.f.....
00dbffe0 44 1f 5c 7c 08 2b 57 7c - 00 00 00 00 00 00 00 00
D.\|.+W|........
00dbfff0 00 00 00 00 99 59 ab 77 - 98 18 14 00 00 00 00 00
......Y.w........
00dc0000 01 00 00 00 f0 57 14 00 - 01 00 00 00 18 58 14 00
......W.......X..
00dc0010 18 00 dc 00 00 00 00 00 - 20 00 dc 00 00 00 00 00 ........
........
00dc0020 28 00 dc 00 00 00 00 00 - 30 00 dc 00 00 00 00 00
(.......0.......
00dc0030 38 00 dc 00 00 00 00 00 - 40 00 dc 00 00 00 00 00
8.......@.......
00dc0040 48 00 dc 00 00 00 00 00 - 50 00 dc 00 00 00 00 00
H.......P.......
00dc0050 58 00 dc 00 00 00 00 00 - 60 00 dc 00 00 00 00 00
X.......`.......
00dc0060 68 00 dc 00 00 00 00 00 - 70 00 dc 00 00 00 00 00
h.......p.......
00dc0070 78 00 dc 00 00 00 00 00 - 80 00 dc 00 00 00 00 00
x...............
00dc0080 88 00 dc 00 00 00 00 00 - 90 00 dc 00 00 00 00 00
.................
00dc0090 98 00 dc 00 00 00 00 00 - a0 00 dc 00 00 00 00 00
.................

 

[Robert Aldwinckle]

Doesn't look as if you activated the Dump Symbol Table option yet.
Run... drwtsn32 and do that.

Here's the line which we would like to be associated with a module name

(782F0000 - 78535000)

This would be another way to get that information.

Robert,

Installed the MS Debugging Tools. Here's the complete dump.

....

The main thing you want to know is which module this is in.
Does the Event Viewer Application log have an entry?
Perhaps it would have recorded the module name and version
(e.g. in an Error Signature)

function: Ordinal152 ....
FAULT ->7830e1b1 668b0a mov cx,[edx] ....
*----> Stack Back Trace <----*

FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Function Name
0012D1B0 71165504 0012E308 0012E308 711640E8 0013A8BC shell32!Ordinal152

This is new because it is the first time we have seen the Stack Back Trace.

So at least we know that shell32.dll was involved somehow but I still doubt
that it will be the crashing module. Again, if you can't get a dump with modules
listed in it Process Explorer would clarify where shell32.dll is loaded and how
big it is.

The only additional potential resolution that this now suggests
(and I'm sorry I didn't think of earlier) is an IE Repair.
(E.g. Ref. KB194177) In fact you probably should try also
the additional manual regsvr32 commands recommended
in KB831429 since I think that only it recommends re-registering
shell32.dll.

If that module turns out to be a third-party extension
the repair steps may be premature... (OMG. Another oversight.)
You can try testing the hypothesis that a third-party extension
is involved by unchecking (in Internet Options, Advanced tab)
Enable third-party browser extensions (requires restart)
If you do that with the Control Panel app
(e.g. Run... control inetcpl.cpl)
while all IE windows are closed (i.e. while iexplore.exe is not
an active task) that would satisfy the restart requirement.

If a test in that state avoids the symptom you can try
reactivating that global option and find a specific BHO
to disable using a tool such as BHODemon (from
DefinitiveSolutions)


Good luck

Robert
---