NIS 2009: the iexplore.exe was hanging when the module Scxpx86 tried to unload

Hello,

I was able to do some investigation with WinDbg while iexplore.exe was hanging:

0:027> !cs -l
-----------------------------------------
DebugInfo          = 0x77004760
Critical section   = 0x77004300 (ntdll!LdrpLoaderLock+0x0)
LOCKED
LockCount          = 0xD
WaiterWoken        = No
OwningThread       = 0x000008d4
RecursionCount     = 0x1
LockSemaphore      = 0x1B4
SpinCount          = 0x00000000
-----------------------------------------


0:027> ~*kb250
...

  17  Id: 670.8d4 Suspend: 1 Teb: 7ffd9000 Unfrozen
ChildEBP RetAddr  Args to Child             
05aaf1d4 76fa4780 75829990 00000000 05aaf21c ntdll!KiFastSystemCallRet
05aaf1d8 75829990 00000000 05aaf21c 9483c88d ntdll!ZwDelayExecution+0xc
05aaf240 757e1c6c 0000000a 00000000 05aaf268 kernel32!SleepEx+0x62
05aaf250 04f04b8e 0000000a 05aaf270 76fa66ea kernel32!Sleep+0xf
WARNING: Stack unwind information not available. Following frames may be wrong.
05aaf268 04ed780c 04750000 75829a26 007c0000 Scxpx86!GetFactory+0x2a7ce
05aaf290 04edc647 949c764e 05070af8 05aaf2b0 Scxpx86+0x1780c
05aaf2a8 04edc569 05070af0 05aaf2c0 04ee266f Scxpx86!GetFactory+0x2287
05aaf2b4 04ee266f 05070af0 05aaf2e8 04ee25d8 Scxpx86!GetFactory+0x21a9
05aaf2c0 04ee25d8 00000001 fffffffe 69643eb9 Scxpx86!GetFactory+0x82af
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Norton Internet Security\Engine\16.7.2.11\IPSBHO.DLL -
05aaf2e8 6bf436c4 00000000 6bf43b55 6bf47648 Scxpx86!GetFactory+0x8218
05aaf340 6bf4da7e 6bf40000 6b7a287b 6bf40000 IPSBHO+0x36c4
05aaf364 6b7a28cc 6bf40000 00000000 00000000 IPSBHO!std::_Init_locks::operator=+0x61d
05aaf398 76f816ac 6bf40000 00000000 00000000 IEShims!CShimBindings::s_DllMainHook+0x3b
05aaf3b8 76f79f1b 6b7a2891 6bf40000 00000000 ntdll!LdrpCallInitRoutine+0x14
05aaf468 76f7ba96 6bf40000 05aaf48c 7c7db429 ntdll!LdrpUnloadDll+0x3d8
05aaf4ac 75823dcd 6bf40000 05aaf67c 05aaf4c8 ntdll!LdrUnloadDll+0x46
05aaf4bc 75ed8855 6bf40000 05aaf738 75ed8869 kernel32!FreeLibrary+0x76
05aaf4c8 75ed8869 05aaf6d0 00000000 75fc25b8 ole32!CClassCache::CDllPathEntry::CFinishObject::Finish+0x2f
05aaf4dc 75ee9202 75ee8b34 00000000 00000000 ole32!CClassCache::CFinishComposite::Finish+0x1d
05aaf738 75ee8d4a 949c72ee 003283c0 00000080 ole32!CClassCache::CleanUpDllsForApartment+0x1da
05aaf77c 75ee8c68 00000000 05aaf7cc 75fc164c ole32!FinishShutdown+0x120
05aaf79c 75ee8255 00000000 00000000 003283c0 ole32!ApartmentUninitialize+0x96
05aaf7b4 75ee832b 05aaf7cc 00000000 00000000 ole32!wCoUninitialize+0x88
05aaf7d0 6f2c5ba8 00000000 084a3a78 084a3a78 ole32!CoUninitialize+0x72
05aaf884 7575408d 00991e20 00000000 05aaf8a0 IEFRAME!LCIETab_ThreadProc+0x40c
05aaf894 7582d0e9 084a3a78 05aaf8e0 76f819bb iertutil!CIsoScope::RegisterThread+0xab
05aaf8a0 76f819bb 084a3a78 7c7db865 00000000 kernel32!BaseThreadInitThunk+0xe
05aaf8e0 76f8198e 7575407f 084a3a78 00000000 ntdll!__RtlUserThreadStart+0x23
05aaf8f8 00000000 7575407f 084a3a78 00000000 ntdll!_RtlUserThreadStart+0x1b
...

0:027> lm vm Scxpx86
start    end        module name
04ec0000 04f8e000   Scxpx86    (export symbols)       C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20091111.001\Scxpx86.dll
    Loaded symbol image file: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20091111.001\Scxpx86.dll
    Image path: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20091111.001\Scxpx86.dll
    Image name: Scxpx86.dll
    Timestamp:        Wed Oct 28 07:37:01 2009 (4AE767FD)
    CheckSum:         000D5AE7
    ImageSize:        000CE000
    File version:     9.1.2.5
    Product version:  9.1.2.0
    File flags:       0 (Mask 4F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Symantec Corporation
    ProductName:      Symantec Intrusion Detection
    InternalName:     ScrptEng
    OriginalFilename: ScrptEng.dll
    ProductVersion:   9.1
    FileVersion:      9.1.2.5
    FileDescription:  IPS Script Engine DLL
    LegalCopyright:   Copyright (c) 2006-2008 Symantec Corporation
    LegalTrademarks:  Copyright (c) 2006-2008 Symantec Corporation

 

I've created a dump of the iexplore.exe process, so if you wish to get more information about this problem, I'm ready to help.
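An added triage example, not part of the original post and not vendor code: this Python sketch correlates the `!cs -l` owner of `ntdll!LdrpLoaderLock` with the `~*kb` stacks and reports a blocking call made above `ntdll!LdrpCallInitRoutine`, where DLL entry points run with the loader lock held. The embedded input is trimmed from the output above; the `BLOCKING` and `SYSTEM` lists and all function names are assumptions made for this example.

```python
import re

# Constructed input: lines copied from the post's `!cs -l` and `~*kb250` output, trimmed.
CS_OUTPUT = """\
Critical section   = 0x77004300 (ntdll!LdrpLoaderLock+0x0)
LOCKED
OwningThread       = 0x000008d4
"""
STACKS = """\
  17  Id: 670.8d4 Suspend: 1 Teb: 7ffd9000 Unfrozen
05aaf250 04f04b8e 0000000a 05aaf270 76fa66ea kernel32!Sleep+0xf
05aaf268 04ed780c 04750000 75829a26 007c0000 Scxpx86!GetFactory+0x2a7ce
05aaf340 6bf4da7e 6bf40000 6b7a287b 6bf40000 IPSBHO+0x36c4
05aaf3b8 76f79f1b 6b7a2891 6bf40000 00000000 ntdll!LdrpCallInitRoutine+0x14
05aaf468 76f7ba96 6bf40000 05aaf48c 7c7db429 ntdll!LdrpUnloadDll+0x3d8
"""
# Hypothetical watch lists chosen for this example, not taken from any tool.
BLOCKING = {"Sleep", "SleepEx", "ZwDelayExecution", "WaitForSingleObject"}
SYSTEM = {"ntdll", "kernel32"}

def loader_lock_owner(cs_text):
    """Thread id owning a LOCKED ntdll!LdrpLoaderLock, or None."""
    for block in re.split(r"-{5,}", cs_text):
        if "LdrpLoaderLock" in block and "LOCKED" in block:
            m = re.search(r"OwningThread\s*=\s*0x([0-9a-fA-F]+)", block)
            if m:
                return int(m.group(1), 16)
    return None

def parse_threads(kb_text):
    """Map thread id -> symbol column of each kb frame, innermost first."""
    threads, cur = {}, None
    for line in kb_text.splitlines():
        hdr = re.match(r"^[.# ]*\d+\s+Id: [0-9a-f]+\.([0-9a-f]+)\s", line)
        frame = re.match(r"^(?:[0-9a-f]{8} ){5}(.+)$", line)
        if hdr:
            cur = threads.setdefault(int(hdr.group(1), 16), [])
        elif frame and cur is not None:
            cur.append(frame.group(1).strip())
    return threads

def diagnose(cs_text, kb_text):
    """Report a blocking call made inside a DLL entry point by the loader-lock owner."""
    owner = loader_lock_owner(cs_text)
    frames = parse_threads(kb_text).get(owner, [])
    init = next((i for i, f in enumerate(frames) if "LdrpCallInitRoutine" in f), None)
    if init is None:
        return None
    inner = frames[:init]  # frames above LdrpCallInitRoutine run with the loader lock held
    call = next((f for f in inner if f.split("!")[-1].split("+")[0] in BLOCKING), None)
    mods = [re.split(r"[!+]", f)[0] for f in inner]
    caller = next((m for m in mods if m not in SYSTEM), None)
    return {"owner_tid": owner, "blocking_call": call, "caller_module": caller}
```

Frames resolved from export symbols only, as WinDbg warns in the output above, may be misattributed, so treat `caller_module` as a lead to confirm against the dump.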
