Sysfader: Iexplore.exe application error (0xc0000417) occurred in the application at location 0x003da4d1

Posted on 2010-01-03
Last Modified: 2013-12-08
I'm having real trouble finding a solution to this problem. I've scanned the web for any solution available without any luck.

I can reproduce this error at any time by navigating IE to Sun's Java Test/Verification page at when logged on as a user without admin privileges on a Windows 2003 R2 Terminal Server. If I add the user to Domain Admins and log in again with it, everything works okay.

I've tried every other solution available, been searching for several days without getting rid of this.

Attached underneath is a HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 23:18:01, on 03.01.2010
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Documents and Settings\goj\WINDOWS\System32\smss.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-66663234-2941838256-1045617787-1162\..\Run: []  (User 'klabri')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\goj\windows\system32\mswsock.dll' missing
O15 - ESC Trusted Zone:
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} -
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\Software\..\Telephony: DomainName =
O17 - HKLM\System\CCS\Services\Tcpip\..\{BED5D480-6C21-400F-98EC-36FD99EB06C1}: NameServer =
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9654EBB-028E-4780-8B76-6A6639E91E81}: NameServer =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain =
O20 - AppInit_DLLs: pngdi32.dll pndmapi.dll pndmterm.dll pnfwhook.dll pntzapi.dll pndmredirc.dll pnviphk.dll pnuphk.dll PNFMMRHook.dll
O20 - Winlogon Notify: PNFMMR - pnfmmrwnp.dll (file missing)
O20 - Winlogon Notify: PNMIC - PNMICWNP.dll (file missing)
O20 - Winlogon Notify: pnmp - pnmpnp.dll (file missing)
O20 - Winlogon Notify: PNTS - pntshook.dll (file missing)
O20 - Winlogon Notify: PNUP - pnupwnp.dll (file missing)
O20 - Winlogon Notify: PNUSBWNP - PNUSBWNP.dll (file missing)
O20 - Winlogon Notify: PNVIPWNP - PNVIPWNP.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: IBM Automatic Server Restart Service for IPMI (ibmiasrw) - IBM Corporation - C:\WINDOWS\system32\IBMIASRW.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Quest Data Collector (pndcsvc) - Quest Software - C:\WINDOWS\system32\pndcsvc.exe
O23 - Service: Quest Database Manager (pndmsvc) - Quest Software - C:\WINDOWS\system32\pndmsvc.exe
O23 - Service: Quest Max-IT VM Analysis Service (pnmaxitsvc) - Quest Software - C:\WINDOWS\system32\pnMaxItSvc.exe
O23 - Service: Quest Multimedia Redirection Service (pnmmrsvc) - Quest Software - C:\WINDOWS\system32\PNMMRSVC.exe
O23 - Service: Quest MetaProfiles Agent (pnmpts) - Quest Software - C:\WINDOWS\system32\pnmpts.exe
O23 - Service: Quest Registry Service (pnregsvc) - Quest Software - C:\WINDOWS\system32\pnregsvc.exe
O23 - Service: Quest Time Zones (pntzsvc) - Quest Software - C:\WINDOWS\system32\pntzsvc.exe
O23 - Service: Quest Universal Printer (pnupsvc) - Quest Software - C:\WINDOWS\system32\pnupsvc.exe
O23 - Service: Quest Terminal Services Helper Service - Quest Software - C:\WINDOWS\system32\pntermhlp.exe


As far as I can see, there are no viruses or spyware/malware on the server. I think this happened after the last Windows update, but I am unsure which update caused it.

I've tried downgrading to IE6 and IE7 without any help. I've scanned the computer for malware/spyware, I've disabled all transition effects both on computer level and IE level. Current Java version is 1.6_17, I tried downgrading to 1.6_15 without any improvement as well.

Any help and/or solution would be appreciated.


Geir-Otto Jakobsen
Question by:beester

    Expert Comment

    by:Jason Watkins
    Hello, this sounds like a rights issue? Why would you think it is a potential browser hijack? Can regular TS users load the JVM in IE? What version of IE is in play?

    Author Comment

    Sounds like a rights issue, yes, but what rights? NTFS security on all Java directories is set to full access for domain users.

    The regular users have been running java applets on that server for a year now without any problems at all. Right now it's IE8, but I've also tried downgrading to IE6 and IE7.

    Expert Comment

    by:Jason Watkins
    There is more to it than just the Java install directories. Regular users do not have the rights to some of the registry keys you have listed in the report above. Add the web-site to the Trusted Sites zone in IE, and see if that works out better.

    Author Comment

    I've added * and * in trusted sites, and reset permissions for trusted sites to the lowest possible, still no luck. Which registry keys are you thinking about?

    Author Comment

    No one else has any tips here?

    At the moment I have to give the users local administrative rights on the terminal server to work around this problem, and it's really not an option in the long term...

    Accepted Solution

    No solutions offered here.
