beester asked:

Sysfader: Iexplore.exe application error (0xc0000417) occurred in the application at location 0x003da4d1

I'm having real trouble finding a solution to this problem. I've scanned the web for any solution available without any luck.

I can reproduce this error at any time by navigating IE to Sun's Java Test/Verification page at http://www.java.com/en/download/help/testvm.xml when logged on as a user without admin privileges on a Windows 2003 R2 Terminal Server. If I add the user to Domain Admins and relogin with it, everything works okay.

I've tried every other solution available, been searching for several days without getting rid of this.

Attached underneath is a HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 23:18:01, on 03.01.2010
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Documents and Settings\goj\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\IBMIASRW.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\pndcsvc.exe
C:\WINDOWS\system32\pndmsvc.exe
C:\WINDOWS\system32\pnMaxItSvc.exe
C:\WINDOWS\system32\PNMMRSVC.exe
C:\WINDOWS\system32\pnmpts.exe
C:\WINDOWS\system32\pnregsvc.exe
C:\WINDOWS\system32\pntzsvc.exe
C:\WINDOWS\system32\pnupsvc.exe
C:\WINDOWS\system32\pntermhlp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ibm.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 212.4.55.250:3128
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-66663234-2941838256-1045617787-1162\..\Run: []  (User 'klabri')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\goj\windows\system32\mswsock.dll' missing
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231577456375
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231577510468
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://business.fokus.no/html/activex/e-Safekey/FOK/e-Safekey.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = asp.it.no
O17 - HKLM\Software\..\Telephony: DomainName = asp.it.no
O17 - HKLM\System\CCS\Services\Tcpip\..\{BED5D480-6C21-400F-98EC-36FD99EB06C1}: NameServer = 212.4.55.54
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9654EBB-028E-4780-8B76-6A6639E91E81}: NameServer = 212.4.55.54
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = asp.it.no
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = asp.it.no
O20 - AppInit_DLLs: pngdi32.dll pndmapi.dll pndmterm.dll pnfwhook.dll pntzapi.dll pndmredirc.dll pnviphk.dll pnuphk.dll PNFMMRHook.dll
O20 - Winlogon Notify: PNFMMR - pnfmmrwnp.dll (file missing)
O20 - Winlogon Notify: PNMIC - PNMICWNP.dll (file missing)
O20 - Winlogon Notify: pnmp - pnmpnp.dll (file missing)
O20 - Winlogon Notify: PNTS - pntshook.dll (file missing)
O20 - Winlogon Notify: PNUP - pnupwnp.dll (file missing)
O20 - Winlogon Notify: PNUSBWNP - PNUSBWNP.dll (file missing)
O20 - Winlogon Notify: PNVIPWNP - PNVIPWNP.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: IBM Automatic Server Restart Service for IPMI (ibmiasrw) - IBM Corporation - C:\WINDOWS\system32\IBMIASRW.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Quest Data Collector (pndcsvc) - Quest Software - C:\WINDOWS\system32\pndcsvc.exe
O23 - Service: Quest Database Manager (pndmsvc) - Quest Software - C:\WINDOWS\system32\pndmsvc.exe
O23 - Service: Quest Max-IT VM Analysis Service (pnmaxitsvc) - Quest Software - C:\WINDOWS\system32\pnMaxItSvc.exe
O23 - Service: Quest Multimedia Redirection Service (pnmmrsvc) - Quest Software - C:\WINDOWS\system32\PNMMRSVC.exe
O23 - Service: Quest MetaProfiles Agent (pnmpts) - Quest Software - C:\WINDOWS\system32\pnmpts.exe
O23 - Service: Quest Registry Service (pnregsvc) - Quest Software - C:\WINDOWS\system32\pnregsvc.exe
O23 - Service: Quest Time Zones (pntzsvc) - Quest Software - C:\WINDOWS\system32\pntzsvc.exe
O23 - Service: Quest Universal Printer (pnupsvc) - Quest Software - C:\WINDOWS\system32\pnupsvc.exe
O23 - Service: Quest Terminal Services Helper Service - Quest Software - C:\WINDOWS\system32\pntermhlp.exe


----

As far as I can see, there are neither any viruses nor spyware/malware on the server. I think this happened after the last Windows update, but I am unsure which update caused it.

I've tried downgrading to IE6 and IE7 without any help. I've scanned the computer for malware/spyware, I've disabled all transition effects both on computer level and IE level. Current Java version is 1.6_17, I tried downgrading to 1.6_15 without any improvement as well.

Any help and/or solution would be appreciated.

BR

Geir-Otto Jakobsen
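
Added example, not part of the original post and not HijackThis code: a small Python reader for the log format posted above. It groups the entries worth checking by hand when a problem only affects non-admin users: machine-wide HKLM locations, files reported missing, the O10 LSP entry, and the AppInit_DLLs list. The function names and grouping are assumptions for illustration; the sample lines are copied from the log, with the AppInit_DLLs list shortened.

```python
import re

# Constructed sample: lines taken from the HijackThis log in the post above
# (the AppInit_DLLs list is shortened here).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\goj\windows\system32\mswsock.dll' missing
O20 - AppInit_DLLs: pngdi32.dll pndmapi.dll pndmterm.dll
O20 - Winlogon Notify: PNTS - pntshook.dll (file missing)
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # e.g. "O20 - <detail>"

def parse(log_text):
    """Return (code, detail) tuples for each HijackThis entry line."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def triage(entries):
    """Group entries for manual review; nothing here is a verdict."""
    out = {"hklm": [], "missing_file": [], "broken_lsp": [], "appinit_dlls": []}
    for code, detail in entries:
        if detail.upper().startswith("HKLM\\"):
            out["hklm"].append(detail)          # machine-wide registry location
        if detail.endswith("(file missing)"):
            out["missing_file"].append(detail)  # registered file not found on disk
        if code == "O10":
            out["broken_lsp"].append(detail)    # Winsock LSP provider problem
        if code == "O20" and detail.startswith("AppInit_DLLs:"):
            out["appinit_dlls"] = detail.split(":", 1)[1].split()
    return out

if __name__ == "__main__":
    for group, items in triage(parse(SAMPLE_LOG)).items():
        print(f"{group}: {len(items)}")
        for item in items:
            print("   ", item)
```
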
Jason Watkins:

Hello, this sounds like a rights issue? Why would you think it is a potential browser hijack? Can regular TS users load the JVM in IE? What version of IE is in play?

beester (ASKER):

Sounds like a rights issue, yes, but what rights? NTFS security on all Java directories is set to full access for domain users.

The regular users have been running java applets on that server for a year now without any problems at all. Right now it's IE8, but I've also tried downgrading to IE6 and IE7.

There is more to it than just the Java install directories. Regular users do not have the rights to some of the registry keys you have listed in the report above. Add the web-site to the Trusted Sites zone in IE, and see if that works out better.

beester (ASKER):

I've added *.sun.com and *.java.com in trusted sites, and reset permissions for trusted sites to the lowest possible, still no luck. Which registry keys are you thinking about?

beester (ASKER):

No one else has any tips here?

At the moment I have to give the users local administrative rights on the terminal server to work around this problem, and it's really not an option in the long term...

ASKER CERTIFIED SOLUTION (beester)
This solution is only available to members.