TechSpot

Internet Explorer Error that won't go away! "Sorry for the Inconvenience" INFECTED?

By sactotechie
Sep 10, 2005
  1. Windows XP Home SP2

    The error message does not come up in safe mode at all. I checked the application log in event viewer here:
    Event Type: Error
    Event Source: Application Error
    Event Category: None
    Event ID: 1000
    Date: 9/10/2005
    Time: 8:19:33 AM
    User: N/A
    Computer: RODNEY-N6HFA64E
    Description:
    Faulting application tsditpki.exe, version 0.0.0.0, faulting module , version 0.0.0.0, fault address 0x00000000.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 41 70 70 6c 69 63 61 74 Applicat
    0008: 69 6f 6e 20 46 61 69 6c ion Fail
    0010: 75 72 65 20 20 74 73 64 ure tsd
    0018: 69 74 70 6b 69 2e 65 78 itpki.ex
    0020: 65 20 30 2e 30 2e 30 2e e 0.0.0.
    0028: 30 20 69 6e 20 20 30 2e 0 in 0.
    0030: 30 2e 30 2e 30 20 61 74 0.0.0 at
    0038: 20 6f 66 66 73 65 74 20 offset
    0040: 30 30 30 30 30 30 30 30 00000000
    0048: 0d 0a ..

    I've never seen this file "tsditpki.exe" before, but I did find it in the C:\Program Files\Medreal folder?? WTH is Medreal? I couldn't delete it. So I booted to a boot CD and deleted the folder and rebooted the PC.. BLUE SCREEN and it doesn't reference any files. I was able to boot to safe mode. So I restored the Medreal folder and was able to boot into Windows again with that IE error.
    I found something simply named "command" in Add/Remove Programs and uninstalled it.....it took me to an adserv website and downloaded an uninstaller program. After the uninstall....I didn't see the error!!!!....but it came back about 15 minutes later. So I'm back to square 1. Here are a few logs:

    Find-QooLogic

    Find Qoologic last edited 8/30/2005
    PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
    some examples are MRT.EXE NTDLL.DLL.
    »»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    If this string search find's both and an exe and dat it's bad.
    »»»»»»»»»»»»»»»»»»»»»»»» Packed files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    * UPX! C:\WINDOWS\TSC.EXE
    * UPX! C:\WINDOWS\VSAPI32.DLL
    * aspack C:\WINDOWS\System32\MRT.EXE
    * aspack C:\WINDOWS\System32\NTDLL.DLL
    * aspack C:\WINDOWS\VSAPI32.DLL
    »»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


    »»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

    (fstarts by IMM - test ver. 0.001) NOT using address check -- 0x7c90df5e

    Global Startup:
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    .
    ..
    desktop.ini

    User Startup:
    C:\Documents and Settings\RODNEY WHITFIELD\Start Menu\Programs\Startup
    .
    ..
    desktop.ini

    »»»»» Search by size and name...
    »»»»» Files found by this method are not necessarily bad...
    »»»»» Example PNGFILT.DLL ctl3d32.dll are windows files...

    Trackqoo

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
    "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
    "AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"

    -----------------
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


    Subkey --- AVG7 Shell Extension
    {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}
    C:\Program Files\Grisoft\AVG Free\avgse.dll

    Subkey --- ewido
    {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}
    C:\Program Files\ewido\security suite\context.dll

    Subkey --- Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03}
    C:\WINDOWS\System32\cscui.dll

    Subkey --- Open With
    {09799AFB-AD67-11d1-ABCD-00C04FC30936}
    C:\WINDOWS\system32\SHELL32.dll

    Subkey --- Open With EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46}
    C:\WINDOWS\system32\SHELL32.dll

    Subkey --- Yahoo! Mail
    {5464D816-CF16-4784-B9F3-75C0DB52B499}
    C:\PROGRA~1\Yahoo!\Common\ymmapi20040613.dll

    Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    Start Menu Pin
    C:\WINDOWS\system32\SHELL32.dll

    =====================

    HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


    Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    C:\WINDOWS\system32\SHELL32.dll

    Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
    C:\WINDOWS\system32\SHELL32.dll

    Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
    C:\WINDOWS\system32\SHELL32.dll

    Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
    C:\WINDOWS\system32\SHELL32.dll

    ==============================
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup

    desktop.ini
    ==============================
    C:\Documents and Settings\RODNEY WHITFIELD\Start Menu\Programs\Startup

    desktop.ini
    desktop.ini
    ==============================
    C:\WINDOWS\system32 cpl files


    access.cpl Microsoft Corporation
    appwiz.cpl Microsoft Corporation
    bthprops.cpl Microsoft Corporation
    desk.cpl Microsoft Corporation
    FINDFAST.CPL Microsoft Corporation
    firewall.cpl Microsoft Corporation
    hdwwiz.cpl Microsoft Corporation
    inetcpl.cpl Microsoft Corporation
    intl.cpl Microsoft Corporation
    irprops.cpl Microsoft Corporation
    joy.cpl Microsoft Corporation
    jpicpl32.cpl Sun Microsystems, Inc.
    main.cpl Microsoft Corporation
    MLCFG32.CPL Microsoft Corporation
    mmsys.cpl Microsoft Corporation
    ncpa.cpl Microsoft Corporation
    netsetup.cpl Microsoft Corporation
    nusrmgr.cpl Microsoft Corporation
    odbccp32.cpl Microsoft Corporation
    powercfg.cpl Microsoft Corporation
    prefscpl.cpl RealNetworks, Inc.
    QuickTime.cpl Apple Computer, Inc.
    sysdm.cpl Microsoft Corporation
    telephon.cpl Microsoft Corporation
    timedate.cpl Microsoft Corporation
    wscui.cpl Microsoft Corporation
    wuaucpl.cpl Microsoft Corporation

    Hijackthis

    Logfile of HijackThis v1.99.1
    Scan saved at 12:03:52 PM, on 9/10/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\Administrator\Desktop\spyware_adware\hijackthis\HijackThis.exe

    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

    Any help would be appreciated.
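An added triage check, not from the thread or from HijackThis, that turns the O4 and O23 lines of the log above into an inventory of autorun and service executables and tests whether the binary named in the Event ID 1000 record (tsditpki.exe) is among them; a miss means the HijackThis output alone does not show how that binary gets launched. The log lines and event text are the ones posted above; the regexes assume the HijackThis v1.99.1 line layout shown there.

```python
import re
# Added example (not from the thread or from HijackThis): inventory the executables a
# HijackThis log accounts for and check whether the binary named in an Event ID 1000
# record is among them.  The log lines and event text below are copied from the thread.
HJT_LOG = r"""
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
"""
EVENT_1000 = ("Faulting application tsditpki.exe, version 0.0.0.0, "
              "faulting module , version 0.0.0.0, fault address 0x00000000.")

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<company>.+?) - (?P<path>.+)$")
FAULT_RE = re.compile(r"Faulting application (?P<app>\S+?),")

def exe_from_command(cmd):
    """Strip quoting and arguments from an O4 command line, keeping only the .exe path."""
    m = re.match(r'"?(?P<exe>[^"]*?\.exe)', cmd.strip(), re.IGNORECASE)
    return m["exe"] if m else cmd.strip()

def parse_hjt(log):
    """Group O4 (Run-key autoruns) and O23 (services) entries by HijackThis section."""
    entries = {"O4": [], "O23": []}
    for line in log.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            entries["O4"].append({"name": m["name"], "exe": exe_from_command(m["cmd"])})
        elif m := O23_RE.match(line):
            entries["O23"].append({"name": m["name"], "exe": m["path"].strip()})
    return entries

def known_binaries(entries):
    """Lower-cased file names of every autorun and service executable in the log."""
    return {e["exe"].rsplit("\\", 1)[-1].lower() for k in ("O4", "O23") for e in entries[k]}

def faulting_app(description):
    """Pull the crashing file name out of an Event ID 1000 description."""
    m = FAULT_RE.search(description)
    if not m:
        raise ValueError("not an Application Error (Event ID 1000) description")
    return m["app"].lower()

def crash_accounted_for(description, log):
    """False means no listed autorun or service launches the crashing binary, so the
    HijackThis output alone does not explain where it comes from."""
    return faulting_app(description) in known_binaries(parse_hjt(log))
```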
     
  2. Tedster

    Tedster Techspot old timer..... Posts: 6,000   +15

    run an anti-virus with current updates.
    run an anti-trojan horse like Spybot and Ad-Aware

    report what happened.
     
  3. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

  4. sactotechie

    sactotechie TS Rookie Topic Starter

    I've run AVG, Ad-Aware, Microsoft Antispyware, and Ewido. And all are clean. I'll run spybot and spysweeper and report back...thanks!
     