Windows XP HOme SP2
The error message does not come up in safe mode at all. I checked the application log in event viewer here:
Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 9/10/2005
Time: 8:19:33 AM
User: N/A
Computer: RODNEY-N6HFA64E
Description:
Faulting application tsditpki.exe, version 0.0.0.0, faulting module , version 0.0.0.0, fault address 0x00000000.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 74 73 64 ure tsd
0018: 69 74 70 6b 69 2e 65 78 itpki.ex
0020: 65 20 30 2e 30 2e 30 2e e 0.0.0.
0028: 30 20 69 6e 20 20 30 2e 0 in 0.
0030: 30 2e 30 2e 30 20 61 74 0.0.0 at
0038: 20 6f 66 66 73 65 74 20 offset
0040: 30 30 30 30 30 30 30 30 00000000
0048: 0d 0a ..
I've never seen this file before"tsditpki.exe" but I did find it in the C:\Program Files\Medreal Folder?? WTH is medreal? I couldn't delete it. So I booted to a boot cd and deleted the folder and rebooted the PC..BLUE SCREEN and doesnt reference any files. I was able to boot to safe mode. So I restored the medreal folder and was able to boot into windows again with that IE error.
I found something simply named command in the add/remove programs and uninstalled it.....it took me to an adserv website and downloaded an uninstaller program. AFter the uninstall....I didn't see the error!!!!....but it came back about 15 minutes later. So i'm back to square 1. Here are a few logs:
Find-QooLogic
Find Qoologic last edited 8/30/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
If this string search find's both and an exe and dat it's bad.
»»»»»»»»»»»»»»»»»»»»»»»» Packed files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* UPX! C:\WINDOWS\TSC.EXE
* UPX! C:\WINDOWS\VSAPI32.DLL
* aspack C:\WINDOWS\System32\MRT.EXE
* aspack C:\WINDOWS\System32\NTDLL.DLL
* aspack C:\WINDOWS\VSAPI32.DLL
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»
(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x7c90df5e
Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
desktop.ini
User Startup:
C:\Documents and Settings\RODNEY WHITFIELD\Start Menu\Programs\Startup
.
..
desktop.ini
»»»»» Search by size and name...
»»»»» Files found by this method are not necessarily bad...
»»»»» Example PNGFILT.DLL ctl3d32.dll are windows files...
Trackqoo
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
Subkey --- AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}
C:\Program Files\Grisoft\AVG Free\avgse.dll
Subkey --- ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}
C:\Program Files\ewido\security suite\context.dll
Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll
Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll
Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll
Subkey --- Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499}
C:\PROGRA~1\Yahoo!\Common\ymmapi20040613.dll
Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll
=====================
HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers
Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll
Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll
Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll
Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll
==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
desktop.ini
==============================
C:\Documents and Settings\RODNEY WHITFIELD\Start Menu\Programs\Startup
desktop.ini
desktop.ini
==============================
C:\WINDOWS\system32 cpl files
access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
bthprops.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
FINDFAST.CPL Microsoft Corporation
firewall.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
jpicpl32.cpl Sun Microsystems, Inc.
main.cpl Microsoft Corporation
MLCFG32.CPL Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
netsetup.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
prefscpl.cpl RealNetworks, Inc.
QuickTime.cpl Apple Computer, Inc.
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
wscui.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation
Hijackthis
Logfile of HijackThis v1.99.1
Scan saved at 12:03:52 PM, on 9/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and
Settings\Administrator\Desktop\spyware_adware\hijackthis\HijackThis.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft
AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -
http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage
Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program
Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program
Files\ewido\security suite\ewidoguard.exe
Any help would be appreciated.
The error message does not come up in safe mode at all. I checked the application log in event viewer here:
Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 9/10/2005
Time: 8:19:33 AM
User: N/A
Computer: RODNEY-N6HFA64E
Description:
Faulting application tsditpki.exe, version 0.0.0.0, faulting module , version 0.0.0.0, fault address 0x00000000.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 74 73 64 ure tsd
0018: 69 74 70 6b 69 2e 65 78 itpki.ex
0020: 65 20 30 2e 30 2e 30 2e e 0.0.0.
0028: 30 20 69 6e 20 20 30 2e 0 in 0.
0030: 30 2e 30 2e 30 20 61 74 0.0.0 at
0038: 20 6f 66 66 73 65 74 20 offset
0040: 30 30 30 30 30 30 30 30 00000000
0048: 0d 0a ..
I've never seen this file before"tsditpki.exe" but I did find it in the C:\Program Files\Medreal Folder?? WTH is medreal? I couldn't delete it. So I booted to a boot cd and deleted the folder and rebooted the PC..BLUE SCREEN and doesnt reference any files. I was able to boot to safe mode. So I restored the medreal folder and was able to boot into windows again with that IE error.
I found something simply named command in the add/remove programs and uninstalled it.....it took me to an adserv website and downloaded an uninstaller program. AFter the uninstall....I didn't see the error!!!!....but it came back about 15 minutes later. So i'm back to square 1. Here are a few logs:
Find-QooLogic
Find Qoologic last edited 8/30/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
If this string search find's both and an exe and dat it's bad.
»»»»»»»»»»»»»»»»»»»»»»»» Packed files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* UPX! C:\WINDOWS\TSC.EXE
* UPX! C:\WINDOWS\VSAPI32.DLL
* aspack C:\WINDOWS\System32\MRT.EXE
* aspack C:\WINDOWS\System32\NTDLL.DLL
* aspack C:\WINDOWS\VSAPI32.DLL
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»
(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x7c90df5e
Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
desktop.ini
User Startup:
C:\Documents and Settings\RODNEY WHITFIELD\Start Menu\Programs\Startup
.
..
desktop.ini
»»»»» Search by size and name...
»»»»» Files found by this method are not necessarily bad...
»»»»» Example PNGFILT.DLL ctl3d32.dll are windows files...
Trackqoo
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
Subkey --- AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}
C:\Program Files\Grisoft\AVG Free\avgse.dll
Subkey --- ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}
C:\Program Files\ewido\security suite\context.dll
Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll
Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll
Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll
Subkey --- Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499}
C:\PROGRA~1\Yahoo!\Common\ymmapi20040613.dll
Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll
=====================
HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers
Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll
Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll
Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll
Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll
==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
desktop.ini
==============================
C:\Documents and Settings\RODNEY WHITFIELD\Start Menu\Programs\Startup
desktop.ini
desktop.ini
==============================
C:\WINDOWS\system32 cpl files
access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
bthprops.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
FINDFAST.CPL Microsoft Corporation
firewall.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
jpicpl32.cpl Sun Microsystems, Inc.
main.cpl Microsoft Corporation
MLCFG32.CPL Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
netsetup.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
prefscpl.cpl RealNetworks, Inc.
QuickTime.cpl Apple Computer, Inc.
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
wscui.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation
Hijackthis
Logfile of HijackThis v1.99.1
Scan saved at 12:03:52 PM, on 9/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and
Settings\Administrator\Desktop\spyware_adware\hijackthis\HijackThis.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft
AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -
http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage
Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program
Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program
Files\ewido\security suite\ewidoguard.exe
Any help would be appreciated.
