mssync.sys PAGE_FAULT_IN_NONPAGED_AREA

[pt49]

Quote:

Originally Posted by Vikesrock8411

Can you download files with IE now?

Sorry, no I can't ... the download window flashes up and dissapears instantly. However as you can see I was able to save the Panda scan log.

[Vikesrock8411]

It sounds like some restricitons have been placed in the Registry, let's see what else this reveals...

Download combofix.exe-Save it to your Desktop, we will need this later.

Double click combofix.exe & follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

[pt49]

Here's the latest ComboFix log:

Start Time= Wed 08/09/2006 13:14:11.64
Running from: C:\Documents and Settings\Russell\Desktop

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-08 17:13:32 86496 ( A.... ) "C:\Documents and Settings\Russell\Application Data\GDIPFONTCACHEV1.DAT"
2006-08-05 14:36:38 528446 ( A.... ) "C:\WINDOWS\gmer.dll"
2006-07-26 13:51:24 ( .D... ) "C:\Program Files\Sales Letter Creator"
2006-07-23 13:20:22 0 ( A..H. ) "C:\Documents and Settings\Russell\Application Data\L84577898.5v1"
2006-07-23 13:18:08 ( .D... ) "C:\Program Files\FileMaker"
2006-07-23 10:37:02 ( .D... ) "C:\Program Files\!Cool Programs"
2006-07-22 15:38:22 ( .D... ) "C:\Program Files\myownarticles rewriter"
2006-07-20 19:35:04 ( .D... ) "C:\Program Files\UseNeXT"
2006-07-20 15:11:10 ( .D... ) "C:\Program Files\TechSmith"
2006-07-12 03:12:18 ( .D... ) "C:\Program Files\Domain Suggestion Tool"
2006-06-15 17:18:40 ( .D... ) "C:\Program Files\Cody Moya's .doc to .txt converter"
2006-06-15 03:12:00 45056 ( A.... ) "C:\WINDOWS\system32\CSvidcap.dll"
2006-06-14 22:26:06 ( .D... ) "C:\Program Files\The Keyword Bible Pro"
2006-06-14 21:13:42 102400 ( A.... ) "C:\WINDOWS\system32\tsccvid.dll"
2006-06-12 01:17:26 ( .D... ) "C:\Program Files\KA Sitebuilder"
2006-06-10 22:28:16 442 ( A.... ) "C:\Program Files\Shortcut to IVS.lnk"
2006-06-10 21:51:30 ( .D... ) "C:\Program Files\IVS"
2006-06-10 01:45:54 ( .D... ) "C:\Program Files\Web Audio Plus"
2006-06-09 16:15:46 5161 ( A.... ) "C:\Documents and Settings\Russell\Application Data\GdiplusUpgrade_MSIApproach_Wrapper.log"
2006-06-06 20:49:18 745531 ( A.... ) "C:\WINDOWS\gmer.exe"
2006-01-19 15:18:06 1135579 ( A.... ) "C:\Program Files\DocToTxtSetup.exe"
2005-11-19 22:12:46 1309840 ( A.... ) "C:\Program Files\a2freesetup.exe"
2005-11-19 21:30:44 777142 ( A.... ) "C:\Program Files\aaupd2012.exe"
2005-11-18 21:35:10 2693614 ( A.... ) "C:\Program Files\orwell.exe"
2005-11-15 00:39:48 13244 ( A.... ) "C:\Program Files\rssg2.zip"
2005-11-13 21:19:16 1014477 ( A.... ) "C:\Program Files\wrar351.exe"
2004-01-15 01:34:18 259539966 ( A.... ) "C:\Program Files\Microsoft Office XP Publisher 2003.zip"
2001-04-04 17:11:30 1499904 ( A...R ) "C:\Program Files\INSTMSIW.EXE"
2001-04-04 17:11:28 1489152 ( A...R ) "C:\Program Files\INSTMSI.EXE"
2001-04-04 17:11:28 184 ( A..HR ) "C:\Program Files\AUTORUN.INF"
2001-04-02 19:50:14 29 ( A...R ) "C:\Program Files\cd-key.txt"
2001-03-01 23:38:12 3485184 ( A...R ) "C:\Program Files\PROPLUS.MSI"
2001-03-01 23:35:58 306688 ( A...R ) "C:\Program Files\OWC10.MSI"
2001-03-01 14:35:26 224771818 ( A..HR ) "C:\Program Files\OFFICE1.CAB"
2001-02-28 12:14:46 476576 ( A...R ) "C:\Program Files\SETUP.EXE"
2001-02-21 12:18:24 7929 ( A...R ) "C:\Program Files\README.HTM"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-08-07 20:08 73,728 C:\WINDOWS\system32\asuninst.exe
2006-08-07 20:08 11,776 C:\WINDOWS\system32\ZPORT4AS.dll
2006-08-07 00:04 1,073,270,784 C:\hiberfil.sys
2006-08-05 14:36 745,531 C:\WINDOWS\gmer.exe
2006-08-05 14:36 528,446 C:\WINDOWS\gmer.dll
2006-07-20 15:11 45,056 C:\WINDOWS\system32\CSvidcap.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"SMSERIAL"="sm56hlpr.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"Prolific_PLUtil"="C:\\Program Files\\Prolific\\USB Flash Disk Utility\\PLBkMon.exe"
"PLFFAP"="C:\\WINDOWS\\system32\\HotfixQ0306270.exe"
"Picasa Media Detector"="C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"
"Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"OpwareSE2"="\"C:\\Program Files\\ScanSoft\\OmniPageSE2.0\\OpwareSE2.exe\""
"LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe "
"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"StatusClient 2.6"="C:\\Program Files\\Hewlett-Packard\\Toolbox\\StatusClient\\StatusClient.exe /auto"
"TomcatStartup 2.5"="C:\\Program Files\\Hewlett-Packard\\Toolbox\\hpbpsttp.exe"
"HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe"
"UltraMon"="\"C:\\Program Files\\UltraMon\\UltraMon.exe\" /auto"
"PCSuiteTrayApplication"="C:\\PROGRA~1\\Nokia\\NOKIAP~1\\LAUNCH~1.EXE -startup"
"PCPitstop Optimize Registration Reminder"="C:\\Program Files\\PCPitstop\\Optimize\\Reminder.exe"
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"SoundMan"="SOUNDMAN.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"NBJ"="\"C:\\Program Files\\Ahead\\Nero BackItUp\\NBJ.exe\""
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"Update Service"="\"C:\\Program Files\\Common Files\\Teknum Systems\\update.exe\" /startup"
"LDM"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\BackWeb-8876480.exe"
"LogitechSoftwareUpdate"="\"C:\\Program Files\\Logitech\\Video\\ManifestEngine.exe\" boot"
"Uniblue Registry Booster"="C:\\Program Files\\Uniblue\\Registry Booster\\RegistryBooster.exe /S"
"PcSync"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"googletalk"="\"C:\\Program Files\\Google\\Google Talk\\googletalk.exe\" /autostart"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,80,02,00,00,00,00,00,00,80,02,00,00,de,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,0d,02,00,00,00,00,00,00,f3,02,00,00,de,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,0d,02,00,00,00,00,00,00,f3,02,00,00,de,03,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""




Contents of the 'Scheduled Tasks' folder

Completion time: Wed 08/09/2006 13:14:29.03
ComboFix ver 06.07.15/28 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-08-05.211253.txt
ComboFix.2006-08-06.200215.txt
ComboFix.2006-08-06.201622.txt
ComboFix.2006-08-06.202939.txt
ComboFix.2006-08-09.131411.txt

[Vikesrock8411]

Download the file I have attatched to this post, pt49.zip and unzip it to your desktop. Double click on pt49.bat to run it. It should produce 2 .reg files in at C:\ named machinepolicies.reg and userpolicies.reg. I need you to zip up these two files and post them here using the "Manage Attatchments" button

[pt49]

When I try to run pt49.bat it gives a black screen, then I see the dos mode screen for 1 second then it disappears.

I tried different compatability modes to no avail.

I tried it in the "Run" box and get
"Windows cannot find 'pt49.bat'. Make sure you typed the file path correctly and try again.

[Vikesrock8411]

Where the 2 files not created at C:\ ?

[pt49]

No trace of the files on the computer.

I then installed pt49.bat on the desktop of this computer and ran it and after running it, I searched for both files to no avail.

[Vikesrock8411]

Okay we'll do it manually then.

Click Start>Run and type Regedit. Navigate to each of the following entries and right click on them. Select Export and save the file somewhere you will be able to locate it later.

Hkey_Local_Machine\Software\Policies\Microsoft\Internet Explorer\Restrictions

Hkey_Current_User\Software\Policies\Microsoft\Internet Explorer\Restrictions

Zip up the two Reg files and attatch them using Manage Attatchments

[pt49]

OK, the problem is I can't find those files. Maybe I have deleted them out of the system at some stage. Reinstall Windows?

Attached two screen shots of the Hkey Directories paths.
[ATTACH]HKey Current User Software Policies.zip[/ATTACH]

[Vikesrock8411]

No need ofr anything so drastic yet. I don't have those keys either They are just the most common source of the problem you mentioned.

Because your remaining issues are IE related and not malware related and we are quickly leaving my realm of expertise you will need to post in the IE forum if you need further assistance.

Your log appears to be clean. If you still have any problems let me know and we will work on diagnosing those through other means. If not, there are just a few more things to go through to finish this off and help prevent future infections. Please post one more time even if you have no problems so we can mark this thread as resolved.

Setting a new Restore Point
Go to Start >> Run - type control sysdm.cpl,,4 & press Enter.

• Tick the checkbox - Turn off System Restore on all drives
• Click Apply
• Turn it back 'On' by unticking the same checkbox & click OK

Windows Update
Make sure to get the latest updates for Windows and Internet Explorer at Microsoft Update Site.

Prevention
A good virus scanner is a necessity in today's computer environment. Many virus scanners include active components that protect you from infection without even running a scan. Some good free antivirus programs include:
AVG Free
Avast! Home Edition (Antivirus & Firewall)
AntiVir

A firewall is the first line of defense standing between the internet and your computer. Some good free firewalls are:
Zone Alarm
Outpost
Tiny Personal Firewall
Sunbelt Kerio Personal Firewall

Adaware SE and Spybot SD are a pair of anti-spyware scanners that should be run every week or two. Although there is some overlap there are many pieces of malware that is caught by one of these and not the other, therefore it is recommended you use both to compliment each other. Spybot also contains two other useful pieces. The first is "Immunize", this helps protect your computer against known exploits. The second is "TeaTimer", with this feature enabled you will receive notifications of all changes to the registry such as programs adding themselves to start-up and you default search page being changed.

Spyware Blaster is a powerful tool that prevents "drive-by" downloads and other unwanted installations. It also uses no system resources, run it once and you're all set. Spyware Guard Is a realtime protection engine to guard your computer from spyware. This program does for spyware what an antivirus program does for viruses.

IE-Spyad is a program that only needs to be run once to protect you from many malicious sites. It adds domains of known adware companies into the Restricted List of Internet Explorer, preventing them from performing malicious actions on your PC.

The MVPS HOSTS file is a file you can download and use to replace your regular hosts file. It prevents many sites from performing malicious actions by blocking the sites from ever being accessed.

Together these programs form a powerful barrier between the Internet and your computer. However, all the programs stand alone and feel free to eliminate any you are not comfortable with. Any protection you add to your PC is better than no protection at all.

Alternative Programs
Here are some alternatives that are either less suceptible than others to malware or don't contain malware where similar programs do.

Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

Desktop Weather - Free taskbar weather program that is free, malware free, and resource light.

Firefox - This is an increasingly popular alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

[pt49]

As AVG was running yesterday I got a warning that I had PSW.Agent.~ something in 3 or 4 files... sys files I think. I'm running AVG again now to find if they are still there and get the exact name.

I had this virus warning early in the week if you remember. They were in C:\System Volume Information\... and I cannot not get access to that folder.

I'll post when AVG finishes

[Vikesrock8411]

Following the instructions under "Setting a New Restore Point" in my previous post should remove those entries. They are System Restore's copies of files we have already dealt with.

[pt49]

Thanks for all the help in restoring my system. You guys are doing an amazing job here.