Hi,
Quote:
I had a slight problem running SDFix in safe mode. Something completely disabled the mouse (I kept going using the keyboard) & there were approximately 50-75 (!!) identical pop-ups during that scan that read "SDFix SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers. Virtual Device Driver format in the registry is invalid. Choose 'Close' to terminate the application." I opted for 'close' thinking I would reboot and try again, but it kept running the scan.
I don't think it's malware related. The following link has some information on the error message you were getting.
http://support.microsoft.com/kb/q254914/
=============================
Quote:
And... I am seeing some improvement. :) Our system is becoming much more stable...
That's good.
Quote:
The affected accounts still have blue desktops but the actual yellow banner warning of infection is gone. The display settings on the accounts are still missing some tabs (desktop & screen saver).
We'll fix that.
=============================
Did you set your home page to this yourself? It's alright if you did. I just want to make sure:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://drudgereport.com/
=============================
The infected items reported by Kaspersky are in the Thunderbird mail client and in Genevieve's "My Documents", Thunderbird and misc folders, probably backups. Please delete them.
C:\Documents and Settings\GENEVIEVE\Application Data\Thunderbird\Profiles\itu78xa7.default\Mail\Local Folders\auctions259
C:\Documents and Settings\GENEVIEVE\Application Data\Thunderbird\Profiles\itu78xa7.default\Mail\Local Folders\Inbox28
C:\Documents and Settings\GENEVIEVE\Application Data\Thunderbird\Profiles\itu78xa7.default\Mail\Local Folders\Inbox428
C:\Documents and Settings\GENEVIEVE\Application Data\Thunderbird\Profiles\itu78xa7.default\Mail\Local Folders\Inbox62
C:\Documents and Settings\GENEVIEVE\Application Data\Thunderbird\Profiles\itu78xa7.default\Mail\Local Folders\mine391
C:\Documents and Settings\GENEVIEVE\My Documents\Thunderbird\Profiles\default.3ve\Mail\pop-server.san.rr-1.com\Inbox.sbd\mine
C:\Documents and Settings\GENEVIEVE\My Documents\Thunderbird\Profiles\default.3ve\Mail\pop-server.san.rr.com\Inbox.sbd\auctions
C:\Documents and Settings\GENEVIEVE\My Documents\Thunderbird\Profiles\default.3ve\Mail\pop-server.san.rr.com\Inbox.sbd
C:\Documents and Settings\GENEVIEVE\My Documents\misc\pop-server.san.rr-1.com\Inbox
C:\Documents and Settings\GENEVIEVE\My Documents\misc\Thunderbird 1.5 en-US - 2006-01-13.pcv
============================
- Open Notepad (Start > All Programs > Accessories > Notepad)
- Copy the entire contents of the Quote Box below to Notepad.
- Name the file CFScript.txt
- Change the Save as type to All Files
- Save it on the desktop
(It must be Notepad, not WordPad, or it won't work):
Code:
KILLALL::
Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=-
"NoDispScrSavPage"=-
Rootkit::
C:\DOCUME~1\GENEVI~1\LOCALS~1\Temp\DMSKSSRh.sys
Driver::
DMSKSSRh
Save this as CFScript.txt
Referring to the picture above, drag CFScript.txt into ComboFix.exe
When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
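The CFScript above addresses three things: two policy values that hide the Desktop and Screen Saver tabs in Display Properties (the `"Name"=-` entries use the .reg deletion syntax, so they delete those values), a driver file in the user's Temp folder, and that driver's service registration. The PowerShell below is an added example for checking the same three items afterwards; it is not part of this thread and not ComboFix's code. It only reports what it finds, and deletes nothing except the two policy values, and those only when run with `-Fix`. It assumes it is run from the affected account (so `$env:TEMP` is the same Temp folder as in the CFScript path) and takes the driver name and policy value names from the script above.

```powershell
# Added audit script: verifies the items the CFScript targets and reports them.
# Assumption: run as the affected user; names below are taken from the CFScript.
param([switch]$Fix)

$policyKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$policyVals = 'NoDispBackgroundPage', 'NoDispScrSavPage'   # hide Desktop / Screen Saver tabs
$driverName = 'DMSKSSRh'                                     # driver named in the Driver:: section
$driverFile = Join-Path $env:TEMP 'DMSKSSRh.sys'             # file named in the Rootkit:: section

$findings = @()

# 1. Policy values that remove tabs from Display Properties
if (Test-Path $policyKey) {
    $props = Get-ItemProperty -Path $policyKey
    foreach ($v in $policyVals) {
        if ($null -ne $props.$v) {
            $findings += "Policy value present: $policyKey\$v = $($props.$v)"
            if ($Fix) {
                Remove-ItemProperty -Path $policyKey -Name $v
                $findings += "  removed $v"
            }
        }
    }
}

# 2. Driver service registration (what the Driver:: section removes)
$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$driverName"
if (Test-Path $svcKey) {
    $img = (Get-ItemProperty -Path $svcKey).ImagePath
    $findings += "Driver service registered: $svcKey (ImagePath: $img)"
}

# 3. Driver file in the current user's Temp folder
if (Test-Path -LiteralPath $driverFile) {
    $fi = Get-Item -LiteralPath $driverFile -Force
    $findings += "Driver file present: $($fi.FullName) ($($fi.Length) bytes, modified $($fi.LastWriteTime))"
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Run it once before and once after the ComboFix pass: the first run should list the two policy values (and, if still present, the service key and file), the second should print "No findings." If the Display Properties tabs are still missing after the policy values are gone, the restriction is coming from somewhere other than these two values and the ComboFix log is the place to look next.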