
Single-clicking _sometimes_ produces double-click in IE8

Dan

"Mammoth" <Mammoth@discussions.microsoft.com> wrote in message
news:DF2A53CA-5B4C-468B-A91D-F7502A0330AE@microsoft.com...
> Well, so far so good: further anti-virus testing raised a rootkit
> warning - "spcm.sys". Though, the problem is that I'm unable to find it
> (using search), I'm unable to trace its startup (can't find it in the
> registry), and the virus checker which found it died as soon as I
> ordered it to delete this file...
>
> Now the question is: how do I find it?


If you feel up to it, I would recommend you look into ComboFix - it's a
collection of really intensive tools that can get rid of rootkit infections
that many other applications cannot. I've used it twice in the past couple
of months to clean friends' PCs and have removed infections that
Malwarebytes, HijackThis, and AVAST couldn't even see. I did find another
tool that claimed to remove them, but as these were also embedded in the boot
sector the PC was reinfected at reboot. One of the tools in ComboFix will
prevent a boot sector infection from reloading - it can't remove it entirely
due to the risk of wrecking the boot sector, but it can overwrite part of
the execution code to render it useless.

It also creates a set of undo files so it's reasonably idiot-proof, but it
does take some time to run, and if you stop it during execution there is a
risk you could make a mess of Windows - make sure you have System Restore
enabled so ComboFix can create a restore point when it first runs.

--
Dan
 
Mammoth

"Dan" wrote:

> If you feel up to it, I would recommend you look into ComboFix - it's a
> collection of really intensive tools that can get rid of rootkit infections
> that many other applications cannot.


Thanks! Problem solved. The rootkit was named sptd.sys (691696 bytes long)
and it was hiding in %systemroot%/system32/drivers (invisible while
resident). At each startup it created a copy of itself with names like
spcm.sys, sppt.sys, etc., and launched it, making it intercept 7 kernel
interrupts. Now I've archived it and am probably going to send it to Eset
(NOD32 developer). The thing I'd really want to know is: what does this
rootkit do, and which passwords do I have to change now...
 
Mammoth

"PA Bear [MS MVP]" wrote:

> Back-up any personal data (none of which should be considered 100%
> trustworthy at this point) then format the HDD & do a clean install of
> Windows.


There is no need to tell anyone that a clean install is a panacea - I think
everyone knows it already. Though, it is like curing dandruff by
decapitation. Reinstalling, like nuclear bombing, shouldn't be used until
everything else has proven ineffective.
 
Dan

"Mammoth" <Mammoth@discussions.microsoft.com> wrote in message
news:B0B9E2FB-0C39-4A1E-BF8B-B30F24B354B8@microsoft.com...
> Thanks! Problem solved. The rootkit was named sptd.sys (691696 bytes long)
> and it was hiding in %systemroot%/system32/drivers (invisible while
> resident). At each startup it created a copy of itself with names like
> spcm.sys, sppt.sys, etc., and launched it, making it intercept 7 kernel
> interrupts. Now I've archived it and am probably going to send it to Eset
> (NOD32 developer). The thing I'd really want to know is: what does this
> rootkit do, and which passwords do I have to change now...


That looks like the same name as the ones I cleaned recently - they were
proxying the HTTP connections and popping up faked banking and credit card
authentication pages asking for far more details than they should have been.
I'd suggest checking your card statements regularly, and changing your online
banking password just in case.

Rootkits can hide themselves (both in the process list and in file listings)
from Windows using some devious API calls, which is why you couldn't spot it
before.

--
Dan
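
Mammoth's driver in %systemroot%\system32\drivers that was invisible while resident, and Dan's point that rootkits hide from process and file listings by interfering with the Windows API, share one detectable symptom: the registry still records which kernel drivers load at boot, so a registered driver whose image the file API cannot show, or that carries no valid signature, is a discrepancy worth investigating. The PowerShell check below is added here and is not from any poster or from ComboFix; it assumes an elevated prompt and treats service Type values 1 and 2 as drivers.

```powershell
# Added example, not from the thread or from ComboFix: cross-check the kernel
# drivers registered under HKLM\SYSTEM\CurrentControlSet\Services against what
# the file system and Authenticode report for their image files. Read-only;
# run from an elevated PowerShell prompt.

$systemRoot = $env:SystemRoot
$services   = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue

$findings = foreach ($svc in $services) {
    $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
    # Service Type 1 = kernel driver, 2 = file system driver; skip user-mode services
    if ($props.Type -ne 1 -and $props.Type -ne 2) { continue }
    if (-not $props.ImagePath) { continue }

    # ImagePath comes in several spellings; normalise to a plain Win32 path
    $path = $props.ImagePath -replace '^\\\?\?\\', ''                 # \??\C:\...
    $path = $path -replace '^\\SystemRoot\\', "$systemRoot\"           # \SystemRoot\...
    $path = $path -replace '^System32\\', "$systemRoot\System32\"      # System32\drivers\x.sys
    if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $systemRoot $path }

    # A driver the registry loads at boot but the file API cannot see is the
    # symptom a file-hiding rootkit produces (and what the thread describes)
    $visible = Test-Path -LiteralPath $path
    $status  = if ($visible) { [string](Get-AuthenticodeSignature -FilePath $path).Status }
               else          { 'NotFound' }

    New-Object PSObject -Property @{
        Service   = $svc.PSChildName
        Start     = $props.Start          # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
        ImagePath = $path
        Visible   = $visible
        Signature = $status
    }
}

# Hidden or unsigned images are the ones to look at; everything signed and visible is filtered out
$findings |
    Where-Object { -not $_.Visible -or $_.Signature -ne 'Valid' } |
    Sort-Object Visible, Signature, Service |
    Format-Table Service, Start, Visible, Signature, ImagePath -AutoSize
```

The results come from the same operating-system API a resident rootkit can tamper with, so an empty list is not proof of a clean machine; catalog-signed drivers on older Windows versions may report NotSigned and need manual review rather than removal.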
 
PA Bear [MS MVP]

Mammoth wrote:
>
> There is no need to tell anyone that a clean install is a panacea - I think
> everyone knows it already. Though, it is like curing dandruff by
> decapitation. Reinstalling, like nuclear bombing, shouldn't be used until
> everything else has proven ineffective.


Do some research on rootkit infections.
 
Jo-Anne

"Dan" <news@worldofspack.com> wrote in message
news:-ONrRoweELHA.1996@TK2MSFTNGP06.phx.gbl...
> If you feel up to it, I would recommend you look into ComboFix - it's a
> collection of really intensive tools that can get rid of rootkit
> infections that many other applications cannot. I've used it twice in the
> past couple of months to clean friends' PCs and have removed infections
> that Malwarebytes, HijackThis, and AVAST couldn't even see. I did find
> another tool that claimed to remove them, but as these were also embedded
> in the boot sector the PC was reinfected at reboot. One of the tools in
> ComboFix will prevent a boot sector infection from reloading - it can't
> remove it entirely due to the risk of wrecking the boot sector, but it can
> overwrite part of the execution code to render it useless.
>
> It also creates a set of undo files so it's reasonably idiot-proof, but it
> does take some time to run, and if you stop it during execution there is a
> risk you could make a mess of Windows - make sure you have System Restore
> enabled so ComboFix can create a restore point when it first runs.
>
> --
> Dan


I gather from the Bleeping Computer website that you always want to run the
latest version of ComboFix. If you download the program and install it, does
it allow you to update it from the program? Or is it best to download it
when you need it?

Thank you!

Jo-Anne
 
Jeff Strickland

"Jo-Anne" <Jo-Anne@nowhere.com> wrote in message
news:hvqq33$ehn$1@news.eternal-september.org...
>
> I gather from the Bleeping Computer website that you always want to run
> the latest version of ComboFix. If you download the program and install
> it, does it allow you to update it from the program? Or is it best to
> download it when you need it?
>
> Thank you!
>
> Jo-Anne
>


It _should_ go out and check for updates all by itself. If it can't get its
own updates, you probably don't want it.
 
Jo-Anne

"Jeff Strickland" <crwlrjeff@yahoo.com> wrote in message
news:hvr8sn$ud6$1@news.eternal-september.org...
> It _should_ go out and check for updates all by itself. If it can't get
> its own updates, you probably don't want it.
>
>


Thank you, Jeff!

Jo-Anne
 
Dan

"Jeff Strickland" <crwlrjeff@yahoo.com> wrote in message
news:hvr8sn$ud6$1@news.eternal-september.org...
> It _should_ go out and check for updates all by itself. If it can't get
> its own updates, you probably don't want it.
>


Jeff, please stop posting incorrect answers about things you haven't
actually tried.

ComboFix does not try to update itself. Just check Bleeping Computer for a
new version from time to time, or, when you need to use it, use another
computer to get the latest version.

Why do you think every piece of software should have automatic updates? Why
do you think software should share files with other applications by
unrelated developers?

--
Dan
 
Jo-Anne

"Dan" <news@worldofspack.com> wrote in message
news:uuoz7WrELHA.588@TK2MSFTNGP06.phx.gbl...
<snip>
> Jeff, please stop posting incorrect answers about things you haven't
> actually tried.
>
> ComboFix does not try to update itself. Just check Bleeping Computer for a
> new version from time to time, or, when you need to use it, use another
> computer to get the latest version.
>
> Why do you think every piece of software should have automatic updates?
> Why do you think software should share files with other applications by
> unrelated developers?
>
> --
> Dan


Thank you, Dan! Does "use another computer to get the latest version" mean I
can download an installation program to another computer or to a flash drive
and then copy it to the desktop of the computer that needs it and install it
there?

Thank you again!

Jo-Anne
 
Dan

"Jo-Anne" <Jo-Anne@nowhere.com> wrote in message
news:hvtckh$ru7$1@news.eternal-september.org...
> Thank you, Dan! Does "use another computer to get the latest version" mean
> I can download an installation program to another computer or to a flash
> drive and then copy it to the desktop of the computer that needs it and
> install it there?
>
> Thank you again!
>
> Jo-Anne
>


Yes. The ComboFix.exe is entirely self-contained. It's designed to be run
only on a compromised machine - and the first thing you should always do
with a compromised machine is to disconnect it from any network and isolate
it.

There are plenty of malicious apps going around that hide themselves and
download a multitude of other add-ons - the ones I cleaned recently do just
this: you spend ages cleaning up with HijackThis, Malwarebytes, and other
tools; they report it clean; you reboot and the infection starts again and
connects out to the internet and pulls down even more malicious components.
You think you have a new infection as the symptoms are different, but it's
still the same root problem. Keeping the machine disconnected while cleaning
helps minimise the risk of massive reinfection during any reboots that are
required.

--
Dan
 
Jo-Anne

"Dan" <news@worldofspack.com> wrote in message
news:ulpOkc3ELHA.5700@TK2MSFTNGP04.phx.gbl...
> Yes. The ComboFix.exe is entirely self-contained. It's designed to be run
> only on a compromised machine - and the first thing you should always do
> with a compromised machine is to disconnect it from any network and
> isolate it.
>
> There are plenty of malicious apps going around that hide themselves and
> download a multitude of other add-ons - the ones I cleaned recently do
> just this: you spend ages cleaning up with HijackThis, Malwarebytes, and
> other tools; they report it clean; you reboot and the infection starts
> again and connects out to the internet and pulls down even more malicious
> components. You think you have a new infection as the symptoms are
> different, but it's still the same root problem. Keeping the machine
> disconnected while cleaning helps minimise the risk of massive reinfection
> during any reboots that are required.
>
> --
> Dan



Thank you, Dan! What I think I'll do is download the installation program to
each of my computers and to a flash drive, so I can run it when needed. A
few more questions:

* I have three computers, with the modem and wireless router connected to a
desktop computer. My laptop computer is able to access the internet and the
printer--but I think that's all. My netbook can access only the internet
(with a password). Should I assume that the laptop and desktop computers are
part of a network but the netbook isn't?

* When you say to disconnect from the network, I'm guessing that I would
have to unplug the modem and router while running the program--right? Is
there anything else I'd need to do to keep the two possibly networked
computers from infecting each other?

Thank you again! My apologies for being such a pest!

Jo-Anne
 
Dan

"Jo-Anne" <Jo-Anne@nowhere.com> wrote in message
news:i00bi9$vhe$1@news.eternal-september.org...
> Thank you, Dan! What I think I'll do is download the installation program
> to each of my computers and to a flash drive, so I can run it when needed.
> A few more questions:
>
> * I have three computers, with the modem and wireless router connected to
> a desktop computer. My laptop computer is able to access the internet and
> the printer--but I think that's all. My netbook can access only the
> internet (with a password). Should I assume that the laptop and desktop
> computers are part of a network but the netbook isn't?
>


They are all part of the network if they are connected to anything via a
network device (network card, wireless, Bluetooth, etc.). Just because the
netbook can only access the internet, it doesn't mean it ceases to be part of
your local network as well.

> * When you say to disconnect from the network, I'm guessing that I would
> have to unplug the modem and router while running the program--right? Is
> there anything else I'd need to do to keep the two possibly networked
> computers from infecting each other?


You could just disconnect the infected PC from your router (or disable its
Wi-Fi if using wireless), but if you suspect you have an infection it's safer
to disconnect all of them (both from the internet and from each other!) and
scan them all. Have you got firewalls running on each of them to help
mitigate the risk of cross-infection?

> Thank you again! My apologies for being such a pest!
>
> Jo-Anne


You're not being a pest, you're asking very sensible questions :)

--
Dan
 
Jo-Anne

"Dan" <news@worldofspack.com> wrote in message
news:-OChj$XFFLHA.588@TK2MSFTNGP06.phx.gbl...
> They are all part of the network if they are connected to anything via a
> network device (network card, wireless, Bluetooth, etc.). Just because the
> netbook can only access the internet, it doesn't mean it ceases to be part
> of your local network as well.
>
>> * When you say to disconnect from the network, I'm guessing that I would
>> have to unplug the modem and router while running the program--right? Is
>> there anything else I'd need to do to keep the two possibly networked
>> computers from infecting each other?

>
> You could just disconnect the infected PC from your router (or disable its
> Wi-Fi if using wireless), but if you suspect you have an infection it's
> safer to disconnect all of them (both from the internet and from each
> other!) and scan them all. Have you got firewalls running on each of them
> to help mitigate the risk of cross-infection?
>
>> Thank you again! My apologies for being such a pest!
>>
>> Jo-Anne

>
> You're not being a pest, you're asking very sensible questions :)
>
> --
> Dan


Thank you! I run the Windows firewall on all three computers, but I have a
bunch of exceptions, including Internet Explorer and File and Printer
Sharing. If I do get a rootkit infection, should I uncheck all the
exceptions?

So far (fingers crossed) my only bad infection came a few years ago while I
was running Norton Anti-Virus and hadn't done Windows Updates for a while. I
now use Avira AntiVir, always do the Microsoft Updates, and regularly check
Secunia PSI for security updates for other programs (such as Adobe Flash).
The only thing out of date right now is that on two of the computers I still
use IE7.

Thank you again!

Jo-Anne
 