Single-clicking _sometimes_ produces double-click in IE8

Discussion in 'Internet Explorer' started by Mammoth, Jun 17, 2010.

  1. Dan Guest

    If you feel up to it, I would recommend you look into ComboFix - it's a
    collection of really intensive tools that can get rid of rootkit infections
    that many other applications cannot. I've used it twice in the past couple
    of months to clean friends' PCs and have removed infections that
    Malwarebytes, HijackThis, and AVAST couldn't even see. I did find another
    tool that claimed to remove them, but as these were also embedded in the boot
    sector the PC was reinfected at reboot. One of the tools in ComboFix will
    prevent a boot sector infection from reloading - it can't remove it entirely
    due to the risk of wrecking the boot sector, but it can overwrite part of
    the execution code to render it useless.

    It also creates a set of undo files so it's reasonably idiot proof, but it
    does take some time to run and if you stop it during execution there is a
    risk you could make a mess of Windows - make sure you have system restore
    enabled so ComboFix can create a restore point when it first runs.
     
    Dan, Jun 22, 2010
    #41

  2. Mammoth Guest

    Thanks! Problem solved. The rootkit was named sptd.sys (691696 bytes long)
    and it was hiding in %systemroot%/system32/drivers (invisible while
    resident). At each startup it created a copy of itself with names like
    spcm.sys, sppt.sys etc., and launched it, making it intercept 7 kernel
    interrupts. Now I've archived it and I'm probably going to send it to Eset
    (NOD32 developer). The thing I'd really want to know is: what does this
    rootkit do/which passwords do I have to change now...
     
    Mammoth, Jun 22, 2010
    #42

  3. Mammoth Guest

    There is no need to tell anyone that a clean install is a panacea - I think
    everyone knows it already. Though, it is like curing dandruff by
    decapitation. Reinstalling, like nuclear bombing, shouldn't be used until
    everything else has proven ineffective.
     
    Mammoth, Jun 22, 2010
    #43
  4. Dan Guest

    That looks like the same name as the ones I cleaned recently - they were
    proxying the HTTP connections and popping up faked banking and credit card
    authentication pages asking for far more details than they should have.
    I'd suggest checking your card statements regularly, and changing your
    online banking password just in case.

    Rootkits can hide themselves (both in the processes list and file listings)
    from Windows using some devious API calls which is why you couldn't spot it
    before.
     
    Dan, Jun 22, 2010
    #44
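
A defender-side check for what posts #42 and #44 describe, a driver invisible while resident and rootkits filtering file listings: the classic cross-view comparison of a live directory listing against one taken offline (boot CD or a second OS), plus a name/size triage using the values quoted in the thread. This is an added example, not code from any poster; the two listings are constructed sample data and the file sizes other than 691696 are made up.

```python
import fnmatch
from typing import Dict, List

# Constructed sample listings of %systemroot%\system32\drivers (name -> size in
# bytes); not real data. LIVE is what dir/Explorer shows while the rootkit is
# resident, OFFLINE is what a scan from a boot CD or a second OS sees.
LIVE_LISTING: Dict[str, int] = {
    "ntfs.sys": 574976,
    "tcpip.sys": 361600,
    "spcm.sys": 691696,
}
OFFLINE_LISTING: Dict[str, int] = {
    "ntfs.sys": 574976,
    "tcpip.sys": 361600,
    "sptd.sys": 691696,   # resident driver, hidden from the live view
    "spcm.sys": 691696,   # per-boot copy the thread describes
}

SUSPECT_SIZE = 691696             # size reported in post #42
SUSPECT_PATTERNS = ("sp??.sys",)  # sptd.sys, spcm.sys, sppt.sys, ...


def cross_view_hidden(live: Dict[str, int], offline: Dict[str, int]) -> List[str]:
    """Names present offline but absent from the live listing.

    A file the disk holds but the running system does not show is being hidden
    by something resident; this is the strongest signal of the three."""
    return sorted(name for name in offline if name not in live)


def name_or_size_candidates(listing: Dict[str, int]) -> List[str]:
    """Names matching the thread's naming pattern or exact file size.

    Triage heuristic only: legitimate drivers can share a prefix or a size, so
    each hit needs a hash / publisher-signature check before anything is removed."""
    hits = []
    for name, size in sorted(listing.items()):
        by_name = any(fnmatch.fnmatch(name.lower(), p) for p in SUSPECT_PATTERNS)
        if by_name or size == SUSPECT_SIZE:
            hits.append(name)
    return hits


def triage(live: Dict[str, int], offline: Dict[str, int]) -> Dict[str, List[str]]:
    """Combine both views: 'hidden' files to investigate first, 'candidates'
    (from the offline view, since the live one may be filtered) to verify."""
    return {
        "hidden": cross_view_hidden(live, offline),
        "candidates": name_or_size_candidates(offline),
    }
```

On a real machine the two dicts would be filled from a listing taken while Windows runs and one taken from offline media; a name in `hidden` that also appears in `candidates` is the case the thread describes.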
  5. Do some research on rootkit infections.
     
    PA Bear [MS MVP], Jun 22, 2010
    #45
  6. Jo-Anne Guest

    I gather from the Bleeping Computer website that you always want to run the
    latest version of ComboFix. If you download the program and install it, does
    it allow you to update it from the program? Or is it best to download it
    when you need it?

    Thank you!

    Jo-Anne
     
    Jo-Anne, Jun 22, 2010
    #46
  7. It _should_ go out and check for updates all by itself. If it can't get its
    own updates, you probably don't want it.
     
    Jeff Strickland, Jun 22, 2010
    #47
  8. Jo-Anne Guest

    Thank you, Jeff!

    Jo-Anne
     
    Jo-Anne, Jun 23, 2010
    #48
  9. Dan Guest

    Jeff, please stop posting incorrect answers about things you haven't
    actually tried.

    ComboFix does not try to update itself. Just check Bleeping Computer for a
    new version from time to time, or when you need to use it use another
    computer to get the latest version.

    Why do you think every piece of software should have automatic updates? Why
    do you think software should share files with other applications by
    unrelated developers?
     
    Dan, Jun 23, 2010
    #49
  10. Jo-Anne Guest

    Thank you, Dan! Does "use another computer to get the latest version" mean I
    can download an installation program to another computer or to a flash drive
    and then copy it to the desktop of the computer that needs it and install it
    there?

    Thank you again!

    Jo-Anne
     
    Jo-Anne, Jun 23, 2010
    #50
  11. Dan Guest

    Yes. The ComboFix.exe is entirely self-contained. It's designed to be run
    only on a compromised machine - and the first thing you should always do
    with a compromised machine is to disconnect it from any network and isolate
    it.

    There are plenty of malicious apps going around that hide themselves and
    download a multitude of other add-ons - the ones I cleaned recently do just
    this. You spend ages cleaning up with HijackThis, Malwarebytes, and other
    tools, they report it clean, you reboot and the infection starts again and
    it connects out to the internet and pulls down even more malicious
    components. You think you have a new infection as the symptoms are different,
    but it's still the same root problem. Keeping the machine disconnected while
    cleaning helps minimise the risk of massive reinfection during any reboots
    that are required.
     
    Dan, Jun 24, 2010
    #51
  12. Jo-Anne Guest

    Thank you, Dan! What I think I'll do is download the installation program to
    each of my computers and to a flash drive, so I can run it when needed. A
    few more questions:

    * I have three computers, with the modem and wireless router connected to a
    desktop computer. My laptop computer is able to access the internet and the
    printer--but I think that's all. My netbook can access only the internet
    (with a password). Should I assume that the laptop and desktop computers are
    part of a network but the netbook isn't?

    * When you say to disconnect from the network, I'm guessing that I would
    have to unplug the modem and router while running the program--right? Is
    there anything else I'd need to do to keep the two possibly networked
    computers from infecting each other?

    Thank you again! My apologies for being such a pest!

    Jo-Anne
     
    Jo-Anne, Jun 24, 2010
    #52
  13. Dan Guest

    They are all part of the network if they are connected to anything via a
    network device (network card, wireless, bluetooth, etc.). Just because the
    netbook can only access the internet it doesn't mean it ceases to be part of
    your local network as well.

    You could just disconnect the infected PC from your router (or disable its
    WiFi if it is using wireless), but if you suspect you have an infection it's
    safer to disconnect all of them (both from the internet and each other!) and
    scan them all. Have you got firewalls running on each of them to help
    mitigate the risk of cross infection?

    You're not being a pest, you're asking very sensible questions :)
     
    Dan, Jun 25, 2010
    #53
  14. Jo-Anne Guest

    Thank you! I run the Windows firewall on all three computers, but I have a
    bunch of exceptions, including Internet Explorer and File and Printer
    Sharing. If I do get a rootkit infection, should I uncheck all the
    exceptions?

    So far (fingers crossed) my only bad infection came a few years ago while I
    was running Norton Anti-Virus and hadn't done Windows Updates for a while. I
    now use Avira AntiVir, always do the Microsoft Updates, and regularly check
    Secunia PSI for security updates for other programs (such as Adobe Flash).
    The only thing out of date right now is that on two of the computers I still
    use IE7.

    Thank you again!

    Jo-Anne
     
    Jo-Anne, Jun 25, 2010
    #54
