See Quads' post ...was hoping Quads would chime in....
OK before we connect...two items trouble me
"C:\Program Files\Java\jre6\bin\java.exe is preparing to access the internet" is detected. Java Platform SE 6 U13 6.0.130.3 -- Java Plug In 1.6.0_13 for Netscape Navigator (DLL Helper)
Are you running any other real time protection software ...Like Windows Defender
Re Cookies it may look different in 3.5.5 ...been some time ...one more try and then we'll forget cookies
FF > Tools > Options > Privacy Tab > Accept third party cookies ~ untick
Open Windows Defender > Tools > Software Explorer > Startup Programs > Show for all Users ~ You should find an orange Java Platform listing > highlight it so Java shows rt side of screen > then click Disable....all this will do is Disable Java at Startup which is not needed. If Java is required it will still open. Feel funny about "Java\jre6\bin\java.exe is preparing to access the internet" is detected. Have no idea what app you may have that is asking for Java to access the Internet or why Java needs to access the Internet.
FF > Addons > Extensions and Plugins > anything Java Disable....fully reversible if required. Although 6 U 13 is not safe to run. Old and has known security holes. Have no idea why you have Java Plug In 1.6.0_13 for Netscape Navigator (DLL Helper)
Do what you can ....connect to Internet ...watch for smoke...Run Norton Live Update and Full Scan and if still no smoke...open FF and download MBAM and update and run Full Scan
bjm_ fingers crossed.
You're in good hands now ~ thanks for being so patient ....
Did you see Quads' post? I'm wondering if I should try to remove the Antivirus suite the way it is shown in his attachment first before connecting to the internet. I think the screen shots that they showed are the same as the one I saw yesterday.
Or, did Norton detect and remove it? I guess I'm confused--is the infection the three Trojans or is it the rogue AntiVirus suite--or are they the same thing?
Wait to hear from you or Quads before I do anything,
Yes I saw Quads' post and link ....I've been hanging on hoping Quads would see all my posts and look in.
Quads is the be all and end all when it comes to Malware
Go with Quads ..read and print out and follow all that link offers...we may have danced around the issue...now the professional will take over.... I hope !
The "Trojans" and the Rogue files "[random]tssd.exe" look like one and the same. Norton may have detected file(s) as that, but the rest needs to be reset and removed, from any leftover files, registry entries and the internet connection reset.
Exactly as the instructions in order stated, including the Safe Mode with Networking, 21 steps
Thanks so much Quads--i'll print out the instructions and follow them. One question--if I use safe mode with networking I need to reconnect the cable to the DSL, correct? (That's how we had it before the attack--this PC is not wirelessly connected.)
Yes, as the instructions reset the proxy setting and then while in safe mode with networking you can download the other programs the instructions state.
Just take it slowly step by step with what is being said to do, and download etc.
All I could see was an infected box with outdated / vulnerable / unpatched apps. She was offered Safe Mode w SysRestore and was ready to go down that rabbit hole as long as someone would tell her how. I got in thinking....OP knows less than me... I'll try to dissuade OP away from SysRestore (for obvious reasons) and then I was in for a pinch and before I knew it I was in for a pound. I have a list of Malware Removal sites ready to offer....but, the hole I was digging just kept getting deeper and deeper. I just kept thinking... If only Quads would chime in...I could stop digging.
I got in thinking....OP knows less than me... I'll try to dissuade OP away from SysRestore (for obvious reasons)
bjm_
Would you care to elaborate on those obvious reasons? Specifically what dire consequences would have resulted if the OP had tried System Restore? The worst that would have happened is that the restore operation would have failed because the malware had corrupted the restore points or blocked access to System Restore.
I think what we can learn from Quads' post is that the most important beginning procedure is to identify the problem before changing anything. Rather than discussing the viability of any particular action, the fact is that any action at all should be based on some understanding of the infection itself.
From a lay person's perspective, when something like this hits your computer, you are thankful for any help whatsoever--it feels like a treat to not be sitting on some 800 number for hours waiting for help. I think each of you have been a fantastic help--I'm the dope who messed up my machine, so anyone that helps me out is a hero in my book.
And, for the record, I don't mind the process of taking some time trying various options to find an answer--I'm here to learn, too.
That said--it's late once again here and I've got kids to get to bed. I will run Quads' AntiVirus Suite removal link first thing in the morning--I'm fairly tired and this looks like a pretty detailed procedure--want to get it right.
Thanks for figuring all this out (including the hopelessly non-updated state of my computer). I never could have done this on my own. I hope that Quads and the rest of you fine folks will be around in the morn--
I agree, next time I'll try to persuade OP to run SysRestore (for obvious reasons) that the worst that would have happened is that the restore operation would have failed because the malware had corrupted the restore points or blocked access to System Restore.
I'll ignore the fact that the most important beginning procedure is to identify the problem before changing anything.
I'll ignore the fact that any action at all should be based on some understanding of the infection itself.
In the instructions it says to log in to safe mode with networking and log in with the username you normally use. We normally use the "online and email" limited account--and this is the one that I was on when the infection occurred. It is not an administrative account--should I log on to that account or to the administrative account?
I took the guide at its word and tried the limited online account. Reset the proxy settings and downloaded rkill.com. The DOS screen opens and it starts, but then I get this message:
Windows cannot open this file: pev.rkexe
and asks if I want to find associations on the computer or the web for the file. I tried running rkill while the warning was up many, many times but it just kept coming back. (I did close the warnings after a while.) I then tried downloading iExplore.exe (a renamed rkill) and it did the same thing with the same warning.
I can't get anywhere. Any ideas? Perhaps I should login under the Administrator's account.
The thing is Quads is in like a whole nother time zone across the other side of the globe...so, we're waiting for Quads.
We've learned ...when Quads takes on a project ...out of respect and gratitude for Quads...it's understood step aside and wait for Quads... too many cooks spoil the stew
Surprisingly, I managed to get into the Admin account in Normal mode, download Hijackthis and run it. I did get this message: "System denied write access to the Hosts file." It suggested that I right click on the icon and run as administrator--this did not come up as an option so it wasn't done.
This was not run from the infected account--this was run from Normal mode in the Admin account (which looks like normal--the desktop of the infected account, Online and Email, is all messed up.) I can try running it from the infected account in normal mode, if you want. (I'm not sure if that will work.)
The reason to run it in the infected account is that if the rogue has used the O4 HKCU entry it means that the registry entries for HKCU are only for that user account and only to start up when logging into that account.
If Not Normal Mode, Safe Mode with Networking with infected account
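To illustrate the point above about per-user autostart entries (an added example, not code from this thread, from HijackThis or from Quads' guide): HijackThis's O4 section lists autostart entries from the Run/RunOnce registry keys and Startup folders, and an HKCU entry lives only in the hive of the account that was logged on, so a scan from the Admin account will not show an entry a rogue planted in the "Online and Email" account's hive. This PowerShell snippet enumerates Run/RunOnce entries from HKLM and from every user hive currently loaded under HKEY_USERS and attributes each to its account; it assumes an elevated PowerShell and that the suspect account has been logged on at least once this session so its hive is loaded.

```powershell
# Added example (not from the thread): list autostart (HijackThis "O4"-style) Run/RunOnce
# entries per hive, so a per-user HKCU entry is attributed to the account it belongs to.
# Needs an elevated PowerShell. HKEY_USERS only holds hives of accounts that are currently
# logged on (or otherwise loaded), so log the suspect account on first.

New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null

$subKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'   # 32-bit view on 64-bit Windows
)

function Get-RunEntries {
    param([string]$Hive, [string]$Owner)
    foreach ($sub in $subKeys) {
        $path = Join-Path $Hive $sub
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        foreach ($name in $key.GetValueNames()) {
            $cmd = [string]$key.GetValue($name)
            # Best-effort: strip surrounding quotes and arguments to test whether the image still exists.
            $exe = ($cmd -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
            [pscustomobject]@{
                Owner   = $Owner
                Key     = $path
                Name    = $name
                Command = $cmd
                Exists  = ($exe -ne '' -and (Test-Path -LiteralPath $exe))
            }
        }
    }
}

# Machine-wide entries: these start for every account.
$results = @(Get-RunEntries -Hive 'HKLM:' -Owner 'All users (HKLM)')

# Per-user entries: one hive per loaded account; resolve the SID to an account name.
foreach ($sid in (Get-ChildItem HKU: | Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' })) {
    try   { $acct = (New-Object System.Security.Principal.SecurityIdentifier $sid.PSChildName).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $acct = $sid.PSChildName }
    $results += Get-RunEntries -Hive "HKU:\$($sid.PSChildName)" -Owner $acct
}

# Entries whose image is missing, or that point into Temp/AppData with a random-looking name,
# are the ones to compare against what HijackThis showed from the infected account.
$results | Sort-Object Owner, Name | Format-Table Owner, Name, Command, Exists -AutoSize
```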