This thread was archived. Please ask a new question if you need help.

My problem is a hijack of the proxy settings and I cannot remove it even by editing pref.js file. It just keeps restoring the use manual proxy settings.

  • 41 replies
  • 42 have this problem
  • 146 views
  • Last reply by betabeta1

more options

I had the cycbot trojan and have removed it. However, my browser will not connect to the Internet unless I manually select no proxy in the connection settings. Then on restart of Firefox the settings change back to a manual proxy.

Chosen solution

I think what you can do here is to go to about:config and then in the filter at the top, enter each of those entries one at a time, then right click them and choose Reset. This should restore their default values.

So network.proxy.http_port should revert to '0' when you do that instead of its current value of 64586.

Read this answer in context 👍 3

All Replies (20)

more options

Another great tip and one I'd used years and years ago. All but forgotten it in the mists of time and the false sense of security that comes from running an up-to-date antivirus product.

Thanks again.

more options

Another one too: Secunia's free Personal Software Inspector. It runs automatic weekly scans and informs you when you need to take care of something: http://secunia.com/vulnerability_scanning/personal/

more options

Another cool tool.


You appear to have a sound knowledge of what is safe to use and how.

So can I ask: if I was to prep a memory stick with some must-have tools to help myself and others, what would you suggest? When I look generally I find more scams and dangerous downloads than helpful ones.

more options

OK, here you go.

If I think of any more, I'll let you know ;)

more options

Thanks again, :-)

All very useful stuff. Much appreciated.

Do you work with PCs?

more options

Not anymore, but I did at one time. Also I build my own systems these days, so I have to keep up with IT because there's nobody I can call if things go pear-shaped.

more options

Here's a link in return. I used this to great effect on someone else's PC a few days ago.

http://www.surfright.nl/en/hitmanpro

more options

It's not free though. Thanks anyway.

more options

It did allow a full 30 day trial so as an emergency scanner it was ok.

I'm most perplexed this morning. My Firefox has just refused to connect to the Internet again and it's the same proxy refusing connection error. The same settings have returned to the prefs.js file.

I am currently running the Sophos scanner but I have already run Malwarebytes, Windows Defender, Spyhunter, Symantec NIS, Microsoft Security Essentials and Sunbelt Vipre.

I've trawled through What's Running but can't find anything odd.

It's a good job the weather isn't great this bank holiday! :-)

Modified by ttfun

more options

Have you got Firefox configured to clear history on shutdown?

The setting is located via Options | Options | Privacy.

If you've got "Clear History when Firefox closes" checkmarked, click the Settings button and have a look at the submenu. You can disable certain options in there.

more options

It's set to never remember history. I've cleared cookies and old history.

I've even tried overwriting the rogue entry 127.0.0.1 port 64586 in network settings and still no joy. Something is rewriting them back as soon as I close Firefox.

Which leads me to wonder whether it is being re-written on closure or on the re-open.

more options

Ok. Looking at my profile folder which is under appdata,roaming/firefox/profiles/default

I see that the prefs.js file dynamically changes when I set the network options button to no proxy.

After I close Firefox the correct setting is still there.

As soon as I open Firefox the prefs file is updated with the rogue network proxy settings.

Question: Is there a way of overriding a user's pref.js from a central point, say if a network admin had wanted to ensure everyone used the same proxy settings for example? Like a master prefs file which is read on startup?

more options

It's probably a good idea to create a new Profile. See Profiles - Where Firefox stores your bookmarks, passwords and other user data.

You can recover the data from the current one like passwords, bookmarks etc., and move them to the new profile. See Managing Profiles

more options

Ok

I'm going to do that. :-)

I'm also going to copy the current profile to a laptop and see if it exhibits the same behaviour. Pesky thing!

more options

New laptop removed original default profile

Copied entire profile from affected PC

Initial startup of Firefox proxy denied connection

however I can now modify the profile and the settings don't return

Conclusion the profile is sound and something else on the PC is overwriting the prefs.js

more options

http://www.freedrweb.com/download+cureit/?nc=t&lng=en

Here is a free scanner; it has a pretty neat way of scanning in protected mode. And it's free :-)

It didn't find anything after a full scan. I'm presuming I've got some residual Firefox settings left over from the original infection.

more options

There's an add-on you can install which you can use to scan links before you go to a site: https://addons.mozilla.org/en-US/firefox/addon/drweb-anti-virus-link-checker/

It's useful for displaying redirects even if the site is clean.

Try deleting the user.js since it's not there by default. It might be interesting to find out whether it reappears or not without user intervention.

Also, could you install this utility: http://free.antivirus.com/rubotted/ It monitors whether your machine is connecting to a botnet. Sometimes it displays a false positive related to Kraken (see http://www.theregister.co.uk/2010/06/29/kraken_botnet_resurgence/), but that was patched by Microsoft some time ago.

more options

C:\Users\conxxx\AppData\Roaming\Mozilla\Firefox\Profiles\170kzam7.default\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}\defaults\preferences

I have found the critter I believe. In that folder is a single prefs.js file which contains

Localized Description http://kb.mozillazine.org/Localize_extension_descriptions

Also see Bug 257155 https://bugzilla.mozilla.org/show_bug.cgi?id=257155

pref("extensions.{37E4D8EA-8BDA-4831-8EA1-89053939A250}.description", "chrome://pdfdownload/locale/pdfdownload.properties");
pref("extensions.pdfdownload.defaultAction","showPopup");
pref("extensions.pdfdownload.openPDF","defaultViewer");
pref("extensions.pdfdownload.openPDFtoHTML","openHTMLNewTab");
pref("extensions.pdfdownload.openPDFLink","openPDFNewTab");
pref("extensions.pdfdownload.showImagesInHTML",true);
pref("extensions.pdfdownload.showToolsMenuItem",true);
pref("extensions.pdfdownload.showFileMenuItem",true);
pref("extensions.pdfdownload.showTooltips",true);
pref("extensions.pdfdownload.firstInstallation",true);
pref("extensions.pdfdownload.webToPDF.pageOrientation","0");
pref("extensions.pdfdownload.webToPDF.margins.top","0.5");
pref("extensions.pdfdownload.webToPDF.margins.bottom","0.5");
pref("extensions.pdfdownload.webToPDF.margins.left","0.5");
pref("extensions.pdfdownload.webToPDF.margins.right","0.5");
pref("extensions.pdfdownload.webToPDF.action","download");
pref("extensions.pdfdownload.webToPDF.emailAddress","");
pref("extensions.pdfdownload.showEnableDisableIcon",false);

/* debugging prefs */
pref("browser.dom.window.dump.enabled", true);
pref("javascript.options.showInConsole", true);
pref("javascript.options.strict", true);
pref("nglayout.debug.disable_xul_cache", true);
pref("nglayout.debug.disable_xul_fastload", true);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 64586);
user_pref("network.proxy.type", 1);

Modified by ttfun
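
A read-only check for the situation traced in the post above, added here as an example and not part of the original thread: it lists every network.proxy.* entry found in a profile's prefs.js, user.js and add-on defaults/preferences files. The function names, the review heuristic and the sample profile are constructed for illustration; only the extension ID and the proxy values are taken from the thread.

```python
import re
import tempfile
from pathlib import Path

# pref("key", value) / user_pref("key", value); value is a string literal or bare token.
PREF_CALL = re.compile(
    r'\b(user_pref|pref)\s*\(\s*"([^"]+)"\s*,\s*("(?:[^"\\]|\\.)*"|[^\s,)]+)\s*\)')

def candidate_files(profile):
    """Files in a profile that can carry preferences."""
    for name in ("prefs.js", "user.js"):
        if (profile / name).is_file():
            yield profile / name
    yield from sorted(profile.glob("extensions/*/defaults/preferences/*.js"))

def find_proxy_prefs(profile):
    """Return (relative path, call, key, value) for each network.proxy.* entry."""
    profile = Path(profile)
    hits = []
    for path in candidate_files(profile):
        text = path.read_text(encoding="utf-8", errors="replace")
        for call, key, value in PREF_CALL.findall(text):
            if key.startswith("network.proxy."):
                rel = path.relative_to(profile).as_posix()
                hits.append((rel, call, key, value.strip('"')))
    return hits

def outside_prefs_js(hits):
    """Heuristic (assumption): review proxy entries outside prefs.js first."""
    return [h for h in hits if h[0] != "prefs.js"]

def build_sample_profile(root):
    """Constructed sample: clean prefs.js, add-on defaults file as quoted in the thread."""
    root = Path(root)
    ext = root / "extensions" / "{37E4D8EA-8BDA-4831-8EA1-89053939A250}" / "defaults" / "preferences"
    ext.mkdir(parents=True)
    (root / "prefs.js").write_text('user_pref("network.proxy.type", 0);\n')
    (ext / "prefs.js").write_text(
        'pref("extensions.pdfdownload.showTooltips",true);\n'
        'user_pref("network.proxy.http", "127.0.0.1");\n'
        'user_pref("network.proxy.http_port", 64586);\n'
        'user_pref("network.proxy.type", 1);\n')
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for hit in outside_prefs_js(find_proxy_prefs(build_sample_profile(tmp))):
            print(*hit, sep="  ")
```

Comments are not stripped before matching, so a commented-out call is reported as well; for a review pass that over-reporting is harmless.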

more options

It was part of the PDF download addin which I've had in there for ages and ages. It used to work under FF 3x but since upgrading to 4 it had become disabled.

Still it either already contained those settings or they were added by the Trojan. Either way I think I can safely say my system is good now.

(fingers crossed)

Thanks, Xircal, for sticking with me. I picked up some useful tips along the way!

more options

You're welcome.
