Firefox and TB worked fine the day before. Now, when I click on them I only get a crash report message. The first time I tried to open TB, I got a security message with a specific virus mentioned as the threat, but then the message disappeared quickly and I could not get the name of the virus. I did a total uninstall and reinstall of Avast Pro, then did a total uninstall/reinstall of Firefox. I did a boot scan twice. Still get the same crash message. Any other suggestions?
"The first time I tried to open TB, I got a security message with a specific virus mentioned as the threat", so you may have an infection ... follow the instructions at the top of the Viruses and Worms forum section; when logs are attached, a malware expert will take a look.
I’m pretty certain that the problem is SearchProtector malware because I uninstalled it several days ago but it still persisted. I quarantined and then deleted what Malwarebytes scan found. However, I STILL cannot open Firefox or TB. When I do an Avast browser cleaner and then change the default search from malware-generated Yahoo page to “clean” Bing page, it just changes back again.
ANY FURTHER SUGGESTIONS??
Thanks,
fsorganizing
Below I've posted the log generated by the Malwarebytes scan:
Malwarebytes Anti-Malware
www.malwarebytes.org
Scan Date: 7/24/2014
Scan Time: 12:06:46 PM
Logfile: Malwarebytes log_7-24-14.txt
Administrator: Yes
Version: 2.00.2.1012
Malware Database: v2014.07.24.04
Rootkit Database: v2014.07.17.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: Michael
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 269563
Time Elapsed: 15 min, 10 sec
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
Processes: 0
(No malicious items detected)
Modules: 0
(No malicious items detected)
Registry Keys: 1
PUP.Optional.SProtector.A, HKU\S-1-5-21-3857975840-67816974-3038054564-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SProtector, Quarantined, [df75049f7a0153e3bbaa36d36c98827e],
Registry Values: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Folders: 0
(No malicious items detected)
Files: 4
PUP.Optional.OneClickDownloader.A, C:\$Recycle.Bin\S-1-5-21-3857975840-67816974-3038054564-1000\$RVKTZOT.exe, Quarantined, [2331b1f2f18a2016723347d3df2249b7],
PUP.Optional.Conduit.A, C:\Users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\wzd0rgkr.default\searchplugins\conduit-search.xml, Quarantined, [6aeac3e0b5c66dc9a911d254f113b749],
PUP.Optional.Babylon.A, C:\Users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\wzd0rgkr.default\prefs.js, Good: (), Bad: (user_pref("extensions.BabylonToolbar.prtkDS", 0);), Replaced,[b69e2281bcbf48eed371eef347bd966a]
PUP.Optional.Babylon.A, C:\Users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\wzd0rgkr.default\prefs.js, Good: (), Bad: (user_pref("extensions.BabylonToolbar.prtkHmpg", 0);), Replaced,[0f45950e22590d298cb8b22fc3412cd4]
Physical Sectors: 0
(No malicious items detected)
(end)
Thanks.
Could you please attach all logs? (Look under the text box you are writing in and click that).
See attached. Thx
We need the Farbar Recovery Scan Tool logs.
Please run and attach resulting logs for Farbar and aswMBR.exe: https://forum.avast.com/index.php?topic=53253.0
A certified malware removal expert has been contacted for you. Please be patient.
Attached are the logs for Farbar and aswMBR.
Thanks again for your help and assistance,
fsorganizing
Good job. ;D
There is nothing apparent showing as to why FF crashes. But I will look deeper at the drivers/services area.
CAUTION : This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
SearchScopes: HKCU - {699EC0C9-F60D-4978-A5C7-13630F5765E8} URL = http://search.about.com/fullsearch.htm?terms={searchTerms}
Toolbar: HKLM - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
Toolbar: HKCU - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
Toolbar: HKCU - No Name - {30CEEEA2-3742-40E4-85DD-812BF1CBB83D} - No File
CMD: bitsadmin /reset /allusers
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
REBOOT:
Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.
THEN
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1
Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
- IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks.
http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png
http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
- Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
- Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
- If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.
Both Firefox and TB are still crashing before opening. Oh well…I really appreciate the time you have taken to look at this issue. Hopefully, others will benefit from this experience/situation.
The logs are attached for FRST fixlist and ComboFix.
Take care,
fsorganizing
Does Firefox give an error report when it crashes?
Also, can you run Firefox in safe mode? https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-using-safe-mode
Unfortunately, I cannot get it to start in safe mode with the shift key or otherwise.
Report of one thing I investigated on my own:
The first time I ran it, Malwarebytes quarantined the prefs.js file in the default profile. Every time I try to delete this file, it comes back again. When I tried to open the file in MS Windows based script host, it gives the following error message:
Line: 1
Char: 1
Error: Invalid character
Code: 800A03F6
Source: Microsoft JScript compilation error
Also, here is the text from the C:\Users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\wzd0rgkr.default\searchplugins Yahoo plugin. Does this indicate an attack from the malware?
Yahoo! Yahoo Search UTF-8 data:image/x-icon;base64, https://search.yahoo.com/search?fr=chr-greentree_ff&ilc=12&type=282369
It looks like there may be an error in there
Please download AdwCleaner by Xplode onto your desktop.
- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.
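An added example, not part of any post in this thread and not code from Avast, Malwarebytes or Mozilla: a read-only audit of a Firefox prefs.js that treats the file as preference data rather than a script. The flagged prefix comes from the Malwarebytes detections earlier in the thread; the list of search and homepage prefs to review and the sample file contents are assumptions constructed for illustration.

```python
import re

# One prefs.js entry per line:  user_pref("name", value);
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.*?)\s*\)\s*;\s*$')

# Key prefix taken from the PUP.Optional.Babylon.A detections in this thread.
FLAGGED_PREFIXES = ("extensions.BabylonToolbar.",)

# Assumption: prefs that search/homepage hijackers commonly rewrite.
# Their values are only listed for manual review, never judged automatically.
REVIEW_KEYS = ("browser.startup.homepage", "browser.search.defaultenginename",
               "browser.search.selectedEngine", "keyword.URL")

def parse_prefs(text):
    """Return {pref name: raw value text}; comment and blank lines are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs

def audit_prefs(text):
    """Return (flagged pref names, {review pref: value}) without changing anything."""
    prefs = parse_prefs(text)
    flagged = sorted(k for k in prefs if k.startswith(FLAGGED_PREFIXES))
    review = {k: prefs[k] for k in REVIEW_KEYS if k in prefs}
    return flagged, review

def cleaned(text):
    """Return the prefs text with flagged entries dropped, other lines untouched."""
    kept = []
    for line in text.splitlines(keepends=True):
        m = PREF_RE.match(line)
        if m and m.group(1).startswith(FLAGGED_PREFIXES):
            continue
        kept.append(line)
    return "".join(kept)

# Constructed sample, not the prefs.js from the affected machine.
SAMPLE = '''# Mozilla User Preferences
user_pref("browser.startup.homepage", "https://search.example.invalid/?fr=toolbar");
user_pref("extensions.BabylonToolbar.prtkDS", 0);
user_pref("extensions.BabylonToolbar.prtkHmpg", 0);
user_pref("browser.search.selectedEngine", "Yahoo");
user_pref("app.update.enabled", true);
'''

if __name__ == "__main__":
    flagged, review = audit_prefs(SAMPLE)
    print("flagged:", flagged)
    print("review:", review)
```

Run it against a copy of prefs.js taken while Firefox is closed, and compare the review values with the settings you expect before writing any cleaned output back.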
After running AdwCleaner.exe, issue still persists. Because the issue is NOT happening on Chrome and IE, I’m just going to migrate to them for the short term. Hopefully, by or before the end of the year I’m going to get a new computer and install a robust version of Linux.
I’m really going to miss TB – it’s the best email reader I’ve used to date…
fsorganizing
Are you using the recently released version of Thunderbird? If so, could you install the previous version and see if you still have the problem?