Firefox won't start after "Windows 7 repair" virus

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Psyched Psyche, Jun 21, 2011.

  1. Psyched Psyche

    Psyched Psyche Private E-2

    So Sunday night I was browsing around in Firefox and came across a site loaded with viruses. I quickly exited the tab but lazily pressed OK when prompted by Windows to make changes to my computer. I'm stupid... Turns out it was the Windows 7 repair virus and I've followed all the steps in this thread to remove it. At this point I think it's gone, and yet every time I try to open Firefox, I'm getting this: "Firefox had a problem and crashed. We'll try to restore your tabs and windows when it restarts." Neither clicking "Restart Firefox" nor "Quit Firefox" works. I'm pretty dang dittily sure this virus has been wiped clean from my machine so any suggestions on how to get FF working again would be greatly appreciated.

    Here are all the logs from my attempt at removing the nasty malware.
    I couldn't get rootrepeal to work. It comes up with an error saying "Attempt to read from address," and "Attempt to write to address."
     


  2. satrow

    satrow Major Geek Extraordinaire

    Hi and Welcome to Majorgeeks :)

    I am currently reviewing your logs and will post back with a response as soon as possible. This takes time so your patience is appreciated.
     
  3. satrow

    satrow Major Geek Extraordinaire

    There are a few things that need to be done; the following should be uninstalled:
    PageRage Toolbar
    Conduit Engine
    GoodSearch Toolbar
    We are going to be uninstalling your old version of FireFox and installing the new version. As you cannot run Firefox and you have a multi-user computer, you'll need to locate, via the Windows Search function, each of the most recent versions of bookmarks.html for each Firefox user:
    Now download and save the installer for the current version of FireFox but DO NOT install it yet. Get it here: Mozilla FireFox
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following line but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    Code:
    KILLALL::
    
    Folder::
    c:\program files\whitesmoke
    C:\Users\J Man\AppData\Roaming\WhiteSmoke
    c:\users\Jake\xhsyrefu
    
    File::
    C:\ProgramData\29744888
    C:\ProgramData\29941496
    C:\ProgramData\~29744888
    C:\ProgramData\~29744888r
    C:\ProgramData\~29941496
    C:\ProgramData\~29941496r
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Launch WhiteSmoke.lnk
    
    RegLock::
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open because you receive the error "Illegal operation attempted on a registry key that has been marked for deletion", then you will need to reboot your computer, which will normally fix this problem.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below log:
    • C:\MGlogs.zip


    Then REBOOT and reinstall Firefox and test:
    After reboot, delete the below folders:
    where UserAccount is the actual user account name being used.

    Now reinstall FireFox from the file previously downloaded.
    Import your bookmarks file:
    Make sure you tell me how things are working now!
     
  4. Psyched Psyche

    Psyched Psyche Private E-2

    Here are the logs you asked for.

    I have one quick question before I reinstall Firefox. I had lots of important bookmarks that I need/want. When I look in my Firefox profile folder I did not find any bookmarks.html document. However, apparently when I first installed FF a couple of years back, I must have installed it to my external hard drive for whatever reason. I found a profile folder in there with the bookmarks.html document, but it says it hasn't been modified since 2009. Does this mean my bookmarks were not saved and kept up to date as of a couple of days ago when I got the virus? Am I out of luck here?
     


  5. satrow

    satrow Major Geek Extraordinaire

    You may be out of luck but hold tight, I'll do some checking.
     
  6. satrow

    satrow Major Geek Extraordinaire

    It looks like there were a few more variables than the Mozilla articles I checked with initially implied. I think it should be recoverable with a little luck and a small piece of software.

    Download FreeUndelete, save it, then open it. Double-click the *.msi inside to begin the install, agree to the terms, then click the Advanced button and choose "Run without installing".

    The program then starts; select your C: and click Scan C:. When the scan is complete (it should only take a few minutes), in the "Filter found files" box, type bookmarks.html and, once the contents have changed, select the file(s) you need to save. Then in the "Undelete selected files to:" box, click Browse and select the folder to save to, then click Undelete. Open the file(s) in IE to check, then report back.

    I'll finish checking the logs and post the follow up soon.
     
  7. satrow

    satrow Major Geek Extraordinaire

    On rechecking your posts and logs, it appears that Firefox has not been uninstalled and that the location of your Bookmark backups should be found by the following method.

    First we need to locate the Firefox bookmark backup files:
    SystemLook

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      *.json*
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply so we can supply instructions on which files to copy and to which destination.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  8. Psyched Psyche

    Psyched Psyche Private E-2

    This was all I got from the system look. Nothing new really... Are the "bookmarkbackups" files what I need?
     


  9. satrow

    satrow Major Geek Extraordinaire

    Yes, the bookmarks***.json files are those needed to import your bookmarks into Firefox.

    As there were only Firefox bookmark backups related to the Jake profile found, simply find the below file and copy it to your Desktop:

    Now we need to uninstall the following:
    Mozilla Firefox


    Now run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following line but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.


    Now we need to use ComboFix:
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    Code:
    KILLALL::
    DirLook::
    C:\Users\J Man\AppData\Local\{581E582B-A753-4286-B5DE-23C2433BF96C}
    C:\Users\J Man\AppData\Local\{9591A736-A5A3-4196-8C17-1F7FE4282A94}
    C:\Users\J Man\AppData\Local\{AD6AE630-E8BF-40F1-BE83-8E742721DC08}
    C:\Users\J Man\AppData\Local\{D434E55B-82DA-45CE-91E0-49E64C734186}
    
    Files::
    c:\windows\system32\ConduitEngine.tmp
    
    Folders::
    c:\users\Alyssa\AppData\Local\Conduit
    c:\Users\Public\Start Menu\Programs\WhiteSmoke
    c:\users\Alyssa\AppData\Local\Conduit
    
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e86e69ac-a2ce-415a-967e-70ded47d72e2}]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open because you receive the error "Illegal operation attempted on a registry key that has been marked for deletion", then you will need to reboot your computer, which will normally fix this problem.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    *Please reboot now*.


    After reboot, delete the below folders:
    where UserAccount is the actual user account name being used; this needs to be done for each user.

    Now reinstall FireFox from the file previously downloaded.

    Restore your bookmarks:
    Then attach the below logs:
    • C:\MGlogs.zip
    • c:\combofix.txt

    Make sure you tell me how things are working now!
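
The bookmark backups satrow points to are Firefox's plain bookmarks-YYYY-MM-DD.json files in a profile's bookmarkbackups folder. As an added example, not from the thread or from Mozilla, this Python script picks the newest backup by the date in its file name, flattens the nested container tree into (folder, title, URI) entries, and flags URIs that are not http(s) so a recovered backup can be inspected before it is imported; the JSON sample and its titles/URIs are constructed.

```python
import json
import re
from datetime import date

# Constructed sample in the shape Firefox writes to bookmarkbackups\bookmarks-YYYY-MM-DD.json
SAMPLE_BACKUP = json.dumps({
    "title": "", "type": "text/x-moz-place-container", "root": "placesRoot",
    "children": [
        {"title": "Bookmarks Menu", "type": "text/x-moz-place-container", "root": "bookmarksMenuFolder",
         "children": [
             {"title": "MajorGeeks", "type": "text/x-moz-place", "uri": "http://forums.majorgeeks.com/"},
             {"title": "Work", "type": "text/x-moz-place-container",
              "children": [
                  {"title": "Mozilla", "type": "text/x-moz-place", "uri": "https://www.mozilla.org/"}]},
             {"type": "text/x-moz-place-separator"},
         ]},
        {"title": "Bookmarks Toolbar", "type": "text/x-moz-place-container", "root": "toolbarFolder",
         "children": [{"title": "Local tool", "type": "text/x-moz-place", "uri": "file:///C:/tools/readme.txt"}]},
    ],
})

BACKUP_NAME = re.compile(r"^bookmarks-(\d{4})-(\d{2})-(\d{2})\.json$")

def newest_backup(names):
    """Return the newest bookmarks-YYYY-MM-DD.json name from a directory listing, or None."""
    dated = []
    for n in names:
        m = BACKUP_NAME.match(n)
        if m:
            dated.append((date(*map(int, m.groups())), n))
    return max(dated)[1] if dated else None

def flatten(node, path=()):
    """Walk the container tree; yield (folder path, title, uri) for each bookmark."""
    kind = node.get("type")
    if kind == "text/x-moz-place":
        yield ("/".join(path), node.get("title", ""), node.get("uri", ""))
    elif kind == "text/x-moz-place-container":
        for child in node.get("children", []):
            yield from flatten(child, path + (node.get("title") or "root",))
    # separators and unknown node types are skipped

def load_bookmarks(text):
    """Parse a backup's JSON text and return its bookmark entries as a list."""
    return list(flatten(json.loads(text)))

def unusual_schemes(entries, allowed=("http", "https")):
    """Entries whose URI scheme is outside the allowed set; worth reviewing after an infection."""
    return [e for e in entries if e[2].split(":", 1)[0].lower() not in allowed]
```

Newer Firefox releases compress these backups as .jsonlz4; the script handles the plain .json backups the thread refers to.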
     
