Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Ran Junkware Removal Tool and now Firefox will not launch


  • Please log in to reply
8 replies to this topic

#1 MarkSc

MarkSc

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:39 AM

Posted 12 June 2015 - 10:02 AM

I just ran JRT and now when I try to launch Firefox I get the following error:[/size]
 
______________________________________________________________[/size]
 
Configuration Error[/size]
 
Failed to read the configuration file. Please contact your system administrator.[/size]
 
_______________________________________________________________[/size]
 
I see in JRT.txt (full contents of which are pasted below) the following line:[/size]
 
Successfully deleted: [File] C:\Program Files\mozilla firefox\Mozilla.cfg[/size]
 
Does this suggest that this configuration file was found to be infected?[/size]
 
Background Info:[/size]
 
I was attempting to use JRT Version: 6.9.1 (06.08.2015:1) downloaded from bleepingcomputer.com today to stop Conduit files from reappearing continuously. They repeatedly reappear even after Malewarebytes finds them each day and I repeatedly quarantine them. Malewarebytes had successfully stopped Conduit browser hijacking in IE and Firefox previously. It failed to stop it in Chrome but I no longer use Chrome so I just uninstalled it. [/size]
 
While running JRT[/size]
 
Having never used JRT previously I mistakenly thought it could take hours to scan files during which time it could run in the background while I continued my work. I attempted to launch Firefox while JRT was running and it did not launch. Not sure if that caused the problem, so I have pasted JRT.txt below for review. After JRT scan was finished I tried to launch Firefox again and that was when I first got the Configuration Error message above. I rebooted but I still get the configuration error message. Here is contents or JRT.txt..[/size]
 
I thought about restoring deleted file Mozilla.cfg file but did not for reason mentioned above. I also considered uninstalling and reinstalling Firefox or restoring registry from backup that JRT created. On second though however, I figure I might be better off seeking expert support here before digging myself in any deeper.[/size]
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.9.1 (06.08.2015:1)
OS: Windows 7 Professional x86
Ran by MarkSc on Fri 06/12/2015 at  9:54:07.77
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
~~~ Services
 
~~~ Tasks
 
~~~ Registry Values
 
~~~ Registry Keys
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110011441193}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110211181104}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011441193}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110211181104}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\Update FindRight
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\Util FindRight
 
~~~ Files
Successfully deleted: [File] C:\end
Successfully deleted: [File] C:\Program Files\mozilla firefox\Mozilla.cfg
 
~~~ Folders
Successfully deleted: [Empty Folder] C:\Users\marksc\appdata\local\{313AE105-214B-4AE5-A1B6-934A1FA41E76}
Successfully deleted: [Empty Folder] C:\Users\marksc\appdata\local\{48CEA086-B8D5-4556-8F50-420AE0BA6A3A}
Successfully deleted: [Folder] C:\ai_recyclebin
Successfully deleted: [Folder] C:\Program Files\media freeware
Successfully deleted: [Folder] C:\ProgramData\apn
Successfully deleted: [Folder] C:\ProgramData\conduit
Successfully deleted: [Folder] C:\ProgramData\microsoft\windows\start menu\programs\free window registry repair
Successfully deleted: [Folder] C:\ProgramData\microsoft\windows\start menu\programs\strongvault online backup
Successfully deleted: [Folder] C:\ProgramData\strongvault online backup
Successfully deleted: [Folder] C:\ProgramData\tarma installer
Successfully deleted: [Folder] C:\Users\marksc\appdata\locallow\conduit
Successfully deleted: [Folder] C:\Users\marksc\appdata\locallow\foxtab
Successfully deleted: [Folder] C:\Users\marksc\AppData\Roaming\getrighttogo
Successfully deleted: [Folder] C:\Users\marksc\AppData\Roaming\media freeware
Successfully deleted: [Folder] C:\Users\marksc\local settings\application data\conduit
Successfully deleted: [Folder] C:\Users\marksc\local settings\application data\nativemessaging
Successfully deleted: [Folder] C:\Users\marksc\local settings\application data\strongvault online backup
Successfully deleted: [Folder] C:\Users\marksc\local settings\application data\strongvault
Successfully deleted: [Folder] C:\Windows\System32\ai_recyclebin
 
~~~ FireFox
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 06/12/2015 at  9:57:15.67
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Edited by Queen-Evie, 12 June 2015 - 10:29 AM.
moved from Web Browsing/Email to appropriate forum


BC AdBot (Login to Remove)

 


#2 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:04:39 PM

Posted 12 June 2015 - 10:31 AM

Hello there,

A member of the Malware Response Team told me that the file is malicious as it contains an injection script. There is a good chance your machine is infected.

Please run these.

MiniToolbox by Farbar

Avast users please disable your antivirus before downloading!
Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files
  • List Restore Points
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

===

Emsisoft Emergency Kit

Please download Emsisoft Emergency Kit and save it to your desktop. Double click on the EmsisoftEmergencyKit file you downloaded to extract its contents and create a shortcut on the desktop. Leave all settings as they are and click the Extract button at the bottom. A folder named EEK will be created in the root of the drive (usually c:\).
  • After extraction please double-click on the new Start Emsisoft Emergency Kit icon on your desktop.
  • The first time you launch it, Emsisoft Emergency Kit will recommend that you allow it to download updates. Please click Yes so that it downloads the latest database updates.
  • When the update process is complete, a new button will appear in the lower-left corner that says Back. Click on this button to return to the Overview screen.
  • Click on Scan to be taken to the scan options. If you are asked if you want the scanner to scan for Potentially Unwanted Programs, then click Yes.
  • Click on the Full Scan button to start the scan.
  • When the scan is completed click the Quarantine selected objects button. Note, this option is only available if malicious objects were detected during the scan.
  • When the threats have been quarantined, click the View report button in the lower-right corner, and the scan log will be opened in Notepad.
  • Please save the log in Notepad on your desktop, and attach it to your next reply.
  • When you close Emsisoft Emergency Kit, it will give you an option to sign up for a newsletter. This is optional, and is not necessary for the malware removal process.
Regards,
Alex

#3 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:39 AM

Posted 12 June 2015 - 10:59 AM

Hi MarkSc,

 

I'm sorry  for the inconvenience this has caused you. I will do some more research but my understanding was that those type of .cfg files do not belong in that directory.

 

Let me know show you what a clean install of Mozilla Firefox looks like in the C:\Program Files\mozilla firefox folder: (c:\program files(x86)\Mozilla Firefox for me since I am running a 64-bit operating system).

 

OOPaXHA.png

 

As you can see, there is no such "Mozilla.cfg" file here hence why JRT considers any type of .cfg file in this particular directory/folder as malicious. I've had reports from other users and malware helpers saying that malware can hide there. We've seen for example a file called "my.cfg" being placed in this directory which then loads malicious javascript into FireFox creating popups for the user. However, this doesn't seem to be the case for you since there was not a mutual malicious javascript (.js) file detected.

 

Once again, I am sorry for the inconvenience. Were you having any trouble with while browsing in FireFox (pop ups, intrusive ads, etc)?

 

Lastly, I noticed the JRT log you linked appears to be incomplete. JRT detected FireFox hence the

~~~ FireFox

entry in the log

 

However, JRT will only include the above line if something related to FireFox was deleted. And while the "Mozilla.cfg" file is related to FireFox, it was deleted by a different and more generic portion of the tool; nonexclusive to FireFox.

 

Can you try repasting the log you received? I have a strong feeling that we are missing what is after the ~~~ FireFox line.

 

Nevertheless, thank you for the report. I will look further into the issue. In the meantime, I do think you're safe to reinstall FireFox if you'd like to.

 

Regards

 

edited for typos


Edited by thisisu, 12 June 2015 - 11:35 AM.


#4 MarkSc

MarkSc
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:39 AM

Posted 12 June 2015 - 12:19 PM

I am running Win7 Pro SP1 on 32-bit platform and Firefox.exe is in directory

C:\Program Files\Mozilla Firefox\ 

 

There is nothing in JRT.txt besides what I pasted below. As I mentioned in my first email below, "I attempted to launch Firefox while JRT was running and it did not launch". I realize now it was not a good idea to attempt to lauunch firefox at that time. Might that explein why " ~~~ FireFox " appears as the last line in the JRT.txt log?.

 

I am by no means an expert so let me just tell you my hunch. It is that  JRT rightfully removed "mozilla.cfrg"  which based on some quick research appears to be at least a low-level threat. However, it appears firefox.exe is targeting "mozilla.cfrg" which is now missing so firefox.exe aborts.Do you agree and whether you agree or disagree what can you suggest I do next? Uninstall and reinstall Firefox maybe? 

Thank you!

 



#5 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:39 AM

Posted 12 June 2015 - 12:56 PM

I am running Win7 Pro SP1 on 32-bit platform and Firefox.exe is in directory

C:\Program Files\Mozilla Firefox\ 

 

Yep, completely normal.

 

 

There is nothing in JRT.txt besides what I pasted below. As I mentioned in my first email below, "I attempted to launch Firefox while JRT was running and it did not launch". I realize now it was not a good idea to attempt to lauunch firefox at that time. Might that explein why " ~~~ FireFox " appears as the last line in the JRT.txt log?.

 

 

I kind of doubt it as JRT will close FireFox right before it starts to scan it. More than likely it's a bug with JRT that I haven't found yet.

 

 

 However, it appears firefox.exe is targeting "mozilla.cfrg"

 

 

That's something interesting/new to me. Just so I understand correctly, the Mozilla FireFox shortcut on your desktop, and/or in the start menu points to the mozilla.cfg file instead of firefox.exe?

 

Uninstall and reinstall Firefox maybe? 

 

 

I think this is your best route. I would recommend this. If your bookmarks are important to you and you'd like to save them, read: https://support.mozilla.org/en-US/kb/restore-bookmarks-from-backup-or-move-them


Edited by thisisu, 12 June 2015 - 01:03 PM.


#6 MarkSc

MarkSc
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:39 AM

Posted 12 June 2015 - 01:17 PM

Desktop Shortcut and Quick Launch icon both point to "firefox.exe" and just ot be sure I attempted to launch "firefox.exe" from Windows Explorer filelist and got same error message. That is what leaves me thinking that "firefox.exe" is pointing to "mozilla.cfg". 

 

This are specifics of what I propose to do. Please advise if you think this sounds ok:

1.) Uninstall Firefox with REVO Uninstaller since i have had better success with it in the past with programs that were corrupted.

2.) Next I am thinking I should run JRT again just to establish a baseline and see if there is more to be done past that "~~~ FireFox" entry.

3.) Reinstall latest version of Firefox. Hopefully it launch it successfully.

4.) Rerun JRT to make sure it fully executes and returns a clean log.  

 

Thanks again!



#7 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:39 AM

Posted 12 June 2015 - 01:19 PM

That sounds good. I actually prefer to uninstall using Revo as well :)

 

Desktop Shortcut and Quick Launch icon both point to "firefox.exe" and just ot be sure I attempted to launch "firefox.exe" from Windows Explorer filelist and got same error message. That is what leaves me thinking that "firefox.exe" is pointing to "mozilla.cfg". 

 

This are specifics of what I propose to do. Please advise if you think this sounds ok:

1.) Uninstall Firefox with REVO Uninstaller since i have had better success with it in the past with programs that were corrupted.

2.) Next I am thinking I should run JRT again just to establish a baseline and see if there is more to be done past that "~~~ FireFox" entry.

3.) Reinstall latest version of Firefox. Hopefully it launch it successfully.

4.) Rerun JRT to make sure it fully executes and returns a clean log.  

 

Thanks again!



#8 MarkSc

MarkSc
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:39 AM

Posted 14 June 2015 - 11:14 AM

I uninstalled Firefox and ran JRT a secont time. As you can see below the log came back perfectly clean. Also, pleased to say in the past 2 days since the first run of JRT that MalewareBytes has not reported a single reoccurances of Conduit files. As reporteed below, prior to first running JRT it was finding them daily. Today I reinstalled Firefox and it is running fine.

 

My hunch is that an unwanted program caused modifications to firefox,exe including making it point to mozilla.cfg. JRT rightfully detected mozilla.cfg as a threat and deleted it thereby causing my corrupted incidence of Firefox to fail to launch.I probably should wait a day or two to see if Firefox web browsing allows Conduit file reinfestation but for now all looks good.

 

Thanks again!

 

_____________________________________________________________

Junkware Removal Tool (JRT) by Thisisu
Version: 6.9.1 (06.08.2015:1)
OS: Windows 7 Professional x86
Ran by MarkSc on Sun 06/14/2015 at 11:25:09.37
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~ Services
~~~ Tasks
~~~ Registry Values
~~~ Registry Keys
~~~ Files
~~~ Folders
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 06/14/2015 at 11:28:03.60
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 



#9 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:39 AM

Posted 14 June 2015 - 12:30 PM

You're welcome. Surf safely :)






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users