Mozilla Firefox Browser Crashed as well as IE Browser after Win32/cryptor remove

Yesterday after you guys so kindly helped me and pretty much saved my PC from that nasty little win32 cryptor bug. I was following your recommendations and installed Avira/ Antivirus program as well as recommended spyware programs. I used the links that geeks provided for Avir which worked great once installed and setup i located the other programs and installed them. as i was looking for your recommended firewall programs, when my mozilla browser stopped dead in it tracks and then crashed. After it closed down i was not able to open mozilla at all except in safe mode. i checked the task manger and the CPU's were maxed. So i closed windows down. and did a restart. still the same thing. I was going to come back to this site and have you guys check and see if somthing else downloaded itself to my PC or if there was somthing else hidiing out in my system and decided to spring into action after the geekspolice tech removed those other trojans and rootkits from my system. Also After the mozilla crash i attempted to open my IE browser and it slowly loaded as it was finishing its loading process 5 other internet explorer browser windows attempted to open all at once. each one crashed like a domino effect. after getting them all closed and shutdown. I did a reboot and mozilla still would not open though IE did. I am not sure what is going on but....... Please Help.....

I uninstalled mozilla and was bale to install a newer verison of firefox Ver: 3.0.10 It is currently working fairly well. I closed my system down yesterday evening and and turned it back on a short time ago. (upon loading at start up Spybot seek & destroy notified me of a change in windows startup programs (it stated that
C:\WINDOWS\system32\ctfmon.exe had been changed. when that windows opened cpus jumped and the screen and all running programs froze for 4 or 5 minutes..... What do you think?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:04:09 AM, on 4/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TuneUp Utilities 2009\MemOptimizer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Mark\Desktop\hijackgpthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: TBSB00982 - {DA3D342F-FF20-4E31-9E82-22334155730C} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: SpywareGuard.lnk.disabled
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1240574688126
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NICSer_WPC54 - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe

--
End of file - 5635 bytes

Hello.

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
You can reenable TeaTimer once your system is clean.

Please make sure Teatimer is disable before we do this, otherwise this fix will fail.

• Open HijackThis
  
• Choose "Do a system scan only"
  
• Check the boxes in front of these lines:
  
  
  O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
  O2 - BHO: TBSB00982 - {DA3D342F-FF20-4E31-9E82-22334155730C} - (no file)
  O4 - Startup: SpywareGuard.lnk.disabled
  O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
  
  
  
• Press "Fix Checked"
  
• Close Hijack This.
  

Lets get an updated uninstall list.

• Open HijackThis.
  
• When Hijack This opens, click "Open the Misc Tools section"
  
• Then select "Open Uninstall Manager"
  
• Click on "Save List..." (generates uninstall_list.txt)
  
• Click Save, copy and paste the results in your next post.
  

when i rebooted after the hijack this fix and reboot as start up was loading i got a message saying that DR watson post mortem debugger had encountered a problem and need to close. everything froze up for 4 - 5 mins...

heres an updated uninstall list from Hijackthis:

GOM Player
HijackThis 2.0.2
Intel(R) Extreme Graphics Driver
Java(TM) 6 Update 13
Malwarebytes' Anti-Malware
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.0.10)
Revo Uninstaller 1.80
RPS CRT
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Spybot - Search & Destroy
SpywareBlaster 4.2
SpywareGuard v2.2
TuneUp Utilities 2009
Update for Windows Internet Explorer 8 (KB968220)
Verizon Help and Support Tool
Verizon High Speed Internet
Verizon Servicepoint 1.5.23
Verizon Yahoo! Applications
Windows Internet Explorer 8
Wireless-G Notebook Adapter

sorry i misses a couple when i copied and pasted it before..... this is accurate

7-Zip 4.57
Adobe AIR
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Reader 9.1
Avira AntiVir Personal - Free Antivirus
GOM Player
HijackThis 2.0.2
Intel(R) Extreme Graphics Driver
Java(TM) 6 Update 13
Malwarebytes' Anti-Malware
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.0.10)
Revo Uninstaller 1.80
RPS CRT
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Spybot - Search & Destroy
SpywareBlaster 4.2
SpywareGuard v2.2
TuneUp Utilities 2009
Update for Windows Internet Explorer 8 (KB968220)
Verizon Help and Support Tool
Verizon High Speed Internet
Verizon Servicepoint 1.5.23
Verizon Yahoo! Applications
Windows Internet Explorer 8
Wireless-G Notebook Adapter

Hello.

Lets try this. I want to try uninstalling TuneUp because using TuneUp programs can alter/modify the registry and doing so can cause serious harm and damage.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

• 7-Zip 4.57 <== old version
  
• TuneUp Utilities 2009
  

I recommend you remove the Java Quick Starter because it's not needed.
To do so, follow these instructions.

Go to Start > Control Panel > Java.
In the Java control panel, open the click the Advanced tab. Click the + in front of Miscellaneous and uncheck the Java Quick Starter box.

See here for more info.

If you use 7Zip, then download and install the newest version. 7-Zip 4.65 Stable

Reboot normally.
Let me know if there is any change.

okay tune up utilities 2009 has been uninstalled and i uninstalled 7 zip i have downloaded the new verison and the Java Quick starter has been disabled. I rebooted there was no error message for dr watson post mortem debugger.

The system seems to be running a bit smoother, but the cpu's are still getting hung up.

Hello.
Post a NEW Hijack This log now, there is some more optional things we can kill.

Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Mark\Desktop\hijackgpthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1240574688126
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NICSer_WPC54 - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe

--
End of file - 4370 bytes

Firefox seems to be running well.. but something is keeping firefox from saving any new settings it keeps going back to default and udating any and all addons and the browser. this is a new thing. i so appericate all the help that you are providing to me.

Hello.

• Open HijackThis
  
• Choose "Do a system scan only"
  
• Check the boxes in front of these lines:
  
  
  O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
  O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
  O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
  O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
  O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
  O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
  
  
  
• Press "Fix Checked"
  
• Close Hijack This.
  

Reboot normally again.

Download ATF Cleaner

• Double-click ATF-Cleaner.exe to run the program.
  
• Click Select All found at the bottom of the list.
  
• Click the Empty Selected button.
  

If you use Firefox browser, do this also:

• Click Firefox at the top and choose Select All from the list.
  
• Click the Empty Selected button.
  
• NOTE : If you would like to keep your saved passwords, please click No at the prompt.
  

If you use Opera browser, do this also:

• Click Opera at the top and choose Select All from the list.
  
• Click the Empty Selected button.
  
• NOTE : If you would like to keep your saved passwords, please click No at the prompt.
  

Click Exit on the Main menu to close the program.

okay ran hijack this and followed your directions. downloaded the atf cleaner and ran both windows clean up and firefox saved passwords. but first the system was rebooted . upon starting up the same dr watson post mortem debugger encountered a problem and had to close.

I looked into the more info options on that window. and copied the files that would be reported in the message: here they are maybee it helps :

C:\DOCUME~1\MARK\LOCALS~1\Temp\WERe799.dir00\drwtsn32.exe.mdmp

C:\DOCUME~1\MARK\LOCALS~1\Temp\WERe799.dir00\Appcompat.txt

also the atf cleaner was not responding after the above occurred i would close so i had to enter the tak manager and close the app from there.

If you don't clean temp files out very often, it can take a few minutes for ATF-Cleaner to run.

If TuneUp caused this, whatever you did has already done the damage and we can't always reverse it.

Them files reported are temp files anyhow, ATF-Cleaner should delete them.

I just remembered when i had CCleaner installed not to long ago when i would run it send up an error message saying the original 237 0r 327 could not be found.

i do xtract and delete temp files regularly. i have used various programs such as cc leaner, wipe, advanced systems care pro. i just downloaded the tune up utilities2009 a couple of days ago. i only cleaned with it once. i also used AML free registry cleaner for quite some time. it had a disc cleaner in it.

Okay, this should be fine now though.

thanks so very much for all of your patients and help