aswMBR crashed, BSOD and system restarted

Hello everyone!

Thank you for your reply if any.

I will start with the same old sentence: ‘I have a problem and I think my system is infected. Help pls!’

I first tried using MS Security Essentials and it stopped scanning after 4 items, with CPU usage 00% and physical memory 27% when Windows Task Manager is opened.

When Windows Task Manager is not open during the MS Security Essentials scan and MS Security Essentials stops scanning, Windows Task Manager cannot be opened and is not responding. My system froze.

The same with Malwarebytes Anti-Malware.

aswMBR stopped scanning after 5 minutes; I pressed save scan log, saved the log, then exited; a BSOD or crash occurred and my system restarted, making a minidump.

Then I started TDSSkiller as stated in the below forum posting:

http://forum.avast.com/index.php?topic=111552.0

Then TDSSkiller rebooted and asked me whether to run a Kaspersky file.exe. I pressed yes and it crashed, a BSOD occurred, and my system restarted, going into DOS and making a minidump.

What is your advice, pls?
Thank you again

Follow this guide and attach the logs; do not copy and paste.

http://forum.avast.com/index.php?topic=53253.0

AdwCleaner
Malwarebytes
OTL
aswMBR

If you have problems running any of the tools, try running it from safe mode.

When done, the removal experts will be notified and will help you when they arrive.

Hello Pondus!
Thank you for the reply.

The process below took me 4 hrs or more to complete: slow processing, not responding, pressing the radio button when opening IE and IE not responding, Windows not responding upon startup, Explorer not responding.

I forgot to inform you that I had installed Spybot S&D2, Prevx 3.0, Adaware, Super Antispyware Scan and uninstalled Adaware, Super Antispyware Scan, Prevx 3.0, Spybot S&D2, in that order, which may have corrupted Windows.

I have tried running AdwCleaner with success.

Malwarebytes with partial success, as it stopped and was not responding, then continued to complete the scan.

2 logs completed

OTL and aswMBR without success; both failed in normal and safe mode.

OTL stopped responding after a few minutes at win32\C_28593.NLS, the same folder that caused MS Security Essentials to stop scanning and become unresponsive.

aswMBR repeated the same old thing. aswMBR stopped scanning after 5 minutes; I pressed save scan log, saved the log, then exited; a BSOD or crash occurred and my system restarted, making a minidump.

Both failed to scan successfully in normal and safe mode.

Hi, what is your operating system, and do you have a USB drive?

Hi essexboy!

Thank you for the reply. My slow system made me struggle to complete this reply in 2 hours, and I posted it 20 hours later. Apps not responding, cannot get online.

I am using Windows 7 Home Premium without the installation DVD disc, as my OS was preloaded at the factory. Yes, I do have a USB drive.

My Windows security is turned off and can't be started.
My Network Access Protection (NAP) Agent service is also turned off.

Windows 7 under safe mode without networking is fast, and so is safe mode with networking. However, all the preset settings are deleted and I cannot access the www as PnP is not working and can't detect the modem.

As I am writing this reply, my Windows Explorer froze as I opened the wrong folder. Only the cursor works.
IE is not responding, so is Windows Task Manager, and Chrome for a while; my ISP software stopped responding and my USB modem is getting hot.
An unresponsive app like IE has to be closed before other apps can respond.

I am frequently disconnected from the WWW after updating from IE9 to IE10 and can't uninstall IE10, as all my created System Restore points are deleted or hidden. Everything is at a snail's pace; even downloading is at XX.XX kbps instead of Mbps. Ha! Ha! Ha! What an idiot! That's me.

The good news is that AdwCleaner cleaned Freezed.com from Google Chrome, according to the log.
Using msconfig to run devmgmt.msc, I cleaned and uninstalled WRkrn from my hidden PnP device drivers list.

I have tried running devmgmt.msc 2x, and it's not running after WRkrn is deleted.
Oops! False alarm! Device Manager (Not responding).

Microsoft Management Console is not responding and cannot be closed. Windows is collecting the information for reporting purposes. I closed this box and MMC is closed.

I might have to clean my browsers 2x and generate a 2nd AdwCleaner log, as I am blind right now and might have visited dangerous sites without warning from SiteAdvisor and WOT.

System File Checker /scannow failed at 21%, as SFC Windows Resource Protection cannot perform the requested operation.

My hard disk is OK as I already defragged it and ran chkdsk /f in CMD.

Sorry about my rambles, rants and raves. You sure are cool!

Thanks again.

OK, so it appears normal in safe mode, is that correct?

If so, we will turn normal mode into a safe type mode and see if that improves it any.

From Safe Mode

Step 1: Start MSConfig

Click Start, type msconfig in the Start Search box, and then press ENTER.
If you are prompted for an administrator password or for a confirmation, type the password, or provide confirmation.

Step 2: Configure Selective Startup options

1. In the System Configuration Utility dialog box, click Selective Startup on the General tab.

https://dl.dropbox.com/u/73555776/Cleanboot1.JPG

2. Click to clear the Load Startup Items check box.
Note: The Use Original Boot.ini check box is unavailable.

3. Click the Services tab.

https://dl.dropbox.com/u/73555776/cleanboot2.JPG

4. Click to select the Hide All Microsoft Services check box.
5. Click Disable All, and then click OK.
6. When you are prompted, click Restart.

Allow it to go to normal Windows. Is it behaving any better?

If so, then run OTL from there; if not, run OTL from safe mode.

Download OTL to your Desktop
Secondary link

• Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.

https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif

• Select All Users
• Under the Custom Scan box paste this in

netsvcs
BASESERVICES
%SYSTEMDRIVE%*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
winsock.*
/md5stop
CREATERESTOREPOINT

• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
• When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
• Post both logs
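The clean-boot steps above switch off every non-Microsoft service and startup item by hand. The PowerShell script below is an added example, not part of essexboy's instructions or of any tool named in this thread: it lists the same things read-only, so a helper can see what was set to run before anything is disabled. It assumes Windows PowerShell 5.1 (WMF 5.1 on Windows 7) in an elevated console, and it approximates "non-Microsoft" by the Authenticode signer of each service binary rather than by msconfig's own service metadata; that approximation is an assumption of the example.

```powershell
# Added example, not from the thread: a read-only inventory of what msconfig's
# Selective Startup would switch off (non-Microsoft auto-start services, the
# Run keys and the Startup folders), written to the Desktop for a helper to read.
# Assumes Windows PowerShell 5.1 (WMF 5.1 on Windows 7) in an elevated console.

# Turn a service or Run-key command line such as
#   "C:\Program Files\Vendor\svc.exe" -run   or   C:\Windows\x.exe -k netsvcs
# into the bare executable path so it can be signature-checked.
function Get-ExePathFromCommandLine {
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    if ($CommandLine.StartsWith('"')) { return ($CommandLine -split '"')[1] }
    $m = [regex]::Match($CommandLine, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $CommandLine.Split(' ')[0]
}

# Authenticode status and signer subject for one file; FileNotFound when the
# command line points at something that no longer exists (worth noting in itself).
function Get-SignerInfo {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Status = 'FileNotFound'; Signer = '' }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    return [pscustomobject]@{ Status = $sig.Status; Signer = $subject }
}

# 1. Auto-start services whose binary is not signed by Microsoft. This stands in
#    for msconfig's "Hide all Microsoft services" (an assumption of this example);
#    unsigned or missing binaries stay in the list on purpose.
$nonMsServices = Get-CimInstance Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' } |
    ForEach-Object {
        $exe  = Get-ExePathFromCommandLine $_.PathName
        $info = Get-SignerInfo $exe
        [pscustomobject]@{
            Name      = $_.Name
            State     = $_.State
            Exe       = $exe
            SigStatus = $info.Status
            Signer    = $info.Signer
        }
    } |
    Where-Object { $_.Signer -notmatch 'Microsoft' }

# 2. Run keys (what the "Load startup items" box covers) and the Startup folders.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runItems = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath etc.
        $exe  = Get-ExePathFromCommandLine $p.Value
        $info = Get-SignerInfo $exe
        [pscustomobject]@{
            Key       = $key
            Name      = $p.Name
            Command   = $p.Value
            SigStatus = $info.Status
            Signer    = $info.Signer
        }
    }
}
$startupFolders = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
$startupFiles   = Get-ChildItem -Path $startupFolders -File -ErrorAction SilentlyContinue

# Show the three lists and keep a copy on the Desktop for the reply.
$report = Join-Path ([Environment]::GetFolderPath('Desktop')) 'cleanboot-inventory.txt'
$nonMsServices | Format-Table -AutoSize | Out-String | Tee-Object -FilePath $report
$runItems      | Format-Table -AutoSize | Out-String | Tee-Object -FilePath $report -Append
$startupFiles  | Select-Object FullName | Out-String | Tee-Object -FilePath $report -Append
```

Nothing here changes a setting; it only records what Selective Startup is about to turn off. A service whose binary reports FileNotFound or NotSigned, or whose Run-key command points into a user profile or temp folder, is the kind of entry a helper would want to see in the log before the msconfig change is made.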

Hi essexboy!

Thank you again.

I will follow your advice.
My friend told me to shut down my system for 2 days to allow me to cool down. I did so.
Finally, I hit something right.

To all the readers:
Beware of legitimate Windows updates or downloads if your system is infected. Your infected system, with all that nice stuff, will connect with ‘other infected unknown systems to ask you to download other viruses, malware, trojans, etc. masked/disguised as legitimate drivers, updates, etc.’

My Windows updates told me to update my Realtek Audio so I did.

I searched in Google and found out that RAVCpl64.exe is Trojan BtcMine.30.
I ended the process in Windows Task Manager (WTM).
I also ended the process SyTPEnh.exe in Windows Task Manager. Totally delighted.

Windows not responding stopped rather abruptly. In WTM, I looked out for *32 next to the running processes.
The Win 7 file system is NTFS, not FAT32. FAT32 is for Windows 95-Me and XP. Correct me if I am wrong.

Will follow and return answer in a few days probably 3-5 days from now.
Thanks

Actually they are legitimate.

*32 means it is running a 32-bit programme on a 64-bit system.
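To make the *32 point concrete, and to give a way of checking a process such as RAVCpl64.exe from its digital signature rather than from a web search, here is an added PowerShell example; it is not from the thread or from either vendor. It assumes Windows PowerShell 5.1 on 64-bit Windows run from an elevated console, and the IsWow64Process call it declares is the documented kernel32 API that Task Manager's *32 suffix reflects. The two process names passed at the bottom are the ones the poster mentioned, typed exactly as they appear in the thread.

```powershell
# Added example, not from the thread: for each named process, report whether it
# is a 32-bit image running under WOW64 (what Task Manager shows as *32), where
# its executable lives, who signed it, and its SHA-256 hash.
# Assumes Windows PowerShell 5.1 on 64-bit Windows in an elevated console.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool IsWow64Process(IntPtr hProcess, out bool wow64Process);
'@

# $true  -> 32-bit process on 64-bit Windows (Task Manager's *32)
# $false -> native process
# $null  -> the handle could not be opened (protected or higher-integrity process)
function Test-ProcessIsWow64 {
    param([System.Diagnostics.Process]$Process)
    $isWow = $false
    try {
        [void][Win32.Native]::IsWow64Process($Process.Handle, [ref]$isWow)
        return $isWow
    } catch { return $null }
}

function Get-ProcessTrustInfo {
    param([string[]]$Names)
    foreach ($name in $Names) {
        $base  = [IO.Path]::GetFileNameWithoutExtension($name)
        $procs = Get-Process -Name $base -ErrorAction SilentlyContinue
        if (-not $procs) {
            [pscustomobject]@{ Name = $name; ProcessId = $null; Path = '(not running)'
                               Is32BitOn64 = $null; SigStatus = ''; Signer = ''; SHA256 = '' }
            continue
        }
        foreach ($p in $procs) {
            # MainModule access can fail for protected processes; treat that as no path.
            $path = try { $p.Path } catch { $null }
            $sig  = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
            [pscustomobject]@{
                Name        = $name
                ProcessId   = $p.Id
                Path        = $path
                Is32BitOn64 = Test-ProcessIsWow64 $p
                SigStatus   = if ($sig) { $sig.Status } else { 'NoPath' }
                Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                SHA256      = if ($path) { (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash } else { '' }
            }
        }
    }
}

# Process names as typed in the thread; any other image name can be passed instead.
Get-ProcessTrustInfo -Names 'RAVCpl64.exe', 'SyTPEnh.exe' | Format-List
```

Is32BitOn64 = True is what the *32 suffix means and says nothing about trust on its own. SigStatus of Valid with the expected vendor's name in Signer is what a legitimate driver utility looks like; NotSigned or HashMismatch, or a Path under a user profile or temp folder, is what a helper would want quoted in the reply, together with the SHA256 value, before the process is ended.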

Hi essexboy,

OK so it appears normal in safe mode, is that correct ?
No, not really, except that my system is more or less stable compared with the past, and quicker, but not responding still exists.

Turned normal mode into a safe type mode and there is still no improvement at all, except that crashing stopped; freezing is the norm.

I followed your instructions.

After the restart without all the MS drivers, a box with the caption ‘Please Wait’ appeared before Windows Explorer showed.

My system remained the same.
Not responding no longer appears, but Windows is still not responding. Snail-pace response.
I have to repeat an action in order to get it done, i.e. Copy and Paste: I have to do it twice and press Enter 2x before any response.

I can say that driver or startup problems can be omitted.

Something is there.

Ran OTL from normal mode after the changes; still not responding 5 minutes into the scan.
Stopped at C:\Windows\Sysnative\C_28593.CLS

Safe mode failed. The good thing is that my system did not go into BSOD and start making minidumps. It just froze and I had to restart via the off/on button.

Can I use ddr.com?

Thank you very much.

I think I have to use the USB drive option. Very tiring process.
Thank you.

Download the following three programmes to your desktop:

1. Rufus

For 64-bit systems
2. Windows 7 64bit RC
3. Farbar Recovery Scan Tool x64

For 32-bit systems
2. Windows 7 RC
3. Farbar Recovery Scan Tool

Insert the USB stick, then run Rufus.

https://dl.dropbox.com/u/73555776/rufus.JPG

Select the ISO file on the desktop via the ISO icon.

Press Start Burn

https://dl.dropbox.com/u/73555776/RufusISO.JPG

Then copy FRST to the same USB

http://dl.dropbox.com/u/73555776/frstwintoboot.JPG

Insert the USB into the sick computer and start the computer, first ensuring that the system is set to boot from USB.
Note: If you are not sure how to do that, follow the instructions Here

When you reboot you will see this, although yours will say Windows 7.
Click Repair my computer

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7275.jpg

Select your operating system

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277202.jpg

Select Command prompt

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277.jpg

At the command prompt type the following:

notepad and press Enter.
Notepad opens. Under the File menu select Open.
Select “Computer”, find your flash drive letter and close Notepad.
In the command window type e:\frst64.exe and press Enter.
Note: Replace the letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens, click Yes to the disclaimer.

https://dl.dropbox.com/u/73555776/FRST%20Start%20scan.gif

Press the Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it into your reply.

Hi essexboy!

Thank you for the reply.

I will follow your advice.

It has been 3 disastrous days for me since my last reply to you on the 28th March 2013.

I ran DDS in safe mode, it successfully generated 2 logs.
Then disaster hit my system.

Windows Explorer (Not Responding) in safe mode.

I had to hit the radio button after 30 minutes.

Windows restarted in Startup Repair mode for 1 hour.

Startup Repair could not resolve the problem. I shut it off and restarted. It booted into Startup Repair mode and I cancelled it.

It went into System Restore automatically even when I cancelled it.

Now, my system is in a mess. It’s a mix of the old with the new! New files are hidden, old are useless. It’s like in safe mode working as normal mode.

IE can't work, PnP can't detect, DVD is now CD. I can't go online or transfer my files to the USB drive. Wow! What a big basket of mess.

Can Rufus work on CD or DVD?

Me the troublemaker! Sorry about giving you so much trouble.

Nope, but I do have one that will. You should have internet access via Firefox from the Reatogo desktop.

Please print these instructions out so that you know what you are doing.

• Download OTLPENet.exe to your desktop
• Ensure that you have a blank CD in the drive
• Double click OTLPENet.exe and this will then open ImgBurn to burn the file to CD
• Reboot your system using the boot CD you just created.
Note: If you do not know how to set your computer to boot from CD, follow the steps here
• As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads :)
• Your system should now display a Reatogo desktop.
Note: as you are running from CD it is not exactly speedy
• Double-click on the OTLPE icon.
• Select the Windows folder of the infected drive if it asks for a location
• When asked “Do you wish to load the remote registry”, select Yes
• When asked “Do you wish to load remote user profile(s) for scanning”, select Yes
• Ensure the box “Automatically Load All Remaining Users” is checked and press OK
• OTL should now start.
• Drag and drop the attached scan.txt into the Custom scans and fixes box
• Press Run Scan to start the scan.
• When finished, the file will be saved in drive C:\OTL.txt
• Copy this file to your USB drive if you do not have an internet connection on this system.
• Right click the file and select Send to: select the USB drive.
• Confirm that it has copied to the USB drive by selecting it
• You can back up any files that you wish from this OS
• Please post the contents of the C:\OTL.txt file in your reply.

Hi essexboy,

Sorry about the late reply.

I think I can only get all the logs in by 15th April if I can get everything working.

Thank you again.

Hi essexboy,

Thank you for waiting.

Sorry about the late reply.

I could not get all the logs in by 15th April, as everything was not working according to plan.
I managed to get the log (FRST.txt) on the flash drive.
I also found out the FRST.txt log is also on the C: HDD, in the FRST folder.

Please copy and paste it to your reply.
I post it here and not as an attachment.

The FRST log showed the mix of the old Avira, which was deleted long ago, with the new (on Desktop).
After the unauthorised System Restore at Startup Repair on 28th March 2013, Windows 7 is wrecked!

Download OTLPENet.exe to your desktop
Ensure that you have a blank CD in the drive
Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
Reboot your system using the boot CD you just created.

I double clicked but it wants to install on the HDD and run from another PC.

Yes, you can burn OTLPE on any computer and it will then boot the sick one to allow you to back up any files you wish or to run an analysis for me to look at.

Hi essexboy!

I got OTLPENET burned onto the CD and ran it.

Faced some problems again.

• Select the Windows folder of the infected drive if it asks for a location.
I selected D:Windows 7; it responded ‘Run Scanner Error. Target is Windows 2000 or later’.
I cannot get it to scan the whole HDD.
I had to access D:Windows 7 > Windows 7 > Users to scan the HDD.

The task below I did not perform:
• When asked “Do you wish to load the remote registry”, select Yes. It responded ‘Run Scanner Error. Target is Windows 2000 or later’ when I selected D:Windows 7.
I scanned the C:\Users folder, not the whole C:\ HDD.

I accessed D:Windows 7 > Windows 7 > Users and performed the following tasks:
• When asked “Do you wish to load remote user profile(s) for scanning”, select Yes
• Ensure the box “Automatically Load All Remaining Users” is checked and press OK
• OTL should now start.
• Drag and drop the attached scan.txt into the Custom scans and fixes box

The 64-bit scan failed and I used 32-bit only. Scan OK.
Tried the 64-bit scan the first time and it failed as Not Responding at the same Win32\C_28593.NLS file.
Scan 1 32-bit and Scan 2 64-bit, all without loading the remote registry.
Tried the 64-bit scan a second time; scan OK but staggered with Not Responding before all done.

Do I need to do another round of scan since not all tasks are completed?

Did OTL produce a log at all?