Author Topic: [Resolved] Avast won't open, and http doesn't work  (Read 26189 times)


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Avast won't open, and http doesn't work
« Reply #30 on: August 22, 2010, 06:36:56 PM »
Hi, let's try this first; if it fails, go to Plan B

 Note: If using Firefox, right-click on any download links and choose Save As, as these are .scr files and FF interprets them as text

Please download OTH to your desktop
Please download OTL  to your desktop
Please download the attached file Scan.txt to your desktop

Double click the OTH file to run it and click Kill All Processes, your desktop will go blank.



Then select Start OTL. OTL will now run

  • Double-click on the Custom Scans box and a message box will popup asking if you want to load a custom scan from a file
    Select Scan.txt that you downloaded

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Click the Internet Explorer button, post these logs in your Virus Removal topic.
Plan B

Download Rkill from here: there are several flavours to choose from; if one does not work then try the next

* rkill.com
* rkill.scr
* rkill.pif


Once it is downloaded, double-click on rkill in order to automatically attempt to stop any processes associated with Security Central and other Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by Security Central when it terminates programs that may potentially remove it. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate Security Central. So, please try running Rkill until malware is no longer running. You will then be able to proceed with the rest of my instructions.

Do not reboot your computer after running rkill as the malware programs will start again.

Then run OTL as above

Classic

  • Guest
Re: Avast won't open, and http doesn't work
« Reply #31 on: August 22, 2010, 08:01:23 PM »
The process of dragging the OTH to my desktop causes everything to lock up. The dialog box is frozen and won't change. I tried running rkill, but it's stuck too. The circle over the cursor is just spinning, nothing is happening.

Classic

  • Guest
Re: Avast won't open, and http doesn't work
« Reply #32 on: August 22, 2010, 08:06:31 PM »
Windows eventually crashed. I'm trying to restart explorer.exe without rebooting, but it's still locked up. I can't access the start menu, let alone the drive that rkill is on.  :'(

Offline essexboy

Re: Avast won't open, and http doesn't work
« Reply #33 on: August 22, 2010, 10:46:19 PM »
Do you have access to a CD and a computer with a CD burner?

Please print these instructions out so that you know what you are doing

File details OTLPENet.exe
Bytes=126,850,486
MB=120.9
MD5=8A7C5BA1C92552ADDCC5E468D0AA069A

  • Download OTLPENet.exe to your desktop
  • Ensure that you have a blank CD in the drive
  • Double click OTLPENet.exe and this will then open imgburn  to burn the file to CD

  • Reboot your system using the boot CD you just created.
Note : If you do not know how to set your computer to boot from CD follow the steps here
  • As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads  :) 
  • Your system should now display a Reatogo desktop.
Note : as you are running from CD it is not exactly speedy
  • Double-click on the OTLPE icon.
  • Select the Windows folder of the infected drive if it asks for a location
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Drag and drop this attached scan.txt into the Custom scans and fixes box
  • Press Run Scan to start the scan.
  • When finished, the file will be saved  in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system.
  • Right click the file and select send to : select the USB drive. 
  • Confirm that it has copied to the USB drive by selecting it
  • You can backup any files that you wish from this OS
  • Please post the contents of the C:\OTL.txt file in your reply.
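
The post above publishes a byte count and an MD5 for OTLPENet.exe. As an added example (not part of the original post and not part of any tool it mentions), this Python sketch parses that "File details" block and checks a downloaded file against it before it is burned to CD; the file location is an assumption. MD5 is the only digest the post gives, so the check catches a truncated or corrupted download rather than a deliberately forged file.

```python
import hashlib
import os
import re

# "File details" block exactly as published in the post above.
FILE_DETAILS = """\
Bytes=126,850,486
MB=120.9
MD5=8A7C5BA1C92552ADDCC5E468D0AA069A
"""

def parse_file_details(text):
    """Extract the expected byte count and MD5 from a Bytes=/MD5= block."""
    size = re.search(r"^Bytes=([\d,]+)\s*$", text, re.MULTILINE)
    md5 = re.search(r"^MD5=([0-9A-Fa-f]{32})\s*$", text, re.MULTILINE)
    if not size or not md5:
        raise ValueError("file details block is missing Bytes= or MD5=")
    return int(size.group(1).replace(",", "")), md5.group(1).lower()

def verify_download(path, expected_size, expected_md5):
    """Return a list of mismatches; an empty list means the file matches."""
    problems = []
    actual_size = os.path.getsize(path)
    if actual_size != expected_size:
        # Wrong length already proves a mismatch: skip hashing ~120 MB.
        problems.append(f"size {actual_size} != {expected_size}")
        return problems
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        # Hash in 1 MiB chunks so the whole image is never held in memory.
        for block in iter(lambda: fh.read(1 << 20), b""):
            digest.update(block)
    if digest.hexdigest() != expected_md5.lower():
        problems.append(f"md5 {digest.hexdigest()} != {expected_md5.lower()}")
    return problems

if __name__ == "__main__":
    size, md5 = parse_file_details(FILE_DETAILS)
    target = "OTLPENet.exe"  # assumption: file saved in the current directory
    if os.path.exists(target):
        print(verify_download(target, size, md5) or "OK: matches published details")
    else:
        print(f"{target} not found; expected {size} bytes, MD5 {md5}")
```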

Classic

  • Guest
Re: Avast won't open, and http doesn't work
« Reply #34 on: August 22, 2010, 10:46:59 PM »
Okay, the PC finally became unusable, so I was forced to reboot. I ran OTH, and used that to run OTL with the custom scan.txt

Thanks essexboy. I've attached the two text files.

What's my next step?

Offline essexboy

Re: Avast won't open, and http doesn't work
« Reply #35 on: August 22, 2010, 10:54:26 PM »
Looks like we may have a well hidden rootkit here

Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

Offline essexboy

Re: Avast won't open, and http doesn't work
« Reply #36 on: August 22, 2010, 10:56:59 PM »
Quote
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 6.81 Gb Free Space | 2.92% Space Free | Partition Type: NTFS
Drive D: | 596.17 Gb Total Space | 4.94 Gb Free Space | 0.83% Space Free | Partition Type: NTFS
Drive F: | 931.51 Gb Total Space | 0.77 Gb Free Space | 0.08% Space Free | Partition Type: NTFS
This is also a very severe problem - you have no drive space left - you will need to clear at least 15% from each drive
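
The reply above reads the free-space lines of the OTL log and asks for at least 15% free on each drive. As an added example (not part of the original post and not OTL's own code), this Python sketch parses those drive lines and works out how much has to be cleared per drive to reach that figure; the Drive J line is the one quoted in a later reply of this thread, included to exercise the Mb unit.

```python
import re

# Drive lines as quoted from the OTL log in this thread.
OTL_DRIVES = """\
Drive C: | 232.88 Gb Total Space | 6.81 Gb Free Space | 2.92% Space Free | Partition Type: NTFS
Drive D: | 596.17 Gb Total Space | 4.94 Gb Free Space | 0.83% Space Free | Partition Type: NTFS
Drive F: | 931.51 Gb Total Space | 0.77 Gb Free Space | 0.08% Space Free | Partition Type: NTFS
Drive J: | 973.17 Mb Total Space | 531.34 Mb Free Space | 54.60% Space Free | Partition Type: FAT
"""

DRIVE_RE = re.compile(
    r"Drive (?P<letter>[A-Z]): \| (?P<total>[\d.]+) (?P<tu>Gb|Mb) Total Space \| "
    r"(?P<free>[\d.]+) (?P<fu>Gb|Mb) Free Space \| (?P<pct>[\d.]+)% Space Free"
)

# OTL mixes units between drives, so normalise everything to Gb.
TO_GB = {"Gb": 1.0, "Mb": 1.0 / 1024}

def parse_drives(text):
    """Return one dict per drive line with sizes in Gb and recomputed % free."""
    drives = []
    for m in DRIVE_RE.finditer(text):
        total = float(m["total"]) * TO_GB[m["tu"]]
        free = float(m["free"]) * TO_GB[m["fu"]]
        drives.append({
            "letter": m["letter"],
            "total_gb": total,
            "free_gb": free,
            "pct_free": 100.0 * free / total,
        })
    return drives

def space_to_free(drives, target_pct=15.0):
    """Return {drive letter: Gb to clear} for drives below target_pct free."""
    shortfall = {}
    for d in drives:
        if d["pct_free"] < target_pct:
            needed = d["total_gb"] * target_pct / 100.0 - d["free_gb"]
            shortfall[d["letter"]] = round(needed, 2)
    return shortfall

if __name__ == "__main__":
    for letter, gb in space_to_free(parse_drives(OTL_DRIVES)).items():
        print(f"Drive {letter}: clear about {gb} Gb to reach 15% free")
```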

Classic

  • Guest
Re: Avast won't open, and http doesn't work
« Reply #37 on: August 22, 2010, 11:03:43 PM »
Thanks for the quick response.

Can this Combofix actually fix what's wrong, or just produce more reports? I did something similar to this last year, and ended up having to reformat. If I have to do that again anyway, I'd just as soon not waste Sunday downloading virus programs. If you had to guess based on the OTL report, what's my next step after pasting the Combofix report?

Classic

  • Guest
Re: Avast won't open, and http doesn't work
« Reply #38 on: August 22, 2010, 11:05:47 PM »
Also, should I try to install Malwarebytes now that OTH can kill processes, or is Combofix better than Malwarebytes?

Offline essexboy

Re: Avast won't open, and http doesn't work
« Reply #39 on: August 22, 2010, 11:08:47 PM »
In fact, in retrospect, I reckon if you clear at least 10 - 15% from your C drive things may well start working again.  Ignore combofix for now and let's try to make some room to work with.  This programme will clear your temporary files - but you do need to move some files (MP3, Pictures, movies) over to the drive which has lots of room on it:

Drive J: | 973.17 Mb Total Space | 531.34 Mb Free Space | 54.60% Space Free | Partition Type: FAT

Clear Cache/Temp Files
Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.  Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Classic

  • Guest
Re: Avast won't open, and http doesn't work
« Reply #40 on: August 22, 2010, 11:12:54 PM »
I'm pretty sure I have malware, specifically a variant of the Gumblar virus. I don't think clearing space on my hard drive is going to solve that. It's not running slowly since the reboot, I just believe it to be infected still. I could be wrong though, what's the best way to check that?

Offline essexboy

Re: Avast won't open, and http doesn't work
« Reply #41 on: August 22, 2010, 11:21:49 PM »
When Windows operates, memory and data are continually swapped from RAM to the HDD as more programmes are used. At the moment you have no spare capacity on your hard drive, so the system will get slower and slower as all available RAM is used until it freezes.  OTH cleared all processes from memory so the system could commence working again.  From the OTL scan there was nothing running that would stop your programmes from running

Run TFC and let me know how much space that clears, then you must look at either deleting unused programmes or moving data files to another drive.  Otherwise any removal tools I use could break your system

Classic

  • Guest
Re: Avast won't open, and http doesn't work
« Reply #42 on: August 22, 2010, 11:25:12 PM »
I have 7 gigs free on my C drive, and 4 gigs ram. How am I going to break my system by removing a virus? I don't quite follow.

Offline essexboy

Re: Avast won't open, and http doesn't work
« Reply #43 on: August 22, 2010, 11:29:54 PM »
There will be a lot of file movement whilst the tools are working, and if the system runs out of RAM or swap space a file switch may be disrupted halfway through - you could then end up with a missing system file that stops the boot or system operation

Classic

  • Guest
Re: Avast won't open, and http doesn't work
« Reply #44 on: August 22, 2010, 11:35:44 PM »
Okay, I'm going to clear about 80 gigs from my C drive and come back. It should take a while.

What's next after that?

Also, Avast is working now, so I'm running a full scan while I move some larger files from drive C. I'll report what it says.