Can't delete Desktop.ini

[snoman]

I hope this is the right place to post this:

Avast is telling me there's a problem with two desktop.ini files, but can't do anything with them. 

(the general problem I was hoping avast could help me with is something like a DNS redirect when I use the web)

I'm including the requested files from OTL and aswMBR.

Thanks in advance!

[Pondus]

Essexboy has logged out for today, check back tomorrow

he is usually here around 08:00pm - 11:59pm UK time

[essexboy]

Hi I see you have run combofix, could you post the log please.  You HOST file has been hijacked, hence the redirects
 

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  

  :OTL
  O3 - HKU\S-1-5-21-563604048-2274448410-1346171028-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
  
  :Files
  ipconfig /flushdns /c
  
  :Commands
  [purity]
  [resethosts]
  [emptytemp]
  [CREATERESTOREPOINT]
  [Reboot]
• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

[snoman]

I got an error when running the fix:  "Cannot create file c:\Windows\System32\drivers\etc\Hosts."

Upon rebooting, I got this:
"Files\Folders moved on Reboot...
File move failed. C:\Windows\System32\drivers\etc\Hosts scheduled to be moved on reboot.

Registry entries deleted on Reboot..."

**

attached is the requested combofix and the new OTL files.

(Thanks!)

[argus]

Combofix 3x 
Running from: F:\ComboFix2.exe (flash drive)

You do not have antivirus.

[snoman]

I installed avast after running this combofix a few days ago.  My understanding is I was supposed to upload the previously run combofix log?  Should I run it again?

[essexboy]

Yes please but download to the desktop, as the run you did previously was in the minimal mode..  I.e. it could not do much

Do you still have the redirect, did OTL fail to reset the host file

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

• Double click on ComboFix.exe & follow the prompts.
  
• Accept the disclaimer and allow to update if it asks

• When finished, it shall produce a log for you.
• Please include the C:\ComboFix.txt in your next reply.[/b]
  

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3.  If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.



Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

[snoman]

I ran combofix, but I'm not sure it successfully completed?  It didn't output the big log like it usually does.  I've included what it did output.  It did reboot, and I did get some errors about programs being marked for deletion.  I did reboot (a couple of times).

My browser is still sometimes being hijacked (specifically to activitycatalogue.com, then someplace else).  It's not consistent (it never has been), but it definitely happens.

[essexboy]

Could you ruin this MSFixit please to reset your Host file and let me know if that clears the redirects http://support.microsoft.com/kb/972034

If it does not could you run a fresh OTL scan please and attach that (There will only be one log)

[snoman]

I ran MSFixit, and my browser is still getting hijacked.

I've attached the new OTL log.

(thanks for all your help on this!)

[essexboy]

Yep the Hosts file is still hijacked, lets see if OTL can remove the individual lines.  After the OTL run could you retry combofix please (allow it to update) 

 Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  

  :OTL
  O1 - Hosts: 69.72.252.254 www.google-analytics.com.
  O1 - Hosts: 69.72.252.254 ad-emea.doubleclick.net.
  O1 - Hosts: 69.72.252.254 www.statcounter.com.
  O1 - Hosts: 184.95.41.155 www.google-analytics.com.
  O1 - Hosts: 184.95.41.155 ad-emea.doubleclick.net.
  O1 - Hosts: 184.95.41.155 www.statcounter.com.
  
  :Files
  ipconfig /flushdns /c
  
  :Commands
  [purity]
  [resethosts]
  [emptytemp]
  [CREATERESTOREPOINT]
  [Reboot]
• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

[snoman]

When I tried running the fix, I got an error, "Cannot create file c:\windows\System32\drivers\etc\Hosts", and then OTL just sat there.

I'm incluiding the OTL log and the combofix log.

(And I'm still getting hijacked)

[snoman]

...and the OTL log

[essexboy]

Until we can reset the host file the hijacks will continue

Download the HostsXpert 3.7 - Hosts File Manager.

• Unzip HostsXpert 3.7 - Hosts File Manager to a convenient folder such as C:\HostsXpert
  
• Click HostsXpert.exe to Run HostsXpert 3.7 - Hosts File Manager from its new home
  
• Click "Make Hosts Writable?"  in the upper right corner (If available).
  
• Click Restore Microsoft's Hosts file and then click OK.
  
• Click the X to exit the program.
  
• Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

[snoman]

When I ran HostsXpert, I clicked "ok" to the dialog boxes that asked if I wanted to remove the system file attribute and the hidden file attribute.  The "make writable" was locked and red, and clicking "Restore MS Hosts" file gave me this error:  "Cannot create file c:\windows\System32\drivers\etc\Hosts".

(bummer)