Can't delete Desktop.ini

I hope this is the right place to post this:

Avast is telling me there’s a problem with two desktop.ini files, but can’t do anything with them.

(the general problem I was hoping avast could help me with is something like a DNS redirect when I use the web)

I’m including the requested files from OTL and aswMBR.

Thanks in advance!

Essexboy has logged out for today, check back tomorrow

he is usually here around 08:00pm - 11:59pm UK time

Hi, I see you have run ComboFix; could you post the log please? Your Hosts file has been hijacked, hence the redirects.

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
O3 - HKU\S-1-5-21-563604048-2274448410-1346171028-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered, and reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

I got an error when running the fix: “Cannot create file c:\Windows\System32\drivers\etc\Hosts.”

Upon rebooting, I got this:
"Files\Folders moved on Reboot…
File move failed. C:\Windows\System32\drivers\etc\Hosts scheduled to be moved on reboot.

Registry entries deleted on Reboot…"


attached is the requested combofix and the new OTL files.

(Thanks!)

Combofix 3x :o
Running from: F:\ComboFix2.exe (flash drive)

You do not have antivirus.

I installed avast after running this combofix a few days ago. My understanding is I was supposed to upload the previously run combofix log? Should I run it again?

Yes please, but download it to the desktop, as the run you did previously was in minimal mode, i.e. it could not do much.

Do you still have the redirect? Did OTL fail to reset the Hosts file?

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe and follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.

I ran combofix, but I’m not sure it successfully completed? It didn’t output the big log like it usually does. I’ve included what it did output. It did reboot, and I did get some errors about programs being marked for deletion. I did reboot (a couple of times).

My browser is still sometimes being hijacked (specifically to activitycatalogue.com, then someplace else). It’s not consistent (it never has been), but it definitely happens.

Could you run this MS Fix it please to reset your Hosts file, and let me know if that clears the redirects: http://support.microsoft.com/kb/972034

If it does not could you run a fresh OTL scan please and attach that (There will only be one log)

I ran MSFixit, and my browser is still getting hijacked.

I’ve attached the new OTL log.

(thanks for all your help on this!)

Yep, the Hosts file is still hijacked; let's see if OTL can remove the individual lines. After the OTL run, could you retry ComboFix please (allow it to update).

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
O1 - Hosts: 69.72.252.254 www.google-analytics.com
O1 - Hosts: 69.72.252.254 ad-emea.doubleclick.net
O1 - Hosts: 69.72.252.254 www.statcounter.com
O1 - Hosts: 184.95.41.155 www.google-analytics.com
O1 - Hosts: 184.95.41.155 ad-emea.doubleclick.net
O1 - Hosts: 184.95.41.155 www.statcounter.com

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered, and reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
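As an added illustration, not part of this thread or of OTL, ComboFix or any other tool used in it: a small Python audit that parses a Windows-style Hosts file and reports the pattern the O1 lines above show, namely well-known hostnames pinned to public addresses rather than loopback, 0.0.0.0 or a LAN address. The sample content is constructed for this example and mirrors the entries quoted in the fix.

```python
import ipaddress
import sys

# Constructed sample: the six non-loopback lines mirror the OTL O1 entries
# quoted in the thread; the last line shows the benign ad-blocking pattern.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
69.72.252.254   www.google-analytics.com
69.72.252.254   ad-emea.doubleclick.net
69.72.252.254   www.statcounter.com
184.95.41.155   www.google-analytics.com
184.95.41.155   ad-emea.doubleclick.net
184.95.41.155   www.statcounter.com
0.0.0.0         ads.example   # blackholing to 0.0.0.0 is the legitimate use
"""

def parse_hosts(text):
    """Yield (ip_address, hostname) for each mapping; skip comments and junk."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address, so not a mapping line
        for host in fields[1:]:
            yield ip, host.lower()

def find_hijacks(text):
    """Map hostname -> set of public IPs it is pinned to. Legitimate entries
    point at loopback, 0.0.0.0 or LAN addresses; a public one means lookups
    for that name are silently redirected, exactly the symptom in the thread."""
    hits = {}
    for ip, host in parse_hosts(text):
        if ip.is_global:
            hits.setdefault(host, set()).add(str(ip))
    return hits

if __name__ == "__main__":
    # Audit the file given on the command line, else the built-in sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            data = fh.read()
    else:
        data = SAMPLE_HOSTS
    for host, ips in sorted(find_hijacks(data).items()):
        print(f"{host} -> {', '.join(sorted(ips))}")
```

On the affected machine it would be run as `python hosts_audit.py C:\Windows\System32\drivers\etc\hosts`; reading the file needs no special rights even when, as in this thread, writing to it is blocked.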

When I tried running the fix, I got an error, “Cannot create file c:\windows\System32\drivers\etc\Hosts”, and then OTL just sat there.

I’m including the OTL log and the ComboFix log.

(And I’m still getting hijacked)

…and the OTL log

Until we can reset the Hosts file, the hijacks will continue.

Download the HostsXpert 3.7 - Hosts File Manager.

  • Unzip HostsXpert 3.7 - Hosts File Manager to a convenient folder such as C:\HostsXpert
  • Click HostsXpert.exe to run HostsXpert 3.7 - Hosts File Manager from its new home.
  • Click “Make Hosts Writable?” in the upper right corner (if available).
  • Click Restore Microsoft’s Hosts file and then click OK.
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

When I ran HostsXpert, I clicked “ok” to the dialog boxes that asked if I wanted to remove the system file attribute and the hidden file attribute. The “make writable” was locked and red, and clicking “Restore MS Hosts” file gave me this error: “Cannot create file c:\windows\System32\drivers\etc\Hosts”.

(bummer)

OK, let's remove that protection permanently.

  1. Please download The Avenger by Swandog46 to your Desktop.

     • Right click on the Avenger.zip folder and select “Extract All…”
     • Follow the prompts and extract the avenger folder to your desktop.

  2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:
Files to delete:
C:\WINDOWS\system32\drivers\etc\hosts


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

http://i1224.photobucket.com/albums/ee362/Essexboy3/Avenger%20shots/avengerico.gif

     • Accept the disclaimer.

http://i1224.photobucket.com/albums/ee362/Essexboy3/Avenger%20shots/avengerdisclaimer.gif

     • Right click on the window under Input script here:, and select Paste.

http://i1224.photobucket.com/albums/ee362/Essexboy3/Avenger%20shots/avengerfront.gif

     • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
     • Click on Execute.
     • Answer “Yes” twice when prompted.

  4. The Avenger will automatically do the following:

     • It will restart your computer. (In cases where the code to execute contains “Drivers to Delete”, The Avenger will actually restart your system twice.)
     • On reboot, it will briefly open a black command window on your desktop; this is normal.
     • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
     • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

  5. Please copy/paste the content of c:\avenger.txt into your reply.

I ran the program with the text pasted into it. The computer restarted, and I briefly got the black command window, but I don’t see a log file (I searched the whole drive), and there’s no c:\avenger\ directory. I tried it twice to be sure I did it right, and got the same result.

Could you run a quick OTL scan please

Sure!

O1 - Hosts: 69.72.252.254 www.google-analytics.com
O1 - Hosts: 69.72.252.254 ad-emea.doubleclick.net
O1 - Hosts: 69.72.252.254 www.statcounter.com
O1 - Hosts: 184.95.41.155 www.google-analytics.com
O1 - Hosts: 184.95.41.155 ad-emea.doubleclick.net
O1 - Hosts: 184.95.41.155 www.statcounter.com
Still there - it will not beat me
  1. Close any open browsers.

  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  3. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\drivers\etc\hosts

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.