Hi, I see you have run ComboFix; could you post the log, please? Your HOST file has been hijacked, hence the redirects.
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following:
:OTL
O3 - HKU\S-1-5-21-563604048-2274448410-1346171028-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
- Then click the Run Fix button at the top.
- Let the program run unhindered; reboot the PC when it is done.
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
I installed avast after running this combofix a few days ago. My understanding is I was supposed to upload the previously run combofix log? Should I run it again?
Yes please, but download it to the desktop, as the run you did previously was in the minimal mode, i.e. it could not do much.
Do you still have the redirect? Did OTL fail to reset the host file?
Download and Install Combofix
Download ComboFix from one of the following locations: Link 1 Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
- Double-click on ComboFix.exe and follow the prompts.
- Accept the disclaimer and allow it to update if it asks.
I ran combofix, but I’m not sure it successfully completed? It didn’t output the big log like it usually does. I’ve included what it did output. It did reboot, and I did get some errors about programs being marked for deletion. I did reboot (a couple of times).
My browser is still sometimes being hijacked (specifically to activitycatalogue.com, then someplace else). It’s not consistent (it never has been), but it definitely happens.
Yep, the Hosts file is still hijacked; let's see if OTL can remove the individual lines. After the OTL run, could you retry ComboFix, please (allow it to update)?
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
- Then click the Run Fix button at the top.
- Let the program run unhindered; reboot the PC when it is done.
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
- Unzip HostsXpert 3.7 - Hosts File Manager to a convenient folder such as C:\HostsXpert
- Click HostsXpert.exe to run HostsXpert 3.7 - Hosts File Manager from its new home.
- Click “Make Hosts Writable?” in the upper right corner (if available).
- Click Restore Microsoft’s Hosts file and then click OK.
- Click the X to exit the program.
- Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
When I ran HostsXpert, I clicked “ok” to the dialog boxes that asked if I wanted to remove the system file attribute and the hidden file attribute. The “make writable” was locked and red, and clicking “Restore MS Hosts” file gave me this error: “Cannot create file c:\windows\System32\drivers\etc\Hosts”.
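Added example, not part of any post in this thread: a read-only Python check for the two things discussed above, which entries in a hosts file send names to another server and which attributes (read-only, hidden, system) are set on the file. The sample content, the `DEFAULT_NAMES` allowlist and the function names are constructed for illustration.

```python
import ipaddress
import os

# Assumption for this example: only "localhost" belongs in a stock hosts file.
DEFAULT_NAMES = {"localhost"}

# Constructed sample content, not taken from the thread (203.0.113.0/24 is a documentation range).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.example.com example.com
0.0.0.0         ads.example.org   # blocking entry
not-an-ip       search.example.net
"""

def audit_hosts(text):
    """Return (line_no, kind, address, names) for every entry that is not a stock mapping."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue                            # blank, comment-only or incomplete line
        ip, names = fields[0], fields[1:]
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((n, "malformed", ip, names))
            continue
        if addr.is_loopback and all(h.lower() in DEFAULT_NAMES for h in names):
            continue                            # stock localhost mapping
        # Loopback or 0.0.0.0 only blocks a name; any other address redirects it.
        kind = "block" if (addr.is_loopback or addr.is_unspecified) else "redirect"
        findings.append((n, kind, ip, names))
    return findings

def attribute_flags(path):
    """List the Windows attributes set on path; empty on platforms without them."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    wanted = {"read-only": 0x1, "hidden": 0x2, "system": 0x4}  # FILE_ATTRIBUTE_* bit values
    return [name for name, bit in wanted.items() if attrs & bit]

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

On Windows, pass the real file's text to `audit_hosts` and its path to `attribute_flags`; neither function writes to the file.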
Please download The Avenger by Swandog46 to your Desktop.
- Right click on the Avenger.zip folder and select “Extract All…”
- Follow the prompts and extract the avenger folder to your desktop.
Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Begin copying here:
Files to delete:
C:\WINDOWS\system32\drivers\etc\hosts
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
Now, open the avenger folder and start The Avenger program by clicking on its icon.
- You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
- Click on Execute.
- Answer “Yes” twice when prompted.
The Avenger will automatically do the following:
- It will restart your computer. (In cases where the code to execute contains “Drivers to Delete”, The Avenger will actually restart your system twice.)
- On reboot, it will briefly open a black command window on your desktop; this is normal.
- After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
- The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please copy/paste the content of c:\avenger.txt into your reply.
I ran the program with the text pasted into it. The computer restarted, and I briefly got the black command window, but I don’t see a log file (I searched the whole drive), and there’s no c:\avenger\ directory. I tried it twice to be sure I did it right, and got the same result.