jacked, locked Hosts file

Help please?
First off - I've lurked here for years and have cleaned many a PC with knowledge picked up here - thanks for that.

My problem. I bought my wife this cute Toshiba 64bit windows 7 laptop a month or so ago. She was thrilled, but, against my advice, loaned it to our 10 year old before I had a chance to load it up with protection. My wife started using it for real a few days ago and started complaining about its weird behavior.

I loaded AVIRA, SS&D and HJT. Booted to safe mode and ran Avira and it found hundreds of infections and cleaned them all. I thought all was cool. But, before turning it back over to my wife I browsed the registry and saw a couple of DNS IP addresses I knew were wrong. Curious, I ran HJT and it told me the Hosts file cannot be accessed. I open it with Notepad (run as administrator) and see dozens of entries that don't belong, delete them... and sure enough I get a "read only" error when I try to save.

Then I ran SS&D. It found several hijacks, but also said it cannot access the Hosts file to correct them. I tried HostsXpert to change the read/write parameters - no luck; same error.

Any suggestions?

I've run through the "read and run first" steps and will post the resulting log files below in a few minutes. After running though all the steps, I still have a hijacked hosts file and HJT and SS&D still error out.

FWIW, the redirects in my Hosts file are almost all 74.125.45.100 and 98.142.243.60

Thanks

 

Adding logs ...

 

Thanks, TimW. Yes, I followed those steps with the addition of right-clicking on HostsXpert and "Run as Administrator". It will not make the file writeable and when I clikc "restore" I get an error messge that the Hosts file is inaccessible.

I'm wondering if fileassassin or something like that might be able to delete the hosts file, so I can recreate it with HostsXpert?

ETA: nope, FileASSASSIN cannot unlock or delete it. WTF?

 

Dang - no dice. It ran and self deleted. I then opened HostsXpert thinking that would be the fastest way to check - the bad hosts file is still there, still won't let me restore.

 

I know its bad when I'm sent to MS support. I didn't mention in my opening post, but I had already found and tried this fix. I've tried both the manual and "fix it for me" versions, they don't work.

Surely there is a way to unlock or delete this damned file!

 

I've tried all of the steps in safe mode as well as regular boot. I Have Spybot and it runs and finds the errors. But, when I click "fix" it also gives the the no access error.

It finds 3 entries for "Microsoft.Windows.RedirectedHosts" and 15 entries for "Fraud.WindowsProtectionSuite". But, it can't do anything about them!

 

Hi TimW, sorry, I was away for the weekend. Here is the spybot log:

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
4-open-davinci.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
securitysoftwarepayments.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
privatesecuredpayments.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
secure.privatesecuredpayments.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
getantivirusplusnow.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
secure-plus-payments.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
www.getantivirusplusnow.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
www.secure-plus-payments.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
www.getavplusnow.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
safebrowsing-cache.google.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
urs.microsoft.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
www.securesoftwarebill.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
secure.paysecuresystem.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
paysoftbillsolution.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
protected.maxisoftwaremart.com=74.125.45.100

Microsoft.Windows.RedirectedHosts: [SBI $B89FBA81] Redirected host (Redirected host, nothing done)
www.securesoftwarebill.com=74.125.45.100

Microsoft.Windows.RedirectedHosts: [SBI $19781685] Redirected host (Redirected host, nothing done)
secure.paysecuresystem.com=74.125.45.100

Microsoft.Windows.RedirectedHosts: [SBI $CEFF52BA] Redirected host (Redirected host, nothing done)
paysoftbillsolution.com=74.125.45.100


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2010-10-15 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2010-06-29 Includes\Adware.sbi (*)
2010-10-12 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-09-22 Includes\Dialer.sbi (*)
2010-10-12 Includes\DialerC.sbi (*)
2010-01-25 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2010-10-12 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2010-08-02 Includes\Keyloggers.sbi (*)
2010-10-12 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2010-09-13 Includes\Malware.sbi (*)
2010-10-12 Includes\MalwareC.sbi (*)
2010-05-18 Includes\PUPS.sbi (*)
2010-10-12 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2010-10-12 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2010-06-29 Includes\Spyware.sbi (*)
2010-10-12 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2010-08-04 Includes\Trojans.sbi (*)
2010-10-12 Includes\TrojansC-02.sbi (*)
2010-10-12 Includes\TrojansC-03.sbi (*)
2010-10-12 Includes\TrojansC-04.sbi (*)
2010-10-12 Includes\TrojansC-05.sbi (*)
2010-10-12 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

 

Thanks TimW!

I also had posted this problem over at the spybot forums and Blad81 there also suggested OTM just a little while ago today. I ran it twice, using scan/fix parameters I was given (VERY similar to yours) and the problem seems to have been fixed - the hosts file is no longer hijacked nor locked.

I'm now updating JRE and a few other things, then removing several of the malware tools I've installed, and then I think my wife's computer will be good to go.

Thanks for all of your help - you guys are indispensable.

Here is my thread at spybot in case it helps:
http://forums.spybot.info/showthread.php?t=59946