Browser Hijacker has p0wn3d me. Help!
 

I'm somewhat of a techie, actually. I keep getting pop-up browser windows on a PC. Here's the system details: Windows 2000 SP4, Athlon 1600 ghz, 256mb DDR. Internet Explorer (of course).

I cannot get rid of this hijacker. They way it works is it puts 25-30 web URL's for shopping sites and shit in my Hosts file (C:\WINNT\System32\Drivers\Etc). I delete them from my Hosts file and they're back in 30 seconds. I delete the Hosts file alltogether and it's back in 30 seconds. I set the Etc directory to read-only and it doesn't matter. I scan with Ad-Aware and Spybot and remove everything and it doesn't matter. AVG anti-virus detects nothing except a change in the Hosts file. Originally, it detected the Trojan.Dropper virus but that appears to be gone after numerous cleanings. I ran Hijack This but didn't seem to find what I needed. I also ran CW Shredder but it's clean. Is there a way to log and record chages to the Host file and which file did the changes? Does this ring familiar with anyone? Does anyone just know the answer?

I am much appreciative in advance.

Do all of the above in safe mode, but make sure you update your definitions beforehand.

I've found that sometimes a manual clean of ALL the active x stuff in internet explorer works (you can redownload the controls as needed... flash, shockwave, etc)
"c:\winnt\Downloaded Program Files" is the dir that those things hide, just delete anything you are not familiar with... especailly stuff that is labeled as weird letters and numbers (basically the windows GUID).

Also you may want to manually look at what's in your startup to see if there is something that's loading and hasn't been put into a definition yet.

My fav program to look at what's in your startup http://www.mlin.net/StartupCPL.shtml

Show us your hijackthis scan.

must be some running process that dosnt belong something thats installing that stuff over as soon as you remove it. after you do figure it out and get it cleaned off i suggest using internet explorer one last time only. go and download mozilla firefox install it and then only use IE when you update windows or on the few rare times firefox dosnt work for some random website.

Thanks for all the suggestions so far! I should know this stuff (hangs head in shame) but I've been on a one-year drinking binge since my divorce and my brain is getting soft :-) (my liver, on the other hand, seems to be getting harder).

I'll let you people know what I find out!

/spyware writers should be shipped to a country that hangs people, like Singapore. Once there, they should be hanged. Twice.

ummm we hang people in he US also...as a matter of fact in Wa. state

I would say grab hijack this
http://www.spywareinfo.com/~merijn/downloads.html
run it and post your log for people to help you with removing the baddies, along with spybot
http://reviews.cnet.com/Spybot_Searc....html?tag=prod
and as always adware
http://reviews.cnet.com/Lavasoft_Ad_...-31349711.html

the most likely culprit right now sounds like theres a .dll file or two that fills in your hosts file. There is probably a temp file of some sort (guard.tmp)? in your profile folder that loads up on bootup to install the .dll files. I find that killbox is a great utility for these kinds of hijackers.

try turning off your system restore, then run your spycheckers and virus checkers on a FULL SYSTEM scan---from safe mode...
they sometimes hide in your system restore files---found seven of them in there myself..VG