#1 (permalink) |
|
Crazy
Join Date: Apr 2003
Location: Seattle area
|
Browser Hijacker has p0wn3d me. Help!
I'm somewhat of a techie, actually. I keep getting pop-up browser windows on a PC. Here are the system details: Windows 2000 SP4, Athlon 1600 ghz, 256mb DDR. Internet Explorer (of course).
I cannot get rid of this hijacker. The way it works is it puts 25-30 web URLs for shopping sites and shit in my Hosts file (C:\WINNT\System32\Drivers\Etc). I delete them from my Hosts file and they're back in 30 seconds. I delete the Hosts file altogether and it's back in 30 seconds. I set the Etc directory to read-only and it doesn't matter. I scan with Ad-Aware and Spybot and remove everything and it doesn't matter. AVG anti-virus detects nothing except a change in the Hosts file. Originally, it detected the Trojan.Dropper virus but that appears to be gone after numerous cleanings. I ran Hijack This but didn't seem to find what I needed. I also ran CW Shredder but it's clean. Is there a way to log and record changes to the Hosts file and which file did the changes? Does this ring familiar with anyone? Does anyone just know the answer? I am much appreciative in advance.
__________________
Remember last year when my Sig File advocated voting wisely in the 2004 Election? Well, we now have an Attorney General who is sicking the FBI on pr0n. All I can say is, I told you so! |
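On the question above about logging changes to the Hosts file, here is an added example (not part of the original thread or any poster's code): it polls the file, diffs each copy against a known-clean baseline, and logs a timestamped line for every rewrite. The function names `parse_hosts`, `diff_hosts` and `watch` and the sample entries are constructed for illustration. Polling shows when and what was rewritten, not which process did it; attributing the write needs OS-level file auditing or a file-activity monitor.

```python
import time
from pathlib import Path

# Addresses that keep a name local (blocking); anything else sends traffic elsewhere.
LOCAL_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

def parse_hosts(text):
    """Return {hostname: ip} for each mapping in hosts-file text."""
    entries = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # strip comment, split on whitespace
        if len(fields) >= 2:                     # need an address and at least one name
            for name in fields[1:]:
                entries[name.lower()] = fields[0]
    return entries

def diff_hosts(baseline, current):
    """Compare two snapshots and report what changed between them."""
    old, new = parse_hosts(baseline), parse_hosts(current)
    added = {h: ip for h, ip in new.items() if h not in old}
    return {
        "added": added,
        "removed": sorted(h for h in old if h not in new),
        "repointed": {h: (old[h], new[h]) for h in new if h in old and old[h] != new[h]},
        "redirects": sorted(h for h, ip in added.items() if ip not in LOCAL_ADDRS),
    }

def watch(path, baseline, interval=5, polls=12, log=print):
    """Poll the hosts file and log a timestamped line for each change from baseline."""
    events = []
    for _ in range(polls):
        p = Path(path)
        current = p.read_text(errors="replace") if p.exists() else ""
        report = diff_hosts(baseline, current)
        if report["added"] or report["removed"] or report["repointed"]:
            stamp = time.strftime("%Y-%m-%d %H:%M:%S")
            events.append((stamp, report))
            log(f"{stamp} hosts changed: +{len(report['added'])} "
                f"-{len(report['removed'])} redirects={report['redirects']}")
            baseline = current            # report each rewrite once
        time.sleep(interval)
    return events

# Constructed sample snapshots (not taken from the thread).
CLEAN = "127.0.0.1 localhost\n"
HIJACKED = CLEAN + "203.0.113.7 shop.example.com www.shop.example.com  # constructed\n"
```

With the file re-populated every 30 seconds as described, the timestamps from `watch` can be lined up against process start times or scheduled activity to narrow down what is rewriting it.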
|
|
|
|
|
#3 (permalink) |
|
Not so great lurker
Join Date: Apr 2003
Location: NY
|
I've found that sometimes a manual clean of ALL the ActiveX stuff in Internet Explorer works (you can redownload the controls as needed... Flash, Shockwave, etc.)
"c:\winnt\Downloaded Program Files" is the dir where those things hide, just delete anything you are not familiar with... especially stuff that is labeled as weird letters and numbers (basically the Windows GUID). Also you may want to manually look at what's in your startup to see if there is something that's loading and hasn't been put into a definition yet. My fav program to look at what's in your startup: http://www.mlin.net/StartupCPL.shtml
|
|
|
|
|
#4 (permalink) |
|
Adequate
Join Date: Nov 2004
Location: In my angry-dome.
|
Show us your hijackthis scan.
__________________
There are a vast number of people who are uninformed and heavily propagandized, but fundamentally decent. The propaganda that inundates them is effective when unchallenged, but much of it goes only skin deep. If they can be brought to raise questions and apply their decent instincts and basic intelligence, many people quickly escape the confines of the doctrinal system and are willing to do something to help others who are really suffering and oppressed." -Manufacturing Consent: Noam Chomsky and the Media, p. 195 |
|
|
|
|
|
#5 (permalink) |
|
I want a Plaid crayon
Join Date: Apr 2003
|
Must be some running process that doesn't belong, something that's installing that stuff over as soon as you remove it. After you do figure it out and get it cleaned off, I suggest using Internet Explorer one last time only. Go and download Mozilla Firefox, install it, and then only use IE when you update Windows or on the few rare times Firefox doesn't work for some random website.
|
|
|
|
|
|
#6 (permalink) |
|
Crazy
Join Date: Apr 2003
Location: Seattle area
|
Thanks for all the suggestions so far! I should know this stuff (hangs head in shame) but I've been on a one-year drinking binge since my divorce and my brain is getting soft :-) (my liver, on the other hand, seems to be getting harder).
I'll let you people know what I find out! /spyware writers should be shipped to a country that hangs people, like Singapore. Once there, they should be hanged. Twice. |
|
|
|
|
|
#7 (permalink) |
|
this space for rent
Join Date: Apr 2003
Location: Grants Pass OR
|
Ummm, we hang people in the US also... as a matter of fact, in WA state.
__________________
"If gun laws in fact worked, the sponsors of this type of legislation should have no difficulty drawing upon long lists of examples of crime rates reduced by such legislation. That they cannot do so after a century and a half of trying--that they must sweep under the rug the southern attempts at gun control in the 1870-1910 period, the northeastern attempts in the 1920-1939 period, the attempts at both Federal and State levels in 1965-1976--establishes the repeated, complete and inevitable failure of gun laws to control serious crime." Senator Orrin Hatch, Chairman, Senate Judiciary Committee Subcommittee on the Constitution, 97th Cong., 2d Sess., The Right to Keep and Bear Arms, Committee Print I-IX, 1-23 (1982). |
|
|
|
|
|
#8 (permalink) |
|
Alex Smith is a BUST
Join Date: Apr 2003
Location: Watching the game
|
I would say grab HijackThis http://www.spywareinfo.com/~merijn/downloads.html, run it and post your log for people to help you with removing the baddies, along with Spybot http://reviews.cnet.com/Spybot_Searc....html?tag=prod and as always Ad-Aware http://reviews.cnet.com/Lavasoft_Ad_...-31349711.html
__________________
Spank you very much |
|
|
|
|
|
#9 (permalink) |
|
Junkie
Join Date: Apr 2004
Location: bedford, tx
|
The most likely culprit right now sounds like there's a .dll file or two that fills in your hosts file. There is probably a temp file of some sort (guard.tmp)? in your profile folder that loads up on bootup to install the .dll files. I find that killbox is a great utility for these kinds of hijackers.
__________________
"On every question of construction, let us carry ourselves back to the time when the Constitution was adopted, recollect the spirit manifested in the debates, and instead of trying what meaning may be squeezed out of the text, or invented against it, conform to the probable one in which it was passed." thomas jefferson |
|
|
|
|
|
#10 (permalink) |
|
Registered User
Join Date: Apr 2003
Location: Deep South Texas
|
Try turning off your system restore, then run your spycheckers and virus checkers on a FULL SYSTEM scan, from safe mode...
They sometimes hide in your system restore files. Found seven of them in there myself. VG