My brother-in-law got a hijacker installed somehow.
Now what this particular one does is add to the hosts file:
<IP address> auto.search.msn.com
<IP address> search.msn.com
<IP address> msn.com
<IP address> www.msn.com
The IP address is for royalsearch.net. Upon googling, I got Symantec:

(Full Symantec response here)
http://www.symantec.com/avcenter/ven....bootconf.html
HOWEVER, when the instructions are followed, upon reboot it just redoes it all again.
Virus defs are completely up to date. It's not finding it. Tried the cleaner and Adaware. Adaware nailed some hijacking reg entries, only to have them come back on reboot. The cleaner produced nothing.
It's getting executed from reboot somewhere, yet there's nothing in hklm/blah blah/run, or runonce, all the usual spots, nothing in msconfig and nothing in startup.

Also it changes the start page to coolwebsearch ... that's something NOT mentioned in Symantec.


So my guesses are it's NOT bootconf, though it acts JUST like it, or it's a variant of it that Symantec hasn't got yet... or...????

He is running a free 6-month trial from MS of Windows 2003 Server. I wish he would just buy XP.
But I can't convince him otherwise since free is good...

I think I've gone all I can, google and all, and now I turn to you for help after spending hours on it.
Thanks in advance.
Avenger
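
Added example, not part of the original post: a small Python check that parses hosts-file text and flags the kind of redirect entries described above. The sample file is constructed, and `203.0.113.10` is a documentation placeholder because the post does not give the real address; the generic "non-loopback mapping" rule goes beyond the four hostnames the post lists.

```python
import ipaddress

# Hostnames the post reports being redirected.
WATCHED = {"auto.search.msn.com", "search.msn.com", "msn.com", "www.msn.com"}

def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for each active entry in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed address: not an active entry
        yield line_no, ip, [h.lower().rstrip(".") for h in fields[1:]]

def suspicious_entries(text, watched=WATCHED):
    """Return (line_no, ip, hostname, reason) for entries that point off-box."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue                             # 127.0.0.1, ::1, 0.0.0.0: normal or blocklist
        for name in names:
            reason = ("watched domain redirected" if name in watched
                      else "non-loopback mapping")
            findings.append((line_no, str(ip), name, reason))
    return findings

# Constructed sample input (placeholder addresses, not values from the post).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
203.0.113.10    auto.search.msn.com
203.0.113.10    search.msn.com
203.0.113.10    msn.com www.msn.com   # two names on one line
0.0.0.0         ads.example.invalid
10.0.0.5        fileserver
"""

if __name__ == "__main__":
    for finding in suspicious_entries(SAMPLE_HOSTS):
        print(finding)
```

On Windows the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`; running the check before and after a reboot shows whether the entries were rewritten.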