ARGHH! - Browser Problems
OK - I'm like pulling my hair out with frustration down here in Aus land. This is my last resort, so I am asking for help from people more knowledgeable than me.
I kept getting pop-up ads, so I got SpyBot to try and remove it....it removed a lot of stuff but didn't remove the pop-up ads. When I type the web address www.google.com into the address bar, I get a page called RoyalSearch.net.....what the hell?!?!?? So then I went to the registry and had a play around there......no joy, so I used IE Eradicator and installed Mozilla instead (bloody MS).......and yet after all this I still get the same problem.....i.e. type in google.com or yahoo.com and get RoyalSearch.net instead.
So now I'm here asking for your help.
Should I reinstall my Windows 2K op. sys. or is there something better I could do??
Any help is greatly appreciated.
Thanks
P.S -> Go the Wallabies!! :D
pave_spectre
11-21-2003, 09:28 AM
Definitely sounds like you have picked up a nasty hijacker.
Aside from the usual AV scans try downloading and running HijackThis (http://www.spywareinfo.com/~merijn/index.html) then copy and paste the log here for the experts to have a look at.
Come on the Wallabies!! Waltz that freakin Matilda!! :D
shanmuga
11-21-2003, 09:30 AM
Seems that you have been hijacked. Download HijackThis (http://www.spywareinfo.com/~merijn/files/hijackthis.zip), run it and post the log for analysis here.
edit: oops pave_spectre. :p
Hey Team,
Thanks for the quick responses - here are the results from HijackThis
Logfile of HijackThis v1.97.7
Scan saved at 00:38:24, on 22/11/03
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Unable to get Internet Explorer version!
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\WF2K.EXE
C:\Program Files\Gigabyte\EasyTune4\et4Tray.exe
C:\WINNT\SOUNDMAN.EXE
C:\PROGRA~1\HPCD-W~1\DirectCD\directcd.exe
C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
E:\Winamp\Winamp3\winampa.exe
C:\WINNT\System32\DirectXset.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\PwsTray.exe
C:\WINNT\System32\taskmgr.exe
C:\WINNT\loadqm.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\WINNT\svchost.exe
C:\PROGRA~1\mozilla.org\Mozilla\Mozilla.exe
E:\ZoneAlarm\zonealarm.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
E:\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchv.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 66.98.142.163 yahoo.com
O1 - Hosts: 66.98.142.163 www.yahoo.com
O1 - Hosts: 66.98.142.163 google.com
O1 - Hosts: 66.98.142.163 www.google.com
O1 - Hosts: 66.98.142.163 thenun.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\adobe\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\Administrator.AIRBUS.000\Application Data\winshow\winshow.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [WinFast_2K] C:\WINNT\System32\WF2K.EXE
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [EasyTuneIV] C:\Program Files\Gigabyte\EasyTune4\et4Tray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\HPCD-W~1\DirectCD\directcd.exe
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [WinampAgent] "E:\Winamp\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [DirectX64] C:\WINNT\System32\DirectXset.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [PwrUpTweakMe] C:\WINNT\System32\pwrupst.exe /TWEAK
O4 - HKLM\..\Run: [StartTaskMan] C:\WINNT\System32\cmd.exe /c "start" /min C:\WINNT\System32\taskmgr.exe
O4 - HKLM\..\Run: [PWSTray] PwsTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [sys] regedit /s C:\WINNT\sys.reg
O4 - HKLM\..\Run: [SpybotSnD] "E:\SpyBot Ad Remover\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKLM\..\Run: [Msoffice] C:\WINNT\Fonts\msoffice.hta
O4 - HKLM\..\Run: [Online Service] C:\WINNT\svchost.exe
O4 - HKCU\..\Run: [Internet Washer Pro] C:\PROGRA~1\INTERN~2\iw.exe min
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - Global Startup: Microsoft Office.lnk = E:\MS Office Premium\Office\OSA9.EXE
O4 - Global Startup: ZoneAlarm.lnk = E:\ZoneAlarm\zonealarm.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0F300D3-F84A-4E97-80A4-DC20C1BD57FB}: NameServer = 203.12.160.35,203.12.160.36
pave_spectre
11-21-2003, 09:48 AM
O1 - Hosts: 66.98.142.163 yahoo.com
O1 - Hosts: 66.98.142.163 www.yahoo.com
O1 - Hosts: 66.98.142.163 google.com
O1 - Hosts: 66.98.142.163 www.google.com
O1 - Hosts: 66.98.142.163 thenun.com
Definitely fix these. Can be done manually by opening the 'hosts' file from C:\WINDOWS\system32\drivers\etc in Notepad. Once you've changed these (either manually or with HijackThis), set the properties of the file to read-only to help prevent future mods to that file.
The experts will be needed to identify the rest.
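The manual fix pave_spectre describes, written out as a small script. This is an added example and not code from the thread or from HijackThis; the function names are mine, the sample hosts content below is constructed from the O1 lines in the log, and the file location is assumed to be C:\WINNT\system32\drivers\etc\hosts, since the log shows this Windows 2000 box uses C:\WINNT as its system root. The rule applied is the one the replies apply by eye: on a workstation, a hosts entry that sends a name anywhere other than loopback (or the 0.0.0.0 null address people use for ad blocking) is a redirect and goes.

```python
"""Strip hijack entries from a Windows hosts file and mark it read-only.

Added example, not from the thread. Assumes the standard hosts format
"<address> <hostname> [alias ...]  # comment" and, for this Windows 2000
box, the path C:\\WINNT\\system32\\drivers\\etc\\hosts.
"""
import ipaddress
import os
import stat
from typing import Iterator, List, Tuple

# Addresses a hosts entry may legitimately point at on a normal workstation.
LOCAL_OK = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_hosts(text: str) -> Iterator[Tuple[int, str, List[str]]]:
    """Yield (line number, address, hostnames) for every mapping line,
    skipping blank lines, comments and lines without a hostname."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        parts = body.split()
        if len(parts) >= 2:
            yield lineno, parts[0], parts[1:]


def is_hijack(address: str, allow=frozenset()) -> bool:
    """True when the entry sends traffic somewhere other than loopback or an
    address the caller explicitly trusts. Unparseable addresses count as hijacks."""
    if address in LOCAL_OK or address in allow:
        return False
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return True
    return not (ip.is_loopback or ip.is_unspecified)


def clean_hosts_text(text: str, allow=frozenset()) -> Tuple[str, List[str]]:
    """Return (cleaned text, removed lines). Comments and local entries survive verbatim."""
    bad = {lineno for lineno, addr, _ in parse_hosts(text) if is_hijack(addr, allow)}
    kept, removed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        (removed if lineno in bad else kept).append(raw)
    return "\n".join(kept) + "\n", removed


def clean_hosts_file(path: str, allow=frozenset()) -> List[str]:
    """Rewrite the file in place, then clear the write bit. On Windows os.chmod
    toggles exactly the read-only attribute that pave_spectre recommends setting."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        cleaned, removed = clean_hosts_text(fh.read(), allow)
    os.chmod(path, stat.S_IREAD | stat.S_IWRITE)      # a previous run may have locked it
    with open(path, "w", encoding="ascii") as fh:
        fh.write(cleaned)
    os.chmod(path, stat.S_IREAD | stat.S_IRGRP | stat.S_IROTH)
    return removed


# Constructed sample: the five O1 entries from the log plus two legitimate lines.
SAMPLE_HOSTS = """# hosts file sample (constructed)
127.0.0.1       localhost
66.98.142.163   yahoo.com
66.98.142.163   www.yahoo.com
66.98.142.163   google.com
66.98.142.163   www.google.com
66.98.142.163   thenun.com
0.0.0.0         ads.example.invalid   # ad block, legitimate
"""

if __name__ == "__main__":
    cleaned, removed = clean_hosts_text(SAMPLE_HOSTS)
    print("removed:\n" + "\n".join(removed))
    print("kept:\n" + cleaned)
```

Two caveats a practitioner would add. The read-only attribute is only a speed bump: the profile path in the log (Administrator.AIRBUS.000) shows the box is used from the Administrator account, so anything that ran the hijacker can clear the attribute and rewrite the file just as easily as you did. And the hosts file is only one of three places this log redirects the browser (the R0/R1 search settings and the O17 DNS servers are the other two), so fixing it alone is not enough.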
shanmuga
11-21-2003, 10:44 AM
Also these,
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchv.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
Not connected to your problem,
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot (it's an unnecessary drain on your bandwidth if you don't use it)
If the domain is not from your ISP or company network, fix it.
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0F300D3-F84A-4E97-80A4-DC20C1BD57FB}: NameServer = 203.12.160.35,203.12.160.36
Beno, please wait for another opinion before you delete anything :(
Paul Komski
11-21-2003, 04:19 PM
You've certainly got one of the CWS variants (http://www.webroot.com/wb/news/spywarethreat/index.php).
eg: http://www.spywareinfo.com/articles/cws/ so I would use the CWS Shredder link to the zip download on that page and then run H-This again.
david eaton
11-21-2003, 04:53 PM
Paul is quite right. Download CWShredder from the posted link and run it. Then reboot, rescan with HijackThis and post a fresh log, please. I think I saw a couple of other nasties in there!
Hey Guys,
Thanks for all the responses - it definitely sounds like I do have one of those awful CWS variants.
I downloaded CWS to my Win2K box and tried to execute it, but I got the error message: "CWShredder - Unexpected Error".......whether this is the Trojan Horse program that is doing this is anyone's guess, but I don't know why it's not working because it seems to be the solution to fix the problem here.
I'll try removing some of the above mentioned lines that the "HijackThis" program produced but I have a feeling that this won't be good enough.
So if anyone knows why CWShredder would not be working or where to go from here, then please help!!
Thanks in advance
Beno
david eaton
11-21-2003, 08:12 PM
Oh, well . Just have to do it the hard way!
Have HijackThis fix all of the following by placing a check in the appropriate boxes and hitting "Fix checked". Make sure all browser and all Windows Explorer windows are closed before fixing.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchv.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
O1 - Hosts: 66.98.142.163 yahoo.com
O1 - Hosts: 66.98.142.163 www.yahoo.com
O1 - Hosts: 66.98.142.163 google.com
O1 - Hosts: 66.98.142.163 www.google.com
O1 - Hosts: 66.98.142.163 thenun.com
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\Administrator.AIRBUS.000\Application Data\winshow\winshow.dll
O4 - HKLM\..\Run: [DirectX64] C:\WINNT\System32\DirectXset.exe (http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.affee.html)
O4 - HKLM\..\Run: [sys] regedit /s C:\WINNT\sys.reg
O4 - HKLM\..\Run: [Msoffice] C:\WINNT\Fonts\msoffice.hta
O4 - HKLM\..\Run: [Online Service] C:\WINNT\svchost.exe
Reboot, preferably into safe mode, and delete
C:\WINNT\System32\DirectXset.exe
C:\WINNT\sys.reg
C:\WINNT\Fonts\msoffice.hta
C:\WINNT\svchost.exe
C:\Documents and Settings\Administrator.AIRBUS.000\Application Data\winshow folder
And can you send me a copy of this one...
winshow.dll
Send it to here (submissions@mjc1.com)
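The triage david eaton and shanmuga performed by eye on the log above, encoded as rules a script can run over a HijackThis log. This is an added example, not part of the thread and not code from HijackThis; the function names and the sample log (copied from lines in the log above) are mine. The rules are what the replies actually applied: O1 hosts entries that point anywhere but loopback, R0/R1 entries that set IE to a site not on your own allowlist, a BHO loaded from a user profile rather than a program directory, and Run entries that replay a .reg file, launch an .hta, or start a binary borrowing a system name (svchost.exe) from the wrong directory. O17 DNS servers cannot be judged offline, so they are reported for manual checking against your ISP.

```python
"""Rule-based triage of HijackThis log lines (added example, not from the thread)."""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<rest>.*)$")
# Matches the registry Run entries: HKLM\..\Run: [Name] command
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
# Binaries the real OS only ever runs from the system directory.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe"}


def _exe_of(cmd: str) -> str:
    """First token of a Run command, with surrounding quotes stripped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0] if cmd else ""


def judge(line: str, search_allow=frozenset()) -> Tuple[str, str]:
    """Return ("fix" | "check" | "ok", reason) for one HijackThis log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return "ok", "not a finding line"
    kind, rest = m.group("kind"), m.group("rest")

    if kind == "O1":                                   # Hosts: <ip> <name>
        parts = rest.split()
        ip = parts[1] if len(parts) > 2 else ""
        if ip and ip not in LOOPBACK:
            return "fix", f"hosts entry redirects to {ip}"
        return "ok", "loopback hosts entry"

    if kind in ("R0", "R1"):                           # IE key = value
        value = rest.split("=", 1)[1].strip() if "=" in rest else ""
        host = urlparse(value).hostname if value else None
        if host and host not in search_allow:
            return "fix", f"IE page set to {host}"
        return "ok", "empty or allowed IE setting"

    if kind == "O2":                                   # BHO: name - {CLSID} - path
        path = rest.rsplit(" - ", 1)[-1].lower()
        if "\\application data\\" in path or "\\temp\\" in path:
            return "fix", "BHO loaded from a user profile directory"
        return "ok", "BHO loaded from a program directory"

    if kind == "O4":
        rm = RUN_RE.match(rest)
        if not rm:
            return "ok", "startup folder shortcut"
        cmd = rm.group("cmd")
        exe = _exe_of(cmd).lower()
        base = exe.rsplit("\\", 1)[-1]
        if base in ("regedit", "regedit.exe") and "/s" in cmd.lower():
            return "fix", "Run entry silently replays a .reg file"
        if exe.endswith(".hta"):
            return "fix", "Run entry launches an HTML application"
        if base in SYSTEM_NAMES and "\\system32\\" not in exe:
            return "fix", f"{base} started from outside system32"
        if "\\fonts\\" in exe:
            return "fix", "Run entry executes from the Fonts directory"
        return "ok", "ordinary Run entry"

    if kind == "O17":
        servers = rest.split("=", 1)[1].strip() if "=" in rest else ""
        return "check", f"confirm these DNS servers belong to your ISP: {servers}"

    return "ok", "no rule for this line type"


def triage(log: str, search_allow=frozenset()) -> Dict[str, List[str]]:
    """Group the log's lines by verdict, each annotated with its reason."""
    out: Dict[str, List[str]] = {"fix": [], "check": [], "ok": []}
    for line in log.splitlines():
        if not line.strip():
            continue
        verdict, reason = judge(line, search_allow)
        out[verdict].append(f"{line.strip()}  <- {reason}")
    return out


# Sample lines taken from the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchv.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O1 - Hosts: 66.98.142.163 google.com
O1 - Hosts: 66.98.142.163 www.google.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\adobe\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\Administrator.AIRBUS.000\Application Data\winshow\winshow.dll
O4 - HKLM\..\Run: [WinampAgent] "E:\Winamp\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [DirectX64] C:\WINNT\System32\DirectXset.exe
O4 - HKLM\..\Run: [sys] regedit /s C:\WINNT\sys.reg
O4 - HKLM\..\Run: [Msoffice] C:\WINNT\Fonts\msoffice.hta
O4 - HKLM\..\Run: [Online Service] C:\WINNT\svchost.exe
O4 - Global Startup: ZoneAlarm.lnk = E:\ZoneAlarm\zonealarm.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0F300D3-F84A-4E97-80A4-DC20C1BD57FB}: NameServer = 203.12.160.35,203.12.160.36
"""

if __name__ == "__main__":
    for verdict, lines in triage(SAMPLE_LOG).items():
        print(f"== {verdict} ==")
        print("\n".join(lines))
```

Note what the heuristics miss: DirectXset.exe sits in System32 with an innocuous name and passes every rule here; david eaton caught it only by recognising the name and linking the Symantec write-up. Heuristics like these shorten the reading of a log, but the signature lookup and the second opinion shanmuga asked Beno to wait for are still what settles the doubtful entries.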
Hey Guys,
I finally got CWShredder to work and it looks like it's done a fantastic job, because I can now type in google.com without being redirected, so I feel good that I am not the defeated one now!
My machine is just going through a restart so I will get back to you all if it doesn't go to plan but I think it will so thanks to you all that helped me on this......some really good advice and tips given.