I am having some problem with royalsearch.net. I have scanned with HijackThis and removed the values which contained 'royalsearch.net'. Here is the logfile as it stands now:

Logfile of HijackThis v1.97.5
Scan saved at 1:12:04 AM, on 11/23/2003
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\OfficeScan NT\ntrtscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\OfficeScan NT\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx.exe
C:\Program Files\OfficeScan NT\pccntmon.exe
C:\Program Files\OfficeScan NT\RAUAgent.exe
C:\WINNT\loadqm.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\winnt\winlogon.exe
C:\Program Files\ClockSync\Sync.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\dussma00\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Siemens Medical Solutions, Inc.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.ca/
O1 - Hosts: 66.98.142.163 auto.search.msn.com
O1 - Hosts: 66.98.142.163 search.msn.com
O1 - Hosts: 66.98.142.163 msn.com
O1 - Hosts: 66.98.142.163 www.msn.com
O1 - Hosts: 66.98.142.163 yahoo.com
O1 - Hosts: 66.98.142.163 www.yahoo.com
O1 - Hosts: 66.98.142.163 google.com
O1 - Hosts: 66.98.142.163 www.google.com
O1 - Hosts: 66.98.142.163 thenun.com
O1 - Hosts: 66.98.142.163 www.thehun.com
O1 - Hosts: 66.98.142.163 thehun.net
O1 - Hosts: 66.98.142.163 www.thehun.net
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\dussma00\Application Data\winshow\winshow.dll
O2 - BHO: winlink module - {6CC1C91A-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\dussma00\Application Data\winlink\winlink.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [cryptoex] C:\Program Files\CryptoEx Security Suite\cex_t.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\OfficeScan NT\pccntmon.exe"
O4 - HKLM\..\Run: [RemoteAgent] C:\Program Files\OfficeScan NT\RAUAgent.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINNT\hpfsched.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Online Service] C:\WINNT\svchost.exe
O4 - HKLM\..\Run: [Tapicfg.exe] \tapicfg.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [winlogon] c:\winnt\winlogon.exe
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ww005.siemens.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ww005.siemens.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ww005.siemens.net
O19 - User stylesheet: C:\WINNT\Web\win.def (file missing)
O19 - User stylesheet: C:\WINNT\default.css (file missing) (HKLM)

Thanks

Hi marcel,
Download and run CWShredder:
CWShredder

After running CWShredder, run Hijack again and post a new log.

Hi Tom41, thanks for the reply. I've run CWShredder and HT. Here is the log:

Logfile of HijackThis v1.97.7
Scan saved at 10:36:21 AM, on 11/23/2003
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\OfficeScan NT\ntrtscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\OfficeScan NT\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx.exe
C:\Program Files\OfficeScan NT\pccntmon.exe
C:\Program Files\OfficeScan NT\RAUAgent.exe
C:\WINNT\loadqm.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\winnt\winlogon.exe
C:\Program Files\ClockSync\Sync.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\dussma00\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Siemens Medical Solutions, Inc.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.ca/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [cryptoex] C:\Program Files\CryptoEx Security Suite\cex_t.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\OfficeScan NT\pccntmon.exe"
O4 - HKLM\..\Run: [RemoteAgent] C:\Program Files\OfficeScan NT\RAUAgent.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINNT\hpfsched.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [winlogon] c:\winnt\winlogon.exe
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ww005.siemens.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ww005.siemens.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ww005.siemens.net

Open the task manager and end process on O4 -c:\winnt\winlogon.exe **Note..Notice the location, don't end process on C:\WINNT\system32\winlogon.exe

Then run Hijack and fix the following entry:
O4 - HKCU\..\Run: [winlogon] c:\winnt\winlogon.exe

Reboot and delete c:\winnt\winlogon.exe

Hi Tom41,

Task manager would not let me kill the process for O4 -c:\winnt\winlogon.exe, citing that it is a critical system process. Is there another way around this? Is simply deleting this not an option?

Thanks for your help.

Try this,
Fix this entry with Hijack:

O4 - HKCU\..\Run: [winlogon] c:\winnt\winlogon.exe

Reboot and delete c:\winnt\winlogon.exe.

DO NOT delete C:\WINNT\system32\winlogon.exe

thanks for your help, much appreciated. i deleted c:\winnt\winlogon.exe after running hijack and my pc seems to be running fine.

this is my first time posting in a forum like this, what a great concept.