New member has anoying problem

[benHur]

Okay, First problem is when i get on the internet my homepage goes to a spyware add. I can not change this to my normal homepage. I have downloaded Hijackthis, spybot, ad-aware, cwshredder, spyware blaster and cleanup. None seem to have fixed the problem.

Here is my latest Hijackthis profile:

Logfile of HijackThis v1.99.0
Scan saved at 4:05:19 PM, on 1/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\System32\sistray.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\essspk.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ntnut.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\ben.SELL\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdocpe.dll/security.htm#subID=BSW;677
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpe.dll/asst.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe -b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Fast start] C:\WINDOWS\system32\ntnut.exe home
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1103040786562
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Security Agent - Unknown - C:\WINDOWS\system32\scagent.exe (file missing)
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


After using all these programs now when i restart my computer a box pops up titled "ntut.exe-unable to locate component" then says, "this application has failed to start because rtl70.bpl was not found. Re-installing the application may fix this problem"  And to add on to that, my homepage still is the spyware add. Thanks for they help. I am not too computer savvy so please use layman's terms. Thanks again in advanced!!!!

[guestolo]

Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Restart your computer into SAFE MODE

Find and delete these files if they exist
C:\WINDOWS\system32\ntnut.exe <--file
C:\WINDOWS\system32\scagent.exe

Stay in safe mode
Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdocpe.dll/security.htm#subID=BSW;677
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpe.dll/asst.htm

O4 - HKLM\..\Run: [Fast start] C:\WINDOWS\system32\ntnut.exe home

O23 - Service: Security Agent - Unknown - C:\WINDOWS\system32\scagent.exe (file missing)

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

RESTART back into Normal Mode
Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page

Go to START>>RUN>>Type in cmd and hit Enter
at the command prompt window type in

sc delete Security Agent
then hit Enter

Then type exit and hit Enter

Then go to Start>>Run>>type in services.msc
In the new window on the right hand side look for Security Agent
Let me know if you find it

Post back a fresh hijackthis log afterwards

[guestolo]

Could you also Download and save to desktop ServiceFilter.zip
A script by rand1038 that reveals potential unauthorised running services in your system.
Unzip the contents to a folder
Double-click ServiceFilter.vbs, if you get a prompt from your Anti-Virus, Allow this to run, we are just collecting information
This script will create a text file named 'Post_This.txt' in the same folder as the script itself has been saved - copy and paste the contents of Post_This.txt in your next reply here.

[Guest]

Okay... I did everything so far. The only thing i noticed was when i typed in "sc delete Security Agent" it said "[SC] open Service Failed 1060...The specified service does not exist as and installed service"

Everything else went well. I did find Security Agent under service.msc.

Here is my new Hijackthis log adn also the servicefilter contents:

Logfile of HijackThis v1.99.0
Scan saved at 5:09:58 PM, on 1/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\System32\sistray.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\essspk.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\ben.SELL\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bresnan.net/durango
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe -b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1103040786562
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Service filter contents:

The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Professional
Version: 5.1.2600 Service Pack 1
Jan 3, 2005 5:15:53 PM


===> Begin Service Listing <===

Unknown Service #1
Service Name: DefWatch
Display Name: DefWatch
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\progra~1\symant~1\symant~1\defwatch.exe
State: Running
Process ID: 1408
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service #2
Service Name: Norton AntiVirus Server
Display Name: Symantec AntiVirus Client
Start Mode: Auto
Start Name: LocalSystem
Description: Provides real-time virus scanning, reporting, and management functionality for Symantec Client ...
Service Type: Own Process
Path: c:\progra~1\symant~1\symant~1\rtvscan.exe
State: Running
Process ID: 1448
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 3
Service Name: scagent
Display Name: Security Agent
Start Mode: Disabled
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: "c:\windows\system32\scagent.exe" start
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service #4
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{8c82f6df-ce90-4238-b5ac-1a22760e0791}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

---> End Service Listing <---

There are 82 Win32 services on this machine.
4 were unrecognized.

Script Execution Time: 0.5 seconds.


It is now not opening to the spyware page...Thanks a lot for your help on that!!!! What do i need to do now? This is kind of cool. I wish I really knew what i was doing.

[guestolo]

I can't see Security agent in your Hijackthis log but I can see it in Service Filter

Let's try this

Download and UNZIP to desktop delete_scagent
A little script by Mosaic1 that removes the Security Agent service from your system.
Don't run this yet

Download and UNZIP to desktop 018 Clean-up.zip

You may want to print the rest of this out. Or save this too a notepad file on the desktop
Important
Close out ALL browser windows and Disconnect from the Internet, stay disconnected until we are done

Go to START>>>RUN>>>type in services.msc and hit Enter
In the next window, look on the right hand side for this service
name---- Security Agent  <--exact service name

Double click on it--- STOP the service--
In the drop down menu, change the startup type to Disabled
OK out of it

Double click on delete_scagent.vbs on the desktop (Allow this to run if prompted from your AV). You should get a message box saying Stopped Already and then another one saying Done.

==Double click on 018 Clean-up.reg and Allow it to merge to the registry

RESTART your computer

Again look for these files and delete them if they exist
C:\WINDOWS\system32\scagent.exe <--file
C:\WINDOWS\httpfilter.dll <--file

Delete your copy of Post_This.txt and then allow Service Filter to create another one
Ensure you don't post back the last one you sent

Post a fresh hijackthis log and a new Post_This.txt file, thanks