
Trojan_Agent.NH - Removal

#1 ·
Hi. When I'm shutting down my laptop WIN2000, the message "tnmylcn.exe - DLL Initialization failed - The application failed to initialize because the window station is shutting down." appears. In using Housecall, the detection was Trojan_agent.nh and I did click delete (though it's supposedly undeletable). However, I still get the message. My Internet Explorer is very unstable (shutting down unexpectedly) and my mouse shakes on occasion. I'm wondering if the trojan is contributing to the problems. Is the only way to get rid of this message to reformat? Any ideas? Thanks!
 
#3 ·
Hi Blues_Harp28,

Thanks for the advice! I tried the www.thespykiller.co.uk/files/HJTsetup.exe and did a "fix" on only C:\winnt\system32\tnmylcn.exe. When I re-scanned, it seemed to be fixed and the error message did not show up when I did a restart.

But when I rebooted again, the error message came back. I reran www.thespykiller.co.uk/files/HJTsetup.exe -- and the file C:\winnt\system32\tnmylcn.exe is back.

Should I try to do an entire fix?

I appreciate your kind help!

Here is the logfile:

Logfile of HijackThis v1.99.1
Scan saved at 12:37:59 AM, on 6/26/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
d:\PROGRA~2\Navnt\navapsvc.exe
d:\PROGRA~2\Navnt\npssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\WFXSVC.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
D:\Program Files\WinFax\WFXMOD32.EXE
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
d:\PROGRA~2\Navnt\alertsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINNT\System32\WScript.exe
C:\Program Files\Apoint\Apntex.exe
D:\Program Files\CanoScan80\ScanSoft\OmniPageSE\opware32.exe
C:\winnt\system32\tnmylcn.exe
C:\WINNT\system32\wfxsnt40.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
D:\Program Files\Navnt\NAVAPW32.EXE
D:\Program Files\AdobeDistiller5\Distillr\AcroTray.exe
C:\winnt\system32\packager.exe
C:\progra~1\Support.com\client\bin\tgcmd.exe
d:\program files\winfax\wfxctl32.exe
D:\Program Files\MSOffice_2000\Office\WINWORD.EXE
C:\Program Files\Virus_spykiller\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINNT\Pynix.dll (file missing)
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINNT\ceres.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [NPS Event Checker] d:\PROGRA~2\Navnt\npscheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] d:\PROGRA~2\Navnt\defalert.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [farmmext] C:\WINNT\farmmext.exe
O4 - HKLM\..\Run: [Omnipage] D:\Program Files\CanoScan80\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [tnmylcn] c:\winnt\system32\tnmylcn.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - Startup: checkDMI.lnk.lnk = ?
O4 - Global Startup: VAIO Action Setup (Server).lnk = C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
O4 - Global Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\MSOffice_2000\Office\OSA9.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = D:\Program Files\Navnt\NAVAPW32.EXE
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\AdobeDistiller5\Distillr\AcroTray.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\shdocvw.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {ddffa75a-e81d-4454-89fc-b9fd0631e726} - http://www.bundleware.com/activeX/DS3/DS3.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NAV Alert - Symantec Corporation - d:\PROGRA~2\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - d:\PROGRA~2\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - d:\PROGRA~2\Navnt\npssvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINNT\system32\WFXSVC.EXE

blues_harp28 said:
Hi..and welcome...D/load ..Spybot...Ad-aware..links below...check for updates..scan..remove what they find.....
Run HJT log...www.thespykiller.co.uk/files/HJTsetup.exe
Install in C:\ program file.....let it scan..save logfile to notepad>edit>select all>edit>copy.paste on your thread....
 
#4 ·
Get these tools, check for updates, run and fix all

AdAware SE 1.06 http://www.majorgeeks.com/download506.html - * NEW *
MS AntiSpy - http://download.microsoft.com/downl...-fca2f2c6f0cc/MicrosoftAntiSpywareInstall.exe (XP and W2K only)

Print this and boot to safe mode (Start tapping F8 at the first black screen after power up)
Fix these with HJT

O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINNT\Pynix.dll (file missing)

O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINNT\ceres.dll

O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs

O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe

O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe

O4 - HKLM\..\Run: [farmmext] C:\WINNT\farmmext.exe

O4 - HKLM\..\Run: [tnmylcn] c:\winnt\system32\tnmylcn.exe

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.6.cab

O16 - DPF: {ddffa75a-e81d-4454-89fc-b9fd0631e726} - http://www.bundleware.com/activeX/DS3/DS3.cab

View Hidden Files
Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
Make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files".
Uncheck hide extensions
Now click "Apply to all folders", Click "Apply" then "OK"

Delete these files

C:\WINNT\ceres.dll
C:\WINNT\farmmext.exe
c:\winnt\system32\tnmylcn.exe

Delete these folders

C:\WINNT\isrvs

START – RUN – type in %temp% OK - Edit – Select all – File – Delete
Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp
Empty the recycle bin
Boot

Run ActiveScan online virus scan

http://www.pandasoftware.com/activescan/

When the scan is finished, have it delete anything that it cannot clean. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan

Please give feedback on what worked/didn’t work and the current status of your system
 
#5 ·
Hi MFDnSC,

Sorry for this delayed response - here is the result after the deletion:

Logfile of HijackThis v1.99.1
Scan saved at 4:17:27 PM, on 7/16/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
d:\PROGRA~2\Navnt\navapsvc.exe
d:\PROGRA~2\Navnt\npssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\WFXSVC.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
D:\Program Files\WinFax\WFXMOD32.EXE
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
d:\PROGRA~2\Navnt\alertsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
D:\Program Files\CanoScan80\ScanSoft\OmniPageSE\opware32.exe
C:\WINNT\system32\wfxsnt40.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\JUSearch\juspc.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
D:\Program Extra Files\Virus\MicrosoftAntiSpyware\gcasDtServ.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
D:\Program Files\Navnt\NAVAPW32.EXE
D:\Program Files\AdobeDistiller5\Distillr\AcroTray.exe
D:\Program Files\MSOffice_2000\Office\WINWORD.EXE
E:\Setup.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe
D:\Program Extra Files\Virus\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.juno.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.juno.com/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.juno.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s/search?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [NPS Event Checker] d:\PROGRA~2\Navnt\npscheck.exe
O4 - HKLM\..\Run: [Omnipage] D:\Program Files\CanoScan80\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [gcasServ] "D:\Program Extra Files\Virus\MicrosoftAntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\juspc.exe" -w
O4 - Startup: checkDMI.lnk.lnk = ?
O4 - Global Startup: VAIO Action Setup (Server).lnk = C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
O4 - Global Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\MSOffice_2000\Office\OSA9.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = D:\Program Files\Navnt\NAVAPW32.EXE
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\AdobeDistiller5\Distillr\AcroTray.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\shdocvw.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NAV Alert - Symantec Corporation - d:\PROGRA~2\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - d:\PROGRA~2\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - d:\PROGRA~2\Navnt\npssvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINNT\system32\WFXSVC.EXE

Reason for delay: My Sony laptop (PCG-FX240K) Win2000 is under an extended warranty (ending tomorrow) and I submitted it for a check since there were some problems (keyboard left and right shift keys (which I think is a common prob for old laptops), trembling mouse, occasional difficulties booting up, fax modem dropping out, CD read prob on occasion). The tech response was that the probs may be caused by too much in C drive (only 369 MB free) and corrupt OS and COM files. So, they rec that I run the recovery disks and then to check if the probs are still recurring.

Would what I just did above (and what happened previously) have caused "corrupt" OS and COM files?

I'd appreciate your kind help!

Lela
 
#6 ·
No, what you did had no impact on system files

Fix these – mark them, close IE, click fix checked

R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll

O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\juspc.exe" -w

Boot and delete this folder

C:\Program Files\JUSearch

Get and run

http://www.ccleaner.com/ccdownload.asp
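
Added example, not part of the original thread or any poster's code: a small Python comparison of two HijackThis logs, showing how the second scan confirms the targeted items are gone and surfaces the new JUSearch autostart entries flagged in the last reply. The function names `parse_hjt` and `diff_logs` are hypothetical, and the two sample strings are constructed excerpts of the logs posted above.

```python
import re

# Entry lines start with a HijackThis section code, e.g. "O4 - HKLM\..\Run: ...".
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - .+$")

# Constructed excerpts of the two logs posted in this thread (not the full logs).
BEFORE = r"""
Running processes:
C:\WINNT\Explorer.EXE
C:\winnt\system32\tnmylcn.exe

O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINNT\ceres.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [tnmylcn] c:\winnt\system32\tnmylcn.exe
"""
AFTER = r"""
Running processes:
C:\WINNT\Explorer.EXE
C:\Program Files\JUSearch\juspc.exe

R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\juspc.exe" -w
"""

def parse_hjt(log_text):
    """Return (processes, entries): dicts keyed by the lower-cased line so
    paths that differ only in case compare equal; values keep the original."""
    procs, entries, in_procs = {}, {}, False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_procs = True
        elif ENTRY_RE.match(line):
            in_procs = False
            entries[line.lower()] = line
        elif in_procs and line:
            procs[line.lower()] = line
        elif not line:
            in_procs = False  # a blank line ends the process list
    return procs, entries

def diff_logs(before_text, after_text):
    """Report what disappeared and what is new between two scans."""
    (b_procs, b_ents), (a_procs, a_ents) = parse_hjt(before_text), parse_hjt(after_text)
    only = lambda x, y: sorted(x[k] for k in x.keys() - y.keys())
    return {"removed_entries": only(b_ents, a_ents), "added_entries": only(a_ents, b_ents),
            "stopped_processes": only(b_procs, a_procs), "new_processes": only(a_procs, b_procs)}

if __name__ == "__main__":
    for label, items in diff_logs(BEFORE, AFTER).items():
        print(label, *items, sep="\n  ")
```

Anything under `added_entries` or `new_processes` that was not deliberately installed between scans is what to review next.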
 