Trojan_Agent.NH - Removal

Status
This thread has been Locked and is not open to further replies. The original thread starter may use the Report button to request it be reopened but anyone else with a similar issue should start a New Thread. Watch our Welcome Guide to learn how to use this site.

Lela_SF

Thread Starter
Joined
Jun 25, 2005
Messages
13
Hi. When I'm shutting down my laptop WIN2000, the message "tnmylcn.exe - DLL Initialization failed - The application failed to initialize because the window station is shutting down." appears. In using Housecall, the detection was Trojan_agent.nh and I did click delete (though it's supposedly undeletable). However, I still get the message. My Internet Explorer is very unstable (shutting down unexpectedly) and my mouse shakes on occasion. I'm wondering if the trojan is contributing to the problems. Is the only way to get rid of this message to reformat? Any ideas? Thanks!
 

blues_harp28

Moderator
Joined
Jan 9, 2005
Messages
19,622
Hi..and welcome...D/load ..Spybot...Ad-aware..links below...check for updates..scan..remove what they find.....
Run HJT log...www.thespykiller.co.uk/files/HJTsetup.exe
Install in C:\ program file.....let it scan..save logfile to notepad>edit>select all>edit>copy.paste on your thread....
 

Lela_SF

Thread Starter
Joined
Jun 25, 2005
Messages
13
Hi Blues_Harp28,

Thanks for the advice! I tried the www.thespykiller.co.uk/files/HJTsetup.exe and did a "fix" on only C:\winnt\system32\tnmylcn.exe. When I re-scanned, it seemed to be fixed and the error message did not show up when I did a restart.

But, if I rebooted again, the error message came back. I reran www.thespykiller.co.uk/files/HJTsetup.exe -- and the file C:\winnt\system32\tnmylcn.exe is back.

Should I try to do an entire fix?

I appreciate your kind help!

Here is the logfile:

Logfile of HijackThis v1.99.1
Scan saved at 12:37:59 AM, on 6/26/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
d:\PROGRA~2\Navnt\navapsvc.exe
d:\PROGRA~2\Navnt\npssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\WFXSVC.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
D:\Program Files\WinFax\WFXMOD32.EXE
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
d:\PROGRA~2\Navnt\alertsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINNT\System32\WScript.exe
C:\Program Files\Apoint\Apntex.exe
D:\Program Files\CanoScan80\ScanSoft\OmniPageSE\opware32.exe
C:\winnt\system32\tnmylcn.exe
C:\WINNT\system32\wfxsnt40.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
D:\Program Files\Navnt\NAVAPW32.EXE
D:\Program Files\AdobeDistiller5\Distillr\AcroTray.exe
C:\winnt\system32\packager.exe
C:\progra~1\Support.com\client\bin\tgcmd.exe
d:\program files\winfax\wfxctl32.exe
D:\Program Files\MSOffice_2000\Office\WINWORD.EXE
C:\Program Files\Virus_spykiller\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINNT\Pynix.dll (file missing)
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINNT\ceres.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [NPS Event Checker] d:\PROGRA~2\Navnt\npscheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] d:\PROGRA~2\Navnt\defalert.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [farmmext] C:\WINNT\farmmext.exe
O4 - HKLM\..\Run: [Omnipage] D:\Program Files\CanoScan80\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [tnmylcn] c:\winnt\system32\tnmylcn.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - Startup: checkDMI.lnk.lnk = ?
O4 - Global Startup: VAIO Action Setup (Server).lnk = C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
O4 - Global Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\MSOffice_2000\Office\OSA9.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = D:\Program Files\Navnt\NAVAPW32.EXE
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\AdobeDistiller5\Distillr\AcroTray.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\shdocvw.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {ddffa75a-e81d-4454-89fc-b9fd0631e726} - http://www.bundleware.com/activeX/DS3/DS3.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NAV Alert - Symantec Corporation - d:\PROGRA~2\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - d:\PROGRA~2\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - d:\PROGRA~2\Navnt\npssvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINNT\system32\WFXSVC.EXE



blues_harp28 said:
Hi..and welcome...D/load ..Spybot...Ad-aware..links below...check for updates..scan..remove what they find.....
Run HJT log...www.thespykiller.co.uk/files/HJTsetup.exe
Install in C:\ program file.....let it scan..save logfile to notepad>edit>select all>edit>copy.paste on your thread....
 
Joined
Sep 7, 2004
Messages
49,014
Get these tools, check for updates, run and fix all

AdAware SE 1.06 http://www.majorgeeks.com/download506.html - * NEW *
MS AntiSpy - http://download.microsoft.com/downl...-fca2f2c6f0cc/MicrosoftAntiSpywareInstall.exe (XP and W2K only)


Print this and boot to safe mode (Start tapping F8 at the first black screen after power up)
Fix these with HJT

O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINNT\Pynix.dll (file missing)

O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINNT\ceres.dll

O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs

O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe

O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe

O4 - HKLM\..\Run: [farmmext] C:\WINNT\farmmext.exe

O4 - HKLM\..\Run: [tnmylcn] c:\winnt\system32\tnmylcn.exe

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.6.cab

O16 - DPF: {ddffa75a-e81d-4454-89fc-b9fd0631e726} - http://www.bundleware.com/activeX/DS3/DS3.cab

View Hidden Files
Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
Make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files".
Uncheck hide extensions
Now click "Apply to all folders", Click "Apply" then "OK"

Delete these files

C:\WINNT\ceres.dll
C:\WINNT\farmmext.exe
c:\winnt\system32\tnmylcn.exe

Delete these folders

C:\WINNT\isrvs

START – RUN – type in %temp% OK - Edit – Select all – File – Delete
Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp
Empty the recycle bin
Boot

Run ActiveScan online virus scan

http://www.pandasoftware.com/activescan/

When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan


Please give feedback on what worked/didn’t work and the current status of your system
 

Lela_SF

Thread Starter
Joined
Jun 25, 2005
Messages
13
Hi MFDnSC,

Sorry for this delayed response - here is the result after the deletion:

Logfile of HijackThis v1.99.1
Scan saved at 4:17:27 PM, on 7/16/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
d:\PROGRA~2\Navnt\navapsvc.exe
d:\PROGRA~2\Navnt\npssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\WFXSVC.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
D:\Program Files\WinFax\WFXMOD32.EXE
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
d:\PROGRA~2\Navnt\alertsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
D:\Program Files\CanoScan80\ScanSoft\OmniPageSE\opware32.exe
C:\WINNT\system32\wfxsnt40.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\JUSearch\juspc.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
D:\Program Extra Files\Virus\MicrosoftAntiSpyware\gcasDtServ.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
D:\Program Files\Navnt\NAVAPW32.EXE
D:\Program Files\AdobeDistiller5\Distillr\AcroTray.exe
D:\Program Files\MSOffice_2000\Office\WINWORD.EXE
E:\Setup.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe
D:\Program Extra Files\Virus\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.juno.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.juno.com/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.juno.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s/search?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [NPS Event Checker] d:\PROGRA~2\Navnt\npscheck.exe
O4 - HKLM\..\Run: [Omnipage] D:\Program Files\CanoScan80\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [gcasServ] "D:\Program Extra Files\Virus\MicrosoftAntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\juspc.exe" -w
O4 - Startup: checkDMI.lnk.lnk = ?
O4 - Global Startup: VAIO Action Setup (Server).lnk = C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
O4 - Global Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\MSOffice_2000\Office\OSA9.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = D:\Program Files\Navnt\NAVAPW32.EXE
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\AdobeDistiller5\Distillr\AcroTray.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\shdocvw.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NAV Alert - Symantec Corporation - d:\PROGRA~2\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - d:\PROGRA~2\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - d:\PROGRA~2\Navnt\npssvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINNT\system32\WFXSVC.EXE


Reason for delay: My Sony laptop (PCG-FX240K) Win2000 is under an extended warranty (ending tomorrow) and I submitted it for a check since there were some problems (keyboard left and right shift keys (which I think is a common prob for old laptops), trembling mouse, occasional difficulties booting up, fax modem dropping out, CD read prob on occasion). The tech response was that the probs may be caused by too much in C drive (only 369 MB free) and corrupt OS and COM files. So, they rec that I run the recovery disks and then to check if the probs are still recurring.

Would what I just did above (and what happened previously) have caused "corrupt" OS and COM files?

I'd appreciate your kind help!

Lela
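
Added example (not part of any post in this thread): comparing the registry Run entries of the two HijackThis logs posted above shows which autostarts the cleanup removed and which appeared afterwards. The function names are this example's own, and the log excerpts are trimmed copies of lines from the two logs.

```python
import re

# An O4 registry autostart line has the form: O4 - HKLM\..\Run: [name] command
RUN_LINE = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\(Run\w*): \[([^\]]+)\] (.+)$")

# Trimmed excerpts of the 6/26/2005 and 7/16/2005 logs in this thread.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [farmmext] C:\WINNT\farmmext.exe
O4 - HKLM\..\Run: [tnmylcn] c:\winnt\system32\tnmylcn.exe
O4 - Global Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [gcasServ] "D:\Program Extra Files\Virus\MicrosoftAntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\juspc.exe" -w
O4 - Global Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe
"""

def run_entries(log_text):
    """Return {(hive, key, name): command} for each O4 registry Run line.
    Startup-folder lines (O4 - Startup / Global Startup) are not matched."""
    entries = {}
    for line in log_text.splitlines():
        m = RUN_LINE.match(line.strip())
        if m:
            hive, key, name, cmd = m.groups()
            # Registry value names are case-insensitive, so normalise them.
            entries[(hive, key, name.lower())] = cmd.strip()
    return entries

def diff_autostarts(before_log, after_log):
    """Compare two logs: entries removed, entries added, commands changed."""
    before, after = run_entries(before_log), run_entries(after_log)
    removed = {k: before[k] for k in sorted(before) if k not in after}
    added = {k: after[k] for k in sorted(after) if k not in before}
    changed = {k: (before[k], after[k]) for k in sorted(before)
               if k in after and before[k].lower() != after[k].lower()}
    return removed, added, changed

if __name__ == "__main__":
    removed, added, changed = diff_autostarts(LOG_BEFORE, LOG_AFTER)
    for label, found in (("removed", removed), ("added", added), ("changed", changed)):
        for (hive, key, name), cmd in found.items():
            print(f"{label:8} {hive}\\{key} [{name}] {cmd}")
```

An entry reported as removed only means the Run value is gone from the later log; an entry reported as added still has to be judged on its own, since it can be a newly installed tool as well as an unwanted program.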
 
Joined
Sep 7, 2004
Messages
49,014
No, what you did had no impact on system files

Fix these – mark them, close IE click fix checked

R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll

O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\juspc.exe" -w

Boot and delete this folder

C:\Program Files\JUSearch

Get and run

http://www.ccleaner.com/ccdownload.asp
 

Lela_SF

Thread Starter
Joined
Jun 25, 2005
Messages
13
Hi MFDnSC,

Just to make sure -- to fix them, I am to go into Safe Mode and use HijackThis to fix them... right?

Thanks,

Lela
 
Joined
Sep 7, 2004
Messages
49,014
No you can, with HJT, fix them in normal mode, just make sure to close IE prior to clicking fix checked
 