Trojan horse Agent.AUOY

Discussion in 'Malware Help (A Specialist Will Reply)' started by spushul_k, Jan 18, 2009.

  1. spushul_k

    spushul_k Private E-2

    This trojan is fricken pesky. It tries to block every application that tries to open on my poor pewter. It comes up with this error:

    ***This application has failed to start because msntkjyhr.dll was not found. Re-installing the application may fix this problem.

    If you click thru the 4-10 errors that pop up the app will eventually open. But it will not allow any malware/trojan remover programs to open so I can't get rid of this thing. It also won't let me do a system restore.

    I can't find anything on the web regarding this particular trojan. Can anybody help?

    I'm running Windows XP Media Edition

    AVG caught it as:

    C:\WINDOWS\system32\msntkjyhr.dll
    C:\WINDOWS\system32\winlogon.exe (1024)

    I have no clue how I got this thing, I'm a pretty safe surfer and have AVG Internet Security version 8.0.233 with firewall and all the safety things enabled.

    I have attached all the files you require. It took me all day to do them due to having to click thru the above mentioned error 9zillion times.
     

    Attached Files:

  2. spushul_k

    spushul_k Private E-2

    ...here is the last file. I hope I got it all correctly done for you. It was painstaking to say the least.

    TY so much in advance.;)
     

    Attached Files:

    Last edited: Jan 18, 2009
  3. spushul_k

    spushul_k Private E-2

    This trojan first showed its face yesterday morning when I came out to check facebook. Then I checked my virus log because I scan daily and that is when I found it. :rolleyes:
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com!


    Pre-Instructions:
    1. First, please disable any antivirus and/or antispy programs you have installed so they will not block this fix.
    2. Print out these instructions or save them to a text file so that you can operate with All Browser Windows CLOSED.

    Step 1:
    Please look in Add/Remove Programs for the following and uninstall if found. If you get any errors just make a note and proceed.


    Step 2:
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    Again, make sure ALL browser windows are closed when you click FIX.

    Step 3:
    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Step 4:
    Default Security Settings

    To Default Security Settings:
    For Internet Explorer 6 users:
    Click Start > Run > type inetcpl.cpl and press ENTER, when Internet Properties comes up navigate to the Security Tab and click Default Level for the following:
    • Internet
    • Local Intranet
    • Trusted Sites
    • Restricted Sites.
    Click OK to exit.

    For Internet Explorer 7 users:
    Click Start > Run > type inetcpl.cpl and press ENTER, when Internet Properties comes up, navigate to the Security Tab and simply click the "Reset all zones to default level" button. Click OK to exit.

    NOTE: If it's "grey" then it's already at the default level.

    Step 5:
    Please download ATF-Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked so if you have some cookies you'd like to save. Please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF-Cleaner menu to close the program.

    Step 6:
    Next I would like you to install the current version of Sun Java: Sun Java Runtime Environment

    Step 7:
    Finally, run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
  5. spushul_k

    spushul_k Private E-2

    I have followed your instructions to the "T". I still have the same error popping up that I listed in my previous post. Also while following the instructions and scans this error popped up many hundreds of times...my finger is sore:-D. I have attached the files you asked for. Thank you again....you will never know how much. I look forward to getting rid of this pesky trojan.
     

    Attached Files:

    Last edited by a moderator: Jan 20, 2009
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your logs are clean! Which error are you referring to?
     
  7. spushul_k

    spushul_k Private E-2

    error:

    ***This application has failed to start because msntkjyhr.dll was not found. Re-installing the application may fix this problem.

    No matter what application I try to open or when I've re-booted this error comes up like crazy. It won't let me open things like Ad-aware. I can't disable my anti-virus AVG anymore so I just had to uninstall it so I could do the diagnostics you asked me to do. I had to click out of this error hundreds of times just to get thru the diagnostics.

    I'm at a loss...but then where this stuff is concerned I'll always be at a loss sadly. :(
     
  8. spushul_k

    spushul_k Private E-2

    I'm not bumping and if it takes longer to answer me so be it but I found something strange in my comp. In C:\WINDOWS\ it is full of files I've never noticed before. They all have different names but in each one of the files I found spuninst.exe and the file names are in blue instead of the normal black lettering on the other files. I do not ever remember seeing this many files in the section. I'd delete them all but I thought I'd better wait on an answer from you guys. Not sure if this info helps but I thought I'd throw it out at you guys.
     
    Last edited: Jan 20, 2009
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Registry Search (see the link titled RegSearch Download Link )
    • Extract the files from Regsearch.zip into a folder.
    • Doubleclick regsearch.exe to start the program.
    • Enter msntkjyhr.dll in the top area of the form and then click "OK".
    • Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well). Attach this file to your next post.
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    These are legit files! They are blue because they are compressed files.
     
  11. spushul_k

    spushul_k Private E-2

    RegSearch.txt attached......more thank you's to you bjgarrick;)
     

    Attached Files:

  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Click Start > Run > type regedit and press ENTER. Once the Registry Editor opens navigate to the following registry keys.

    When you get to each one, right click on Environment on the left side and select "Export" and export to your desktop. Once exported, ZIP this file and attach it to your next post.
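
An added example, not part of the original thread and not RegSearch's own code: a scan of an exported .reg file for references to a DLL name. It decodes `hex(2)`/`hex(7)` values, which a plain text search of the export misses. The key `ExampleVendor\Loader` and the sample export are constructed; the thread does not show where the reference actually lived.

```python
import re

def decode_value(raw, wide=True):
    """Turn the right-hand side of one .reg line into searchable text."""
    m = re.match(r'hex\((?:2|7)\):(.*)', raw)
    if m:  # REG_EXPAND_SZ / REG_MULTI_SZ are exported as comma-separated bytes
        data = bytes(int(b, 16) for b in m.group(1).split(',') if b.strip())
        # Version 5.00 exports hold UTF-16LE; REGEDIT4 holds ANSI (cp1252 assumed)
        text = data.decode('utf-16-le' if wide else 'cp1252', errors='replace')
        return text.replace('\x00', ' ').strip()
    if raw.startswith('"') and raw.endswith('"'):  # REG_SZ with escaped \ and "
        return re.sub(r'\\(.)', r'\1', raw[1:-1])
    return raw  # dword:, hex: and other types are left as written

def find_references(reg_text, needle):
    """Return (key, value name, decoded data) for every value mentioning needle."""
    wide = not reg_text.lstrip('\ufeff').startswith('REGEDIT4')
    joined = re.sub(r'\\\r?\n\s*', '', reg_text)  # undo "\" line continuations
    hits, key = [], None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = re.match(r'("(?:[^"\\]|\\.)*"|@)=(.*)', line)
        if m and key:
            name, data = m.group(1).strip('"'), decode_value(m.group(2), wide)
            if needle.lower() in (name + '\n' + data).lower():
                hits.append((key, name, data))
    return hits

def load_reg(path):
    """Read a regedit export: UTF-16 with BOM (5.00) or ANSI (REGEDIT4)."""
    with open(path, 'rb') as fh:
        raw = fh.read()
    if raw.startswith(b'\xff\xfe'):
        return raw.decode('utf-16')
    return raw.decode('cp1252', errors='replace')

def _as_hex2(text):
    """Encode text the way regedit writes REG_EXPAND_SZ (used for the sample only)."""
    pairs = [f'{b:02x}' for b in (text + '\0').encode('utf-16-le')]
    rows = [','.join(pairs[i:i + 20]) for i in range(0, len(pairs), 20)]
    return 'hex(2):' + ',\\\n  '.join(rows)

# Constructed sample export; the key and value names are hypothetical.
SAMPLE = (
    'Windows Registry Editor Version 5.00\n\n'
    '[HKEY_LOCAL_MACHINE\\SOFTWARE\\ExampleVendor\\Loader]\n'
    '"Count"=dword:00000001\n'
    '"Plain"="C:\\\\WINDOWS\\\\system32\\\\other.dll"\n'
    '"Expanded"=' + _as_hex2('%SystemRoot%\\system32\\msntkjyhr.dll') + '\n'
)

if __name__ == '__main__':
    print('plain text search finds it:', 'msntkjyhr.dll' in SAMPLE)
    for hit in find_references(SAMPLE, 'msntkjyhr.dll'):
        print(hit)
```

For a real export, pass `load_reg(path)` as the first argument instead of `SAMPLE`.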
     
  13. spushul_k

    spushul_k Private E-2




    I zipped both .reg files together I hope that was OK? Thanks again dude!:wave
     

    Attached Files:

  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Do you have your WinXP disc?

    If so, enter the disc and then Click Start > Run > type the following command:

    sfc /scannow

    Once it's complete, reboot and see if problem remains.
     
    Last edited: Jan 24, 2009
  15. spushul_k

    spushul_k Private E-2

    No discs came with the computer. I asked why when I bought it and they said there is no need anymore because all that you need is built into the computer for reformatting (which I have never done). OK. I took the salesman's word for it. Duh! It was the same thing when my brother bought his Sony Vaio laptop from the Sony Store. So I just assumed things have advanced that the windows discs were no longer needed.

    My computer is a couple years old. It's an HP Pavilion m7557c with AMD64 Dual Core processor. I run Windows XP Media Center. I have my media center hooked up to my local cable provider for watching TV.

    Strange things I've noticed over the last little while are my monitor (HP f2105) was displaying anything in black as bright green. I thought it was toast but as long as I do not shut it off it seems to work OK. Another thing is that it was running slower but it seems better now after doing your READ & RUN ME FIRST processes. Even though it took all day because for every file that was scanned that crappy ERROR kept coming up and would stall the scan until I clicked out of it.

    So basically it is the ERROR that is causing me angst now. Do you think it could be a Windows Update or Hotfix that has caused this error to come up? I do remember I could not stay online/hooked up to the net and it turned out it was because one of the Windows updates caused the problem.

    I don't know I'm grasping at straws here. I just hope my computer is not F$@#ED! I do so appreciate the time you have taken for me and my pewter so far bjgarrick. :confused:confused:confused:confused
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Let’s use ComboFix once more.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Once you have completed the above instructions, please run the below once more and attach the new log to your next post.

    • Doubleclick regsearch.exe to start the program.
    • Enter msntkjyhr.dll in the top area of the form and then click "OK".
    • Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well). Attach this file to your next post.
     
    Last edited: Jan 24, 2009
  17. spushul_k

    spushul_k Private E-2

    I have done what you asked on the last post and attached the 2 files. I'm still getting the error. While doing the ComboFIX I quit counting at around 300 times I had to click out of that msntkjyhr error (which I lovingly refer to as the "MFing Error") just to get thru the scan.

    What program is this particular DLL file connected to? Apparently this msntkjyhr.dll file is missing. Is there someplace I can get it so it would no longer be missing?

    Are you laughing yet? I'm now trying to deduce my own computer problem. That is laughable.:-D.....OK at this point it's a little cryable:cry:cry:cry

    ....anymore suggestions bjgarrick :confused
     

    Attached Files:

  18. spushul_k

    spushul_k Private E-2

    .....one other thing I've noticed. In an earlier post you wanted me to attempt to do a sfc /scannow but without an XP disc there would not be much point. So HP says there is a way to do it without a disc so I clicked on my HP Help & Support icon to search it out but that error msntkjyhr.dll comes up so rapidly I can't get into it. Usually I can click thru the error and eventually the app opens but it just won't allow anything that might help me get rid of it to open. Seems a little suspect to me.

    Do you have any thoughts on what this problem is. Or where it may have come from?
     
  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Click Start > Run > type the following:

    regsvr32 /u msntkjyhr.dll

    Once complete, reboot and let me know if problem remains.
     
  20. spushul_k

    spushul_k Private E-2

    ...Oh bjgarrick....this is what happened when I followed yer instructions.

    After I clicked the RUN button two of those same old errors came up that I had to click thru:


    ***This application has failed to start because msntkjyhr.dll was not found. Re-installing the application may fix this problem.

    Then I got this error:

    ! LoadLibrary ("msntkjyhr.dll") failed - The specified module could not be found.

    ....then as I did the reboot I still got the MFing error as I usually do. Nothing has changed. :-o
     
  21. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Try doing this:

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Reboot.

    Run Regsearch again.
     
  22. spushul_k

    spushul_k Private E-2

    I did it...still getting error:confused

    I appreciate the help guys...I really do. I'm just sorry it's turning out to be such a puzzle.
     

    Attached Files:

  23. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Interesting...now it has moved.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now run regsearch again.....are you having fun yet? :)
     
  24. spushul_k

    spushul_k Private E-2


    ......more importantly are you having fun yet. Where would a vast majority of us be without you guys. You're doing GOD'S work!!!!!!:-D

    OK I did what yoos told me and have attached the file. I'm still getting this error. This thing is a dirty little bastardo.
    ......thanks again

    BTW...I am currently only using my windows firewall. This MFing error messes with my AVG Internet Security 8.0.198. It just does not work properly so I uninstalled it. I used to be able to disable the anti spyware and anti virus whenever I wanted but since I got this dll error I could no longer disable it. Those options were no longer there. So it made it impossible to follow you guys' instructions of disabling before doing the scans you required.
     

    Attached Files:

    Last edited: Jan 27, 2009
  25. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Try this once more, Click Start > Run > type cmd and press ENTER.

    When the command window comes up, type the following command just as it is and press enter, what happens?

    regsvr32 /u msntkjyhr.dll
     
  26. spushul_k

    spushul_k Private E-2

    I have to click thru this error 2X

    ***This application has failed to start because msntkjyhr.dll was not found. Re-installing the application may fix this problem.

    Then I got this error:

    ! LoadLibrary ("msntkjyhr.dll") failed - The specified module could not be found.

    :(
     
  27. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Let's do this, download Autoruns and save it to your desktop. Extract the contents and run autoruns.exe.

    When it comes up, click on the little set of binoculars and enter msntkjyhr.dll and press Find Next.

    Does it find anything? If so, please attach a screenshot so I can see the exact location before we remove it.
     
  28. spushul_k

    spushul_k Private E-2


    ...it found nothing...grrrrr!
     
  29. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Question....have you uninstalled Search Assistant?
     
  30. spushul_k

    spushul_k Private E-2

    The only thing I have uninstalled is what you guys have asked me to:

    J2SE Runtime Environment 5.0 Update 5
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3

    So I looked in my "Add or Remove Programs" and I did not see anything called "Search Assistant" and I also did a file search and did not find anything either.


    :confused
     
  31. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download CCleaner if not already installed, if installed make sure you have the latest version released today.

    CCleaner 2.16.830

    Once you get it installed/updated, run CCleaner and once open click on "Registry". Next, click on Scan for Issues and let it scan, once complete, reboot and let me know if problem remains.
     
  32. spushul_k

    spushul_k Private E-2

    I did what you said. Once the scan was complete you never said if I should fix selected issues.....I made an executive decision and fixed them and the next prompt was asking if I wanted to back up changes to the registry....another executive decision....I clicked on "no". I then rebooted and sadly the error is still there.

    I'm very confident the next thing you instruct me to do will in fact obliterate the MFing msntkjyhr.dll error...forever. I hope this does not put you under any undue pressure to perform...he he. :wave
     
  33. spushul_k

    spushul_k Private E-2

    ...am I a lost cause......:cry
     
  34. spushul_k

    spushul_k Private E-2

    I really need some kind of help I can't get into my "Set Access and Default"...it seems to have complete control over all my important stuff. Even if you can't fix it can you tell me how to reformat (uuuggg). I was not given a OS disc when I bought the computer because they said I did not need it to reformat.

    It's an HP Pavilion m7557c.

    If you can no longer help just tell me don't leave me hangin'....thanks.
     
  35. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I'm not leaving you hanging, I have been very busy the past week and have fallen behind.
     
  36. spushul_k

    spushul_k Private E-2

    Thank you for getting back to me.....I bet you are busy but you just never know when you may have been abandoned...especially when you are getting complimentary help. I really appreciate your help.....very very much. I will be patient....though it was 13 days.

    I am busy burning all my pertinent files to data disc just in case I have to do a system recovery :( (I wish you had a smiley that threw up)

    I will await your reply......if I now have to wait longer due to this message (bump) I will understand.
     
  37. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please download Silent Runner's
    • Save it to the desktop.
    • Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
    • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
    • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and attach it to your next message.
    NOTE: If you receive any warning messages from your antivirus or antispyware programs about a script trying to be run , please choose to allow the script to run.
     
  38. spushul_k

    spushul_k Private E-2

    .....thanks for all your help....but I did a full system recovery. So this pesky pain in my butt is now history. Now you have one less task on your undoubtedly LOooooooong list of posts to get to.

    ...again thank you BJ for your time and expertise.........Kim
     
  39. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Well...we could have gotten to the bottom of this, I apologize for the delay in my replies. I work three jobs and volunteer here so needless to say I stay pretty busy.

    You should see this article on How to Protect yourself from malware!

    Surf Safely!:)
     
