Dropper Agent LNI Dropper

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by GMSD, Oct 26, 2009.

  1. GMSD

    GMSD Private E-2

    Hello

    My AVG Anti Virus has picked up 3 trojan horses, Dropper Agent LNI Dropper, can anybody please help me get rid of these, AVG can get rid of them.

    Many Thanks

    Dave
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Welcome to Major Geeks!

    Please read ALL of this message including the notes before doing anything.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and attach the requested logs when you finish these instructions.

    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.


    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:


    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:

    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. GMSD

    GMSD Private E-2

    Hello Tim

    Please find 4 logs, will send fifth on separate post.

    Dave
     

    Attached Files:

  4. GMSD

    GMSD Private E-2

    Hello Tim

    Please find fifth log

    Dave
     

    Attached Files:

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I have to assume that you saved the log from MBAM before you fixed what it found. If not, fix it.

    Do you have any idea what these are:
    C:\annis tate
    C:\BARNETT
    C:\CHAMPNEY
    C:\Elizabeth Orwell
    C:\gallacher
    C:\GILSON
    C:\higton
    C:\KINLEY
    C:\smythe
    C:\thistlethwaite

    I am going to include them in a fix for Combo and remove them. If you know what they are and you are sure they are safe, you can remove them from the fix.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    Folder::
    C:\annis tate
    C:\BARNETT      
    C:\CHAMPNEY     
    C:\Elizabeth Orwell
    C:\gallacher
    C:\GILSON        
    C:\higton
    C:\KINLEY        
    C:\smythe
    C:\thistlethwaite
    C:\WINDOWS\temp\pdk-SYSTEM-2688
    C:\WINDOWS\temp\pdk-SYSTEM-2540
    
    FCopy::
    C:\WINDOWS\ServicePackFiles\i386\eventlog.dll | C:\WINDOWS\system32\eventlog.dll
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run Ccleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
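The CFScript in the post above is built from ComboFix directives (KILLALL::, Folder:: and FCopy::) and the FCopy:: line replaces C:\WINDOWS\system32\eventlog.dll with the cached copy from ServicePackFiles, which only makes sense if the live DLL has been altered. As an added example, not part of this thread and not ComboFix's own code, here is a small Python dry-run reviewer that parses a script in that shape and reports, for each FCopy:: pair, whether the source is missing, identical to the target, or actually differs by SHA-256, and for each Folder:: entry whether the path exists. The Windows paths in SAMPLE_SCRIPT are the ones from the post; the temporary directory layout in demo() is constructed, and the script grammar is assumed only as far as the page shows it (a directive name ending in `::`, one entry per line, `source | target` for FCopy).

```python
"""Dry-run reviewer for a ComboFix-style CFScript (added example, not ComboFix code)."""
import hashlib
import tempfile
from pathlib import Path

# Constructed sample: the script posted in the thread, copied as plain text.
SAMPLE_SCRIPT = r"""KILLALL::
Folder::
C:\annis tate
C:\BARNETT
C:\CHAMPNEY
C:\Elizabeth Orwell
C:\gallacher
C:\GILSON
C:\higton
C:\KINLEY
C:\smythe
C:\thistlethwaite
C:\WINDOWS\temp\pdk-SYSTEM-2688
C:\WINDOWS\temp\pdk-SYSTEM-2540

FCopy::
C:\WINDOWS\ServicePackFiles\i386\eventlog.dll | C:\WINDOWS\system32\eventlog.dll
"""


def parse_cfscript(text):
    """Split the script into {directive: [entries]}; a directive is a line ending in '::'."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_fcopy(entry):
    """An FCopy entry is 'source | target'; return the two paths stripped."""
    src, _, dst = entry.partition("|")
    return src.strip(), dst.strip()


def sha256_file(path):
    """Hash a file in chunks so large DLLs do not have to be read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def fcopy_status(src, dst):
    """Say what an FCopy would do: nothing to restore from, a fresh copy, a no-op, or a real change."""
    src, dst = Path(src), Path(dst)
    if not src.is_file():
        return "missing-source"
    if not dst.is_file():
        return "missing-target"
    return "identical" if sha256_file(src) == sha256_file(dst) else "differs"


def review(text):
    """Produce a plan without touching anything: folder existence and FCopy hash comparison."""
    sections = parse_cfscript(text)
    return {
        "killall": "KILLALL" in sections,
        "folders": [(p, Path(p).exists()) for p in sections.get("Folder", [])],
        "fcopy": [(s, d, fcopy_status(s, d))
                  for s, d in map(parse_fcopy, sections.get("FCopy", []))],
    }


def demo():
    """Constructed layout: a clean cached DLL, a tampered live copy, an unchanged DLL, a missing source."""
    with tempfile.TemporaryDirectory() as tmp:
        cache = Path(tmp, "ServicePackFiles", "i386")
        sys32 = Path(tmp, "system32")
        cache.mkdir(parents=True)
        sys32.mkdir()
        (cache / "eventlog.dll").write_bytes(b"MZ clean eventlog")
        (sys32 / "eventlog.dll").write_bytes(b"MZ clean eventlog + injected bytes")
        (cache / "other.dll").write_bytes(b"MZ unchanged")
        (sys32 / "other.dll").write_bytes(b"MZ unchanged")
        script = "FCopy::\n" + "\n".join(
            f"{cache / name} | {sys32 / name}" for name in ("eventlog.dll", "other.dll", "absent.dll")
        )
        return [status for _, _, status in review(script)["fcopy"]]


if __name__ == "__main__":
    for src, dst, status in review(SAMPLE_SCRIPT)["fcopy"]:
        print(f"FCopy {src} -> {dst}: {status}")
    print(demo())
```

Run on a machine that is not the patient, the sample script simply reports the FCopy source as missing; on the affected XP machine the same check tells a helper whether the eventlog.dll restore is a real change before the fix is dragged onto ComboFix.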
     
  6. GMSD

    GMSD Private E-2

    Hi Tim

    I have done what you said and sent along the requested logs. I'm not sure if everything is ok, the computer is very slow, it takes ages to start up, and when I leave Internet Explorer I get a message saying that Internet Explorer has encountered difficulties and needs to debug.
    Plus as well I have noticed that on all documents and publications etc there are three letters after the document name, i.e. I have a Microsoft Publisher document called invoice, it is now called invoice.pub where beforehand it was just called invoice.

    Can you help me.

    Would you like me to send a log of my AVG antivirus scan.

    Many Thanks

    Dave
     

    Attached Files:

  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If AVG is showing some malware, please do attach the log.

    You did not answer my question as to those folders. Many are still showing in your latest Combo log.

    You now have hidden files allowed and it is probably why you are seeing these file extensions.

    Please also run MBAM after you do the fix and attach that.

    Also please try running the below online scan:

    http://www.superantispyware.com/onlinescan.html

    Reboot immediately after scanning if it finds and removes anything. Let me know if anything was found. It does not save a log.

    Your speed issue will be dealt with in my next fix. Or as I stated, you could use one of those start up managers to stop a lot of things that are running at start up.
     
  8. GMSD

    GMSD Private E-2

    Hello Tim

    Those folders are staff, these are what I created as I am self employed, all they hold is just text of letters that I have sent to customers (names of folders).

    I will do the scan and get back to you.

    Many Thanks

    Dave
     
  9. GMSD

    GMSD Private E-2

    Hi Tim

    I have sent along the logs for the following

    Superantispyware

    MBAM

    plus as well I have sent along a log from AVG which shows that I still have 3 files infected.

    Hope you can help me.

    Many Thanks

    Dave
     

    Attached Files:

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your AVG log is just showing items in your system restore folder. Those will not go away until you toggle system restore.

    I need to see a new MGLogs.zip.
     
  11. GMSD

    GMSD Private E-2

    Hi Tim

    I have 2 MG logs, one which I did before I toggled system restore (MGlogs3) and one which I did after I toggled system restore (MGlogs4).

    I am still getting an error message after I have been on the internet in which it says that Internet Explorer has encountered a problem and needs to debug, can you tell me why this is happening.

    Thanks

    Dave
     

    Attached Files:

  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You may have to pursue that issue in the software forum. However, your temp folders are needing to be cleaned out!!

    Run both CCleaner and then run ATF Cleaner by Atribune

    Then go back and make sure that everything that can be removed is gone from both of these folders:
    C:\WINDOWS\temp\
    C:\Documents and Settings\David\Local Settings\temp\

    There are three items we can remove in your HJT log:
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They are useful as backup scanners. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  13. GMSD

    GMSD Private E-2

    Hi Tim

    I have cleaned out the temp files as you said, there are 4 that I can't remove, they are

    C:/WINDOWS/TEMP

    pdk.system.2536
    perflib.perfdata_5c0.dat

    C:/DOCUMENT AND SETTINGS/DAVID/LOCAL SETTINGS/TEMP

    dfd9a9.tmp
    jet7a34.tmp

    Is there any way that I can delete these? When I try to delete them it won't let me.

    I am also still getting a message to say that Internet Explorer has encountered a problem and I have to either click the debug or close button. This happens every time I use Internet Explorer, I have no problems surfing the web.

    Many Thanks

    Dave
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You will not be able to remove items that were created that day. Just make sure that you run CCleaner on a fairly regular basis and check that your temp folders are fairly clean.

    Your issue with IE needs to be addressed in the software forum. :)
     
