Trojan Horse Generic2: LNI

[chriscool9]

Ok, hi there again guys. Well basically ive googled this 'Trojan Horse Generic2: LNI' but to no avail, but ive found many others that have different endings, for example 'Trojan Horse Generic2: CBF'. However i want information on the trojan that is on my sisters P.C. Im not computer savey at all but i do know how to get around on them and i am the most knolageable in my faimly. There is one other issue that confuses me. Last night i started a scan on her P.C and it didint pick up anything, it got about 30 mins into it then we decided to turn off the P.C. Then this morning my sister booted up the P.C to try and get her coursework out of the way, and as most of you will know AVG has that option to scheduale scans. The schedualing scan on this P.C is 8:00 in the morning and she had started it at 7:45 (early i know but she has a ton of coursework), so the scan went on and found this Trojan with under 5 minuites into the scan. So why didint the scanner pick this up lastnight before i had to terminate it? She hasnt downlaoded anything so i dont think its fresh this morning. Anyway advice and information would be appreciated.
Thanks guys

Chris

P.S I think its worth mentioning that the AV is AVG (which i dont like) and for spyware shes got Lavasoft Ad-aware. Oh and ive turned system restore off

[unlovedwarrior]

chris

dl AVg Anti-spyware

spybot

and do the scans in scan mode

then post a hijackthis log



unlovedwarrior

why dont u like avg

[chriscool9]

Ok well ive done the scans in safe mode now as well, alll clear.
Done spyware
So heres my HJT log attached, ill just post it up so you dont have to sepnd time unzipping it.
Oh and when i say i dont like AVG i think i phrased it wrong. AVG is great considering its free, but the thing is when i got my laptop i got the free home edition of Avast! on it and i just Avast! does alot more then AVG. For example you get the P2P filters and the Webscanner that automatically scans all the incomming data, and if it detects a virus it terminates the connection before the virus/worm/ trojan can infect you. And the scanner doesnt make a signle difference in the time it takes websites to laod up, its great!

Chris

[chriscool9]

Logfile of HijackThis v1.99.1
Scan saved at 09:54:08, on 09/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virtual CD v8\System\VC8SecS.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\RaConfig2500.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\OEM\My Documents\Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/weather/5day.shtml?id=3981
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.systemaxpc.co.uk/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P40 "EPSON Stylus Photo RX420 Series (Copy 1)" /O6 "USB001" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo RX420 Series (Copy 1) on ACERASPIRE3000] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P63 "Auto EPSON Stylus Photo RX420 Series (Copy 1) on ACERASPIRE3000" /O22 "\\ACERASPIRE3000\RX425" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RaConfig2500.lnk = C:\WINDOWS\system32\RaConfig2500.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.systemaxpc.co.uk/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://o.aolcdn.com/pictures/ap/Resources/2.0.4.69/cab/aolpPlugins.10.4.0.4.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://r1bena.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1145636885156
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

[chriscool9]

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Virtual CD v8 Management Service (VC8SecS) - H+H Software GmbH - C:\Program Files\Virtual CD v8\System\VC8SecS.exe

[chriscool9]

http://img295.imageshack.us/img295/2452/virusgs7.png
Should i be worried about the image where it says 'Backup Copy' next to 'Source'?!
Does that mean there IS another one lurking about?!
Thanks

Chris

[patio]

Chris,

DLoad update and run Ewido on that machine. See what it finds. (it's now known as AVG Anti-spyware )

Then do the same with Stinger.

Let us know.

[chriscool9]

Ok, well give me about a day ot two becuase the wireless on this P.C doesnt work very well at all. Ill have to download it off my laptop and use use my iRiver to transfer it on to this P.C

Chris

[patio]

Gotcha.

OT but is the PC close enough to just hook it up to the wireless router ? ?

Just a thought.

patio.  8-)

[chriscool9]

No, the router is on a different floor in the house. Oh and we dont have a network card for it, well not one where you can plug a network cable in. Just the wireless card. Its funny though how the computer has problems with the wireless but my laptop works flawlesly with it. Oh and can i just repeat some of the questions incase they got missed. Well the first one is about it saying 'Back-up' copy, and about it not being detected last night but being detected this morning. Oh and lastly does anyone have ANY idea waht this trojan does?!
Thanks Patio and Unloved

Chris

[patio]

As to the last nite today question the only thing i can think of would be that AVG runs the scan differently in scheduled mode because it has access to all the system resources as opposed to running it in an active session.
As far as the PC a network card for that should only cost you 7 to 10 Euro.
And they're relatively easy to install.

I'm researching the Trojan variant you mentioned.

[chriscool9]

As to the last nite today question the only thing i can think of would be that AVG runs the scan differently in scheduled mode because it has access to all the system resources as opposed to running it in an active session.
As far as the PC a network card for that should only cost you 7 to 10 Euro.
And they're relatively easy to install.

I'm researching the Trojan variant you mentioned.

Ok cool, thanks! Like I said ive looked for it all over but cant find that varient. Also it's not a big issue with the P.C having the dodgey wireless for us anymore. Weve just bought another laptop for my sister for christmas, so we wont be having to put up with it for  much longer.
Anyway if you find anything then it would be gratefully apprecaited, if not dont worry because like I said it'll be gone soon.
Thanks

Chris