#1
Bit Member
Join Date: Sep 2010
Posts: 2
Hello,

I have the trojan called Trojan.win32.Generic.pak!cobra.Engine on my computer. I am using Windows XP on a small Asus EEEPC. I have run an up-to-date Ad-Aware spyware removal program and it came up with this trojan. Ad-Aware removed the trojan, but when I ran the next full scan it came up again with the trojan. The first time this happened the trojan came up in 3 sites. Since the first removal, Ad-Aware keeps coming up with the trojan in only one place now, which is in C:\system volume information\restore{70f .....................etc.exe

I turned off System Restore and removed all the System Restore points. I then ran an Ad-Aware full scan again, and the trojan was not detected. I turned System Restore on again, ran an Ad-Aware full scan, and it has come up with the trojan again.

I do not know where this trojan came from. I recently downloaded the program Calibre 7.017 (about 3 weeks ago) to manage the ebook library on my computer and new ereader, and I updated it to 7.018 directly from the Calibre site just the other day. I have also had my new Kogan ereader plugged in and downloaded a backup copy of the 1700 books on the reader to my computer. I have also been on the internet looking for sites to download ebooks from. Some were a bit dodgy and this is probably where I became infected.

I would like help, please, if anyone has a good suggestion on how to remove this permanently. I would also like to know how and where this trojan came from, and what it does. Thanks
#2
Malware and Spam Assassin
Join Date: Sep 2005
Location: Morris, Illinois
Age: 42
Posts: 25,342
Please perform the following procedure and post the logs.

Please download Malwarebytes' Anti-Malware from here or here and save it to your desktop.

Download the HijackThis installer from here. Run the installer and choose Install, indicating that you accept the licence agreement. The installer will place a shortcut on your desktop and launch HijackThis. Click "Do a system scan and save a logfile". Most of what HijackThis lists will be harmless or even essential, so don't fix anything yet. Post the logfile that HijackThis produces along with the Malwarebytes Anti-Malware log.
__________________
MB - Gigabyte 970A-UD3 || CPU - FX8350|| PSU - Corsair CMPSU-650TX 650W || Memory - Corsair Vengeance 8GB (2 x 4GB) DDR3 1600 || GPU - Sapphire HD6870 1GB || HDD's - 500GB SATA III WD Caviar Black, 64gb SATA III Crucial SSD, 120GB Corsair Force 3 SSD|| Monitor - ASUS VE278Q Black 27" 1920x1080 2ms Full HD HDMI LED Backlight || OS - Dual boot XP and 7 || Case - Cooler Master HAF 912 || Cpu cooler - CM Hyper 212 Plus
#3
Bit Member
Join Date: Sep 2010
Posts: 2
Thanks for the info, I'll get onto it and post the log soon.
Salty possum
#4
Bit Member
Join Date: Sep 2010
Posts: 4
I am having this same problem.
I run Malwarebytes, and it comes up with nothing though.
#5
Malware and Spam Assassin
Join Date: Sep 2005
Location: Morris, Illinois
Age: 42
Posts: 25,342
Please post the Malwarebytes log along with a HijackThis log. Follow the instructions on how to post the logs in my previous post.
#6
Bit Member
Join Date: Jun 2011
Posts: 1
Malwarebytes log:

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6933

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.19088

6/23/2011 7:35:08 PM
mbam-log-2011-06-23 (19-35-08).txt

Scan type: Quick scan
Objects scanned: 192738
Time elapsed: 14 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\$Recycle.Bin\s-1-5-21-2713273461-2501166293-1954594888-1000\$RQ9VOCB.exe (PUP.Casino) -> Quarantined and deleted successfully.
c:\$Recycle.Bin\s-1-5-21-2713273461-2501166293-1954594888-1000\$RY4FZAM.exe (PUP.Casino) -> Quarantined and deleted successfully.
c:\Users\Owner\AppData\Roaming\Adobe\shed\thr1.chm (Malware.Trace) -> Quarantined and deleted successfully.
c:\Users\Owner\AppData\Roaming\Adobe\plugs\mmc5529549.txt (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:51:55 PM, on 6/23/2011
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.19088)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Sunbelt Software\VIPRE\SBAMTray.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mediacomtoday.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
F2 - REG:system.ini: UserInit=userinit.exe,
O1 - Hosts: ::1 localhost
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Inbox Toolbar - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - C:\PROGRA~2\INBOXT~1\Inbox.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: &Inbox Toolbar - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\PROGRA~2\INBOXT~1\Inbox.dll
O4 - HKLM\..\Run: [SBAMTray] "C:\Program Files (x86)\Sunbelt Software\VIPRE\SBAMTray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVWSzItQUxZTUYtU0xLTFUtQVoyVUItNkdPS0ItSkhGTkg"&"inst=NzctNTA2Nzk5NzgyLUJBKzEtS1YzKzctWEwrMS1UMS1GUDkrNi1CQVI5RysxLVRCOSsyLUZMKzktUUlYMSszLVgyMDEwKzItRjEwTSs1"&"prod=90"&"ver=10.0.1170
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /install /silent
O4 - HKCU\..\Run: [CPN Notifier] C:\Program Files (x86)\All In Poker\PokerNotifier.exe
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files (x86)\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files (x86)\Bodog Poker\BPGame.exe
O9 - Extra button: PokerTime - {00000000-0000-0000-0000-000000000000} - (no file) (HKCU)
O9 - Extra button: RPM Poker - {00710644-edb6-40fb-b3e2-51b615e97d5a} - C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\RPM Poker\RPM Poker.lnk (HKCU)
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
O9 - Extra button: Poker Host - {2c1ff667-5bc1-4c67-9cd3-92e30f58f9f1} - C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Poker Host\Poker Host.lnk (HKCU)
O9 - Extra button: UltimateBet - {3EB3B7E8-1466-405A-B5BC-44513AF85E34} - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UltimateBet\UltimateBet.lnk (HKCU)
O9 - Extra 'Tools' menuitem: UltimateBet - {3EB3B7E8-1466-405A-B5BC-44513AF85E34} - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UltimateBet\UltimateBet.lnk (HKCU)
O9 - Extra button: PDC Poker - {4f34c291-5837-4f45-ade1-da5502c69fef} - C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PDC Poker\PDC Poker.lnk (HKCU)
O9 - Extra button: Hero Poker - {64811787-6eb5-4248-9f1d-45c6bfc8302e} - C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Hero Poker\Hero Poker.lnk (HKCU)
O9 - Extra button: GR88 - {7ecccf90-ae7b-44ea-884e-201d1d84736e} - C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\GR88\GR88.lnk (HKCU)
O9 - Extra button: OverBet - {8bb89379-d506-40d4-a886-51d78a8a2f4d} - C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OverBet\OverBet.lnk (HKCU)
O9 - Extra button: Sportsbook.com - {a0cadf8e-1c3d-4463-89f9-b6db8e1fe580} - C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Sportsbook.com\Sportsbook.com.lnk (HKCU)
O9 - Extra button: Black Chip Poker - {a6090802-f053-454f-85af-43d606dbe92a} - C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Black Chip Poker\Black Chip Poker.lnk (HKCU)
O9 - Extra button: Players Only - {c1bb3821-d7bc-4d12-90cc-eca4c2a3be99} - C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Players Only\Players Only.lnk (HKCU)
O9 - Extra button: PokerNordica - {caf8603b-35e9-4f0f-819d-a509543a1e09} - C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PokerNordica\PokerNordica.lnk (HKCU)
O9 - Extra button: CarbonPoker - {e4e8c758-34b4-44bb-8ef9-1f0786e81d2d} - C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CarbonPoker\CarbonPoker.lnk (HKCU)
O9 - Extra button: FeltStars - {fbd780d2-c26b-46dd-9002-fdf30465c9d2} - C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FeltStars\FeltStars.lnk (HKCU)
O18 - Protocol: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\PROGRA~2\INBOXT~1\Inbox.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: ABBYY.Licensing.FineReader.ScreenshotReader.9.0 - ABBYY - C:\Program Files (x86)\ABBYY Screenshot Reader\NetworkLicenseServer.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Ati External Event Utility - Unknown owner - C:\Windows\system32\Ati2evxx.exe (file missing)
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Cyberlink RichVideo64 Service(CRVS) (RichVideo64) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo64.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: VIPRE Antivirus (SBAMSvc) - Sunbelt Software - C:\Program Files (x86)\Sunbelt Software\VIPRE\SBAMSvc.exe
O23 - Service: SB Recovery Service (SBPIMSvc) - Sunbelt Software - C:\Program Files (x86)\Sunbelt Software\VIPRE\SBPIMSvc.exe
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 9931 bytes
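A way to triage a HijackThis log like the one above programmatically, as an added example that is not part of this thread and not code from HijackThis or Malwarebytes: the script parses the `Oxx - ` entries, pulls out the path each one points at, and flags dangling entries, autostarts that run from user-writable directories, and bundled toolbars. It also downgrades the many "(file missing)" services under C:\Windows\System32, which in the log above is the usual artifact of the 32-bit HijackThis 2.0.4 build running on 64-bit Windows (file-system redirection hides the real System32 from it), rather than evidence of tampering. The sample log inside the script is constructed: its lines are abridged from the posted log except the `[Updater]` entry, which is made up only to exercise the user-writable-path rule. The path-fragment lists (`USER_WRITABLE`, `PUP_MARKERS`) are assumptions for illustration, not a vendor signature set.

```python
import re

# Constructed sample in the shape of the HijackThis 2.0.4 log posted above.
# All lines but one are abridged from that log; the "[Updater]" entry is
# made up solely to exercise the user-writable-path rule.
SAMPLE_LOG = r"""
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: &Inbox Toolbar - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\PROGRA~2\INBOXT~1\Inbox.dll
O4 - HKLM\..\Run: [SBAMTray] "C:\Program Files (x86)\Sunbelt Software\VIPRE\SBAMTray.exe"
O4 - HKCU\..\Run: [CPN Notifier] C:\Program Files (x86)\All In Poker\PokerNotifier.exe
O4 - HKCU\..\Run: [Updater] C:\Users\Owner\AppData\Roaming\svchost.exe
O9 - Extra button: PokerTime - {00000000-0000-0000-0000-000000000000} - (no file) (HKCU)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: VIPRE Antivirus (SBAMSvc) - Sunbelt Software - C:\Program Files (x86)\Sunbelt Software\VIPRE\SBAMSvc.exe
"""

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\.*?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
MARKER_RE = re.compile(r"\s*\((?:no file|file missing|HKCU|HKLM)\)", re.I)

# Assumed heuristics, to be extended with your own intel; not a vendor signature set.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\$recycle.bin\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
PUP_MARKERS = ("askbar", "inboxt")  # bundled-toolbar path fragments seen in the log above


def program_path(cmd):
    """Pull the executable/DLL path out of a Run value or an entry's tail."""
    cmd = MARKER_RE.sub("", cmd).strip()
    if cmd.startswith('"'):                      # quoted path, possibly followed by switches
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.(?:exe|dll|lnk|cpl|sys))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd


def parse_hjt(text):
    """Turn the 'Oxx - ...' lines of a HijackThis log into dicts."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, body = m["code"], m["body"]
        run = RUN_RE.match(body) if code == "O4" else None
        if run:                                   # O4 autostart: hive\..\Run: [name] command
            name, path = run["name"], program_path(run["cmd"])
        else:                                     # everything else: label - CLSID - path
            name, path = body.split(" - ")[0], program_path(body.rsplit(" - ", 1)[-1])
        entries.append({"code": code, "name": name, "path": path, "body": body})
    return entries


def assess(entry):
    """Return the triage findings for one entry; an empty list means nothing notable."""
    findings = []
    body, low = entry["body"], entry["path"].lower()
    if "(no file)" in body:
        findings.append("dangling entry: target file absent")
    if "(file missing)" in body:
        if low.startswith(SYSTEM_DIRS):
            # A 32-bit HijackThis on 64-bit Windows is redirected away from the real
            # System32, so core services show as missing. Verify before acting on it.
            findings.append("file missing under System32 (likely WOW64 redirection artifact)")
        else:
            findings.append("file missing")
    if any(d in low for d in USER_WRITABLE):
        findings.append("runs from a user-writable location")
    if entry["code"] in ("O2", "O3") and any(k in low for k in PUP_MARKERS):
        findings.append("bundled toolbar/BHO (commonly classed as a PUP)")
    return findings


def triage(text):
    """Parse a log and keep only the entries worth a closer look."""
    out = []
    for e in parse_hjt(text):
        findings = assess(e)
        if findings:
            out.append((e["code"], e["name"], e["path"], findings))
    return out


if __name__ == "__main__":
    for code, name, path, findings in triage(SAMPLE_LOG):
        print(f"{code:<4}{name}\n    {path or '(none)'}\n    -> {'; '.join(findings)}")
```

Run it on a saved log with `triage(open("hijackthis.log").read())`. The output is a shortlist, not a verdict: an entry under AppData is only suspicious until you have checked its publisher and hash, and a "(file missing)" core service on an x64 box should be confirmed with a 64-bit tool before anyone touches it.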
#7
Malware and Spam Assassin
Join Date: Sep 2005
Location: Morris, Illinois
Age: 42
Posts: 25,342
datsme53,
Please let me know if you are still having any issues. I do see that you play a lot of poker. Fully explain your issues if you are having any.
#8
Byte Member
Join Date: Oct 2010
Location: Los Angeles
Posts: 50
Have you run Spybot?
__________________
"Two things are infinite: the universe and human stupidity; and I'm not sure about the universe." - Albert Einstein my free spyware removal blog |