Trojan.win32.Generic.pak!cobra.Engine removal

Discussion in 'Computer Security' started by saltypossum, Sep 19, 2010.

  1. saltypossum

    saltypossum New Member

    Messages:
    2
Hello,
    I have the trojan called Trojan.win32.Generic.pak!cobra.Engine on my computer. I am using Windows XP on a small Asus EEEPC. I have run an up-to-date Adaware spyware removal program and it came up with this trojan. Adaware removed the trojan, but when I ran the next full scan it came up again with the trojan. The first time this happened the trojan came up in 3 sites. Since the first removal, Adaware keeps coming up with the trojan in only one place now, which is in C:\system volume information\restore{70f .....................etc.exe. I turned off System Restore and removed all the System Restore points. I then ran an Adaware full scan again, and the trojan was not detected. I turned System Restore on again, ran an Adaware full scan, and it has come up with the trojan again.

I do not know where this trojan came from. I recently downloaded the program Calibre 7.017 (about 3 weeks ago) to manage the ebook library on my computer and new ereader, and I updated it to 7.018 directly from the Calibre site just the other day. I have also had my new Kogan ereader plugged in and downloaded a backup copy of the 1700 books on the reader to my computer. I have also been on the internet looking for sites to download ebooks from. Some were a bit dodgy and this is probably where I became infected.

    I would like help if anyone has a good suggestion, please, on how to remove this permanently. I would also like to know how and where this trojan came from, and what it does.

    Thanks
     
  2. johnb35

    johnb35 Administrator Staff Member

    Messages:
    32,942
    Please perform the following procedure and post the logs.

    Please download Malwarebytes' Anti-Malware from here or here and save it to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version. Please keep updating until it says you have the latest version.
    • Once the program has loaded, select Perform quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
• A log will be saved automatically, which you can access by clicking on the Logs tab within Malwarebytes' Anti-Malware.


    Download the HijackThis installer from here.
    Run the installer and choose Install, indicating that you accept the licence agreement. The installer will place a shortcut on your desktop and launch HijackThis.

Click Do a system scan and save a logfile.

    Most of what HijackThis lists will be harmless or even essential; don't fix anything yet.

    Post the logfile that HijackThis produces along with the Malwarebytes' Anti-Malware log.
     
  3. saltypossum

    saltypossum New Member

    Messages:
    2
Thanks for the info. I'll get onto it and post the log soon.

    Salty possum
     
  4. kingreilly

    kingreilly New Member

    Messages:
    4
    I am having this same problem.

I run Malwarebytes, and it comes up with nothing though.
     
  5. johnb35

    johnb35 Administrator Staff Member

    Messages:
    32,942
Please post the Malwarebytes log along with a HijackThis log. Follow the instructions on how to post the logs in my previous post.
     
  6. datsme53

    datsme53 New Member

    Messages:
    1
Malwarebytes log:

    Malwarebytes' Anti-Malware 1.51.0.1200
    www.malwarebytes.org

    Database version: 6933

    Windows 6.0.6001 Service Pack 1
    Internet Explorer 8.0.6001.19088

    6/23/2011 7:35:08 PM
    mbam-log-2011-06-23 (19-35-08).txt

    Scan type: Quick scan
    Objects scanned: 192738
    Time elapsed: 14 minute(s), 30 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 4

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\$Recycle.Bin\s-1-5-21-2713273461-2501166293-1954594888-1000\$RQ9VOCB.exe (PUP.Casino) -> Quarantined and deleted successfully.
    c:\$Recycle.Bin\s-1-5-21-2713273461-2501166293-1954594888-1000\$RY4FZAM.exe (PUP.Casino) -> Quarantined and deleted successfully.
    c:\Users\Owner\AppData\Roaming\Adobe\shed\thr1.chm (Malware.Trace) -> Quarantined and deleted successfully.
    c:\Users\Owner\AppData\Roaming\Adobe\plugs\mmc5529549.txt (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 7:51:55 PM, on 6/23/2011
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v8.00 (8.00.6001.19088)
    Boot mode: Normal

    Running processes:
    C:\Program Files (x86)\Sunbelt Software\VIPRE\SBAMTray.exe
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
    C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
    C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mediacomtoday.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    F2 - REG:system.ini: UserInit=userinit.exe,
    O1 - Hosts: ::1 localhost
    O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll
    O2 - BHO: Inbox Toolbar - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - C:\PROGRA~2\INBOXT~1\Inbox.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll
    O3 - Toolbar: &Inbox Toolbar - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\PROGRA~2\INBOXT~1\Inbox.dll
    O4 - HKLM\..\Run: [SBAMTray] "C:\Program Files (x86)\Sunbelt Software\VIPRE\SBAMTray.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe" -osboot
    O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVWSzItQUxZTUYtU0xLTFUtQVoyVUItNkdPS0ItSkhGTkg"&"inst=NzctNTA2Nzk5NzgyLUJBKzEtS1YzKzctWEwrMS1UMS1GUDkrNi1CQVI5RysxLVRCOSsyLUZMKzktUUlYMSszLVgyMDEwKzItRjEwTSs1"&"prod=90"&"ver=10.0.1170
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /install /silent
    O4 - HKCU\..\Run: [CPN Notifier] C:\Program Files (x86)\All In Poker\PokerNotifier.exe
    O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files (x86)\PokerStars\PokerStarsUpdate.exe
    O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files (x86)\Bodog Poker\BPGame.exe
    O9 - Extra button: PokerTime - {00000000-0000-0000-0000-000000000000} - (no file) (HKCU)
    O9 - Extra button: RPM Poker - {00710644-edb6-40fb-b3e2-51b615e97d5a} - C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\RPM Poker\RPM Poker.lnk (HKCU)
    O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
    O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
    O9 - Extra button: Poker Host - {2c1ff667-5bc1-4c67-9cd3-92e30f58f9f1} - C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Poker Host\Poker Host.lnk (HKCU)
    O9 - Extra button: UltimateBet - {3EB3B7E8-1466-405A-B5BC-44513AF85E34} - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UltimateBet\UltimateBet.lnk (HKCU)
    O9 - Extra 'Tools' menuitem: UltimateBet - {3EB3B7E8-1466-405A-B5BC-44513AF85E34} - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UltimateBet\UltimateBet.lnk (HKCU)
    O9 - Extra button: PDC Poker - {4f34c291-5837-4f45-ade1-da5502c69fef} - C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PDC Poker\PDC Poker.lnk (HKCU)
    O9 - Extra button: Hero Poker - {64811787-6eb5-4248-9f1d-45c6bfc8302e} - C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Hero Poker\Hero Poker.lnk (HKCU)
    O9 - Extra button: GR88 - {7ecccf90-ae7b-44ea-884e-201d1d84736e} - C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\GR88\GR88.lnk (HKCU)
    O9 - Extra button: OverBet - {8bb89379-d506-40d4-a886-51d78a8a2f4d} - C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OverBet\OverBet.lnk (HKCU)
    O9 - Extra button: Sportsbook.com - {a0cadf8e-1c3d-4463-89f9-b6db8e1fe580} - C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Sportsbook.com\Sportsbook.com.lnk (HKCU)
    O9 - Extra button: Black Chip Poker - {a6090802-f053-454f-85af-43d606dbe92a} - C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Black Chip Poker\Black Chip Poker.lnk (HKCU)
    O9 - Extra button: Players Only - {c1bb3821-d7bc-4d12-90cc-eca4c2a3be99} - C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Players Only\Players Only.lnk (HKCU)
    O9 - Extra button: PokerNordica - {caf8603b-35e9-4f0f-819d-a509543a1e09} - C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PokerNordica\PokerNordica.lnk (HKCU)
    O9 - Extra button: CarbonPoker - {e4e8c758-34b4-44bb-8ef9-1f0786e81d2d} - C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CarbonPoker\CarbonPoker.lnk (HKCU)
    O9 - Extra button: FeltStars - {fbd780d2-c26b-46dd-9002-fdf30465c9d2} - C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FeltStars\FeltStars.lnk (HKCU)
    O18 - Protocol: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\PROGRA~2\INBOXT~1\Inbox.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: ABBYY.Licensing.FineReader.ScreenshotReader.9.0 - ABBYY - C:\Program Files (x86)\ABBYY Screenshot Reader\NetworkLicenseServer.exe
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: Ati External Event Utility - Unknown owner - C:\Windows\system32\Ati2evxx.exe (file missing)
    O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
    O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DTSRVC.exe
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Cyberlink RichVideo64 Service(CRVS) (RichVideo64) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo64.exe
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: VIPRE Antivirus (SBAMSvc) - Sunbelt Software - C:\Program Files (x86)\Sunbelt Software\VIPRE\SBAMSvc.exe
    O23 - Service: SB Recovery Service (SBPIMSvc) - Sunbelt Software - C:\Program Files (x86)\Sunbelt Software\VIPRE\SBPIMSvc.exe
    O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

    --
    End of file - 9931 bytes
     
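The two logs johnb35 asks for in this thread are plain text with a stable line format, so a first triage pass can be scripted. The block below is an added example, not part of the thread and not code from Malwarebytes or Trend Micro: it parses Malwarebytes 1.x detection lines (`path (Detection) -> action`) and HijackThis 2.x result lines (`O4 - HKLM\..\Run: [name] path`), groups Malwarebytes hits by detection family, and flags three patterns a defender checks first: autoruns launched from user-writable directories, dangling browser entries marked `(no file)`, and services with an unknown owner that live outside the Windows directory. The sample excerpts are constructed from lines in datsme53's post plus one constructed AppData autorun entry; the `USER_WRITABLE` list and the triage rules are my own heuristics, not logic from either tool.

```python
import re

# Line shapes assumed for the two log formats discussed in this thread.
HJT_LINE = re.compile(r"^(O\d+|R\d|F\d) - (.*)$")
MBAM_HIT = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+)$")

# Directories a standard user can write to (assumption: my own list, not HijackThis's).
# A Run entry pointing into one of these is worth a second look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "$recycle.bin", "\\programdata\\", "\\users\\")

# Constructed excerpt: five lines copied from the HijackThis log posted above,
# plus one constructed HKCU Run entry under AppData to exercise the autorun rule.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [SBAMTray] "C:\Program Files (x86)\Sunbelt Software\VIPRE\SBAMTray.exe"
O4 - HKCU\..\Run: [updater] C:\Users\Owner\AppData\Roaming\updater\updater.exe
O9 - Extra button: PokerTime - {00000000-0000-0000-0000-000000000000} - (no file) (HKCU)
O23 - Service: VIPRE Antivirus (SBAMSvc) - Sunbelt Software - C:\Program Files (x86)\Sunbelt Software\VIPRE\SBAMSvc.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DTSRVC.exe
"""

# Constructed excerpt from the Malwarebytes log posted above.
SAMPLE_MBAM = r"""
Files Infected: 4

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Files Infected:
c:\$Recycle.Bin\s-1-5-21-2713273461-2501166293-1954594888-1000\$RQ9VOCB.exe (PUP.Casino) -> Quarantined and deleted successfully.
c:\Users\Owner\AppData\Roaming\Adobe\plugs\mmc5529549.txt (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
"""


def parse_hjt(text):
    """Return [(section, body)] for every HijackThis result line (R0, F2, O4, O23, ...)."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage_hjt(entries):
    """Apply the three heuristics and return [(reason, body)] in log order."""
    flagged = []
    for section, body in entries:
        low = body.lower()
        if section == "O4" and any(d in low for d in USER_WRITABLE):
            flagged.append(("autorun from user-writable path", body))
        elif section in ("O2", "O3", "O9") and "(no file)" in low:
            flagged.append(("dangling entry, target missing", body))
        elif section == "O23" and "unknown owner" in low and "c:\\windows\\" not in low:
            # "Unknown owner ... (file missing)" on files under C:\Windows is left alone:
            # on 64-bit Windows the 32-bit HijackThis build sees System32 through
            # WOW64 redirection, so those lines are noise rather than findings.
            flagged.append(("service with unknown owner outside Windows dir", body))
    return flagged


def parse_mbam(text):
    """Return the detections listed in a Malwarebytes 1.x log as dicts."""
    hits = []
    in_results = False
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("Infected:"):
            in_results = True  # per-category result lists follow the count summary
            continue
        m = MBAM_HIT.match(line) if in_results else None
        if m:
            hits.append(m.groupdict())
    return hits


def families(hits):
    """Count detections by Malwarebytes family prefix (PUP, PUM, Trojan, ...)."""
    counts = {}
    for h in hits:
        fam = h["detection"].split(".")[0]
        counts[fam] = counts.get(fam, 0) + 1
    return counts


if __name__ == "__main__":
    for reason, body in triage_hjt(parse_hjt(SAMPLE_HJT)):
        print(f"[{reason}] {body}")
    for fam, n in sorted(families(parse_mbam(SAMPLE_MBAM)).items()):
        print(f"{fam}: {n}")
```

Run it against a full saved log by reading the file into `parse_hjt` or `parse_mbam` instead of the samples. The flags are prompts to verify, not verdicts: the DTSRVC line is a legitimate display-vendor service that merely lacks a recognised owner string, which is exactly why johnb35 says not to fix anything from a HijackThis log before someone has read it.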
  7. johnb35

    johnb35 Administrator Staff Member

    Messages:
    32,942
    datsme53,

    Please let me know if you are still having any issues. I do see that you play a lot of poker. Fully explain your issues if you are having any.
     
  8. okapixel

    okapixel New Member

    Messages:
    51
Have you run Spybot?
     