Author Topic: Yet another Collected.5.L infection  (Read 1020 times)

Offline zrichard

« on: May 25, 2005, 09:16:11 AM »
Please help. I just finished a complete format and reinstall of everything I own because of the stupid Collected.5.L, and now a few days after I have again caught it. It turned off ZoneAlarm for exactly one minute while I tried to upgrade to a new version, and now I'm infected again. I had to run HijackThis from safe mode; it wouldn't even run otherwise. Here's the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:58:50 PM, on 5/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
E:\HijackThis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [Compd Service Drivrs] codq.exe
O4 - HKLM\..\RunServices: [Compd Service Drivrs] codq.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Compd Service Drivrs] codq.exe
O4 - HKCU\..\RunServices: [Compd Service Drivrs] codq.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Rainlendar.lnk = D:\Utilities\Rainlendar\Rainlendar.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Communications\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Communications\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1116870705609
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVGFRE~1\avgupsvc.exe


Your help is GREATLY appreciated. Thank God for Linux and an alternate way to email. Your expertise is invaluable.

Richard

Offline zrichard

« Reply #1 on: May 27, 2005, 07:33:04 AM »
Bump

Offline zrichard

« Reply #2 on: May 30, 2005, 10:43:05 AM »
Bump

Dusty

« Reply #3 on: May 30, 2005, 12:36:38 PM »
My computer is also infected with the collect 5.1 trojan.
It's being detected by AVG and healed, and a second later AVG warns again of this same trojan from what is called an infected backup copy that cannot be healed.

I seem to have got this after trying to upgrade my DirectX 9.
The infected file is named msdirectx.sys
and AVG displays this as containing the Collect5.1. Trojan.
What does this Trojan do?
And please can you explain what I must do to get rid of this Trojan?
Thanks Dusty

Dusty

« Reply #4 on: May 30, 2005, 07:48:58 PM »
Hi, with other information found on this web site I was able to remove Collect5.1 and msdirect.sys; also removed was mscofig.exe.

What I did is first visit the virus site Panda for online virus and trojan scanning.
This site seems to be what repaired my computer and removed the trojan.

I also installed the other software for trojan scanning, Ewido. I installed Windows Cleaner and it removed 189 MB of temp files I did not even know were not removed by my other delete programs :-)
Thanks to all the techs who post information in regard to the removal of trojans and viruses and other computer-related problems.
Next time I need help I will read the topics and I will only request help if the info needed is not already provided.
After using Panda my computer was then free of this msdirctx.sys trojan.
I was surprised that just running this online test at Panda was able to fix such a tough trojan.
Dusty

Guest

« Reply #5 on: May 30, 2005, 07:55:05 PM »
http://www.pandasoftware.com/activescan/

zrichard, try this link for Panda ActiveScan.
It worked for me.
The active scan also removed the correct data needed to be removed from the registry automatically. After a full system scan with several different scanners my system is free of collect5.1, msdirect.sys and msconfig.exe. After reboot I am pleased to see these problems have not come back.
Hope this helps :-) Dusty

Offline zrichard

« Reply #6 on: May 31, 2005, 08:29:37 PM »
Dusty, glad that helped you, but I can't make that work for me. After about 30 seconds all internet activity stops for me, although it certainly seems to be doing something in the background. I can only make these posts by booting from my Linux partition, and Linux won't run any online scanning software, because it's either Windows files or requires Internet Explorer.

Moderators, would really appreciate your help on this one!

Dusty

« Reply #7 on: May 31, 2005, 09:50:49 PM »
Hi,
You have the same Trojan on your computer that I had on mine.
I used ZoneAlarm to help block it.
I will get the link I found in this forum.
There is an entire thread of information and you then can also see the member name of the in-house member that can help you.
This is no easy Trojan to remove.
And a Trojan like this, for sure you need to get rid of it.
I will go search for the link you need and post it under this post.
Dusty

Dusty

« Reply #8 on: May 31, 2005, 09:59:22 PM »
This is the link I found helpful to me in this forum.

http://www.thetechguide.com/forum/index.php?showtopic=17450

You will also see the member name that was helping this guy out.
I was surprised that with a visit to Panda I was rid of 3 trojans.
If you're not using the ZoneAlarm firewall you should install it.
Sad to say, but with some trojans your best way of getting rid of it may be a restore and format of your hard drive.
I know it's a lot of work to do.
Once complete, install a good virus software, free at
http://www.avast.com

Install ZoneAlarm at
http://zonelabs.com
On the forum link above you will also find other software you can install that just may help you rid this trojan without a system restore.
Good luck.
Dusty