How do I fix a trojan called Collected.5.L

Discussion in 'Malware Help (A Specialist Will Reply)' started by xuinga, Jun 21, 2005.

  1. xuinga

    xuinga Private E-2

    Hi there

    I am having problems getting rid of a trojan called Collected.5.L, in the system32/msdirectx.sys file

    I'm running XP Pro, SP1

    I've run AVG, Trend Micro's Sysclean tool, Spybot, and TrojanHunter and although I can delete it, it reappears in a moment.

    So, having looked around everywhere on the net, the only solutions I can see seem to be very personalised based on the HijackThis files.

    However, I can't make any sense out of the www.sysinfo.org stuff - I can't seem to figure out how to look for the processes that I can see in the HijackThis log without looking at all ten billion pages, as the search option with the CLSID doesn't seem to find anything?

    So, here's my logfile, if anyone can help, I'd be very grateful :)

    thanks in advance
    x


    Edit by chaslang: Unrequested inline log removed
     
    Last edited by a moderator: Jun 21, 2005
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please read the announcement and sticky threads. HJT logs should only be posted when requested and then they must be attachments to your message. Please run the steps below.

    - You appear to have AVG7 and Symantec installed. You must only use one antivirus application. Pick one and uninstall the other.

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

    Now reboot into normal mode and run the below online scanner from normal boot mode:

    RavAntivirus <-- select Auto Clean then click Scan My PC. Save the results and post them later when you come back.


    If after doing ALL of the above you still have a problem, boot into normal mode and make sure you follow these directions:


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. xuinga

    xuinga Private E-2

    OK, have done most of what was asked (not all the online scans - only actually did the Panda one - I'm on a modem in Mozambique, so we haven't really got much bandwidth to do online stuff)


    Then I did the following (advice from someone else):

    * Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

    F2 - REG:system.ini: Shell=Explorer.exe sysmon32.exe

    O4 - HKLM\..\Run: [AIM Instant Message Cookies] kgmlc.exe

    O4 - HKLM\..\Run: [ibin] C:\wdns.exe

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    O4 - HKLM\..\RunServices: [AIM Instant Message Cookies] kgmlc.exe

    O4 - HKCU\..\Run: [AIM Instant Message Cookies] kgmlc.exe

    O4 - HKCU\..\RunServices: [AIM Instant Message Cookies] kgmlc.exe


    * Restart your computer into safe mode now. Perform the following steps in safe mode:


    * Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

    C:\wdns.exe

    C:\WINDOWS\System32\sysmon32.exe

    C:\WINDOWS\System32\kgmlc.exe

    C:\WINDOWS\kgmlc.exe

    Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

    Exit the Killbox.


    * Start Ccleaner and click Run Cleaner


    * Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


    * Restart back into Windows normally now.


    The Panda scan came up with:
    Incident                        Status           Location
    Adware:Adware/WUpd              No disinfected   C:\Program Files\Media Access
    Virus:W32/Sdbot.EAR.worm        Disinfected      C:\!Submit\sysmon32.exe
    Virus:Bck/Agent.XS              Disinfected      C:\!Submit\wdns.exe
    Adware:Adware/WinAD             No disinfected   C:\Documents and Settings\USER\Local Settings\Temp\ICD1.tmp\MediaAccX.dll
    Adware:Adware/WinAD             No disinfected   C:\Program Files\HJT\backups\backup-20050621-144019-840.dll
    Virus:W32/Sdbot.ftp             Disinfected      C:\WINDOWS\system32\ii
    Virus:W32/Sdbot.DZV.worm        Disinfected      C:\WINDOWS\system32\TFTP2728
    Virus:W32/Gaobot.DJK.worm       Disinfected      C:\WINDOWS\system32\TFTP3956


    Results of the HijackThis scan are in the attachment.

    When I ran HijackThis the first time after all the above,
    F2 - REG:system.ini: Shell=Explorer.exe sysmon32.exe
    actually showed up again, so I fixed it again.

    After rebooting into normal mode, I ran HijackThis again and that is what you see here.

    But, interestingly, Ad-Aware popped up in the middle of the process saying it had found Collected.5.L once again in the system32/msdirectx.sys file.

    So I ran AVG on system32 and sure enough, there she is....still

    so, any thoughts??
     

    Attached Files:
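    A read-only audit of the places the HijackThis F2/O4 entries and the Killbox paths above point at, as an added PowerShell example that is not from the thread or from any tool named in it; it assumes a current Windows PowerShell (Get-CimInstance available) and only reports what it finds, so the persistence mechanism can be confirmed before anything is deleted again:

```powershell
# Added example, not from the thread: read-only audit of the autorun locations the
# HijackThis F2/O4 entries above map to, and of the files the Killbox step targets.
# File names come from the thread; nothing here is modified or deleted.
$suspectNames = @('sysmon32.exe', 'kgmlc.exe', 'wdns.exe', 'msdirectx.sys')
$pattern = ($suspectNames | ForEach-Object { [regex]::Escape($_) }) -join '|'

# F2 - REG:system.ini: Shell=Explorer.exe sysmon32.exe  ->  Winlogon\Shell.
# Anything appended after explorer.exe is an extra program run at every logon.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'explorer.exe') {
    [pscustomobject]@{ Location = "$winlogon\Shell"; Value = $shell; Reason = 'non-default shell' }
}

# O4 entries -> Run and RunServices under HKLM and HKCU.
$autorunKeys = foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($sub in 'Run', 'RunServices') { "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\$sub" }
}
foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not registry values
        $value = [string]$p.Value
        if ($value -match $pattern) {
            [pscustomobject]@{ Location = "$key\$($p.Name)"; Value = $value; Reason = 'matches listed name' }
        }
    }
}

# Files from the Killbox list, plus the driver that kept coming back.
$files = @('C:\wdns.exe', "$env:windir\System32\sysmon32.exe", "$env:windir\System32\kgmlc.exe",
           "$env:windir\kgmlc.exe", "$env:windir\System32\msdirectx.sys")
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $item = Get-Item -LiteralPath $f -Force   # -Force so hidden files are not missed
        [pscustomobject]@{ Location = $f; Value = $item.LastWriteTime; Reason = 'still on disk' }
    }
}

# A file that reappears right after deletion is being re-dropped by something still
# running; check processes and loaded kernel drivers before deleting it again.
Get-Process | Where-Object { $_.Name -match 'sysmon32|kgmlc|wdns' } |
    ForEach-Object { [pscustomobject]@{ Location = 'process'; Value = "$($_.Name) (PID $($_.Id))"; Reason = 'running' } }
Get-CimInstance Win32_SystemDriver | Where-Object { $_.PathName -match 'msdirectx' } |
    ForEach-Object { [pscustomobject]@{ Location = 'driver'; Value = "$($_.Name) $($_.State)"; Reason = 'kernel driver present' } }
```

    If the last two checks report anything, that is the component re-creating the file, and it has to be stopped (safe mode, as the steps above do) before the on-disk copy is removed.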

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well, if you are working with someone else, why are you also coming here? It is not a good idea to work problems with multiple people. Make up your mind where you want to work your problems.

    You also still have two antivirus applications installed.

    Your log is now clean.
     
