Please Help - trojan collected.5.L

Discussion in 'Malware Help (A Specialist Will Reply)' started by xiphosura, May 14, 2005.

  1. xiphosura

    xiphosura Private E-2

    Hi,

    I have paid for AVG pro, and it finds a trojan horse called collected.5.L

    I can't get rid of it.

    I have followed the instructions on this site -

    ...online scan (when my computer is not frozen by the virus)
    ...CCleaner
    ...Adaware+VX2 plugin
    ...SpyBot
    ...CWShredder
    ...Kill2Me
    ...HSRemove

    I have also tried using Hijack this with the start-up and HBO lists provided on this site.

    But to no avail! AVG still finds the virus, and adaware consistently finds and removes the same 20 bad files. As soon as I restart, everything returns.

    Does anyone know how to get rid of this horrid T-H??

    Thanks,

    Richard
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    After doing ALL of the above if you still have a problem:


    Download HijackThis 1.99.1

    Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

    Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    Run HijackThis and save your log file.

    Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. xiphosura

    xiphosura Private E-2

    Hi,

    I have followed all of the instructions, apart from the online scan - impossible for me - the trojan causes my system to hang after a few minutes online.

    I can't run task manager in normal mode, and I can't run HJT in normal mode either - both flash up, and disappear.

    Every time I log on, AVG shouts "trojan horse Backdoor Collected.5.L"

    So, I ran HJT from c:\program files\HJT in safe mode. I tried to remove things as in the tutorial, but what I did has not worked (some of the O23 objects appear as virus in the start-up list, but won't go away!)

    I hope you can help. I have been without a PC for several days now. From what I read online, a lot of people have trouble with this trojan.

    Thanks,

    Richard
     


  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The first thing I notice is that your Operating System is WAY outdated. This is a major security risk and should be updated ASAP. After we get your system clean, I would recommend your surfing into Windows Updates and getting updated.

    Click Start > Run > type in regedit

    Navigate to the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

    Delete the value, Nail.exe and exit Registry Editor

    NEXT:
    Click Start > Run > type in cmd

    Type in the following:
    Nail.exe /FullRemove


    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)

    O23 - Service: Windows TM (draeco.sytes.net) - Unknown owner - C:\WINDOWS\System32\rundlI32.exe" -netsvcs (file missing)
    O23 - Service: Windows Update Service (muamgrd) - Unknown owner - C:\WINDOWS\System32\muamgrd.exe (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.


    NOW:
    Click Start > Run > type services.msc and Click OK

    Locate Windows Update Service (muamgrd) and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
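
The O23 entries listed in the post above carry three triage signals: a binary reported as missing, an "Unknown owner", and a file name that imitates a system binary (`rundlI32.exe`, with a capital I where `rundll32.exe` has its second l). The following is an added example, not part of the original thread or of HijackThis; the allow-list, the character folding table and the third sample line are constructed assumptions.

```python
import re

# HijackThis O23 line layout as it appears in the thread:
#   O23 - Service: <display name> (<service name>) - <owner> - <command line>
O23 = re.compile(
    r'^O23 - Service: (?P<display>.+) \((?P<name>[^()]+)\) - (?P<owner>.+?) - (?P<cmd>.+)$')

# Assumption: a short, non-exhaustive list of Windows binaries worth protecting
# against imitation. Extend it for real use.
KNOWN = {"rundll32.exe", "svchost.exe", "services.exe", "lsass.exe", "winlogon.exe"}

# Characters that render alike in many fonts are folded to one form.
FOLD = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o", "O": "o"})

def skeleton(name):
    """Fold look-alike characters, then lowercase, so imitations collide with the original."""
    return name.translate(FOLD).lower()

KNOWN_SKELETONS = {skeleton(k): k for k in KNOWN}

def triage(log_text):
    """Return [(service_name, [reasons])] for O23 lines that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = O23.match(line.strip())
        if not m:
            continue
        reasons = []
        if m["cmd"].endswith("(file missing)"):
            reasons.append("file missing")
        if m["owner"] == "Unknown owner":
            reasons.append("unknown owner")
        exe = re.search(r'([^\\/"]+\.exe)', m["cmd"], re.I)
        if exe:
            real = KNOWN_SKELETONS.get(skeleton(exe.group(1)))
            # Same skeleton but different spelling means a visual imitation.
            if real and exe.group(1).lower() != real:
                reasons.append(f"look-alike of {real}")
        if reasons:
            findings.append((m["name"], reasons))
    return findings

# First two lines are quoted from the thread; the third is a constructed benign entry.
SAMPLE = r'''O23 - Service: Windows TM (draeco.sytes.net) - Unknown owner - C:\WINDOWS\System32\rundlI32.exe" -netsvcs (file missing)
O23 - Service: Windows Update Service (muamgrd) - Unknown owner - C:\WINDOWS\System32\muamgrd.exe (file missing)
O23 - Service: Example AV Service (exampleav) - Example Vendor - C:\Program Files\ExampleAV\exampleav.exe'''

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE):
        print(f"{name}: {', '.join(reasons)}")
```
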
     
  5. xiphosura

    xiphosura Private E-2

    Hi,

    I followed your instructions, but every time I removed the nail.exe part of the Shell registry value, it reappeared upon re-opening the registry.

    I have attached my log file, again taken in safe mode because I am unable to run HJT, regedit or taskmanager in normal mode. I assume this is due to the virus.

    Thanks,

    Richard
     


  6. xiphosura

    xiphosura Private E-2

    Hi,

    An update....

    I was browsing the posts (when my stalling PC allowed ;) ) and I downloaded the Auraura (sp!) removal tool.

    It has removed nail.exe!!

    But apart from nail, I still have the same problems as below, and I have posted an updated HJT log, again done in safe mode, because nothing seems to work in normal mode.

    Some of the entries on the log are different because I have been removing some programs and moving files around - in anticipation of reinstalling XP.

    Thanks again for the help,

    Richard
     


  7. xiphosura

    xiphosura Private E-2

    And one more thing to add -

    AVG is still finding "collected.5.L", the bad file being "msdirectx.sys". It doesn't get rid of it though :mad:
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  9. xiphosura

    xiphosura Private E-2

    I have tried, but none of them work - as I said below, a minute or two after I connect online and open IE, the computer freezes. It works a bit better with Firefox, but none of the online scans work with firefox.

    I've been trying for hours now - the RavAntiVirus managed to get to the end, having found some infected files, but then IE "encountered an error" as the scan finished. I tried again, and the same happened.

    I have tried opening MS Word and saving a print screen to show you - but I can't even save a Word file. The system just hangs, and no response. Same for all .exe files. I have had to use safe mode to install the programs in your guides. :(

    I can't connect online in safe mode, because my modem uses a USB connection.

    Sounds useless - not helping you at all. The problem is that I can't do anything online with IE (I'm using firefox for this message), or run any install programs.

    Thanks again for your time

    Richard

    PS I'll reboot in safe mode now, and do another HJT scan, and post the log
     
  10. xiphosura

    xiphosura Private E-2

    HJT log.
     


  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Since you can run the online scans, let's try TrendMicro's System Cleaner.

    First, create a new folder on your Desktop, name it TSC.

    Now, download the Virus Pattern File!

    Now, download the Sysclean Package

    Save both of these files in the folder you just created. Now extract the .zip file into this folder, you will have a file called lpt$vpn.631 and a txt file. Now double click on the sysclean.com file to start the clean.

    Now, click START to begin the scan, it will then go thru a system scan removing any found infections, let it run as long as it needs. When it's complete it will say click here to view log.

    After you run this, reboot and post a fresh HJT log.
     
  12. xiphosura

    xiphosura Private E-2

    The scan found viruses, but failed to remove them.

    So, I re-installed and updated windows, downloaded MS-Spyware beta and ran all scans again and everything seems OK..

    Thank you for your help.

    Log attached
     


  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log is now clean!

    Are you having any further problems?
     
  14. xiphosura

    xiphosura Private E-2

    No further problems.

    Thank you.

    Richard
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  16. xiphosura

    xiphosura Private E-2

    Thanks, I followed the guide, with the exception of one thing..

    Is the XP firewall inferior to the ones you recommend in the list?

    Thanks,

    Richard
     
  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I would disable the windows firewall and install ZoneAlarm Free or Sygate Free Edition.
     
