
Trojan horse Collected.5.L [HijackThis log]

Discussion in 'Malware and Virus Removal Archive' started by 1mt, 2005/07/24.

Thread Status:
Not open for further replies.
  1. 2005/07/24
    1mt

    1mt Inactive Thread Starter

    Joined:
    2005/07/24
    Messages:
    11
    Likes Received:
    0
    Trojan horse Collected.5.L

    Hello,

    I have this nasty virus that I can't seem to get rid of. It comes up in the AVG scan when I boot. I just ran HijackThis and here is the log. I have done a few scans online, and every time I boot this virus is found again. I can't get rid of it. :eek:

    Logfile of HijackThis v1.97.7
    Scan saved at 4:38:51 PM, on 7/24/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\GRXP4EXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\DEVLDR16.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\OLYMPUS\CAMEDIA MASTER 4.1\CM_CAMERA.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\INVISION\MIRC.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\DESKTOP\PROGRAMS\HIJACKTHIS.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\PROGRAM FILES\AOL\AOL TOOLBAR 2.0\AOLTB.DLL
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_12_0.DLL
    O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\PROGRAM FILES\AOL\AOL TOOLBAR 2.0\AOLTB.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\PROGRAM FILES\AOL\AOL TOOLBAR 2.0\AOLTB.DLL
    O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
    O4 - Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
    O9 - Extra button: AIM (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AOL Toolbar (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
    O16 - DPF: {BB95299D-B65B-47E0-8DDB-697A66298C3A} (UniVoiceX Control) - http://webcamnow.com/voice/voice.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c361.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

    Can anyone here help me get rid of this?

    Thanks
    1Mt
     
    1mt,
    #1
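The log in the post above is in HijackThis's line format: a section code (R0-R3 for IE settings, O2 for BHOs, O3 for toolbars, O4 for Run keys and Startup items, O16 for Downloaded Program Files, and so on), then " - ", then a description whose last " - "-separated field is the DLL path, the cab URL, or "(no file)" when the registry still references a file that is gone from disk. The following parser is an added example for triaging such a log, not code from the thread or from HijackThis itself; the function names are mine, and the sample lines are copied from the log above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

# One HijackThis entry: "<code> - <body>", e.g. "O2 - BHO: name - {CLSID} - path".
ENTRY_RE = re.compile(r'^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$')
CLSID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')

# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r'''
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - (no file)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\PROGRAM FILES\AOL\AOL TOOLBAR 2.0\AOLTB.DLL
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c361.cab
'''


@dataclass
class HjtEntry:
    code: str              # section code such as O2 (BHO), O4 (Run key), O16 (DPF)
    body: str              # everything after "<code> - "
    clsid: Optional[str]   # COM class id, if the entry carries one
    target: Optional[str]  # last " - " field: DLL path, cab URL, or "(no file)"


def parse_hjt_log(text: str) -> List[HjtEntry]:
    """Parse the entry lines of a HijackThis log; header and process-list lines are skipped."""
    entries: List[HjtEntry] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        body = m.group('body')
        clsid = CLSID_RE.search(body)
        # The target is the last " - " field; O4 and R0 lines have none.
        target = body.rsplit(' - ', 1)[1] if ' - ' in body else None
        entries.append(HjtEntry(m.group('code'), body, clsid.group(0) if clsid else None, target))
    return entries


def orphaned_entries(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Entries whose registry key points at a file HijackThis could not find on disk."""
    return [e for e in entries if e.target == '(no file)']


def dpf_hosts(entries: List[HjtEntry]) -> Dict[str, List[str]]:
    """Group O16 (Downloaded Program Files, i.e. web-installed ActiveX) entries by host."""
    hosts: Dict[str, List[str]] = {}
    for e in entries:
        if e.code == 'O16' and e.target and '://' in e.target:
            host = urlparse(e.target).hostname or ''
            hosts.setdefault(host, []).append(e.target)
    return hosts


def unnamed_dpf(entries: List[HjtEntry]) -> List[HjtEntry]:
    """O16 entries whose control published no name: the first field is just 'DPF: {CLSID}'."""
    return [e for e in entries if e.code == 'O16' and ')' not in e.body.split(' - ')[0]]


if __name__ == '__main__':
    parsed = parse_hjt_log(SAMPLE_LOG)
    for e in orphaned_entries(parsed):
        print('orphaned:', e.code, e.clsid)
    for host, urls in dpf_hosts(parsed).items():
        print('DPF host:', host, len(urls))
    for e in unnamed_dpf(parsed):
        print('unnamed DPF control:', e.clsid, e.target)
```

Orphaned and unnamed entries are what a reviewer looks at first when reading a log like this one; the parser only surfaces them, it does not decide whether an entry is malicious.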
  2. 2005/07/25
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Would you post a new log using the latest version of HijackThis?
     


  4. 2005/07/25
    goddez1

    goddez1 Inactive

    Joined:
    2002/01/12
    Messages:
    2,975
    Likes Received:
    49
    Since you will have to download, run and create a new "hijackthis.log", you might also wish to post the new log in the correct forum and save the admins or moderators from having to redirect your post. HijackThis logs get posted....

    Into this forum:
    http://windowsbbs.com/forumdisplay.php?s=&daysprune=&f=41

    After reading this sticky, pinned to the top of the forum:
    http://windowsbbs.com/showthread.php?t=37074

    It may also help to know what the name of the virus is (proper name) that keeps getting detected as found.

    =================
    Update to my post....
    Well, I guess you didn't return to this soon enough and the mods have gone ahead and redirected your post in the Win98 forum to our security subforum. So.... :rolleyes: I guess any new-version hijackthis.log can be appended or added to this current post.

    Any delay in a response to this is due to the fact that members are awaiting your new (latest-version) "hijackthis.log" cut-and-paste.
     
    Last edited: 2005/07/25
  5. 2005/07/25
    1mt

    1mt Inactive Thread Starter

    Joined:
    2005/07/24
    Messages:
    11
    Likes Received:
    0
    HijackThis

    Well, I downloaded the new HijackThis and as soon as I click the .exe, I get "unexpected error" and it closes. So I can't give you a log. I've tried downloading it from several places so far. :confused:
     
    1mt,
    #4
  6. 2005/07/26
    mattman

    mattman Inactive Alumni

    Joined:
    2002/06/10
    Messages:
    8,198
    Likes Received:
    63
    I would try opening the .exe in Safe Mode.
    See if anyone "poo-poos" this idea.

    Matt
     
  7. 2005/07/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hello 1mt!

    Download "Registry Search Tool" (RegSrch.vbs) from here
    http://www.billsway.com/vbspage/
    start it and paste in msdirectx, wait for it to complete the search, and click OK at the prompt. Then, when WordPad opens, copy that back here please.

    If the script gives you an error pertaining to Windows Script Host, go back to the above link and click 'What is VBScript', then click the link to upgrade to 5.6
     
  8. 2005/07/26
    1mt

    1mt Inactive Thread Starter

    Joined:
    2005/07/24
    Messages:
    11
    Likes Received:
    0
    no luck

    I downloaded that registry search script and ran it. It found no instances of msdirectx. Every time I pass POST and AVG runs, it finds the trojan in this file: MSDIRE~1.sys.

    Also, I tried running HijackThis in Safe Mode and I got the same error message, "unexpected error".

    Am I doomed now? :(
     
    Last edited: 2005/07/26
    1mt,
    #7
  9. 2005/07/26
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    MSDIRE~1.sys and msdirectx.sys are one and the same, and it must be deleted before HJT can be used. To explain this, old DOS could only have a filename 8 characters long, with a 3-character extension. Msdirectx.sys has 9 characters with a 3-character extension, so it is shortened to MSDIRE~1.sys. AVG for 98 has a boot-up scanner that runs in DOS mode, before Windows starts up.
    Do a Find for it, then use Killbox to delete it.
    How to delete with Killbox:
    Open Killbox, either use the folder icon to Browse to the locations of the file, or enter in the path and filename into it, then click on 'Delete on reboot', then click on the red circle with the X in it. You will get a confirmation of success, and then prompted to reboot.
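The post above explains why the DOS-mode scanner reports MSDIRE~1.sys while Windows shows msdirectx.sys: FAT keeps an 8.3 short alias next to every long filename. As an added example, not code from the thread, the function below reproduces the common-case rule Windows 9x uses to build that alias: uppercase, drop spaces and characters an 8.3 name cannot hold, keep the first six characters of the base name followed by ~N, keep the first three characters of the extension, and increment N when the alias already exists in the directory (PROGRA~1, PROGRA~2). A name that already fits 8.3 gets no tilde, which is why KERNEL32.DLL appears unchanged. Function names are mine; the rule is simplified (NT-family filesystems switch to a hashed form after several collisions, which is not modelled here).

```python
# Characters legal in long filenames but not in DOS 8.3 names (simplified rule).
SHORT_NAME_ILLEGAL = set('+,;=[] ')


def _split(name: str):
    """Split on the last dot; a name with no dot has an empty extension."""
    base, dot, ext = name.rpartition('.')
    return (name, '') if not dot else (base, ext)


def _clean(part: str) -> str:
    """Uppercase and drop characters (including extra dots) that an 8.3 name cannot hold."""
    return ''.join(ch for ch in part.upper() if ch not in SHORT_NAME_ILLEGAL and ch != '.')


def fits_83(name: str) -> bool:
    """True if the name is already a legal 8.3 name (case-insensitively), so no ~N is needed."""
    base, ext = _split(name)
    if not base or name.count('.') > 1:
        return False
    if any(ch in SHORT_NAME_ILLEGAL for ch in name):
        return False
    return len(base) <= 8 and len(ext) <= 3


def short_name(long_name: str, existing=()) -> str:
    """Return the 8.3 alias Windows 9x would create for long_name.

    existing: short names already present in the same directory; a collision
    pushes the ~N counter up (PROGRA~1, PROGRA~2, ...).
    """
    if fits_83(long_name):
        return long_name.upper()
    base, ext = _split(long_name)
    base, ext = _clean(base), _clean(ext)[:3]
    taken = {n.upper() for n in existing}
    n = 1
    while True:
        tail = f'~{n}'
        candidate = base[:8 - len(tail)] + tail
        if ext:
            candidate += '.' + ext
        if candidate not in taken:
            return candidate
        n += 1


def same_file(short: str, long_name: str, existing=()) -> bool:
    """True if `short` is the alias `long_name` would get in a directory holding `existing`."""
    return short.upper() == short_name(long_name, existing)


if __name__ == '__main__':
    # The case from this thread: the DOS-mode scanner's name versus the Windows name.
    print(short_name('msdirectx.sys'))                       # MSDIRE~1.SYS
    print(same_file('MSDIRE~1.sys', 'msdirectx.sys'))        # True
    print(short_name('Program Files'))                       # PROGRA~1
```

When a boot-time or DOS-mode scanner names a file you cannot find from Windows Explorer, compare the alias the same way: the first six characters of the long base name are what to search for.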
     
