How do I remove Trojan horse collected 11.b
sussexsteve
04-12-2007, 02:17 PM
Hi
One of my kids (honest, it wasn't me ;) ) opened an attachment sent via MSN Messenger; since then we've had endless ads for loans, poker games, virus removal tools... you get the idea. AVG identifies the trojan horse Collected 11.b, but when I attempt to remove it after a full system scan it pops back again under a different user's name - we have 5 users registered on the PC.
Any help would be really appreciated.
Thanks
tkrabec
04-12-2007, 04:15 PM
I generally disable system restore
Load and update Avast
Schedule a boot-time scan
then tell avg to scan everything
sussexsteve
04-13-2007, 04:18 AM
Thanks Tim
Just one question (bit dumb when it comes to PCs :rolleyes: )
How do I disable system restore?
cheers
Steve
tkrabec
04-13-2007, 11:42 AM
Right-click on My Computer
Choose Properties
then the System Restore tab
then click on Turn off System Restore
sussexsteve
04-15-2007, 03:05 AM
Thanks Tim
Looks like this is cleared now.
Avast picked up a couple of things that AVG did not.
I do have one remaining problem - whenever I start the pc up I get the following message: Rundll c:\windows\system32\lpxqbaaa.dll Access is denied.
When I run AVG it returns the following changes:
user32.dll
shell32.dll
ntoskml.exe
hosts
all are in the folder c:\windows\system32\ with the 'hosts' being in c:\windows\system32\drivers etc\hosts
I have no idea what these files are or why they have been changed. Can you help me on this one?
cheers
Steve
tkrabec
04-15-2007, 04:23 AM
delete lpxqbaaa.dll
Check hosts to make sure that hosts contains
127.0.0.1 localhost
and pretty much nothing else; post the contents if you have a question
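Added example, not part of the original thread: one way to carry out the hosts check described in the reply above is to parse the file and list every mapping other than localhost, so extra entries stand out for review. The function name, the sample content, the `.test` hostnames and the `203.0.113.10` address are all constructed for illustration.

```python
import ipaddress

# Mappings the reply above treats as the only expected ones (plus IPv6 loopback).
EXPECTED = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed sample hosts content (not taken from the thread); the .test names
# and the 203.0.113.10 documentation address are placeholders.
SAMPLE = """\
# constructed sample
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-av.test
203.0.113.10    www.example-bank.test login.example-bank.test
not-an-ip       something.test
"""

def audit_hosts(text):
    """Return (line_no, address, hostname, reason) for each unexpected entry."""
    findings = []
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not entry:
            continue
        address, *names = entry.split()
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, address, "", "not a valid IP address"))
            continue
        if not names:
            findings.append((line_no, str(ip), "", "address with no hostname"))
        for name in (n.lower() for n in names):
            if (str(ip), name) in EXPECTED:
                continue
            if ip.is_loopback or ip.is_unspecified:
                reason = "hostname sinkholed to the local machine"
            else:
                reason = "hostname redirected to another address"
            findings.append((line_no, str(ip), name, reason))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print("line %d: %s %s -> %s" % finding)
```

To audit a real machine, pass the text of its hosts file to `audit_hosts` instead of the sample.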
lesfirth@gmail.com
04-16-2007, 12:02 AM
Hi,
This is my first post here. I've got the annoying Collected 11.B trojan. Found this thread and thought - sounds good. Followed the advice but no joy.
System32 files that keep returning, even after using MoveOnBoot are:
gebxvtu.dll
jkkjh.dll
hjkkj.ini
The last two are hidden. The last one can be deleted manually but is back within seconds.
There seems to be nothing much about these files on the net, other than ads for removal products from the guys who probably put it out there in the first place (sigh). Damn frustrating.
Any advice would be welcome.
lesfirth@gmail.com
04-16-2007, 12:03 AM
And how do I get a name other than my email address!
Thanks
Les
sussexsteve
04-16-2007, 02:29 PM
Hi Again Tim
Still not shifted the problem
Hosts file contains the following:
hosts.backup
hosts icalender file
hosts.msn
lmhosts
networks
protocol
services
any more help greatly appreciated
tkrabec
04-20-2007, 08:24 AM
If you got the updates for Avast and ran a boot-time scan after the latest updates,
I'd look at getting a program called KillBox: http://www.majorgeeks.com/Pocket_KillBox_d4709.html
Tell it the names of all 3 files, and have it try to delete them on boot.
Let me know.
lesfirth@gmail.com
04-23-2007, 03:26 AM
Hi,
Found avenger.zip from swandog46. It was the only program that would delete the primary dll in \windows\system32 once winlogon had its foot on it. Could not remove it with killbox or several other tools I tried, or via cmd line with safe boot.
There is more to it than just deleting the two main dlls. You also have to purge some registry entries, and I cleared out all Temporary Internet Files, including the elusive content.ie5 directories for all users on my machine. The trojan also installs a browser helper add-in in IE and Mozilla.
I really really hate the guys who put these things out. And from the unwanted ads that pop up, it looks like it is the developers of some of the malware removal products. This has cost me over 30 hours to figure out and find the way to remove the thing. There must be a way of stopping these guys legally.
Unfortunately, this forum did not help with the detective or removal work.
Good luck.