I need your help please.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mcwomble, Apr 11, 2005.

  1. mcwomble

    mcwomble Private E-2

    Hi. I'm new to the forum and need your help. I have Spybot S & D, HijackThis, AVG, Kerio Firewall and AntiVirus XP loaded on to my PC. I run scans every day and always update, so I thought I was relatively safe! Wrong! Recently the PC got a Trojan Horse called Collected.4.AO which AVG picked up but none of the others did. Scans run normally but my homepage on the internet keeps screwing up. I can't find any info on this trojan at all, hence I need your help. The PC will also not let me restore to an earlier point. HijackThis removes it but it keeps coming back every time I hook up to the net.
    I'm just a novice but I'm sure learning fast! However, can anyone help me get rid of this annoying pest?
    Also, has anyone heard of babe the killer.bz? There are some strange entries in Kerio relating to incoming and outgoing activity on ports and I don't know what to do about it.
    Cheers
    McWomble
     
  2. InYearsToCome

    InYearsToCome MajorGeek

    AVG is a great antivirus scanner, but lacks in the removal department. Are you running 2 antivirus programs? (AVG and AntiVirusXP?) Multiple antivirus programs are not recommended, as they can confuse permissions and result in weakening each other.

    Try running a TrendMicro online scan http://housecall.trendmicro.com/

    If that still doesn't do it, consider changing to another antivirus altogether, like Avast free home edition (available in the MG download section). Like AVG, Avast has a great scanner, but it also has a great removal ability, and an integrated Boot-Time scan that catches lots of buggers.
     
  3. mcwomble

    mcwomble Private E-2

    Thanks for your post. I've been running the scan; that's why I didn't reply sooner.
    I've actually got MS Giant Anti spyware, AVG and Anti virus XP on my PC. It didn't occur to me that they might confuse one another! It was more of a "belts and braces" approach on my part. Like I said, I'm new to this.
    I tried the Trend Micro scan but it didn't pick anything up, so I think I'll remove my existing antivirus and install your suggestion. Will keep you informed.
    Incidentally have you heard of the babethekiller.bz thing?
    Thanks for your help.
     
  4. InYearsToCome

    InYearsToCome MajorGeek

    Glad to help.

    I can't say that I have heard of 'babethekiller.bz', but if you found it in your Kerio Firewall log, it's likely just some scandalous website/person that is being blocked by Kerio. This is a good thing, and I wouldn't worry too much about it unless you're finding it elsewhere.
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    mcwomble,

    Just to confirm you are clean, let's get a current HJT log.

    Download HijackThis 1.99.1

    Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file, as your backups will not be safely stored.

    Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    Run HijackThis and save your log file.

    Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed.)

    Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  6. mcwomble

    mcwomble Private E-2

    Hi. I followed all steps in Major Attitude's post but think something's still there. As soon as I hook up to the net an O17 item appears in the log, but as I'm a novice I don't know if this is right. However, here is my log file (hopefully!). Thanks for your help.
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Is this your entire log?

    Have HJT fix this entry:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    There is one problem: you're running Avast & AVG. You need to pick ONE and uninstall the other, as running 2 antivirus programs will cause conflicts on your machine.
     
  8. mcwomble

    mcwomble Private E-2

    I've uninstalled AVG and run HijackThis again. Apologies, my head's blown with all this. I've been at it now for nearly 3 nights on the trot so I'm getting sloppy! Here's another log file for you to look at. Many thanks again.
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Is this the WHOLE HJT log or are you removing some entries?
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HJT again and have it fix this entry:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    Your log is clean, what problems are you having?
     
  11. mcwomble

    mcwomble Private E-2

    When I'm online it sometimes comes up with "Page cannot be displayed" etc. when I know the URL is correct. Then it just locks up. I've attached another log file and, as you can see, there's an O17 entry in it. Admittedly I had made an internet connection, but I hadn't opened Internet Explorer, so I'm confused. What does this mean?
    Earlier, i.e. before I followed Major Attitude's directions, when I checked out my internet connection the password field showed way too many characters for my legitimate password. So after I ran just about everything I uninstalled the ISP software and re-installed it.
    There are also some weird entries showing in Kerio, such as 5 incoming connections to this "babethekiller.bz" thing and also some outgoing and listening from it, but again I'm not sure what this means.
    Anyway here is yet another log.
    I really appreciate your help. Thanks again.
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log is clean!

    Are you on dialup, cable, DSL ?
     
  13. mcwomble

    mcwomble Private E-2

    Thank God for that!!
    I'm on DSL.
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Are you on a network?
     
  15. mcwomble

    mcwomble Private E-2

    No. This is my home pc used only by me and my partner.
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay!

    If you don't know the O17 entry I would have HJT fix it.
     
  17. mcwomble

    mcwomble Private E-2

    Any idea why it keeps recurring? It's every time I make a network connection.
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    This will be a question for the Software or Networking forum.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Does any of the below mean anything to you?
    cache-1.ns.demon.net = [ 158.152.1.58 ]
    Registrant:
    Thus plc
    Demon Hostmaster
    Gateway House
    322 Regents Park Road
    Finchley London n3 2qq
    UK
    Domain Name: DEMON.NET
    Administrative Contact Technical Contact:
    Demon Internet -Thus hostmaster@demon.net
    Thus PLC
    Gateway House
    322 Regents Park Road
    Finchley London N3 2QQ
    UK
    448452720666 fax: 448452700097
    Record expires on 22-Dec-2012.
    Record created on 21-Dec-1992.
    Database last updated on 12-Apr-2005 19: 58: 26 EDT.
    Domain servers in listed order:
    NS0.DEMON.CO.UK 158.152.1.65
    NS1.DEMON.CO.UK 158.152.1.193
    NS2.DEMON.NET 209.246.126.109
     
  20. mcwomble

    mcwomble Private E-2

    Ok. Thanks for all your help. I really appreciate it. I'd like to say it's been fun but after lots of sleepless nights worrying about it, endless, endless scans and hair pulling I can't really say it's my idea of fun! It's quite nerve wracking when you're new to this kind of thing and also to forums so thanks for the friendly advice.
    I bow before you.
    Cheers!
     
  21. mcwomble

    mcwomble Private E-2

    To Chaslang.
    Hi. Yes some of it. My Service Provider is Demon.
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's why you have the O17 line! Rather simple!!!
     
  23. mcwomble

    mcwomble Private E-2

    Perhaps it is when you do this all the time, and maybe I panicked when the "info" in HijackThis for O17 said "domain hijack", but as my PC was misbehaving I really thought I had a problem.
    However, the advice and subsequent downloads, etc. have cleaned up some other stuff that was on my PC, so I'm very grateful for all the help I received.
     
  24. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It's only a domain hijack when it's a value you're not familiar with or isn't part of your ISP.
     
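As an added example, not code from the thread or from HijackThis, here is a small Python check that applies bjgarrick's rule: parse the O17 NameServer lines from an HJT log and flag any resolver that is neither inside the ISP's address space nor a home-router (RFC 1918) address. The O17 sample lines, the GUID placeholder and the 203.0.113.7 address are constructed for the demo; the 158.152.0.0/16 allowlist is an assumption built from the Demon nameserver addresses chaslang quoted, so substitute your own ISP's ranges.

```python
import ipaddress
import re

# Constructed sample O17 lines in HijackThis format (the thread's real logs were
# attachments and are not on the page). 158.152.1.58 is the Demon resolver
# chaslang identified; the GUID and 203.0.113.7 are placeholders.
SAMPLE_O17_LINES = r"""
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 158.152.1.58
O17 - HKLM\System\CCS\Services\Tcpip\..\{HYPOTHETICAL-GUID}: NameServer = 158.152.1.58,158.152.1.65
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 203.0.113.7
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = example.test
""".strip().splitlines()

# Assumption: the ISP's nameservers live in 158.152.0.0/16 (covers the Demon
# addresses quoted in the thread). Replace with your own ISP's ranges.
ISP_DNS_NETS = [ipaddress.ip_network("158.152.0.0/16")]

# RFC 1918 ranges: a resolver here is normally the home router, not the ISP.
RFC1918_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")

def parse_o17_nameservers(lines):
    """Return (registry_key, [server, ...]) for every O17 NameServer line.
    Domain= and SearchList= lines are skipped: they do not set a resolver."""
    found = []
    for line in lines:
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = [s for s in re.split(r"[ ,]+", m.group("servers")) if s]
        found.append((m.group("key"), servers))
    return found

def classify_o17(lines, allowed_nets=ISP_DNS_NETS):
    """Map each resolver IP to 'isp', 'private', 'unknown' or 'unparseable'.
    'unknown' is the case bjgarrick describes: not yours, not your ISP's."""
    verdicts = {}
    for _key, servers in parse_o17_nameservers(lines):
        for s in servers:
            try:
                ip = ipaddress.ip_address(s)
            except ValueError:
                verdicts[s] = "unparseable"
                continue
            if any(ip in net for net in allowed_nets):
                verdicts[s] = "isp"
            elif any(ip in net for net in RFC1918_NETS):
                verdicts[s] = "private"
            else:
                verdicts[s] = "unknown"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in classify_o17(SAMPLE_O17_LINES).items():
        print(f"{ip:<16} {verdict}")
```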
