Looking for a good Antivirus Program

I presently have McAfee Antivirus installed. I've used it for a fair bit now but I still pick up a virus trojan here and there and it seems to do a poor job of removing the things (especially the one I picked up today from just clicking on something on eBay).

What is considered the best anti-virus software atm? Heard that Norton isn't as good as it used to be.. this is for a home system but I really like peace of mind when it comes to stuff like this.

Thanks

Jase
 
lay-z-boy said:
I swear these 'recommended me an av app' crop up at least once a day.

Would it kill people to use the search function?

Would have thought you'd have done a search to back up your idea that a post is made every day and found out it's not... Yes there are other posts, most of which are about "free" programs.. others of interest were from October but a lot changes in that time.

I really don't want to take risks when it comes to this software so need to be sure what I get is the best for the job.
 
Well I went for NOD32, and from what I've seen it looks OK and my system seems faster now compared to McAfee. On running a scan it found a few things that worry me..

I keep getting a Threat message about a trojan file at h ttp://www.m369m.com then quickly followed by a message that a threat file had been created on my system (trojan a variant of Win32/PSW.Agent.NBJ).

Now I've run the system scan again and deleted the files it says are a risk but still get the above messages on a periodic scale.

Any idea how to proceed with this?

Thanks

Jase
 
Richdog said:
Post a hijackthis log and I'll take a look for you.

Not sure how to do that, here's a log of what I get if it makes sense to you (I've put a space in the URL to stop anyone accidentally clicking):

Time Module Object Name Threat Action User Information
14/12/2006 17:05:23 AMON file C:\DOCUME~1\Jason\LOCALS~1\Temp\2.exe a variant of Win32/PSW.Agent.NBJ trojan quarantined - deleted THUNDERBIRDV\Jason Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.
14/12/2006 17:05:17 IMON file h ttp://www.m369m.com/hjm/2.exe a variant of Win32/PSW.Agent.NBJ trojan THUNDERBIRDV\Jason
14/12/2006 17:05:04 AMON file C:\DOCUME~1\Jason\LOCALS~1\Temp\1.exe a variant of Win32/PSW.Agent.NBJ trojan quarantined - deleted THUNDERBIRDV\Jason Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.
14/12/2006 17:05:00 IMON file h ttp://www.m369m.com/hjm/1.exe a variant of Win32/PSW.Agent.NBJ trojan THUNDERBIRDV\Jason
14/12/2006 17:02:12 AMON file C:\DOCUME~1\Jason\LOCALS~1\Temp\2.exe a variant of Win32/PSW.Agent.NBJ trojan quarantined - deleted THUNDERBIRDV\Jason Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.
14/12/2006 17:02:07 IMON file h ttp://www.m369m.com/hjm/2.exe a variant of Win32/PSW.Agent.NBJ trojan THUNDERBIRDV\Jason
14/12/2006 17:01:48 AMON file C:\DOCUME~1\Jason\LOCALS~1\Temp\1.exe a variant of Win32/PSW.Agent.NBJ trojan quarantined - deleted THUNDERBIRDV\Jason Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.
14/12/2006 17:01:44 IMON file h ttp://www.m369m.com/hjm/1.exe a variant of Win32/PSW.Agent.NBJ trojan THUNDERBIRDV\Jason

I tried a scan in safe mode but then no files found, guess that was because I didn't have net access or something...

I don't *** to do a fresh install but if that's what it takes :(
 
Thanks for replies.

I had logged in as Jason not administrator when I ran the scan.

I've done some more research and I've found the problem, it is related to a virus called WANGDLL (sometimes seen as 1.exe, 2.exe, 3.exe).. problem is as yet I haven't found a way to get rid of it..

Jase
 
:) Here's the log I just saved, hope it makes some sense to you..


C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Jason\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.superwebsearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.superwebsearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.superwebsearch.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.superwebsearch.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.superwebsearch.com/ie/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\FilePlanet\Download Manager\DLM.exe /windowsstart /startifwork
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Registration-InstantCopy.lnk = C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\Pixie\RegTool.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.1.99.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O20 - AppInit_DLLs: KB455373M.LOG
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SmartGenie (LxrSGe10s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSge10s.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe
 
Many thanks for that, but unfortunately I still have the problem.

On the web I've managed to find the exact same thing as I have, however the HJT log is different as I don't have the 1.exe, 2.exe etc in my log file, however those are the files NOD32 warns me about.. maybe it's because NOD32 is removing them as soon as they are written?? If this is the case why are they written and what's doing it, and more important how do I stop it!!

Well thanks again..

Jase
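
The NOD32 log posted earlier in the thread can be checked mechanically for the pattern the post above asks about: each IMON (HTTP scanner) hit followed within seconds by an AMON (on-access) hit on a temp file of the same name, with the creating process and the repeat interval. This is an added example, not part of any post in the thread; the sample lines are constructed in the layout of that log, with placeholder host, machine and user names, and the parser assumes the URL contains no space.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of the NOD32 log quoted in the thread; host, machine
# and user names are placeholders, timestamps and detection name follow the post.
AMON_TAIL = (r" a variant of Win32/PSW.Agent.NBJ trojan quarantined - deleted PC\User Event occurred on a"
             r" new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine.")
IMON_TAIL = r" a variant of Win32/PSW.Agent.NBJ trojan PC\User"
SAMPLE_LOG = "\n".join([
    r"14/12/2006 17:05:23 AMON file C:\DOCUME~1\User\LOCALS~1\Temp\2.exe" + AMON_TAIL,
    r"14/12/2006 17:05:17 IMON file hxxp://host.example/hjm/2.exe" + IMON_TAIL,
    r"14/12/2006 17:05:04 AMON file C:\DOCUME~1\User\LOCALS~1\Temp\1.exe" + AMON_TAIL,
    r"14/12/2006 17:05:00 IMON file hxxp://host.example/hjm/1.exe" + IMON_TAIL,
    r"14/12/2006 17:02:12 AMON file C:\DOCUME~1\User\LOCALS~1\Temp\2.exe" + AMON_TAIL,
    r"14/12/2006 17:02:07 IMON file hxxp://host.example/hjm/2.exe" + IMON_TAIL,
    r"14/12/2006 17:01:48 AMON file C:\DOCUME~1\User\LOCALS~1\Temp\1.exe" + AMON_TAIL,
    r"14/12/2006 17:01:44 IMON file hxxp://host.example/hjm/1.exe" + IMON_TAIL,
])

LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (AMON|IMON) file (\S+) (.*)$")
CREATOR_RE = re.compile(r"created by the application: (\S+)\.(?:\s|$)")

def parse_events(text):
    """Parse log lines into (time, module, object, file name, creator), oldest first."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        creator = CREATOR_RE.search(m.group(4))
        events.append((datetime.strptime(m.group(1), "%d/%m/%Y %H:%M:%S"), m.group(2),
                       m.group(3), re.split(r"[\\/]", m.group(3))[-1].lower(),
                       creator.group(1) if creator else None))
    return sorted(events, key=lambda e: e[0])

def correlate(events, window=30):
    """Pair each IMON (HTTP scanner) hit with the AMON (on-access) hit for the same
    file name within `window` seconds, and time the gap between repeats of a URL."""
    pairs, last_seen, repeats = [], {}, defaultdict(list)
    for i, (when, module, obj, name, _) in enumerate(events):
        if module != "IMON":
            continue
        if obj in last_seen:
            repeats[name].append(int((when - last_seen[obj]).total_seconds()))
        last_seen[obj] = when
        for t2, mod2, obj2, name2, creator in events[i + 1:]:
            delay = int((t2 - when).total_seconds())
            if delay > window:
                break
            if mod2 == "AMON" and name2 == name:
                pairs.append((obj, obj2, delay, creator))
                break
    return pairs, dict(repeats)
```

Calling `correlate(parse_events(SAMPLE_LOG))` returns the URL-to-file pairs with their delay and creating process, plus the number of seconds between repeats of each download.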
 
Looks like I may have missed something when I did that scan (may have run out of disk space or something and it didn't complete).. Anyway did the online scan again and this time it found a few things. A load of suspicious files that were locked (but guess that may have been system files) but also found files that contained the following:

Infected: Trojan-Downloader.Win32.Delf.auc
Infected: Backdoor.Win32.Hupigon.aqw
Infected: Trojan-Downloader.Win32.Delf.auc
Infected: Trojan-Downloader.VBS.Small.bv
Infected: Trojan-PSW.Win32.QQPass.rw

Unfortunately the action taken by the checker was reported as "skipped". I manually deleted the files from a DOS prompt but the problem is still there.

May have to do a format/fresh install over the weekend and then put Kaspersky or NOD32 from the start :(

Thanks again for the help

Jase
 