My PC reporting NOD files after uninstalling it


PROBLEM NO.1
January 26th, 2006, 11:48 AM
Hi!
I was trying to install an NOD version that a friend gave me, but I couldn't complete it. That's why I uninstalled it with the tool Add/Remove on Win98SE, but my computer is still reporting at reboot that a file, which SYSTEM.ini is using: C:\PROGRA~1\ESET\AMON.VXD is missing and that the program can't run. Microsoft Outlook 2000 is also reporting a missing file C:\PROGRA~1\ESET\EMON.DLL. I would like to fix this problem, because I would not like to read these messages every time I try to run my PC. What should I do?
Thanks for your help.

dvk01
January 26th, 2006, 12:29 PM
for this case only please post a HJT log so we can remove the start up entries

go to here (http://www.thespykiller.co.uk/forum/index.php?action=tpmod;dl=item5) and download 'Hijack This!' self installer. Save it to the desktop or other suitable place. DO NOT just press run from the website. Double click on the file and it will install to C:\program files\hijackthis and create an entry in the start menu and an optional shortcut on desktop.
Click on the entry in start menu or on the desktop to run HijackThis
Click the "Scan" button, when the scan is finished the scan button will become "Save Log" click that and save the log.
Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.
It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.

pc-support
January 26th, 2006, 12:37 PM
Or reinstall NOD again and then uninstall it.
Hopefully it will then remove the errant information as it should have done the first time around.

Blackspear
January 26th, 2006, 09:39 PM
-{ Quote: "I was trying to install an NOD version that a friend gave me," }-
Being that Nod32 can not be given to anyone, other than someone purchasing a license on your behalf, I gather you would probably be talking about a "cracked version" of Nod32?

Please elaborate further on how exactly your friend "gave you" Nod32.

Blackspear.

PROBLEM NO.1
January 27th, 2006, 05:16 AM
Yes, I also think that it was a cracked version. This experience definitely taught me not to use cracked programs ever again.

Blackspear
January 27th, 2006, 05:33 AM
-{ Quote: "Yes, I also think that it was a cracked version. This experience definitely taught me not to use cracked programs ever again." }-
If you would like to register here at Wilders and then send me a Private Message, I will forward an evaluation license that will allow you to trial the full version of Nod32 for 30 days.

Cheers

Blackspear.

PROBLEM NO.1
January 27th, 2006, 06:01 AM
Here are the results.



Logfile of HijackThis v1.99.1
Scan saved at 12:10:30, on 27. 01. 06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCTLCOM.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\TMPFW.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\TMPROXY.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCGUIDE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPZTSB03.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\CHERRY\KEYMAN\KEYMAN.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\EMULE\EMULE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.fastwebfinder.com/iesearch.html/%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.mp3hi-fi.com/cgi-bin/l/lnk.cgi?l=searchdef
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.rub.to
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.rub.to
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Povezave
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb03.exe
O4 - HKLM\..\Run: [CherryKeyMan] C:\Program Files\Cherry\KeyMan\KeyMan.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [fwv] C:\WINDOWS\fwv.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [PcCtlCom] C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCTLCOM.EXE
O4 - HKLM\..\RunServices: [NOD32kernel] "C:\Program Files\Eset\nod32krn.exe"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab

dvk01
January 27th, 2006, 06:19 AM
I can see why NOD wouldn't install

you have some malware there and that MIGHT have caused it BUT you also have Trend Micro installed and running and the 2 aV's won't work together

did you try reinstalling NOD & uninstalling it again?

PROBLEM NO.1
January 27th, 2006, 06:37 AM
Not yet. I have to call my friend to give me the CD again, I don't have it anymore:(
I'll try and if it doesn't work, I'll ask you for help - again:)
Thanks for everything.
I have another question - can I fix the malware?
Yes, I know that 2 AV don't work together, but my PC-cillin is expiring and I need another program. Which one do you recommend; NOD or PC-cillin? I have a chance to buy them. What do you think about BITDEFENDER? Which is better?

dvk01
January 27th, 2006, 06:59 AM
Yes we can help with the malware but I would suggest following Blackspear's advice first. Register as a member here & send him the PM he is asking for and he will arrange for a legal trial licence for you

once NOD is installed and running it hopefully will recognize and deal with the malware

I do feel it probably is Trend Micro preventing NOD being installed as what you have showing as malware doesn't usually damage AV's and looks like adware only

PROBLEM NO.1
January 27th, 2006, 10:34 AM
Thank you Blackspear. Nod works. It didn't find any threat or virus. Was the warning on e-mule a false alarm?

PROBLEM NO.1
January 27th, 2006, 10:36 AM
Oh, btw: dvk01, what about the malware????? ???

AshG
January 27th, 2006, 12:51 PM
I'd suggest removing Trend Micro, then trying Ewido's online scanner and following up with Asquared's free tool. Run them both, and you should have taken care of most of your malware issues. I'd even suggest following it up with Bitdefender's online virus scan as well before putting NOD32 back on there just to minimize the chance of nasties lurking in the shadows.

Quick summation...

1. Remove Trend Micro to prevent installation/usage issues for the following steps.
2. Run Ewido online scanner (must use IE)
3. Run ASquared free client
4. Run Bitdefender or other online virus scanner
5. Install a legitimate copy of NOD32 using the key you've been given.

You can also substitute ASquared for Spybot S&D if you wish.

Good luck, let us know how it goes.

dvk01
January 27th, 2006, 01:27 PM
This is a very suspicious entry as I can't find anything about it

C:\WINDOWS\fwv.exe

please do this

please go to http://www.thespykiller.co.uk/forum/index.php?board=1.0 and upload these files so I can examine them and distribute them to antivirus companies.
Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the files on your computer. If there is more than 1 file then press the more attachments button for each extra file and browse and select etc. and then when all the files are listed in the windows press send to upload the files (do not post HJT logs there as they will not get dealt with)

Files to submit:

C:\WINDOWS\fwv.exe

once we have examined it we can see if it is malicious or not

PROBLEM NO.1
January 27th, 2006, 04:53 PM
AshG,
did what you said. although I can't use Ewido online scanner 'cause I have win98. Bitdefender online scanner didn't show anything, according to their report everything was OK.

PROBLEM NO.1
January 27th, 2006, 05:14 PM
http://www.thespykiller.co.uk/forum/index.php?topic=1120.0

dvk01
January 27th, 2006, 05:16 PM
you never uploaded the file

let's try it this way

download suspicious file packer from http://www.safer-networking.org/en/tools/index.html and unzip it to desktop, open it &
paste in this list of files and when it has created the archive on your desktop please upload that to http://www.thespykiller.co.uk/forum/index.php?board=1.0 so we can examine the files

C:\WINDOWS\fwv.exe

PROBLEM NO.1
January 28th, 2006, 05:18 AM
My PC reports there are no such files:
C:\WINDOWS\fwv.exe

dvk01
January 28th, 2006, 05:24 AM
in that case just do this
Run hijackthis, put a tick in the box beside these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.fastwebfinder.com/iesearch.html/%s

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.rub.to
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.rub.to
O4 - HKLM\..\Run: [fwv] C:\WINDOWS\fwv.exe

one of your protections has removed it but left the start ups & traces behind
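
Added example, not part of the thread or any poster's advice: a Python triage helper that reads a HijackThis log like the one posted above and lists O4 Run/RunServices entries whose executable is absent from the log's own "Running processes" block, which is how leftovers such as the `fwv` and Eset entries stand out. The function names and the trimmed sample log are constructed for illustration; an entry that is not running is only a candidate for review, since one-shot launchers such as `Rundll32.exe` are listed too.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a subset of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPZTSB03.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCGUIDE.EXE

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb03.exe
O4 - HKLM\..\Run: [fwv] C:\WINDOWS\fwv.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\RunServices: [NOD32kernel] "C:\Program Files\Eset\nod32krn.exe"
"""

# Matches registry autostart lines: O4 - <key>: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

def running_basenames(log):
    """Lower-cased file names from the 'Running processes:' block."""
    names, in_block = set(), False
    for line in log.splitlines():
        if line.startswith("Running processes:"):
            in_block = True
        elif in_block and not line.strip():
            break  # the block ends at the first blank line
        elif in_block:
            names.add(PureWindowsPath(line.strip()).name.lower())
    return names

def startup_target(cmd):
    """File name of the program an O4 command line starts (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        path = cmd[1:].split('"', 1)[0]
    else:  # unquoted paths may contain spaces, so cut at the extension
        m = re.match(r"(.+?\.(?:exe|com|bat))(?:\s|$)", cmd, re.I)
        path = m.group(1) if m else cmd
    return PureWindowsPath(path).name.lower()

def not_running_autostarts(log):
    """(value name, executable) for O4 entries whose target is not running."""
    running = running_basenames(log)
    matches = (O4_RE.match(line) for line in log.splitlines())
    found = [(m["name"], startup_target(m["cmd"])) for m in matches if m]
    return [(name, exe) for name, exe in found if exe not in running]
```
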