My PC reporting NOD files after uninstalling it

Discussion in 'NOD32 version 2 Forum' started by PROBLEM NO.1, Jan 26, 2006.

Thread Status:
Not open for further replies.
  1. PROBLEM NO.1

    PROBLEM NO.1 Guest

    Hi!
    I was trying to install an NOD version that a friend gave me, but I couldn't complete it. That's why I uninstalled it with the tool Add/Remove on Win98SE, but my computer is still reporting at reboot that a file which SYSTEM.ini is using, C:\PROGRA~1\ESET\AMON.VXD, is missing and that the program can't run. Microsoft Outlook 2000 is also reporting a missing file, C:\PROGRA~1\ESET\EMON.DLL. I would like to fix this problem, because I would not like to read these messages every time I try to run my PC. What should I do?
    Thanks for your help.
     
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    For this case only, please post a HJT log so we can remove the startup entries.

    Go here and download 'Hijack This!' self installer. Save it to the desktop or other suitable place. DO NOT just press run from the website. Double click on the file and it will install to C:\program files\hijackthis and create an entry in the start menu and an optional shortcut on desktop.
    Click on the entry in start menu or on the desktop to run HijackThis.
    Click the "Scan" button; when the scan is finished the scan button will become "Save Log". Click that and save the log.
    Go to where you saved the log and click on "Edit > Select All", then click on "Edit > Copy", then paste the log back here in a reply.
    It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.
     
  3. pc-support

    pc-support Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    285
    Location:
    Edinburgh, UK
    Or reinstall NOD again and then uninstall it.
    Hopefully it will then remove the errant information as it should have done the first time around.
     
  4. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Being that Nod32 can not be given to anyone, other than someone purchasing a license on your behalf, I gather you would probably be talking about a "cracked version" of Nod32?

    Please elaborate further on how exactly your friend "gave you" Nod32.

    Blackspear.
     
  5. PROBLEM NO.1

    PROBLEM NO.1 Guest

    Yes, I also think that it was a cracked version. This experience definitely taught me not to use cracked programs ever again.
     
  6. Blackspear

    Blackspear Global Moderator

    If you would like to register here at Wilders and then send me a Private Message, I will forward an evaluation license that will allow you to trial the full version of Nod32 for 30 days.

    Cheers

    Blackspear.
     
  7. PROBLEM NO.1

    PROBLEM NO.1 Guest

    Here are the results.



    Logfile of HijackThis v1.99.1
    Scan saved at 12:10:30, on 27. 01. 06
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCTLCOM.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCIOMON.EXE
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\TMPFW.EXE
    C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\TMPROXY.EXE
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCGUIDE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\HPZTSB03.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\PROGRAM FILES\CHERRY\KEYMAN\KEYMAN.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\EMULE\EMULE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.fastwebfinder.com/iesearch.html/%s
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.mp3hi-fi.com/cgi-bin/l/lnk.cgi?l=searchdef
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.rub.to
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.rub.to
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Povezave
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb03.exe
    O4 - HKLM\..\Run: [CherryKeyMan] C:\Program Files\Cherry\KeyMan\KeyMan.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [fwv] C:\WINDOWS\fwv.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - HKLM\..\RunServices: [PcCtlCom] C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCTLCOM.EXE
    O4 - HKLM\..\RunServices: [NOD32kernel] "C:\Program Files\Eset\nod32krn.exe"
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
     
  8. dvk01

    dvk01 Global Moderator

    I can see why NOD wouldn't install.

    You have some malware there and that MIGHT have caused it, BUT you also have Trend Micro installed and running, and the 2 AVs won't work together.

    Did you try reinstalling NOD & uninstalling it again?
     
  9. PROBLEM NO.1

    PROBLEM NO.1 Guest

    Not yet. I have to call my friend to give me the CD again, I don't have it anymore:(
    I'll try and if it doesn't work, I'll ask you for help - again:)
    Thanks for everything.
    I have another question - can I fix the malware?
    Yes, I know that 2 AVs don't work together, but my PC-cillin is expiring and I need another program. Which one do you recommend: NOD or PC-cillin? I have a chance to buy them. What do you think about BITDEFENDER? Which is better?
     
  10. dvk01

    dvk01 Global Moderator

    Yes, we can help with the malware, but I would suggest following Blackspear's advice first. Register as a member here & send him the PM he is asking for and he will arrange for a legal trial licence for you.

    Once NOD is installed and running, it hopefully will recognize and deal with the malware.

    I do feel it probably is Trend Micro preventing NOD being installed, as what you have showing as malware doesn't usually damage AVs and looks like adware only.
     
  11. PROBLEM NO.1

    PROBLEM NO.1 Registered Member

    Joined:
    Jan 27, 2006
    Posts:
    5
    Thank you Blackspear. Nod works. It didn't find any threat or virus. Was the warning on e-mule a false alarm?
     
  12. PROBLEM NO.1

    PROBLEM NO.1 Registered Member

    Oh, btw: dvk01, what about the malware?? o_O
     
  13. AshG

    AshG Registered Member

    Joined:
    May 7, 2005
    Posts:
    206
    Location:
    East TN
    I'd suggest removing Trend Micro, then trying Ewido's online scanner and following up with Asquared's free tool. Run them both, and you should have taken care of most of your malware issues. I'd even suggest following it up with Bitdefender's online virus scan as well before putting NOD32 back on there just to minimize the chance of nasties lurking in the shadows.

    Quick summation...

    1. Remove Trend Micro to prevent installation/usage issues for the following steps.
    2. Run Ewido online scanner (must use IE)
    3. Run ASquared free client
    4. Run Bitdefender or other online virus scanner
    5. Install a legitimate copy of NOD32 using the key you've been given.

    You can also substitute ASquared for Spybot S&D if you wish.

    Good luck, let us know how it goes.
     
  14. dvk01

    dvk01 Global Moderator

    This is a very suspicious entry as I can't find anything about it:

    C:\WINDOWS\fwv.exe

    Please do this:

    Please go to http://www.thespykiller.co.uk/forum/index.php?board=1.0 and upload these files so I can examine them and distribute them to antivirus companies.
    Just press new topic, fill in the needed details and just give a link to your post here, then press the browse button and navigate to & select the files on your computer. If there is more than 1 file, then press the more attachments button for each extra file and browse and select etc., and then when all the files are listed in the windows press send to upload the files (do not post HJT logs there as they will not get dealt with).

    Files to submit:

    C:\WINDOWS\fwv.exe

    Once we have examined it we can see if it is malicious or not.
     
  15. PROBLEM NO.1

    PROBLEM NO.1 Registered Member

    AshG,
    Did what you said, although I can't use Ewido online scanner 'cause I have Win98. Bitdefender online scanner didn't show anything; according to their report everything was OK.
     
  16. PROBLEM NO.1

    PROBLEM NO.1 Registered Member

  17. dvk01

    dvk01 Global Moderator

  18. PROBLEM NO.1

    PROBLEM NO.1 Registered Member

    My PC reports there are no such files:
    C:\WINDOWS\fwv.exe
     
  19. dvk01

    dvk01 Global Moderator

    In that case just do this:
    Run HijackThis, put a tick in the box beside these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked.

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.fastwebfinder.com/iesearch.html/%s

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.rub.to
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.rub.to
    O4 - HKLM\..\Run: [fwv] C:\WINDOWS\fwv.exe

    One of your protections has removed it but left the startups & traces behind.
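
Added example, not part of any post in this thread: a small Python parser for the `O4` autorun lines of a HijackThis log that lists entries whose target file is no longer on disk, the "startup entry left behind" case discussed above. The log lines are copied from the log in this thread; the `present_files` list is a constructed stand-in for a real on-disk existence check, and the function names are hypothetical.

```python
import re

# O4 registry autorun lines as HijackThis prints them, e.g.
#   O4 - HKLM\..\Run: [fwv] C:\WINDOWS\fwv.exe
# ("O4 - Startup:" shortcut lines use another layout and are skipped here.)
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# Unquoted absolute path to an executable; may contain spaces.
EXE_RE = re.compile(r'^([A-Za-z]:\\.*?\.(?:exe|com|bat|dll))(?:\s|$)', re.IGNORECASE)

def target_path(cmd):
    """Return the absolute executable path in an autorun command, or None
    when the command is a bare name resolved through the search path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
        return path if re.match(r'^[A-Za-z]:\\', path) else None
    m = EXE_RE.match(cmd)
    return m.group(1) if m else None

def orphaned_autoruns(log_text, present_files):
    """List (key, name, path) for O4 entries whose target is not present."""
    present = {p.lower() for p in present_files}  # Windows paths ignore case
    orphans = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        path = target_path(m.group('cmd'))
        if path is None:  # e.g. "SysTray.Exe": cannot judge without a PATH lookup
            continue
        if path.lower() not in present:
            orphans.append((m.group('key'), m.group('name'), path))
    return orphans

# Lines taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CherryKeyMan] C:\Program Files\Cherry\KeyMan\KeyMan.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [fwv] C:\WINDOWS\fwv.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\RunServices: [NOD32kernel] "C:\Program Files\Eset\nod32krn.exe"
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""
# Constructed assumption: only these two targets exist on disk.
PRESENT = [r"C:\PROGRAM FILES\CHERRY\KEYMAN\KEYMAN.EXE",
           r"C:\WINDOWS\SYSTEM\QTTASK.EXE"]

if __name__ == "__main__":
    for key, name, path in orphaned_autoruns(SAMPLE_LOG, PRESENT):
        print(f"{key}: [{name}] -> {path} (file missing)")
```

On a live machine the `present_files` set would be replaced by an `os.path.exists` check; a flagged entry is only a candidate for removal and still needs the manual review described in the thread.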
     