Can't install firewall... 1/2

Discussion in 'Malware Help (A Specialist Will Reply)' started by Darden, Mar 13, 2007.

  1. Darden

    Darden Private E-2

    For some reason, it is not possible for me to install Zonealarm nor Sygate firewalls in my computer.

    Zonealarm would not show the traffic icon and Sygate shuts down after start up while reporting an error.

    I suspect my computer is swimming in malware. confused

    I followed the malware removal guide and ccleaner keeps eliminating stuff every time I run it. But they always come back. :(

    Unfortunately some of the steps named in the guide were not possible to follow without going back to Windows running in normal mode (e.g. Java SE Runtime). I am not sure if some of the effort following the guide could disappear this way.

    Pandsoftware found 5 cookies but could not eliminate them either so I know I am not free from malware yet.

    I have just installed zone alarm after all this. Unfortunately Zonealarm does not seem to work fine. The icon which shows incoming and outgoing traffic is just not there.
    It looks though like the program is running since I can see zlclient.exe in the task manager.

    I had to uninstall Zonealarm though because it would not let me access internet.

    Is there anyone who knows what's going on?
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please attach the other logs requested in the READ ME:

    - GetRunKey
    - ShowNew
    - HijackThis


    Notes:
    1. Cookies are not problems! Ignore them
    2. Ccleaner is not a malware removal tool. It is a junk/garbage removal tool and your PC will always have junk that can be removed.
    3. You cannot block iexplore.exe from having internet access. That is why ZoneAlarm blocked you.
     
  3. Darden

    Darden Private E-2

    I've been trying for like an hour to upload the other 3 files. I do not know what's wrong, the page stops working when I try this. I moved the files to a pendrive and tried it from another computer and had the same problem. I will try it again later.

    Maybe I expressed it the wrong way. I did not block iexplore myself. Zonealarm did it after installation and I cannot access Zonealarm's menu to change anything because it is not there.
    The only way to get access to the internet again is through uninstalling Zonealarm.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try putting all of them into a ZIP file and attaching the ZIP file.

    By default, ZoneAlarm does not block IE because it knows what it is. Did you install ZoneAlarm with Antivirus or just ZoneAlarm the firewall? You should be able to bring up ZoneAlarm via your Start, All Programs buttons.
     
  5. Darden

    Darden Private E-2

    Found out that it is newfiles.txt which is giving upload problems. Here are runkeys.txt and hijackthis.log.
    I'll try a little more with the last one later.
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why? How large is it? Did you notice an error message in the upload window?
     
  7. Darden

    Darden Private E-2

    I only installed the firewall.

    I've done this a few times before and it does not look like it used to. I've tried to access Zonealarm through the start menu but the only thing I get is a new zlclient.exe file in the task manager, nothing else.

    Good idea with the zip file. :) I attached the one missing in zip format and all of them again in "all_6_files.zip".
     


  8. Darden

    Darden Private E-2

    The upload window just never stopped uploading and at the end I got the "page not found" page.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You skipped step 3 of the READ ME (you have AVG & NOD and I see signs of Symantec too) and you also did not do step 2 properly (you only did part of what step 2 asked you to do).
     
  10. Darden

    Darden Private E-2

    :eek:
    I'll check this immediately... should I start all over?

    Uncheck the Hide protected operating system files (recommended) option oops...I missed this one. :eek:
    Norton was removed a long time ago.
    AVG was uninstalled but it won't leave. At the beginning of Windows it says that it is no longer working and that I should reinstall it.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! Just get me the log from ShowNew or explain in greater detail what the problem is.

    Not completely according to your logs! Are you still using any Symantec/Norton software??? I see a proxy item from them too.

    We can take care of this but I need the ShowNew log.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry...I just noticed you got newfiles.txt uploaded.

    You still have three antivirus applications installed according to newfiles.txt:

    "DisplayName"="AVG Free Edition"
    "DisplayName"="NOD32 antivirus system"
    "DisplayName"="NOD32 FiX"
    "DisplayName"="Norton AntiSpam"
    "DisplayName"="Norton Internet Security"
    "DisplayName"="Symantec Network Drivers Update"

    And what is the below? Is it also considered an antivirus or firewall? Could it be part of your problem?
    O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dlle
    O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Archivos de programa\GbPlugin\GbpSv.exe
     
    Last edited: Mar 14, 2007
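
The check made by eye in the post above can be done mechanically. The following is an added example, not part of the original thread or any MajorGeeks tool: it groups the `DisplayName` values by vendor and flags HijackThis services with an unknown owner and BHOs whose file is missing. The vendor keyword map and all function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the thread (DisplayName values from
# newfiles.txt plus two HijackThis entries).
SAMPLE_LOG = r'''
"DisplayName"="AVG Free Edition"
"DisplayName"="NOD32 antivirus system"
"DisplayName"="NOD32 FiX"
"DisplayName"="Norton AntiSpam"
"DisplayName"="Norton Internet Security"
"DisplayName"="Symantec Network Drivers Update"
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Archivos de programa\GbPlugin\GbpSv.exe
'''

# Assumption: keyword-to-vendor map, limited to the vendor pairings named
# in the thread. Extend it for other products.
VENDOR_KEYWORDS = {
    "AVG/Grisoft": ("avg", "grisoft"),
    "NOD32/ESET": ("nod32", "eset"),
    "Norton/Symantec": ("norton", "symantec"),
}

DISPLAY_RE = re.compile(r'^"DisplayName"="(?P<name>[^"]*)"$')
BHO_RE = re.compile(
    r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$')
SVC_RE = re.compile(
    r'^O23 - Service: (?P<display>.*?) \((?P<service>[^)]+)\)'
    r' - (?P<owner>.*?) - (?P<path>.*)$')
# HijackThis marks entries whose target file is gone with one of these suffixes.
MISSING_RE = re.compile(r'\((?:no file|file missing)\)\s*$')


def parse_log(text):
    """Split pasted log text into product names, BHO entries and services."""
    products, bhos, services = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = DISPLAY_RE.match(line)
        if m:
            products.append(m.group("name"))
            continue
        m = BHO_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["missing"] = bool(MISSING_RE.search(entry["path"]))
            bhos.append(entry)
            continue
        m = SVC_RE.match(line)
        if m:
            services.append(m.groupdict())
    return products, bhos, services


def vendors_installed(products):
    """Group installed product names by security vendor."""
    found = defaultdict(list)
    for name in products:
        for vendor, keywords in VENDOR_KEYWORDS.items():
            # \b prefix so that "eset" does not match inside e.g. "Reset".
            if any(re.search(r'\b' + re.escape(k), name, re.I) for k in keywords):
                found[vendor].append(name)
                break
    return dict(found)


def review(text):
    """Return (vendors, findings) for a pasted log."""
    products, bhos, services = parse_log(text)
    vendors = vendors_installed(products)
    findings = []
    if len(vendors) > 1:
        findings.append("conflict: products from %d security vendors installed: %s"
                        % (len(vendors), ", ".join(sorted(vendors))))
    for svc in services:
        if svc["owner"].lower() == "unknown owner":
            findings.append("service %s (%s) has no identifiable owner: %s"
                            % (svc["service"], svc["display"], svc["path"]))
    for bho in bhos:
        if bho["missing"]:
            findings.append("orphaned BHO %s %s" % (bho["clsid"], bho["name"]))
    return vendors, findings


if __name__ == "__main__":
    vendors, findings = review(SAMPLE_LOG)
    for vendor, names in sorted(vendors.items()):
        print(vendor, "->", names)
    for finding in findings:
        print("FINDING:", finding)
```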
  13. Darden

    Darden Private E-2

    The problem is I can't install a firewall that works and don't know what the problem is.

    gbieh.dlle and GbpSv.exe are both files belonging to a banking homepage. There should be nothing wrong with them.

    I can see the AVG antivirus named many times at your home page. I am considering reinstalling it over the old version, since I cannot uninstall it normally, and dropping Nod32.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are missing my point. Is this considered an antivirus and or firewall? It seems to be some kind of protection. If it is an antivirus then you have 4 installed. If it is a firewall, you must not install another firewall.

    Again you are missing the point. You must not install (or even reinstall) another antivirus while the others are still present. This can result in improper/incomplete configuration and can mess up Windows Security Center. If you want to keep AVG that's fine, but you must uninstall all of NOD and all of Symantec/Norton. Also if this banking software is an antivirus, that presents another item that must be uninstalled.
     
  15. Darden

    Darden Private E-2

    I believed these files are installed for accessing a Brazilian bank through the internet. I cannot answer whether they are protecting programs or not. I guess they are files necessary for the bank to work. I don't mind removing them, since it is more important to get this computer to work than having my sister's bank working. Do you have a suggestion on how I should remove them?


     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes I know it is for Internet Banking. I just wonder whether it is an antivirus and/or firewall and whether it is related to why you cannot install a firewall. I see no uninstall procedure for it in your logs. Does it appear in Add/Remove programs? We may need to remove it manually if necessary.


    Follow the steps below in the EXACT order written:
    • download the current version of AVG Free Edition but DO NOT install yet
    • download the latest updates for AVG from AVG Anti-Virus Updates
    • now disconnect your PC from the internet (unplug the cable)
    • now go to Add/Remove programs and uninstall all of the below in the order written (if some items do not appear, just move on to the next but tell me later what you do not find)
      • AVG Free Edition
      • NOD32 antivirus system
      • NOD32 FiX
      • Norton Internet Security
      • Norton AntiSpam
      • Symantec Network Drivers Update
    • now reboot
    • after reboot install AVG Free Edition
    • install the AVG Updates
    • run a full system scan with AVG and save a log (if possible) if any problems are reported.
    • now reconnect your cable to the internet
    • save new logs from ShowNew and HJT
    • attach the logs from ShowNew and HJT (also attach the AVG log if it found anything).
     
  17. Darden

    Darden Private E-2

    I've downloaded AVG and updates but Norton AntiSpam, Norton Internet Security and Symantec do not appear at the add or remove programs option.

    Could you suggest another way to remove them?
     
  18. Darden

    Darden Private E-2

    I cannot uninstall AVG free edition either. It looks like it is uninstalling, says checking system status and finally uninstallation finished but does not disappear.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not say whether you uninstalled the NOD items!

    Please follow the steps here Getting Uninstall Programs List From The Registry and attach the requested log.

    Then continue onto the below! Note that based upon whether any components were already uninstalled, you may not find some of the below items. If you don't find certain items, just skip it and continue.

    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to AVG7 Alert Manager Server
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Now repeat the above to Stop and Disable the below two Services (if you do not find them or get any errors, just continue):
      • AVG7 Update Service
      • AVG E-mail Scanner
      • Symantec Network Proxy
      • Gbp Service
      • NOD32 Kernel Service
      • Symantec Network Drivers Service
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste Avg7Alrt into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now repeat the above to delete the below two Services (if you do not find them or get any errors, just continue):
      • Avg7UpdSvc
      • AVGEMS
      • ccProxy
      • GbpSv
      • NOD32krn
      • SNDSrvc
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
    O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

    After clicking Fix, exit HJT.


    Now reboot in normal mode

    Now attach the below new logs and tell me how the above steps went.

    1. C:\GetUnKey.txt - from at the top of this message
    2. GetRunKey
    3. ShowNew
    4. HJT
     
  20. Darden

    Darden Private E-2

    xxxxx
     
  21. Darden

    Darden Private E-2

    I disabled all the services like you told me, but when I got to Nod32 I decided to uninstall it the normal way, since there had been nothing wrong with this program.
    After reboot I checked that all the services were disabled as I had set them to before uninstalling Nod32 but could see that AVG7 was again running. I disabled it and continued with HJT.
    HJT can't delete Avg7Alrt because it says that it is still running! :hammer
    Strange, when I run the services.msc it shows disabled. confused
    When I try with the other services I get the following messages:
    Avg7UpdSvc: is enabled and/or running
    AVGEMS: is enabled and/or running
    ccProxy: is enabled and/or running
    GbpSv: is enabled and/or running
    NOD32krn: was not found (since I uninstalled it)
    SNDSrvc: the service is critical can't be deleted.

    At HJT again
    O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE was of course, not there.

    You wrote reboot in normal mode. Was I supposed to do everything in safe mode?

    When I ran GetRunKey and ShowNew I got the following system message
    “c:\winsows\system32\cmd.exe
    c:\ARCHIV~1\Symantec\S32EVNT1.DLL. Controller failure at a virtual unit when DLL started. Choose “close” to end the application. “
     


  22. Darden

    Darden Private E-2

    And the last file. Same problem as before, that's why it is in .zip mode.
     


  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You MUST follow the directions exactly as written and in the order written. You must first Stop the services and then disable them. And then you must Delete them with HijackThis. You are not doing the steps as written.

    Also you are not running HijackThis from here:

    C:\Documents and Settings\Eduardo\Mis documentos\Herramientas para limpiar la maquina\hijackthis_sfx\HijackThis.exe

    Delete this file and do not run it from here any more. Only run it like you did in message # 5.

    What error message do you receive (if any) when trying to upload newfiles.txt? Note that you are not running it properly based on your log. From what I see in your log it appears that you did not follow the directions for extracting it from the ZIP file. Or you are getting one of the error messages mentioned on the download page. You must make sure you extract all files from the ZIP file and run the .bat from outside of the ZIP file. You are also running GetRunKey incorrectly (the same problem as with ShowNew). You ran them properly earlier! Why are you running them incorrectly now?

    You also now are using MSconfig to control startups which we specifically requested in at least two places in the READ & RUN ME not to use. Please stop using MSconfig now. If you have MSconfig controlling startup process or services while trying to uninstall related programs the uninstalls will either completely fail or will be incomplete.


    If you do not follow directions, we cannot help you.

    You also say that AVG and Norton are not installed but based on your logs they are installed and they should appear in Add/Remove programs and that is how you should be uninstalling them. You need to use Add/Remove programs to uninstall this before trying to use the instructions in message # 19. Do you have a problem understanding what Add/Remove Programs is? If you do know what Add/Remove programs is, are you sure that AVG and Norton do not appear in the list?

    Below I have attached a text file that shows all of the AVG and Norton items that appear in your uninstall programs list which means they are installed.
     


    Last edited: Mar 17, 2007
  24. Darden

    Darden Private E-2

    I'm sorry but I am trying. Some tasks look a lot like others when you are not familiar with these procedures, and especially when translated to a Spanish OS.
    I will try harder from now on to do exactly as told.

    The file has been deleted.


    The file just won't stop uploading.

    Shownew was run from the unzipped file. But I had not seen the error directions. Now I have followed them and the error is gone.


    You are right once again...this is getting embarrassing...



    AVG appears, Norton does not. I run uninstall for AVG but it won't disappear.

    I know they are there but can not remove them.

    The results after trying with HJT again are:

    Avg7Alrt service critical can not be deleted
    Avg7UpdSvc service critical can not be deleted
    AVGEMS system critical can not be deleted
    ccProxy system critical can not be deleted
    GbpSv it says it is running. Somehow it starts over every time I disable it!
    NOD32krn not found
    SNDSrvc system critical can not be deleted

    I wonder if the service AVG7 alert manager server should also be disabled and removed.
     


  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Don't be embarrassed! ;) I understand that what is easy for us may be difficult for others, especially with the language differences between us and within the Windows OS.

    Yes! It was the first one in the list! Look again! ;) After stopping, disabling and deleting it, attach a new HJT log. Also attach a new GetRunKey (not GetUnKey) log. Make sure it runs properly with no errors!!!
     
  26. Darden

    Darden Private E-2

    Thanks for understanding and for your patience.

    AVG alert manager was stopped though HJT could not remove it. Same like the others, it is "system-critical and can not be deleted".

    No errors with runkeys.
     


  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is one reason why my instructions said to ignore any error messages and continue. ;) It was deleted and it was not system critical.

    Okay now run the steps below in the order given!

    Download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program
    Now download and run this Norton Removal Tool (SymNRT)

    Now look in Add/Remove programs for the below and uninstall if found (you may not find these):
    CC_ccProxyMSI
    CC_ccStart
    Symantec Network Drivers Update


    Uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below folder which may be left behind by the uninstall:
    C:\Archivos de programa\Sunbelt Software

    Continue by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Archivos de programa\GbPlugin\GbpSv.exe
    C:\WINDOWS\Downloaded Program Files\Bb.gpc
    C:\WINDOWS\Downloaded Program Files\desktop.ini
    C:\WINDOWS\Downloaded Program Files\gbieh.gmd
    C:\WINDOWS\Downloaded Program Files\gbieh.dll
    C:\WINDOWS\Downloaded Program Files\logoint.bmp
    C:\WINDOWS\system32\drivers\avg7core.sys
    C:\WINDOWS\system32\drivers\avg7rsw.sys
    C:\WINDOWS\system32\drivers\avg7rsxp.sys
    C:\WINDOWS\system32\drivers\avgclean.sys
    C:\WINDOWS\system32\drivers\avgmfx86.sys
    C:\WINDOWS\system32\drivers\avgtdi.sys
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.
    After reboot locate the below folder and delete if found:
    C:\Archivos de programa\Grisoft

    Now please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now! At this point if things are looking better, we need to get an antivirus (I suggest AVG Free Edition) and a firewall (I suggest ZoneAlarmFree - Note: Do not install the Security Suite which is an option you will see while installing!!!!!! ) installed without further delay but first let's make sure all the old info from above was cleaned up.
     
  28. Darden

    Darden Private E-2

    This is how everything went:

    1) I got the PendingFileRenameOperations prompt from Killbox.

    2) The AVG folder could not be deleted. Windows is asking me to check that the disk is full or write protected or that some files may be in use.
    I've noticed that these three files in the folder have been recently (2 days ago) modified:
    microavi.avg
    incavi.avm
    miniavi.avg
    Could they be being used by another program?
    Anyway, I deleted the files inside the folder manually and there is only one file which I could not remove.
    avgse.dll

    3) The 3 files you asked for are attached. Strange the uploading of the txt files does not work. It just never stops uploading while it uploads pretty fast when using zip format.
     


  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now Download The Avenger (http://swandog46.geekstogo.com/avenger.zip ) by Swandog46, and save it to your Desktop.

    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy the quoted bold print below and paste it in the box that opens from Avenger:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it.
    • A log file from Avenger will be produced at C:\avenger.txt, please post that log here in your next reply.
    Now attach the below new logs and tell me how the above steps went.

    1. avenger.txt log
    2. GetRunKey
    3. ShowNew
    4. HJT
     
  30. Darden

    Darden Private E-2

    These are the results now
    1) At startup I got a message: "Failure when uploading downloader.dll"
    Nothing else for today.

    2) Yesterday I found out that there are 2 new folders in the C drive:
    - !Killbox
    - $Vault$.AVG

    3) Do you think I should uninstall/delete Hoster by now?

    4) Would you tell me what you think has been wrong with this computer?
    Since this has been the "family computer" at my parents for a while I am not surprised at all the issues that there have been until now. Nobody seems to care until things do not work. As you can see my level of expertise is not high and is getting lower with time, but I am still interested in security and in removing malware. I just don't have the time I used to. How could I find out what each of the programs we used does?
     


  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let me know if this keeps happening. That file name is associated with a trojan. See http://research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Downloader.Small&threatid=39699

    Thus it is good that it seems to be missing. I just don't see what application is trying to load it.

    Normal! The first is the backup folder for Pocket Killbox and the second is your antivirus vault (quarantine) from AVG which we uninstalled. You could try deleting the $Vault$.AVG folder, but we will be reinstalling AVG soon.

    You can do that if you want since we are finished with it now.

    Well, your main problem was not malware. You had a few minor malware items but your big problem was having no less than 3 antivirus applications installed. You may still need to do some registry cleaning with a good registry cleaning tool that also backs up your registry before cleaning. This is not a topic for the malware forum though. In reality, most of your issues were not either.

    I still also don't like the looks of the G-Buster stuff which you say is for banking. It is behaving just like malware. It has no uninstall and will not go away (at least not completely as of yet). You need to talk with this bank and find out what the heck they are installing on your PC and why there is no uninstall program included with it. This is unacceptable. However since we have also been working at trying to remove it, we may have broken whatever it is and you may need to reinstall it if this is really necessary.

    So let's continue with the removal of this G-Buster software.
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Gbp Service
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste GbpSv into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll (file missing)

    After clicking Fix, exit HJT.

    Now reboot into safe mode and delete the below folder if it exists!
    C:\Archivos de programa\GbPlugin

    Let me know what you find!!

    Now run Ccleaner

    Now reboot in normal mode

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now download this AVG Free Edition and then install it and get any updates. Then run a full system scan. Did it install, update and run okay?

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
     
  32. Darden

    Darden Private E-2

    1) Inside the !killbox folder I found the GbpSv.exe program. Is this ok?

    2) In the folder C:\Archivos de programa\GbPlugin I found GbpSv.exe as well. It was removed though.

    3) Would you recommend running ccleaner for "Issues" too?

    4) There were 2 issues while installing the AVG antivirus.

    a) All the necessary values (name, company and key) were already there after installing the program.
    b) I got this error after installing:
    Local machine: installation failed
    Installation:
    Error: Action failed for file avgamsvr.exe: starting service....
    And in Spanish it said that the service was unable to start.
     


  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! As I said before this folder is the backup folder for Pocket Killbox. When it deletes files, it saves a backup here so that you can recover from a mistake of deleting the wrong file.

    Given the problems you are still having with installing AVG, yes. But make sure you create the backup when it asks, and also I would start by focusing on only things related to AVG/Grisoft and Norton/Symantec and NOD32/eSET. Things left around from these previous installs could be making it impossible to install AVG now. This is another reason why we have step 3 of the READ ME. Installing multiple antivirus programs at the same time can cause a variety of problems.

    After using CCleaner to cleanup things left around from the above, try installing AVG Free again. If it does not work, try the below instead:

    Avast! Home Edition
     
  34. Darden

    Darden Private E-2

    AVG now gave the same error as before when installing.
    Avast was successfully installed. Should I try a firewall now?

    I've noticed that Avast has a trial period of 60 days. Could you recommend me another AV to replace Avast?
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! Try one of the ones listed in step 3 of this: How to Protect yourself from malware! In fact you should work thru all steps in the How to protect thread now.

    Not true! It is 90 days but all you have to do is register via email to get a key. I quote from the download page:
     
  36. Darden

    Darden Private E-2

    Finally!

    Sygate firewall has just successfully been installed in my computer! :celebrate

    Thank you Chaslang very much for your serious help. :clap

    Kind regards

    Dardo
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Now complete any of the below which you have not already done.


    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
