
BFE and Windows Firewall not starting

Discussion in 'Malware Removal' started by EStrother, Dec 10, 2011.

  1. EStrother

    EStrother Private E-2

    I got zapped by the stupid FAKE Windows Antivirus. I have to use voice recognition software to operate my computer, so by the time I closed it, it did a little bit of damage. I immediately disabled my router, and ran all my virus and malware scanners, got rid of whatever they found, (Ccleaner, Malwarebytes, superantispyware, and AVG 2012 free edition) and rebooted when they told me to. Thought everything was OK, except I noticed that my BFE, Windows Firewall, and the others were not running and I can't start them. Anything that depends on BFE will not start because I can't get BFE to start. As per your request I uninstalled AVG so it wouldn't interfere with combofix, I ran all of the run me first software that y'all suggested with AVG uninstalled, so now I have no firewall and no antivirus on my computer. I don't like that. So hopefully we can fix it quick so I can at least get an antivirus back on my machine.
    Thanks
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Yes this is a new type problem happening on Win 7 and Vista systems. New malware is deleting the BFE service from the registry to block any firewall and IPsec services from running. The malware may even delete the necessary bfe.dll file which it appears to have done on your PC.

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1

    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      bfe.dll
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. You can just close this notepad window since the log is already saved on your Desktop. Be patient! It may look like it is not doing anything, but it takes awhile for this to scan thru your whole system looking for matches.
    • Please attach the SystemLook.txt log found on your Desktop to your next reply.
    Also download and save the below two newer version files to your C:\MGtools folder overwriting the older files. You must save them to the C:\MGtools folder.

    GetNetInf.bat

    NwkTst.bat

    Now one at a time, right click on each of the below files and select Run As Administrator. Let the first finish running before running the second one.

    C:\MGtools\NwkTst.bat

    C:\MGtools\GetNetInf.bat

    Then attach the updated C:\MGlogs.zip file.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Oh and two more questions, does System Restore work on your PC? And if yes, do you have restore points from before this problem began?
     
  4. EStrother

    EStrother Private E-2

    Yes I do, but I already tried that and it didn't fix the problem, and I even tried last known good configuration and it still didn't fix it.
    Thanks
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes but there may be other issues to address first before doing that. I did not say to do it now. I just asked if there are restore points. ;) Also how far back do you have restore points for?

    You still need to do what I asked in message # 2.
     
  6. EStrother

    EStrother Private E-2

    I hope I replied right to this, if not let me know. Here are the requested log files
    Thanks
     

    Attached Files:

  7. EStrother

    EStrother Private E-2

    I tried those last week. So I wasn't jumping ahead of your instructions, I was just letting you know.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also I have another question about your hard disk partitioning. Your logs show the below
    Code:
    Get Partition Info From WMI in K-bytes                          
    ==============================================================  
    Bootable  Name                   Size          Type                     
    FALSE     Disk #0, Partition #0  16106127360   Unknown                  
    TRUE      Disk #0, Partition #1  104857600     Installable File System  
    FALSE     Disk #0, Partition #2  733942382592  Installable File System  
    Is this some kind of special boot partitioning you set up? There are new TDL infections around that create their own partition and make it active. Normally it would add the new partition to the end of the chain. I'm questioning why you have a small 100 MB partition (#1) and it is set to active. It is possible that this was done by your PC vendor to make some special boot procedure. Possibly to allow for reimaging from partition #0 which looks like it may be a factory recovery image.
     
  9. EStrother

    EStrother Private E-2

    Only have restore points to the beginning of this week. I did reply to that other message first, hope you got it.
    Thanks
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not really. I wanted the real C:\MGlogs.zip file. Not a log that you made. But you did put the new files into it so this time it is okay. But in the future when we ask for the log from MGtools or ask for MGlogs.zip, we are asking for the one that is ALWAYS located at C:\MGlogs.zip. ;)

    And yes I understood you did try system restore before coming here. My point was simply that unless malware is removed first, it may not work as desired because the malware would just mess up the registry again. I still want to know how far back your restore points go.

    Also right click Start and in the Run or search box enter services.msc and hit enter. This should bring up the Services form. Scroll down to the Base Filtering Engine service and double click on it. What is the Startup type set to and what is the Service Status currently showing? These should be Automatic and Started but based on your logs I expect that the Status is definitely stopped.
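    The checks chaslang asks for by hand in messages #2 and #10 (SystemLook `:filefind bfe.dll`, then services.msc for the Base Filtering Engine's startup type and status) can be done in one go from an elevated PowerShell prompt. The script below is an added example and is not from this thread or from MGtools; the service names, registry path and bfe.dll location are the standard Windows ones, and nothing in it is specific to the poster's PC.

```powershell
# Added example, not from the MajorGeeks thread: a PowerShell version of the
# manual checks (SystemLook :filefind bfe.dll, then services.msc -> Base
# Filtering Engine -> Startup type / Service status). Run from an elevated prompt.

function Test-BfeHealth {
    [CmdletBinding()]
    param()

    $r = [ordered]@{}

    # 1. The service key itself. The thread's finding is that the malware deletes
    #    HKLM\SYSTEM\CurrentControlSet\Services\BFE, so the service simply vanishes.
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\BFE'
    $r.RegistryKeyPresent = Test-Path $svcKey

    # 2. Which DLL the service is configured to load, and whether it still exists.
    #    BFE is an svchost-hosted service; its DLL is recorded in Parameters\ServiceDll.
    $expectedDll   = Join-Path $env:SystemRoot 'System32\bfe.dll'
    $configuredDll = $null
    if (Test-Path "$svcKey\Parameters") {
        $raw = (Get-ItemProperty "$svcKey\Parameters" -ErrorAction SilentlyContinue).ServiceDll
        if ($raw) { $configuredDll = [Environment]::ExpandEnvironmentVariables($raw) }
    }
    $r.ConfiguredServiceDll = $configuredDll
    $r.DllPointsToSystem32  = [bool]($configuredDll -and ($configuredDll -ieq $expectedDll))
    $r.DllPresentOnDisk     = Test-Path $expectedDll

    # 3. If the file is there, is it still a validly signed Microsoft binary?
    #    Informational only: on Windows 7, catalog-signed system files can report
    #    NotSigned here, so this does not feed the Healthy verdict.
    $r.DllSignature         = 'n/a'
    $r.DllSignedByMicrosoft = $false
    if ($r.DllPresentOnDisk) {
        $sig = Get-AuthenticodeSignature -FilePath $expectedDll
        $r.DllSignature         = $sig.Status.ToString()
        $r.DllSignedByMicrosoft = ($sig.Status -eq 'Valid' -and
                                   $sig.SignerCertificate.Subject -like '*Microsoft*')
    }

    # 4. Startup type and state of BFE and the services that depend on it
    #    (Windows Firewall = MpsSvc, IPsec keying = IKEEXT), as services.msc shows
    #    them. Win32_Service returns nothing for a service whose key is gone.
    $services = foreach ($name in 'BFE', 'MpsSvc', 'IKEEXT') {
        $svc   = Get-CimInstance Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
        $mode  = if ($svc) { $svc.StartMode } else { 'missing' }
        $state = if ($svc) { $svc.State }     else { 'missing' }
        [pscustomobject]@{ Name = $name; Installed = [bool]$svc; StartMode = $mode; State = $state }
    }
    $r.Services = $services

    # Healthy = key present, DLL present, BFE set to Auto and currently Running.
    $bfe = $services | Where-Object { $_.Name -eq 'BFE' }
    $r.Healthy = ($r.RegistryKeyPresent -and $r.DllPresentOnDisk -and
                  $bfe.StartMode -eq 'Auto' -and $bfe.State -eq 'Running')

    [pscustomobject]$r
}

$result = Test-BfeHealth
$result | Format-List RegistryKeyPresent, ConfiguredServiceDll, DllPointsToSystem32,
                      DllPresentOnDisk, DllSignature, DllSignedByMicrosoft, Healthy
$result.Services | Format-Table -AutoSize
```

On a machine in the state this thread describes, expect `RegistryKeyPresent` to be False and the `BFE` row to show `missing` for both columns, with `MpsSvc` and `IKEEXT` stopped because their dependency cannot start. A present key but a missing or unsigned `bfe.dll` is the second variant chaslang mentions.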
     
  11. EStrother

    EStrother Private E-2

    Man, you're fast. Trying to keep up with voice recognition. First off those are the zip logs from the C:\MGTools folder, I just moved it to a folder on my desktop where I have all my log files together.
    Second. I checked on the different drives and the 100 MB one is a system reserve file that was on my machine when I got it, and the other is like fall an image drive from the factory. Should I keep the generated logs in their default location?
     
  12. EStrother

    EStrother Private E-2

    Oh sorry. The BFE is set to automatic but shows nothing for the state, which means it's stopped.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes I know but that is not what I asked for. I asked for the C:\MGlogs.zip file.

    Always.
     
  14. EStrother

    EStrother Private E-2

    No problem, will do
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download the below file and save it to your Desktop

    fixme.reg

    Then double click on it and allow it to be added to your registry. Then reboot your PC.


    After reboot, run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
    Did anything change?
     
  16. EStrother

    EStrother Private E-2

    No change, yet.
     

    Attached Files:

  17. EStrother

    EStrother Private E-2

    Did I do that last one right? I still see the edit button underneath it.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Had to run to get something to eat. Now I'm back. Please run MSconfig and put your PC into normal startup mode as was requested in step 4 of the READ & RUN ME. Do this now while I work thru your newest logs.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also go to the below link and follow the instructions for running TDSSKiller from Kaspersky
    • Be sure to attach your log from TDSSKiller
    Now please also download MBRCheck to your desktop.

    See the download links under this icon
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )
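    The partition question in message #8 and the MBRCheck step above both come down to reading the MBR partition table and asking whether the active partition is where a normal Windows 7 install puts it. The script below is an added example, not from this thread or from MBRCheck: it parses a 512-byte MBR into the same Bootable / Name / Size / Type columns as the WMI log, then applies the sanity checks a practitioner would make. The byte buffer it parses is constructed here to loosely mirror the poster's layout (a 15 GiB hidden recovery partition, a 100 MB active System Reserved partition, a large Windows partition) and is not the poster's real MBR; the partition type names are the standard MBR type codes.

```powershell
# Added example, not from the MajorGeeks thread: parse an MBR partition table,
# report it like the thread's WMI log, and flag anomalies. The sample MBR is
# constructed below; it is NOT the poster's disk.

$PartitionTypes = @{
    0x05 = 'Extended'
    0x07 = 'Installable File System'      # NTFS / exFAT
    0x0B = 'FAT32'
    0x0C = 'FAT32 (LBA)'
    0x0F = 'Extended (LBA)'
    0x27 = 'Hidden NTFS (OEM recovery)'
    0xEE = 'GPT protective'
}

function Read-MbrPartitionTable {
    param([Parameter(Mandatory)][byte[]]$Mbr)
    if ($Mbr.Length -lt 512) { throw "Expected at least 512 bytes, got $($Mbr.Length)" }

    # Four 16-byte entries start at offset 446:
    #   [0] boot flag  [1-3] CHS start  [4] type  [5-7] CHS end  [8-11] start LBA  [12-15] sector count
    $entries = @(for ($i = 0; $i -lt 4; $i++) {
        $off  = 446 + 16 * $i
        $type = [int]$Mbr[$off + 4]
        if ($type -eq 0) { continue }                    # empty slot
        $flag = $Mbr[$off]
        $name = if ($PartitionTypes.ContainsKey($type)) { $PartitionTypes[$type] } else { 'Unknown' }
        [pscustomobject]@{
            Name     = "Disk #0, Partition #$i"
            Bootable = ($flag -eq 0x80)
            BootFlag = '0x{0:X2}' -f $flag
            StartLBA = [BitConverter]::ToUInt32($Mbr, $off + 8)
            Size     = [long][BitConverter]::ToUInt32($Mbr, $off + 12) * 512   # bytes; 512-byte sectors assumed
            TypeCode = '0x{0:X2}' -f $type
            Type     = $name
        }
    })

    $warnings = @()
    if ($Mbr[510] -ne 0x55 -or $Mbr[511] -ne 0xAA) { $warnings += 'Boot signature 55AA missing' }
    foreach ($p in $entries) {
        if ($p.BootFlag -notin '0x00', '0x80') { $warnings += "$($p.Name): non-standard boot flag $($p.BootFlag)" }
    }
    $active = @($entries | Where-Object { $_.Bootable })
    if ($active.Count -gt 1) { $warnings += "More than one active partition ($($active.Count))" }
    $last = $entries | Sort-Object StartLBA | Select-Object -Last 1
    foreach ($p in $active) {
        if ($p.Type -eq 'Unknown') { $warnings += "$($p.Name) is active but has unknown type $($p.TypeCode)" }
        # Heuristic taken from the thread: a bootkit that appends its own partition
        # at the end of the chain and marks it active. A small active NTFS partition
        # sitting before the Windows partition (the Win7 System Reserved layout)
        # does not trigger this.
        if ($entries.Count -gt 1 -and $p.StartLBA -eq $last.StartLBA) {
            $warnings += "$($p.Name) is active and is the last partition on the disk; confirm it was not added by malware"
        }
    }
    [pscustomobject]@{ Partitions = $entries; Warnings = $warnings }
}

# --- constructed sample MBR (not a real disk image) ---------------------------
function Set-MbrEntry([byte[]]$Buffer, [int]$Index, [byte]$Flag, [byte]$Type, [uint32]$StartLba, [uint32]$Sectors) {
    $off = 446 + 16 * $Index
    $Buffer[$off]     = $Flag
    $Buffer[$off + 4] = $Type
    # CHS fields are left zero; modern code reads the LBA fields only
    [BitConverter]::GetBytes($StartLba).CopyTo($Buffer, $off + 8)
    [BitConverter]::GetBytes($Sectors).CopyTo($Buffer, $off + 12)
}

$sample = New-Object byte[] 512
Set-MbrEntry $sample 0 0x00 0x27 2048     31457280      # 15 GiB hidden recovery image
Set-MbrEntry $sample 1 0x80 0x07 31459328 204800        # 100 MB System Reserved, active
Set-MbrEntry $sample 2 0x00 0x07 31664128 1433481216    # ~734 GB Windows partition
$sample[510] = 0x55; $sample[511] = 0xAA

$report = Read-MbrPartitionTable $sample
$report.Partitions | Format-Table Bootable, Name, Size, Type -AutoSize
if ($report.Warnings) { $report.Warnings } else { 'No MBR partition-table anomalies found' }
```

For the constructed sample the report matches the thread's conclusion: the only active partition is the 100 MB System Reserved one in the middle of the chain, so no warning fires. To run the parser against a real disk, read the first 512 bytes of `\\.\PhysicalDrive0` from an elevated session into a byte array and pass that instead of `$sample`; the parser itself does not touch the disk.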
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After completing the instructions in my previous two messages, continue with the below.


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll (file missing)
    O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
    O3 - Toolbar: (no name) - {0C8413C1-FAD1-446C-8584-BE50576F863E} - (no file)
    O15 - Trusted Zone: http://www.bestmmatorrents.com
    O15 - Trusted Zone: http://www.pinupsforvets.com
    O15 - Trusted Zone: http://*.stagevu.com
    O15 - Trusted Zone: http://puzzles.usatoday.com

    After clicking Fix, exit HJT.


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
     
