BFE and Windows Firewall not starting

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by EStrother, Dec 10, 2011.

  1. EStrother

    EStrother Private E-2

    I got zapped by the stupid FAKE Windows Antivirus. I have to use voice recognition software to operate my computer, so by the time I closed it, it did a little bit of damage. I immediately disabled my router and ran all my virus and malware scanners, got rid of whatever they found (CCleaner, Malwarebytes, SUPERAntiSpyware, and AVG 2012 Free Edition), and rebooted when they told me to. Thought everything was OK, except I noticed that my BFE, Windows Firewall, and the others were not running and I can't start them. Anything that depends on BFE will not start because I can't get BFE to start. As per your request I uninstalled AVG so it wouldn't interfere with ComboFix, and I ran all of the "run me first" software that y'all suggested with AVG uninstalled, so now I have no firewall and no antivirus on my computer. I don't like that. So hopefully we can fix it quick so I can at least get an antivirus back on my machine.
    Thanks
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Yes, this is a new type of problem happening on Win 7 and Vista systems. New malware is deleting the BFE service from the registry to block any firewall and IPsec services from running. The malware may even delete the necessary bfe.dll file, which it appears to have done on your PC.

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1

    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      bfe.dll
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. You can just close this notepad window since the log is already saved on your Desktop. Be patient! It may look like it is not doing anything, but it takes a while for this to scan through your whole system looking for matches.
    • Please attach the SystemLook.txt log found on your Desktop to your next reply.
    Also download and save the below two newer version files to your C:\MGtools folder overwriting the older files. You must save them to the C:\MGtools folder.

    GetNetInf.bat

    NwkTst.bat

    Now one at a time, right click on each of the below files and select Run As Administrator. Let the first finish running before running the second one.

    C:\MGtools\NwkTst.bat

    C:\MGtools\GetNetInf.bat

    Then attach the updated C:\MGlogs.zip file.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Oh and two more questions, does System Restore work on your PC? And if yes, do you have restore points from before this problem began?
     
  4. EStrother

    EStrother Private E-2

    Yes I do, but I already tried that and it didn't fix the problem, and I even tried Last Known Good Configuration and it still didn't fix it.
    Thanks
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, but there may be other issues to address first before doing that. I did not say to do it now. I just asked if there are restore points. ;) Also, how far back do you have restore points for?

    You still need to do what I asked in message # 2.
     
  6. EStrother

    EStrother Private E-2

    I hope I replied right to this, if not let me know. Here are the requested log files
    Thanks
     

    Attached Files:

  7. EStrother

    EStrother Private E-2

    I tried those last week. So I wasn't jumping ahead of your instructions, I was just letting you know.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also I have another question about your hard disk partitioning. Your logs show the below
    Code:
    Get Partition Info From WMI in K-bytes                          
    ==============================================================  
    Bootable  Name                   Size          Type                     
    FALSE     Disk #0, Partition #0  16106127360   Unknown                  
    TRUE      Disk #0, Partition #1  104857600     Installable File System  
    FALSE     Disk #0, Partition #2  733942382592  Installable File System  
    Is this some kind of special boot partitioning you set up? There are new TDL infections around that create their own partition and make it active. Normally it would add the new partition to the end of the chain. I'm questioning why you have a small 100 MB partition (#1) and it is set to active. It is possible that this was done by your PC vendor to make some special boot procedure, possibly to allow for reimaging from partition #0, which looks like it may be a factory recovery image.
     
  9. EStrother

    EStrother Private E-2

    Only have restore points to the beginning of this week. I did reply to that other message first, hope you got it.
    Thanks
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not really. I wanted the real C:\MGlogs.zip file. Not a log that you made. But you did put the new files into it so this time it is okay. But in the future when we ask for the log from MGtools or ask for MGlogs.zip, we are asking for the one that is ALWAYS located at C:\MGlogs.zip. ;)

    And yes I understood you did try system restore before coming here. My point was simply that unless malware is removed first, it may not work as desired because the malware would just mess up the registry again. I still want to know how far back your restore points go.

    Also right click Start and in the Run or search box enter services.msc and hit enter. This should bring up the Services form. Scroll down to the Base Filtering Engine service and double click on it. What is the Startup type set to and what is the Service Status currently showing? These should be Automatic and Started, but based on your logs I expect that the Status is definitely stopped.
     
  11. EStrother

    EStrother Private E-2

    Man, you're fast. Trying to keep up with voice recognition. First off, those are the zip logs from the C:\MGTools folder; I just moved it to a folder on my desktop where I have all my log files together.
    Second, I checked on the different drives and the 100 MB one is a system reserve file that was on my machine when I got it, and the other is like a fall back image drive from the factory. Should I keep the generated logs in their default location?
     
  12. EStrother

    EStrother Private E-2

    Oh sorry. The BFE is set to Automatic; it shows nothing for the state, which means it is stopped.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes I know but that is not what I asked for. I asked for the C:\MGlogs.zip file.

    Always.
     
  14. EStrother

    EStrother Private E-2

    No problem, will do
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download the below file and save it to your Desktop

    fixme.reg

    Then double click on it and allow it to be added to your registry. Then reboot your PC.


    After reboot, run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
    Did anything change
     
  16. EStrother

    EStrother Private E-2

    No change, yet.
     

    Attached Files:

  17. EStrother

    EStrother Private E-2

    Did I do that last one right? I still see the edit button underneath it.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Had to run to get something to eat. Now I'm back. Please run MSconfig and put your PC into normal startup mode as was requested in step 4 of the READ & RUN ME. Do this now while I work through your newest logs.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also go to the below link and follow the instructions for running TDSSKiller from Kaspersky
    • Be sure to attach your log from TDSSKiller
    Now please also download MBRCheck to your desktop.

    See the download links under this icon
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After completing the instructions in my previous two messages, continue with the below.


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll (file missing)
    O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
    O3 - Toolbar: (no name) - {0C8413C1-FAD1-446C-8584-BE50576F863E} - (no file)
    O15 - Trusted Zone: http://www.bestmmatorrents.com
    O15 - Trusted Zone: http://www.pinupsforvets.com
    O15 - Trusted Zone: http://*.stagevu.com
    O15 - Trusted Zone: http://puzzles.usatoday.com

    After clicking Fix, exit HJT.


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up because you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then you will need to reboot your computer, which will normally fix this problem.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
     
  21. EStrother

    EStrother Private E-2

    Here you go
     

    Attached Files:

  22. EStrother

    EStrother Private E-2

    OK, ran the analysis.exe from MGtools, fixed the ones you pointed out. But I have to wait until tomorrow to run combofix, because after combofix reboots my PC it doesn't allow my voice recognition software to automatically load, so I'll have to get somebody to reboot it since I'm paralyzed. And they just went to bed.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Wow! I'm so sorry to hear this, but I'm happy to see that you are on the internet doing things.

    We will continue tomorrow. I have something new that I want to try in an attempt to get the BFE service running again. This is a new type of infection that just started appearing a couple of days ago, and now it is spreading through the internet like wildfire. There is no known easy fix yet. In fact, there is no known fix short of a total reinstall yet. But we are working on it. ;)
     
  24. EStrother

    EStrother Private E-2

    There is already a MGtools.zip folder on my hard drive from the last scan we did, should I leave it there?
     
  25. EStrother

    EStrother Private E-2

    Thanks. We were trained to adapt and overcome. A hell of a thing to overcome though. But a lot of my fellow brothers in arms were not quite as lucky. It's weird though kinda like being imprisoned in your own body.
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I assume you meant the MGlogs.zip file, not folder. Yes, just leave it alone. It automatically gets updated every time we have you run GetLogs.bat or any other individual scan from the MGtools folder. However, since I have just updated MGtools a few minutes ago, I really want you to use the new program. So if you have completed the steps with ComboFix, just run the below now.


    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below log:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I cannot even imagine what it is like.
     
  28. EStrother

    EStrother Private E-2

    No change. BFE still won't start
     

    Attached Files:

  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now run the C:\MGtools\FixWFW.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator). This will run very fast. Let me know if you see any error messages though.

    I found a bug in one of the MGtools programs.

    Please download and save the below new version file to your C:\MGtools folder, overwriting the older file. You must save it to the C:\MGtools folder.

    NwkTst.bat


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
     
  30. EStrother

    EStrother Private E-2

    You ain't kiddin', that runs fast. Couldn't tell if there was an error message or not, ran too fast.
     

    Attached Files:

  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download SubInACL.msi from Microsoft.
    • Now double click on SubInACL.msi to run the installer. Accept any prompts you get about installing this.
    • Now download the below file and save it to your Desktop:
    • Then double click on resetperm.cmd to run this script. Be patient as this may take awhile to run.
    Once it finishes, reboot your PC.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
     
  32. EStrother

    EStrother Private E-2

    It only flashed the command prompt, so I hope it ran.
     

    Attached Files:

  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hmmmm! We still have not been able to get the BFE service started. It still looks like there are some items missing/incorrect in the registry. Let's see if we can get the below fix with ComboFix to address this.




    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up because you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then you will need to reboot your computer, which will normally fix this problem.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  34. EStrother

    EStrother Private E-2

    I already have one combofix.txt file on my C drive, should I delete it, move it, or leave it there?
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It gets overwritten each time you run ComboFix. ;)
     
  36. EStrother

    EStrother Private E-2

    For the BFE Instead of Error 5 access denied I now get Error 1073, the dependency service does not exist or has been marked for deletion.
    And the path to executable is blank
     

    Attached Files:
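The checks chaslang has EStrother do by hand (message 2: SystemLook for bfe.dll; message 10: the Startup type and Service Status of Base Filtering Engine in services.msc) and the symptoms EStrother reports in message 36 (the "dependency service does not exist or has been marked for deletion" error and a blank Path to executable) can be collected in one pass. The PowerShell below is an added example, not code from the thread, from MGtools or from SystemLook; it assumes PowerShell 3 or later, an elevated prompt, and the standard Windows service names BFE, MpsSvc (Windows Firewall) and IKEEXT. It only reads the registry and disk; it changes nothing.

```powershell
# Added example, not code from the thread or from MGtools: a read-only check of the
# pieces the thread says this malware removes (the BFE service key, its ImagePath,
# its ServiceDll and bfe.dll on disk) for the Base Filtering Engine and two
# firewall-side services that cannot start without it. Requires PowerShell 3 or
# later; run from an elevated prompt. Nothing is written to the registry or disk.

function Test-ServiceRegistration {
    param([Parameter(Mandatory=$true)][string]$Name)

    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $r = [ordered]@{
        Service = $Name; KeyExists = (Test-Path $key); Status = 'NOT REGISTERED'
        Start = $null; ImagePath = $null; ServiceDll = $null; DllExists = $null
        DependsOn = $null; Findings = @()
    }

    if (-not $r.KeyExists) {
        $r.Findings += 'service key missing from the registry'
        return [pscustomobject]$r
    }

    $props = Get-ItemProperty -Path $key
    $r.Start     = $props.Start
    $r.ImagePath = $props.ImagePath
    $r.DependsOn = $props.DependOnService

    # svchost-hosted services (BFE, MpsSvc, IKEEXT) name their DLL under Parameters\ServiceDll
    $params = Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue
    if ($params) { $r.ServiceDll = $params.ServiceDll }

    if (-not $r.ImagePath) {
        $r.Findings += 'ImagePath missing (services.msc shows a blank "Path to executable")'
    }
    if ($r.ServiceDll) {
        $dll = [Environment]::ExpandEnvironmentVariables($r.ServiceDll)
        $r.DllExists = Test-Path $dll
        if (-not $r.DllExists) { $r.Findings += "ServiceDll not on disk: $dll" }
    } else {
        $r.Findings += 'ServiceDll value missing under Parameters'
    }
    # Start: 2 = Automatic, 3 = Manual, 4 = Disabled
    if ($r.Start -ne 2) { $r.Findings += "Start type is $($r.Start), expected 2 (Automatic)" }

    # A dependency whose own key is gone is what produces "the dependency service does
    # not exist or has been marked for deletion" when you press Start in services.msc.
    foreach ($dep in @($r.DependsOn)) {
        if ($dep -and -not (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$dep")) {
            $r.Findings += "dependency '$dep' is not registered"
        }
    }

    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($svc) { $r.Status = $svc.Status.ToString() }
    if ($r.Status -ne 'Running') { $r.Findings += "service is $($r.Status)" }

    [pscustomobject]$r
}

# The same search SystemLook's ":filefind bfe.dll" step performs, limited to the
# Windows folder: any surviving copy (for example under winsxs) is worth knowing about.
function Find-FileCopies {
    param([Parameter(Mandatory=$true)][string]$FileName,
          [string]$Root = $env:SystemRoot)
    Get-ChildItem -Path $Root -Filter $FileName -Recurse -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

# BFE first, then the services the thread mentions as unable to start without it
'BFE', 'MpsSvc', 'IKEEXT' |
    ForEach-Object { Test-ServiceRegistration -Name $_ } |
    Format-List Service, Status, KeyExists, Start, ImagePath, ServiceDll, DllExists, DependsOn, Findings

"Copies of bfe.dll under $($env:SystemRoot):"
Find-FileCopies -FileName 'bfe.dll' | Format-Table -AutoSize
```

On a healthy Windows 7 machine all three services report Running with an ImagePath, a ServiceDll that exists on disk and an empty Findings list; a missing key, a blank ImagePath or an unregistered dependency line up with the symptoms in this thread and are the items a repair has to put back.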

  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "All files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    If the above worked without any errors, run the C:\MGtools\GetNetInf.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below log which should get updated:
    • C:\MGlogs.zip
     
  38. EStrother

    EStrother Private E-2

    The merge was successful. No change in status though.
     

    Attached Files:

  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In preparation for next steps, I want you to download and save the below to your Desktop
    Then double click on it to install the RegistrarLite program.

    Now run the RegistrarLite Program and copy and paste the below into the address bar line and hit enter:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root

    It will look like the below

    RL_CCS_EnumRoot.jpg

    • Then click on Security on the top menu and select Take Ownership
    • Then click on Security on the top menu and select Edit Permissions
    • On the next form, in the Group or user names: section, make sure Everyone is selected. Then in the bottom pane where it says Permissions for Everyone, put a check in the Full Control box and make sure it changes. It should look like the below when done correctly
    RL-Perm_Everyone.jpg

    Now repeat the same to Take Ownership and Edit Permissions after pasting the below into the address bar and hit enter

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE

    RL_CCS_Serv_BFE.jpg

    Let me know if you are able to get the above completed.
     
    Last edited: Dec 12, 2011
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's my fault. I forgot to change the REGEDIT4 to Windows Registry Editor Version 5.00

    We will address this after you get Registrar Lite installed and complete the instructions I just gave.
     
  41. EStrother

    EStrother Private E-2

    I was wondering about that being regedit 4 instead of 5, I was going to change it myself if it didn't work, except later on
     
  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    REGEDIT4 will work, but the info has to be formatted differently for REGEDIT4 import. Also, you cannot just change it to REGEDIT4; it has to be like I showed.


    Note: For clarity, I added some snapshots to the instructions for using Registrar Lite
     
  43. EStrother

    EStrother Private E-2

    Wouldn't let me change permissions to full control
     
  44. EStrother

    EStrother Private E-2

    Do you want me to go ahead and try taking ownership with full control with the following since the first one button change permissions?
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
     
  45. EStrother

    EStrother Private E-2

    Sorry about the wrong word in the previous post. Do you want me to go ahead and try taking ownership with full control with the following since the first one wouldn't change permissions?
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
     
  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you Take Ownership first? And did it give you acknowledgement?
     
  47. EStrother

    EStrother Private E-2

    Yes, I took ownership, but it wouldn't let me change to full control of the root. Do you want me to try taking ownership and full control of the BFE?
     
  48. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, go ahead. This should definitely work. The ROOT keys are different, but that should have worked.

    So when you took ownership of the Root was the root folder actually selected in the left window pane? And did it say it worked?
     
  49. EStrother

    EStrother Private E-2

    Yes ROOT was highlighted, and the take ownership worked, just not the change of permissions to full control.
    For the BFE took ownership and I have 5 listed in the group or user name list.

    CREATOR OWNER (read permissions only)
    SYSTEM (full control)
    the best I could make out for the one right below
    S-1-5-21-2127671820-2500860637-3471101304 (full control)
    Administrator (ERIC\Administration) (full control)
    Users (ERIC\Users) (full control)

    should I try changing permissions for Creator Owner, and do you know what the third one in the list is?
     
  50. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes you can do this.
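The ownership and permission picture that chaslang has EStrother read off the Registrar Lite dialogs (messages 39 and 49: owner, CREATOR OWNER, SYSTEM, an account that only shows as a raw S-1-5-21 SID, Administrators, Users) can be captured from PowerShell, which also makes it easy to keep a before/after record. The script below is an added example, not code from the thread or from Registrar Lite; it assumes PowerShell 3 or later, an elevated prompt, and the two key paths quoted in message 39. It reads only; Take Ownership and Edit Permissions are still done by hand as the thread describes.

```powershell
# Added example, not code from the thread or from Registrar Lite: a read-only dump of
# the owner and access entries on the two registry keys the thread has the user take
# ownership of, with each identity shown beside its SID so that an entry that only
# displays as a raw S-1-5-21-... SID can be recorded as such. Requires PowerShell 3 or
# later; run from an elevated prompt. Nothing is changed.

function Get-RegistryKeyAcl {
    param([Parameter(Mandatory=$true)][string]$Path)   # e.g. HKLM:\SYSTEM\CurrentControlSet\Services\BFE

    if (-not (Test-Path $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; Owner = $null; Error = 'key not found'; Entries = @() }
    }
    try {
        $acl = Get-Acl -Path $Path -ErrorAction Stop
    } catch {
        # READ_CONTROL denied: even reading the ACL has been locked down
        return [pscustomobject]@{ Path = $Path; Exists = $true; Owner = $null; Error = $_.Exception.Message; Entries = @() }
    }

    $entries = foreach ($ace in $acl.Access) {
        $name = $ace.IdentityReference.Value
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { $sid = $name }
        [pscustomobject]@{
            Identity   = $name
            Sid        = $sid
            Unresolved = ($name -like 'S-1-*')   # no account maps to this SID any more
            Rights     = $ace.RegistryRights.ToString()
            Type       = $ace.AccessControlType.ToString()
            Inherited  = $ace.IsInherited
        }
    }
    [pscustomobject]@{ Path = $Path; Exists = $true; Owner = $acl.Owner; Error = $null; Entries = @($entries) }
}

# Flags what a responder looks at on a service key: SYSTEM or Administrators without
# Full Control (the service cannot be started or repaired), Deny entries, entries for
# SIDs that no longer resolve, and Full Control for the Users group, which Windows does
# not grant on service keys by default.
function Test-ServiceKeyAcl {
    param([Parameter(Mandatory=$true)][string]$Path)
    $info = Get-RegistryKeyAcl -Path $Path
    if ($info.Error) { return @("cannot read ACL of ${Path}: $($info.Error)") }

    $findings = @()
    $allow = $info.Entries | Where-Object { $_.Type -eq 'Allow' }
    if (-not ($allow | Where-Object { $_.Sid -eq 'S-1-5-18' -and $_.Rights -match 'FullControl' })) {
        $findings += 'SYSTEM does not have FullControl'
    }
    if (-not ($allow | Where-Object { $_.Sid -eq 'S-1-5-32-544' -and $_.Rights -match 'FullControl' })) {
        $findings += 'Administrators do not have FullControl'
    }
    foreach ($e in $info.Entries) {
        if ($e.Type -eq 'Deny') { $findings += "Deny entry for $($e.Identity): $($e.Rights)" }
        if ($e.Unresolved)      { $findings += "unresolvable SID $($e.Sid) holds $($e.Rights)" }
        if ($e.Sid -eq 'S-1-5-32-545' -and $e.Rights -match 'FullControl') {
            $findings += 'Users group has FullControl'
        }
    }
    if ($findings.Count -eq 0) { $findings += 'no anomalies' }
    $findings
}

# Dump both keys from message 39; the anomaly rules above are written for a
# service key, so they are applied only to Services\BFE.
foreach ($key in 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root',
                 'HKLM:\SYSTEM\CurrentControlSet\Services\BFE') {
    $info = Get-RegistryKeyAcl -Path $key
    "`n== $key   owner: $($info.Owner)"
    $info.Entries | Format-Table Identity, Sid, Rights, Type, Inherited -AutoSize
}
"`nAnomaly check for the BFE service key:"
Test-ServiceKeyAcl -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\BFE'
```

Run it once before and once after the Take Ownership / Edit Permissions steps and diff the two outputs; an entry whose Identity column is a bare SID is the kind EStrother could only read out digit by digit, and a key on which SYSTEM has lost Full Control is consistent with the "Error 5, access denied" first reported for the service.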
     
