BFE and Windows Firewall not starting

[EStrother]

Here you go

[EStrother]

OK, ran the analysis.exe from MGtools, fixed the ones you pointed out. But I have to wait until tomorrow to run combofix, because after combofix reboots my PC it doesn't allow my voice recognition software to automatically load, so I'll have to get somebody to reboot it since I'm paralyzed. And they just went to bed.

[chaslang]

Quote:

Originally Posted by EStrother

so I'll have to get somebody to reboot it since I'm paralyzed.

Wow! I'm so sorry to hear this, but I'm happy to see that you on the internet doing things.

We will continue tomorrow. I have something new that I want to try in an attempt to get the BFE service running again. This is a new type of infection that just started appearing a couple days ago. And now it is spreading throught the internet like wild fire. There is no known easy fix yet. In fact, there is no know fix short of a total reinstall yet. But we are working on it.

[EStrother]

There is already a MGtools.zip folder on my hard drive from the last scan we did, should I leave it there?

[EStrother]

Thanks. We were trained to adapt and overcome. A hell of a thing to overcome though. But a lot of my fellow brothers in arms were not quite as lucky. It's weird though kinda like being imprisoned in your own body.

[chaslang]

Quote:

Originally Posted by EStrother

There is already a MGtools.zip folder on my hard drive from the last scan we did, should I leave it there?

I assume you meant the MGlogs.zip file not folder. Yes just leave it alone. It automatically gets updated everytime we have you run GetLogs.bat or any other individual scan from the MGtools folder. However since I have just updated MGtools a few minutes ago, I really want you to use the new program. So if you have completed the steps with ComboFix, just run the below now.


Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

Now attach the below log:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

[chaslang]

Quote:

Originally Posted by EStrother

Thanks. We were trained to adapt and overcome. A hell of a thing to overcome though. But a lot of my fellow brothers in arms were not quite as lucky. It's weird though kinda like being imprisoned in your own body.

I cannot even image what it is like.

[EStrother]

No change. BFE still won't start

[chaslang]

Now run the C:\MGtools\FixWFW.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator). This will run very fast. Let me know if you see any error messages though.

I found a bug in one of the MGtools programs.

Please download and save the below new version file to your C:\MGtools folder overwriting the older file. You must save them to the C:\MGtools folder.

NwkTst.bat


Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\MGlogs.zip

[EStrother]

You ain't kiddin that runs fast. Couldn't tell if there was a error message or not, ran too fast.

[chaslang]

Download SubInACL.msi from Microsoft.

• Now double click on SubInACL.msi to run the installer. Accept any prompts you get about installing this.
• Now download the below file and save it to your Desktop:
  • resetperm.cmd
• Then double click on resetperm.cmd to run this script. Be patient as this may take awhile to run.

Once it finishes, reboot your PC.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\MGlogs.zip

[EStrother]

Quote:

Originally Posted by chaslang;Then double click on resetperm.cmd to run this script. Be patient as this may take awhile to run
[B

[/B]

The only flashed the command prompt, so I hope it ran

[chaslang]

Hmmmm! We still have not been able to get the BFE service started. It still looks like there are some items missing/incorrect in the registry. Let's see if we can get the below fix with ComboFix to address this.




Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

Quote:

KILLALL::
Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE]
"DisplayName"="@%SystemRoot%\\system32\\bfe.dll,-1001"
"ImagePath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,\
00,65,00,4e,00,6f,00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,00,00
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"RequiredPrivileges"=hex(7):53,00,65,00,41,00,75,00,64,00,69,00,74,00,50,00,72,\
00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6d,00,\
70,00,65,00,72,00,73,00,6f,00,6e,00,61,00,74,00,65,00,50,00,72,00,69,00,76,\
00,69,00,6c,00,65,00,67,00,65,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc]
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,\
00,65,00,4e,00,6f,00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,00,00
"DependOnService"=hex(7):6d,00,70,00,73,00,64,00,72,00,76,00,00,00,62,00,66,00,\
65,00,00,00,00,00
"RequiredPrivileges"=hex(7):53,00,65,00,41,00,73,00,73,00,69,00,67,00,6e,00,50,\
00,72,00,69,00,6d,00,61,00,72,00,79,00,54,00,6f,00,6b,00,65,00,6e,00,50,00,\
72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,41,00,75,\
00,64,00,69,00,74,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\
00,00,53,00,65,00,43,00,68,00,61,00,6e,00,67,00,65,00,4e,00,6f,00,74,00,69,\
00,66,00,79,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,\
53,00,65,00,43,00,72,00,65,00,61,00,74,00,65,00,47,00,6c,00,6f,00,62,00,61,\
00,6c,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,\
65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,00,61,00,74,00,65,00,50,\
00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,\
6e,00,63,00,72,00,65,00,61,00,73,00,65,00,51,00,75,00,6f,00,74,00,61,00,50,\
00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE\Enum]
"0"="Root\\LEGACY_BFE\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BFE]
"NextInstance"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BFE\0000]
"Service"="BFE"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="@%SystemRoot%\\system32\\bfe.dll,-1001"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Enum]
"0"="Root\\LEGACY_MPSSVC\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MPSSVC]
"NextInstance"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MPSSVC\0000]
"Service"="MpsSvc"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="@%SystemRoot%\\system32\\FirewallAPI.dll,-23090"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MPSDRV\0000]
"ConfigFlags"=dword:00000020
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MPSDRV\0000\Control]
"ActiveService"="mpsdrv"

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running Combofix you discover none of your programs will open up because you recieve the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.
Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

[EStrother]

I already have one combofix.txt file on my C drive, should I delete it, move it, or leave it there?

[chaslang]

Quote:

Originally Posted by EStrother

I already have one combofix.txt file on my C drive, should I delete it, move it, or leave it there?

It get's overwritten each time you run ComboFix.

[EStrother]

For the BFE Instead of Error 5 access denied I now get Error 1073, the dependency service does not exist or has been marked for deletion.
And the path to executable is blank

[chaslang]

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Quote:

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE]
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc]
"DependOnService"=hex(7):6d,00,70,00,73,00,64,00,72,00,76,00,00,00,62,00,66,00,\
65,00,00,00,00,0

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.


If the above worked without any errors, run the C:\MGtools\GetNetInf.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below log which should get updated:

• C:\MGlogs.zip

[EStrother]

The merge was successful. No change in status though.

[chaslang]

In preparation for next steps, I want you to download and save the below to your Desktop

• reglite.exe

Then double click on it to install the RegistrarLite program.

Now run the RegistrarLite Program and copy and paste the below into the address bar line and hit enter:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root

It will look like the below

RL_CCS_EnumRoot.jpg

• Then click on Security on the top menu and select Take Ownership
• Then click on Security on the top menu and select Edit Permissions
• On the next form, in the Group or user names: section, make sure Everyone is selected. Then in the bottom pane where it says Permissions for Everyone, put a check in the Full Control box and make sure it changes. It should look like the below when done correctly

RL-Perm_Everyone.jpg

Now repeat the same to Take Ownership and Edit Permissions after pasting the below into the address bar and hit enter

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE

RL_CCS_Serv_BFE.jpg

Let me know if you are able to get the above completed.

[chaslang]

Quote:

Originally Posted by EStrother

The merge was successful. No change in status though.

That's my fault. I forgot to change the REGEDIT4 to Windows Registry Editor Version 5.00

We will address this after you get Registrar Lite installed and complete the instructions I just gave.