BleepingComputer.com: Need a registry fix please

Hello everyone.

I have been waiting for over 3 days for help over in the removal forum here. I haven't gotten any responses yet, so I thought I would post here. I hope that is ok. I believe at this point, all I need is a customized registry fix to get this computer up and running perfectly again. I am fairly certain there is no longer any infection on the system, but some registry damage was done so that my Base Filtering Engine (bfe.dll) is no longer functioning. Because of that, all dependency services also fail to start. What can I do? Thanks in advance for the advice.

Please save the following contents as reg file. Then execute this file to import to registry.


<content removed for security reasons>


Save it as .reg file,launch it and add to registry

See if you can start the base filtering engine service

This post has been edited by elise025: 17 December 2011 - 08:03 AM
Reason for edit: content removed.

Thanks for your quick response!
I added the data you provided to the registry, and after a reboot, the Base Filtering Engine now shows up in the Services console. It is not able to start, however, giving error code 5: access is denied.

Now what do I do?

P.S. Did you review my logs from the other forum?

Do you have windows firewall service?

Probably vista rogue deleted both bfe and windows firewall keys.

If you do not have windows firewall,copy this


<content removed for security reasons>

Save it as .reg file and import

Now,open RUN and type

regedit and click ok

go to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE

Right click on it-permissions

Click on ADD and type

Everyone and click ok

Click on Everyone

Below you have permission for users

Select full control and click ok

Now start bfe service and windows firewall service

This post has been edited by elise025: 17 December 2011 - 08:05 AM
Reason for edit: content removed

A suggestion has been made that involves modifying the registry. Modifying the registry can be dangerous (and can render your system unbootable) so it's advisable that you make a backup of the registry before proceeding.
Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing so follow the steps that are listed below EXACTLY. if you cannot perform some of these steps or if you have ANY questions please ask BEFORE proceeding.

Backing Up Your Registry

• Go Here and download ERUNT
  (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  
• Install ERUNT by following the prompts
  (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  
• Start ERUNT
  (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  
• Choose a location for the backup
  (the default location is C:\WINDOWS\ERDNT which is acceptable).
  
• Make sure that at least the first two check boxes are ticked
  
• Press OK
  
• Press YES to create the folder.

Registry Modifications

For more information about modifying the registry, see this Microsoft article: http://support.microsoft.com/default.aspx/kb/256986

narenxp, thank you for your patience. I was able to receive some help in the malware removal thread I posted in the original post. Here.

Unfortunately, we were not able to resolve every issue caused by the rogue program. My helper there suggested I post a new thread in the Windows 7 forum, but I was hoping you could give me some additional help?

Your "permissions fix" worked to allow me to start the Base Filtering Engine service. The Windows Firewall service also appears to be functioning normally now too.

The only thing I can see is wrong now, is the Action Center is not monitoring my security properly. Only the UAC and Network Access protection is showing there. There is no virus protection on the computer right now and I am not receiving warnings. When I try to turn on warning messages, the options are greyed-out. I think the malware has done some more damage in this area. I posted 2 screenshots in the other thread that show exactly what I'm talking about. Please help!

Anybody?

Screenshot

My helper in the Malware Removal thread told me to post my question here about the Action Center.

I think the virus destroyed some of the registry entries for the Action Center or something. I have no anti-virus installed, but the Action Center isn't warning me. I don't think it is monitoring properly. I took some screenshots posted in the other thread. I would post them here, but my quota is only 512K here.

Please help. This virus has caused a lot of damage. I haven't been able to use this computer for 2 weeks now.

Mod Edit: Merged with AII topic ~ Hamluis.

This post has been edited by hamluis: 19 December 2011 - 11:02 AM

Sorry for not replying you for a while

Go to RUN and type

regedit and click ok

Do you have this key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc

Thanks

This post has been edited by narenxp: 18 December 2011 - 03:55 PM

Hello cart0181,


I came across this site: FIX: Action Center and Windows Security Center no longer recognizes AntiVirus and Firewall

Don't know if it will help you.

Yes, I do have that key. I exported its contents and posted below:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,\
  00,65,00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,52,00,65,00,73,00,74,00,\
  72,00,69,00,63,00,74,00,65,00,64,00,00,00
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,77,00,69,00,6e,00,\
  6d,00,67,00,6d,00,74,00,00,00,00,00
"ObjectName"="NT AUTHORITY\\LocalService"
"RequiredPrivileges"=hex(7):53,00,65,00,43,00,68,00,61,00,6e,00,67,00,65,00,4e,\
  00,6f,00,74,00,69,00,66,00,79,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
  67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,\
  00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\
  00,00,00,00
"DelayedAutoStart"=dword:00000001
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
  00,01,00,00,00,c0,d4,01,00,01,00,00,00,e0,93,04,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc\Enum]
"0"="Root\\LEGACY_WSCSVC\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc\Parameters]
"ServiceDll"=hex(2):25,00,53,00,59,00,53,00,54,00,45,00,4d,00,52,00,4f,00,4f,\
  00,54,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  77,00,73,00,63,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00

Can you start the security center service?

Do you receive any dependency errors?

If yes

Please create a registry backup as suggested by boopme

Now ,i think your OS is Windows 7 ,64 bit

Copy this script

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc]
"DisplayName"="@%SystemRoot%\\System32\\wscsvc.dll,-200"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,\
  00,65,00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,52,00,65,00,73,00,74,00,\
  72,00,69,00,63,00,74,00,65,00,64,00,00,00
"Start"=dword:00000002
"Type"=dword:00000020
"Description"="@%SystemRoot%\\System32\\wscsvc.dll,-201"
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,57,00,69,00,6e,00,\
  4d,00,67,00,6d,00,74,00,00,00,00,00
"ObjectName"="NT AUTHORITY\\LocalService"
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,43,00,68,00,61,00,6e,00,67,00,65,00,4e,\
  00,6f,00,74,00,69,00,66,00,79,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
  67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,\
  00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\
  00,00,00,00
"DelayedAutoStart"=dword:00000001
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
  00,01,00,00,00,c0,d4,01,00,01,00,00,00,e0,93,04,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc\Parameters]
"ServiceDllUnloadOnStop"=dword:00000001
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  77,00,73,00,63,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc\Security]
"Security"=hex:01,00,14,80,c8,00,00,00,d4,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,98,00,06,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,9d,01,02,00,01,01,00,00,00,00,00,05,04,00,00,00,00,\
  00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,00,00,14,00,00,01,\
  00,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,28,00,15,00,00,00,01,06,00,\
  00,00,00,00,05,50,00,00,00,49,59,9d,77,91,56,e5,55,dc,f4,e2,0e,a7,8b,eb,ca,\
  7b,42,13,56,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,\
  00,00,00

Save it as a .reg extension,launch it,restart your PC and see if you can start the security center service


Good luck

The service is already started, but it shows up as "wscsvc" in the Services snap-in, and the Description column is blank. Does that mean the DisplayName is not set?

This post has been edited by cart0181: 18 December 2011 - 07:19 PM

Is that a windows 7 ,64 bit OS? Can you do the steps as suggested then?

Launch the reg file and restart and check

good luck

This post has been edited by narenxp: 18 December 2011 - 07:22 PM

Yes, it is Win7 64-bit. We are online at the same time. Thanks for all your help!