BleepingComputer.com: failed to clean my laptop of win 7 antivirus 2012 virus

Hi all and thank you for all your help here. I have been trolling the forum looking for advice on getting rid of the Win 7 antivirus 2012 virus.
I have an HP pavillion g7, OS: Windows 7 x64. I typically run McAfee and Superantispyware with daily scans by both.

the laptop began running slow a couple weeks ago and I could see weird pop ups coming and going before I could read then for the last 4 days Today, the Virus started posting the typical warning signs directing me to purchase etc... and would not let me access anything on the internet (firefox browser), redirected google and prevented me from accessing programs on my computer.


This morning I followed these clean up instructions:

http://www.bleepingcomputer.com/virus-removal/remove-win-7-antispyware-2012.

I ran fixNCR, RKill, TDSSKiller and malwarebytes just as described.

Afterward I downloaded Secunia PSI and updated the files it found problematic, except one java file that would not work.

Everything seemed to be ok, the Win7Antivirus2012 warning pop ups were gone, my browser (firefox) ran faster, the whole laptop ran faster. Several hours later McAfee began showing up, as a pop up telling me my computer needed fixes, and the firewall was turned off.

Nothing I do will turn the windows firewall on: I have tried doing it with the McAfee pop up screen, through McAfee's program screen, and through the control panel.

if i try to turn the firewall on through windows (control panel) I get an error "windows Firewall can't change some of your settings. Error code 0x80070424

It seems like the virus is still on my computer. Can you help?

I downloaded the security check "exe" and have pasted my checkup.txt below

Results of screen317's Security Check version 0.99.30
Windows 7 x64 (UAC is enabled)
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:
Windows Security Center service is not running! This report may not be accurate!
McAfee Total Protection
McAfee Online Backup
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:
Secunia PSI (2.0.0.4003)
Java™ 6 Update 29
Java version out of date!
Adobe Reader X (10.1.2)
Mozilla Firefox (9.0.1)
````````````````````````````````
Process Check:
objlist.exe by Laurent
McAfee Online Backup MOBKbackup.exe
``````````End of Log````````````


thank you!
EDIT- it seems my computer no longer even has the windows firewall. I went to the microsoft website (http://support.microsoft.com/kb/2530126) trying to get the windows fire wall back up I tried all three methods of restoring the firewall offered here. None of the methods even found the firewall, and execution of a repair.bat failed (I have the txt document of the report if anyone wants to see it.)

This post has been edited by LA Juice: 18 January 2012 - 10:45 PM

Download

FSS

Checkmark

Internet Services
Windows Firewall
System Restore
Security Center
Windows Update

Click on "Scan".
Please copy and paste the log to your reply.

ok, here it is. Whats next? and thank you!

Farbar Service Scanner Version: 18-01-2012 01
Ran by Tom (administrator) on 18-01-2012 at 20:13:53
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open bfe registry key. The service key does not exist.

mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.


Firewall Disabled Policy:
==================


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.


System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open wscsvc registry key. The service key does not exist.


Windows Update:
===========

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

Download

http://public.avast.com/~gmerek/aswMBR.exe

Launch it, allow it to download latest Avast! virus definitions(in your case ignore it)

Click the "Scan" button to start scan.After scan finishes,click on Save log

Post the log results here

Good luck

Ok thanks, am trying. if I am having trouble getting the executable to run, do I need to rename it? EDIT- ok got it to run

This post has been edited by LA Juice: 18 January 2012 - 11:39 PM

well- running the avast crashed my OS. I launched the scan, it began to run and then I got blue screen, and had to reboot in safe mode (networking).

any idea what I should do now? I AM going to briefly log out and then log in from another computer, so that I can better read replies. will be back in less than 10 minutes

This post has been edited by LA Juice: 18 January 2012 - 11:46 PM

Launch Farbar service scanner again and type

consrv.dll in search box,click on search files

Post the generated log

run FSS while in safe mode?

Go ahead

This post has been edited by narenxp: 19 January 2012 - 12:08 AM

ok, done. here is the result

Farbar Service Scanner Version: 18-01-2012 01
Ran by Tom (administrator) on 18-01-2012 at 21:07:48
Windows 7 Home Premium Service Pack 1 (X64)

************************************************
================== Search: "consrv.dll" ===================

====== End Of Search ======

your move chief!

To be on safer side before running registry fixes i would suggest you to


Can you boot into normal mode? If you can boot into normal mode ,try this

Download

http://www.snapfiles.com/get/erunt.html

Install it and backup your registry to C:/Windows/erdnt

Now Download the registry files

http://www.mediafire.com/?317ea53a883288d

http://www.mediafire.com/?z6aw8j7997qa7j9

http://www.mediafire.com/?3g2d9ijwwe5aa75

Download three files

Launch them one by one,click YES when you get a prompt


Launch and import them to registry

If it opens as a notepad,right click on them

Click on OPEN WITH

Click on BROWSE

navigate to C:/WINDOWS and select REGEDIT and click ok

Now you should get a UAC prompt,click YES

Restart your PC

Now,open RUN and type

regedit and click ok

go to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE

Right click on it-permissions

Click on ADD and type

Everyone and click ok

Now Click on Everyone

Below you have permission for users

Select full control and click ok

Now,open RUN and type

services.msc and click ok

start base filtering engine service and then windows firewall service

Good luck

This post has been edited by narenxp: 19 January 2012 - 03:20 AM

Ok- Im back and will follow your instructions and see what happens. Thanks!

Ok, I am stalled at this point: "navigate to C:/WINDOWS and select REGEDIT and click ok"

I cannot find the REGEDIT file folder in C:/Windows. What am I missing/ failing to understand? I did a google search "find registry in windows 7, but everyone send me to the start button, run method.

Lets try this

Rename the registry files from

bfe.reg.txt to bfe.reg
firewall.reg.txt to firewall.reg
wscsvc64.reg.txt to wscsvc64.reg

Try to launch it now,click YES when you get the UAC prompt

OR

click on start button and type

REGEDIT and press ENTER

Click on FILE-IMPORT

import all the three files and proceed with other instructions

Good luck

OK your process worked-THANK YOU! I got through the whole process, the control panel and mcAfee show the firewall is on. I really hope that virus is gone for good.Of course after all the other threads I have read with this problem, I fear I will still have to remain vigilant.

Last questions: I have run Malwarebytes, TDSS, SuperAntiSpyware in both safe and normal modes in the last 24 hours, but do you think I should do it again? What about changing my systems clock to 6 days ahead and then running the virus scans- do you think there is any merit to taking these extra steps?