
Need a registry fix please


22 replies to this topic

#1 cart0181

cart0181

  • Members
  • 54 posts
  • OFFLINE
  •  
  • Local time:09:48 AM

Posted 09 December 2011 - 10:31 PM

Hello everyone. :hello:

I have been waiting for over 3 days for help over in the removal forum here. I haven't gotten any responses yet, so I thought I would post here. I hope that is ok. I believe at this point, all I need is a customized registry fix to get this computer up and running perfectly again. I am fairly certain there is no longer any infection on the system, but some registry damage was done so that my Base Filtering Engine (bfe.dll) is no longer functioning. Because of that, all dependency services also fail to start. What can I do? Thanks in advance for the advice.


 


#2 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:09:48 AM

Posted 09 December 2011 - 11:00 PM

Please save the following contents as a .reg file. Then execute this file to import it into the registry.


<content removed for security reasons>


Save it as a .reg file, launch it and add it to the registry

See if you can start the base filtering engine service

Edited by elise025, 17 December 2011 - 08:03 AM.
content removed.


#3 cart0181

cart0181
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  •  
  • Local time:09:48 AM

Posted 10 December 2011 - 12:23 AM

Thanks for your quick response! :thumbup2:
I added the data you provided to the registry, and after a reboot, the Base Filtering Engine now shows up in the Services console. It is not able to start, however, giving error code 5: access is denied.

Now what do I do?

P.S. Did you review my logs from the other forum?

#4 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:09:48 AM

Posted 10 December 2011 - 07:59 PM

Do you have the Windows Firewall service?

Probably the Vista rogue deleted both the BFE and Windows Firewall keys.

If you do not have Windows Firewall, copy this


<content removed for security reasons>

Save it as .reg file and import

Now,open RUN and type

regedit and click ok

go to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE

Right click on it-permissions

Click on ADD and type

Everyone and click ok

Click on Everyone

Below you have permission for users

Select full control and click ok

Now start bfe service and windows firewall service

Edited by elise025, 17 December 2011 - 08:05 AM.
content removed


#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,440 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:48 AM

Posted 11 December 2011 - 05:12 PM

A suggestion has been made that involves modifying the registry. Modifying the registry can be dangerous (and can render your system unbootable) so it's advisable that you make a backup of the registry before proceeding.
Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing, so follow the steps that are listed below EXACTLY. If you cannot perform some of these steps or if you have ANY questions, please ask BEFORE proceeding.

Backing Up Your Registry
  • Go Here and download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.
Registry Modifications

For more information about modifying the registry, see this Microsoft article: http://support.microsoft.com/default.aspx/kb/256986
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#6 cart0181

cart0181
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  •  
  • Local time:09:48 AM

Posted 17 December 2011 - 12:00 AM

narenxp, thank you for your patience. I was able to receive some help in the malware removal thread I posted in the original post. Here.

Unfortunately, we were not able to resolve every issue caused by the rogue program. My helper there suggested I post a new thread in the Windows 7 forum, but I was hoping you could give me some additional help?

Your "permissions fix" worked to allow me to start the Base Filtering Engine service. The Windows Firewall service also appears to be functioning normally now too.

The only thing I can see is wrong now, is the Action Center is not monitoring my security properly. Only the UAC and Network Access protection is showing there. There is no virus protection on the computer right now and I am not receiving warnings. When I try to turn on warning messages, the options are greyed-out. I think the malware has done some more damage in this area. I posted 2 screenshots in the other thread that show exactly what I'm talking about. Please help! :wacko:

#7 cart0181

cart0181
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  •  
  • Local time:09:48 AM

Posted 18 December 2011 - 01:33 PM

Anybody?

Screenshot

#8 cart0181

cart0181
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  •  
  • Local time:09:48 AM

Posted 18 December 2011 - 02:02 PM

My helper in the Malware Removal thread told me to post my question here about the Action Center.

I think the virus destroyed some of the registry entries for the Action Center or something. I have no anti-virus installed, but the Action Center isn't warning me. I don't think it is monitoring properly. I took some screenshots posted in the other thread. I would post them here, but my quota is only 512K here.

Please help. This virus has caused a lot of damage. I haven't been able to use this computer for 2 weeks now. :(

Mod Edit: Merged with AII topic ~ Hamluis.

Edited by hamluis, 19 December 2011 - 11:02 AM.


#9 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:09:48 AM

Posted 18 December 2011 - 03:54 PM

Sorry for not replying to you for a while

Go to RUN and type

regedit and click ok

Do you have this key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc

Thanks

Edited by narenxp, 18 December 2011 - 03:55 PM.


#10 Artrooks

Artrooks

  • Members
  • 1,463 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New York
  • Local time:10:48 AM

Posted 18 December 2011 - 05:18 PM

Hello cart0181,


I came across this site: FIX: Action Center and Windows Security Center no longer recognizes AntiVirus and Firewall

Don't know if it will help you.

Regards,
Brooks



 


#11 cart0181

cart0181
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  •  
  • Local time:09:48 AM

Posted 18 December 2011 - 05:48 PM

Yes, I do have that key. I exported its contents and posted below:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,\
  00,65,00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,52,00,65,00,73,00,74,00,\
  72,00,69,00,63,00,74,00,65,00,64,00,00,00
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,77,00,69,00,6e,00,\
  6d,00,67,00,6d,00,74,00,00,00,00,00
"ObjectName"="NT AUTHORITY\\LocalService"
"RequiredPrivileges"=hex(7):53,00,65,00,43,00,68,00,61,00,6e,00,67,00,65,00,4e,\
  00,6f,00,74,00,69,00,66,00,79,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
  67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,\
  00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\
  00,00,00,00
"DelayedAutoStart"=dword:00000001
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
  00,01,00,00,00,c0,d4,01,00,01,00,00,00,e0,93,04,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc\Enum]
"0"="Root\\LEGACY_WSCSVC\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc\Parameters]
"ServiceDll"=hex(2):25,00,53,00,59,00,53,00,54,00,45,00,4d,00,52,00,4f,00,4f,\
  00,54,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  77,00,73,00,63,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00



#12 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:09:48 AM

Posted 18 December 2011 - 07:12 PM

Can you start the security center service?

Do you receive any dependency errors?

If yes

Please create a registry backup as suggested by boopme

Now, I think your OS is Windows 7, 64 bit

Copy this script




Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc]
"DisplayName"="@%SystemRoot%\\System32\\wscsvc.dll,-200"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,\
  00,65,00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,52,00,65,00,73,00,74,00,\
  72,00,69,00,63,00,74,00,65,00,64,00,00,00
"Start"=dword:00000002
"Type"=dword:00000020
"Description"="@%SystemRoot%\\System32\\wscsvc.dll,-201"
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,57,00,69,00,6e,00,\
  4d,00,67,00,6d,00,74,00,00,00,00,00
"ObjectName"="NT AUTHORITY\\LocalService"
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,43,00,68,00,61,00,6e,00,67,00,65,00,4e,\
  00,6f,00,74,00,69,00,66,00,79,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
  67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,\
  00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\
  00,00,00,00
"DelayedAutoStart"=dword:00000001
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
  00,01,00,00,00,c0,d4,01,00,01,00,00,00,e0,93,04,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc\Parameters]
"ServiceDllUnloadOnStop"=dword:00000001
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  77,00,73,00,63,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc\Security]
"Security"=hex:01,00,14,80,c8,00,00,00,d4,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,98,00,06,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,9d,01,02,00,01,01,00,00,00,00,00,05,04,00,00,00,00,\
  00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,00,00,14,00,00,01,\
  00,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,28,00,15,00,00,00,01,06,00,\
  00,00,00,00,05,50,00,00,00,49,59,9d,77,91,56,e5,55,dc,f4,e2,0e,a7,8b,eb,ca,\
  7b,42,13,56,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,\
  00,00,00




Save it with a .reg extension, launch it, restart your PC and see if you can start the security center service


Good luck
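
Added example (not part of any post in this thread): before importing a .reg file like the one above, its hex(2) and hex(7) values can be decoded to readable strings and compared with the key already exported from the machine. The two sample texts are abridged copies of the wscsvc listings posted in this thread; the function names are illustrative.

```python
import re

# Main key only, abridged from the two wscsvc listings above. The values
# left out (ImagePath, ObjectName, FailureActions, ...) appear in both.
EXPORTED = r'''[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc]
"Start"=dword:00000002
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,77,00,69,00,6e,00,\
  6d,00,67,00,6d,00,74,00,00,00,00,00
'''
FIX = r'''[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc]
"DisplayName"="@%SystemRoot%\\System32\\wscsvc.dll,-200"
"Start"=dword:00000002
"Description"="@%SystemRoot%\\System32\\wscsvc.dll,-201"
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,57,00,69,00,6e,00,\
  4d,00,67,00,6d,00,74,00,00,00,00,00
"ServiceSidType"=dword:00000001
'''

def decode(raw):
    """Turn the right-hand side of a .reg value line into a Python value."""
    m = re.match(r"hex(?:\(([0-9a-f]+)\))?:(.*)", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) in ("1", "2"):        # REG_SZ / REG_EXPAND_SZ, UTF-16LE
            return data.decode("utf-16-le").rstrip("\0")
        if m.group(1) == "7":               # REG_MULTI_SZ: NUL-separated list
            return [s for s in data.decode("utf-16-le").split("\0") if s]
        return data                         # plain "hex:" is REG_BINARY
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    return re.sub(r"\\(.)", r"\1", raw[1:-1])   # quoted REG_SZ, unescaped

def parse_reg(text):
    """Return {key: {value_name: decoded_value}} for a version 5.00 .reg file."""
    keys, current = {}, None
    for line in re.sub(r"\\\r?\n\s*", "", text).splitlines():  # join "\" continuations
        line = line.strip()
        if line.startswith("["):
            current = keys.setdefault(line.strip("[]").lower(), {})
        elif current is not None and (m := re.match(r'"(.+?)"=(.*)', line)):
            current[m.group(1)] = decode(m.group(2))
    return keys

def compare(current, incoming):
    """List (key, name, old, new) for every value the incoming file adds or changes."""
    return [(k, n, current.get(k, {}).get(n), v)
            for k, vals in incoming.items() for n, v in vals.items()
            if current.get(k, {}).get(n) != v]
```

On these excerpts `compare(parse_reg(EXPORTED), parse_reg(FIX))` reports DisplayName, Description and ServiceSidType as new, and DependOnService as changed only in letter case (winmgmt vs WinMgmt).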

#13 cart0181

cart0181
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  •  
  • Local time:09:48 AM

Posted 18 December 2011 - 07:16 PM

The service is already started, but it shows up as "wscsvc" in the Services snap-in, and the Description column is blank. Does that mean the DisplayName is not set?

Edited by cart0181, 18 December 2011 - 07:19 PM.


#14 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:09:48 AM

Posted 18 December 2011 - 07:21 PM

Is that a Windows 7, 64 bit OS? Can you do the steps as suggested then?

Launch the reg file and restart and check

good luck

Edited by narenxp, 18 December 2011 - 07:22 PM.


#15 cart0181

cart0181
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  •  
  • Local time:09:48 AM

Posted 18 December 2011 - 07:22 PM

Yes, it is Win7 64-bit. We are online at the same time. Thanks for all your help!



