It will give a log that will give essexboy the picture of what is running and will make the cleanup task easier, as when Essex gives you a fix to run via FRST the fix will be made outside Windows, hence it will be whacking the malware when it is inactive.
Alright, here’s the log:
As this is working before Windows has loaded, all services are inert.
Download the attached fixlist.txt to the USB that has FRST on it
Go to system recovery options as before
Run FRST
http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/FRST2.gif
Then press the Fix button
A fix log will be generated on the USB; please post that.
On completion, return to normal Windows and run ComboFix.
This should now produce a log
I’m assuming fixlist works automatically with the program, since I didn’t do anything otherwise?
It ran fine, produced a log, ComboFix ran fine, but still no log. However, there is a ComboFix file on my C drive that acts just like the previous “log” I’ve been getting (sending me to My Computer). But also, the old 32788R22FWJFW thing has turned into a folder, with sub-folder EN-US, and inside that cmd.3Xe.mui, which is 128 KB.
Fixlog:
EDIT: After rebooting and using my computer some, things are looking a lot better! I am no longer getting redirected to abnow, my internet speed is back at full, and even Pidgin is working perfectly too!
However, I still do not have access to Windows Firewall and Defender.
OK, let's use another Farbar tool to check out the firewall and Defender - clever fellow is this one ;D I love his tools
Once I have the log from this I will probably need to run OTL and look for specific files/registry entries, as this programme will just tell me what is wrong.
http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/FSS-1.jpg
Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.
Successful:
Farbar Service Scanner Version: 01-03-2012
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
Internet Services:
Connection Status:
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.
Windows Firewall:
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.
bfe Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open bfe registry key. The service key does not exist.
Firewall Disabled Policy:
System Restore:
System Restore Disabled Policy:
Action Center:
Windows Update:
Windows Defender:
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend: “%ProgramFiles(x86)%\Windows Defender\mpsvc.dll”.
File Check:
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
**** End of log ****
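The log above says that bfe.dll, mpssvc.dll and mpsdrv.sys are intact on disk but that the MpsSvc and BFE service keys are gone from the registry. As an added example (not part of the thread, not Farbar's code), the following PowerShell script redoes the FSS "Windows Firewall" and "Windows Defender" checks with tools that ship in Windows 7, so each line of a log like this can be verified by hand and re-checked after a fix. It assumes an elevated prompt, an English Windows (the sfc output is matched as text) and that Start=2 (Automatic) is the stock value for all four services; those expectations are my assumptions, not something the page states.

```powershell
# Added example, not part of the original thread: redo the FSS "Windows Firewall" /
# "Windows Defender" checks with built-in tools so each finding can be verified by hand.
# Assumptions (mine, not from the page): Windows 7 x64, elevated PowerShell, English
# Windows (sfc output is matched as text), and Start=2 (Automatic) as the stock value.
$Base     = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$Expected = @{ mpsdrv = 2; BFE = 2; MpsSvc = 2; WinDefend = 2 }

function Resolve-ImagePath([string]$raw) {
    # ImagePath is REG_EXPAND_SZ; drivers often use a relative or \SystemRoot\ path,
    # and svchost-hosted services carry "-k <group>" arguments that must be stripped.
    $p = [Environment]::ExpandEnvironmentVariables($raw.Trim())
    if ($p.StartsWith('"')) { $p = $p.Split('"')[1] } else { $p = ($p -split '\s+-k\s+')[0] }
    if ($p.StartsWith('\??\')) { $p = $p.Substring(4) }
    if ($p -match '^\\SystemRoot\\') { $p = Join-Path $env:SystemRoot $p.Substring(12) }
    elseif (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Test-SystemFile([string]$path) {
    # sfc /verifyfile checks the file against the component store. It works on Win7,
    # unlike Get-AuthenticodeSignature, which ignores catalog signatures before PS 5.
    # sfc emits UTF-16 when captured, so strip the interleaved NUL characters first.
    $out = (& sfc.exe "/verifyfile=$path" 2>&1 | Out-String) -replace "`0", ''
    return ($out -match 'did not find any integrity violations')
}

function Test-FirewallStack {
    $findings = @()
    foreach ($name in $Expected.Keys) {
        $key = Join-Path $Base $name
        if (-not (Test-Path $key)) {
            # This is the condition FSS reports as "The service key does not exist"
            $findings += "$name : registry key missing (service cannot be configured or started)"
            continue
        }
        $cfg = Get-ItemProperty $key
        if ($cfg.Start -ne $Expected[$name]) {
            $findings += "$name : Start=$($cfg.Start), expected $($Expected[$name])"
        }
        if (-not $cfg.ImagePath) {
            $findings += "$name : ImagePath value missing"
        } else {
            $image = Resolve-ImagePath $cfg.ImagePath
            if (-not (Test-Path $image))        { $findings += "$name : ImagePath target missing: $image" }
            elseif (-not (Test-SystemFile $image)) { $findings += "$name : $image failed sfc verification" }
        }
        # svchost-hosted services load their real code from Parameters\ServiceDll
        $params = Join-Path $key 'Parameters'
        if (Test-Path $params) {
            $dll = (Get-ItemProperty $params).ServiceDll
            if ($dll) {
                $dll = [Environment]::ExpandEnvironmentVariables($dll)
                if (-not (Test-Path $dll))          { $findings += "$name : ServiceDll missing: $dll" }
                elseif (-not (Test-SystemFile $dll)) { $findings += "$name : $dll failed sfc verification" }
            }
        }
        # a service whose dependency has no key fails at start with error 1068
        foreach ($dep in @($cfg.DependOnService)) {
            if ($dep -and -not (Test-Path (Join-Path $Base $dep))) {
                $findings += "$name : dependency $dep has no registry key"
            }
        }
        # Get-Service does not see kernel drivers (mpsdrv), so a null result is fine
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc -and $svc.Status -ne 'Running') { $findings += "$name : status $($svc.Status)" }
    }
    return $findings
}

$problems = Test-FirewallStack
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { 'Firewall and Defender service stack looks intact' }
```

Against a machine in the state shown in the log above, the script reports the missing BFE and MpsSvc keys and nothing else, which matches the "MD5 is legit" lines: the binaries are fine, the service registrations are what was destroyed. Running it again after merging a registry export is the quickest way to confirm the keys, Start values and DependOnService entries came back intact.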
MpsSvc Service, bfe Service
OK, these two are the problem
From my site download the zip file with your name
https://skydrive.live.com/?cid=32D8666F4048075B&id=32D8666F4048075B!117
Extract the three reg files to the desktop
Right click each file and select merge
Reboot the computer
Retry firewall and Defender
Would you mind editing out my name, please.
Edit: I merged all 3 files and Windows Defender appears to be working, but not Windows Firewall.
I will delete the file once you have downloaded it - i.e. now ;D
Could you re-run Farbar please
Then run a fresh OTL log
I mean the log you posted.
Fixed
Farbar and OTL ran fine. For OTL I assumed Scan All Users and Quick Scan:
Ok whilst I look at the OTL log could you go to
Control Panel > Administrative Tools > Services
and ensure that both BFE (Base Filtering Engine) and Windows Firewall are set to Automatic and started.
Both are set to Automatic and neither are Started.
Start both services and let me know the result
OK another task
Go to control panel > Folder options
Select the View tab
Ensure that the following are deselected :
Hide protected System operating files
Hide hidden files and drives
Accept the warnings
Then go to this MS page and run the fixit there http://support.microsoft.com/kb/972034
Once run then reverse the steps that you previously did
Final task for now
Open an elevated command prompt:
Go Start > All Programs > Accessories
Right-click Command Prompt and select Run as administrator
Then type/copy/paste the following commands, pressing Enter after each:
netsh winsock reset catalog
netsh int ip reset reset.log
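Starting the two services from the Services console only shows a generic error dialog. As an added example, not part of Essexboy's post, the PowerShell below starts the firewall chain in dependency order with sc.exe, whose exit code is the Win32 error number, and maps the codes a practitioner is most likely to meet here onto the next diagnostic step. sc.exe is used for all three because Start-Service cannot start a kernel driver such as mpsdrv. Run it from an elevated prompt; the mapping table is mine.

```powershell
# Added example, not from the thread: start mpsdrv -> BFE -> MpsSvc in dependency
# order and translate sc.exe's exit code (a Win32 error number) into what to check next.
function Start-FirewallChain {
    $meaning = @{
        0    = 'started'
        1056 = 'already running'
        5    = 'access denied: check the DACL on the service registry key'
        1058 = 'service is disabled: set Start=2 (Automatic) and retry'
        1060 = 'service does not exist: the registry key is missing'
        1068 = 'a dependency failed: fix the service listed before this one first'
    }
    $results = @()
    foreach ($name in 'mpsdrv', 'BFE', 'MpsSvc') {
        $null = & sc.exe start $name 2>&1      # output discarded, exit code kept
        $rc = $LASTEXITCODE
        $text = if ($meaning.ContainsKey($rc)) { $meaning[$rc] } else { "Win32 error $rc" }
        $results += '{0,-8} {1}' -f $name, $text
        # no point trying the dependents once a lower layer has failed
        if ($rc -ne 0 -and $rc -ne 1056) { break }
    }
    return $results
}

Start-FirewallChain
```

The order matters for reading the result: MpsSvc reporting 1068 says nothing about MpsSvc itself, it is only echoing whatever stopped BFE, so the first non-running service in the list is the one to investigate.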
I went to those two services and I’m unable to start either:
BFE: Error 5: Access Denied
Firewall: Error 1068: The dependency service or group failed to start.
I also noticed Windows Defender is Automatic (Delayed Start), and does start after a small delay.
I ran the Fixit, it ran fine, then ran those commands in command prompt, which worked fine too.
After restarting, I still am unable to start Firewall or BFE, but Defender seems to be fine now.
It is a permissions problem on bfe
I will give you a full export of my 64 bit key and see if that solves it
It is now at the same place as before with your name on it
Extract the bfe reg file, merge and reboot
Let me know if that works
Otherwise I will have to work out a way to change permissions for you
Downloaded, merged, rebooted, but nothing changed.
OK, 'tis a while since I changed permissions in the registry, so bear with me whilst I ensure I get it right.
OK lets get at it
First create a restore point
Download SWReg and save to the desktop
Create and Run a Batch File
1.
Please copy everything in the code box below into notepad. To do this highlight all text, then right click and click Copy.
@Echo Off
CLS
SWReg ACL HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE /P /GE:F
exit
- Next, open Notepad, or click Start->Run and in the Open: box type notepad.exe and click OK.
- Right click in the Notepad window and click Paste, or put the cursor inside the Notepad window and press the Ctrl-V keys to paste the text into Notepad.
- On the File menu, click Save
- On the Save As window that comes up, do the following:
- On the left side, click the Desktop icon. This will put “Desktop” in the Save In: box at the top.
- At the bottom in the File Name: box type Fix.bat
- In the Save as type: box, click the down arrow and click All Files (*.*)
- Click Save
This will put a new file on the Desktop named Fix.bat
The file icon will look like this
http://img524.imageshack.us/img524/9383/batmp6.jpg
2. Close all open windows and any open Browsers.
3. Right-click the Fix.bat file on the desktop and select Run as administrator. A command window will open briefly, then close. This is quite normal.
When the command window has closed, Reboot the computer to make the changes effective.
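The batch file above hands the permission change to a third-party tool. As an added example, not part of Essexboy's instructions, the PowerShell below does the same job with what ships in Windows: it first reports the current owner and DACL of the BFE key (the "Requested registry access is not allowed" failure there is the same fault behind error 5 on service start), then takes ownership with SeTakeOwnershipPrivilege and replaces the DACL. The baseline DACL in $Baseline (SYSTEM and Administrators full control, Users and the LocalService account BFE runs under read access, inherited by subkeys) is my assumption of a stock service key, not something taken from the page or from SWReg; prefer the SDDL copied from a healthy Windows 7 machine with (Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Services\BFE').Sddl when one is available. Run elevated, after creating the restore point as the post says.

```powershell
# Added example, not from the thread: inspect and repair the ACL on the BFE service key
# with PowerShell/.NET instead of SWReg. Run elevated; create a restore point first.
$SubKey   = 'SYSTEM\CurrentControlSet\Services\BFE'
# Assumed stock layout for a service key (not from the page): SYSTEM/Administrators full,
# Users and LocalService (the account BFE runs under) read, all inherited by subkeys.
$Baseline = 'D:P(A;CI;KA;;;SY)(A;CI;KA;;;BA)(A;CI;KR;;;BU)(A;CI;KR;;;LS)'

# Elevated tokens hold SeTakeOwnershipPrivilege but keep it disabled; enable it via
# AdjustTokenPrivileges so WRITE_OWNER is granted even when the DACL denies us.
if (-not ('TokenPriv' -as [type])) {
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class TokenPriv {
    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    struct TOKEN_PRIVILEGES { public int Count; public long Luid; public int Attr; }
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeValue(string host, string name, out long luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll,
        ref TOKEN_PRIVILEGES state, int len, IntPtr prev, IntPtr ret);
    public static bool Enable(string name) {
        IntPtr token;
        // 0x28 = TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
        if (!OpenProcessToken(System.Diagnostics.Process.GetCurrentProcess().Handle, 0x28, out token)) return false;
        TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES();
        tp.Count = 1; tp.Attr = 2; // SE_PRIVILEGE_ENABLED
        if (!LookupPrivilegeValue(null, name, out tp.Luid)) return false;
        AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
        return Marshal.GetLastWin32Error() == 0; // 1300 = ERROR_NOT_ALL_ASSIGNED (not held)
    }
}
"@
}

function Get-KeyAclReport {
    # Get-Acl needs READ_CONTROL; failing here is the same permissions fault that
    # makes the service start fail with error 5 (access denied).
    try {
        $acl = Get-Acl -Path "HKLM:\$SubKey"
        return @{ Readable = $true; Owner = $acl.Owner; Sddl = $acl.Sddl }
    } catch {
        return @{ Readable = $false; Owner = $null; Sddl = $null; Error = $_.Exception.Message }
    }
}

function Repair-KeyAcl([string]$Sddl = $Baseline) {
    $hklm   = [Microsoft.Win32.Registry]::LocalMachine
    $admins = New-Object System.Security.Principal.NTAccount('BUILTIN\Administrators')
    if (-not [TokenPriv]::Enable('SeTakeOwnershipPrivilege')) {
        throw 'Could not enable SeTakeOwnershipPrivilege; is this prompt elevated?'
    }
    # Step 1: open for WRITE_OWNER only (granted by the privilege) and take ownership.
    $key = $hklm.OpenSubKey($SubKey, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
                            [System.Security.AccessControl.RegistryRights]::TakeOwnership)
    if (-not $key) { throw "HKLM\$SubKey does not exist; restore the key before fixing its permissions" }
    $sec = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::None)
    $sec.SetOwner($admins)
    $key.SetAccessControl($sec)
    $key.Close()
    # Step 2: the owner implicitly holds READ_CONTROL and WRITE_DAC; replace the DACL.
    $key = $hklm.OpenSubKey($SubKey, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
                            [System.Security.AccessControl.RegistryRights]'ChangePermissions, ReadPermissions')
    $sec = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::None)
    $sec.SetSecurityDescriptorSddlForm($Sddl, [System.Security.AccessControl.AccessControlSections]::Access)
    $key.SetAccessControl($sec)
    $key.Close()
}

$before = Get-KeyAclReport
if ($before.Readable) { "Before: owner=$($before.Owner) sddl=$($before.Sddl)" } else { "Before: $($before.Error)" }
Repair-KeyAcl
$after = Get-KeyAclReport
"After:  owner=$($after.Owner) sddl=$($after.Sddl)"
```

Two points a practitioner should keep in mind. Because the baseline carries CI (container-inherit) ACEs and the key is written with inheritance, Windows propagates the new entries to subkeys such as BFE\Parameters that have not been marked protected; that is usually what is wanted for a mangled service key, but it is wider than touching one key. And once the ACL reads back correctly, the proof is the service itself: sc.exe start bfe followed by sc.exe start mpssvc should both return 0 rather than 5 and 1068.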