More Firewall Issues


  1. Posts : 14
    win 7 home prem 64 bit
       #1

    More Firewall Issues


    Hi, all. Had posted at end of a long running thread with similar issue, but have now started it here, hope that's OK.
    Am unable to start Windows Firewall, error code 13.
    Have stand-alone Win 7 64-bit Home Premium machine, am sole user.
    BFE appears to be started.
    I would like to confirm that related drivers are normal. Firewall depends on authorization driver mpsdrv.sys.
    In driver list this has no enable, disable, reinstall panel.
    There is also firewall lightweight filter wfplwf.sys.
    Are both these OK? Cannot install any other firewall on that machine, so using tablet to post.
    Many thanks
    Poppy


  2. Posts : 612
    MS Windows 7 Home Premium 64-bit SP1
       #2

    Dear kiwipoppy,
    This may have to do with "permissions":

      • Verify Log On permissions
      • Verify registry permissions
      • Verify privilege permissions
      • Verify Service Dependencies
      • Reset the default security permissions
      • Verify that the TxR folder exists: %systemroot%\system32\config\TxR
      • Verify the following registry keys by comparing them to a default Windows installation:
          • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
          • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc
          • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ShareAccess

    If the above does not help, your current user account "may" be corrupted. Create a NEW User Account. Log off and log in!


    If this too does not resolve the prob., then disable the 3rd party AV (not MSE) and try to enable the Win.Firewall.


    Regards and best wishes,
    sreedhav


    PS: how did you make sure that BFS is enabled?
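
The checklist in post #2 says to compare services, dependencies and registry permissions against a default installation. The following read-only PowerShell script is an added example, not part of the thread, that writes those items to a text file so the same snapshot can be taken on a known-good Windows 7 machine and the two files compared. The output path is a hypothetical default, and the script uses the on-disk key name SharedAccess; it assumes an elevated prompt.

```powershell
# Added example: snapshot the items from the checklist in post #2.
# Read-only: nothing on the machine is changed. Run from an elevated prompt.
param([string]$OutFile = "$env:TEMP\fw-snapshot.txt")   # hypothetical output path

$services = 'BFE', 'MpsSvc', 'SharedAccess'   # on-disk key name is SharedAccess
$lines = @()

foreach ($name in $services) {
    # State, start mode and log-on account of each service
    $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
    if ($svc) {
        $lines += "SERVICE $name state=$($svc.State) start=$($svc.StartMode) logon=$($svc.StartName)"
    } else {
        $lines += "SERVICE $name MISSING"
    }

    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (-not (Test-Path $key)) { $lines += "KEY $name MISSING"; continue }

    # Declared dependencies, as stored in the service's registry key
    $deps = (Get-ItemProperty $key).DependOnService
    $lines += "DEPENDS $name -> $($deps -join ',')"

    # Owner plus one line per access rule, sorted so two machines diff cleanly
    $acl = Get-Acl $key
    $lines += "OWNER $name $($acl.Owner)"
    $lines += $acl.Access |
        ForEach-Object { "ACL $name $($_.IdentityReference) $($_.AccessControlType) $($_.RegistryRights) inherited=$($_.IsInherited)" } |
        Sort-Object
}

# Kernel drivers named in the first post (mpsdrv.sys, wfplwf.sys)
foreach ($drv in 'mpsdrv', 'wfplwf') {
    $d = Get-WmiObject Win32_SystemDriver -Filter "Name='$drv'"
    if ($d) { $lines += "DRIVER $drv state=$($d.State) start=$($d.StartMode) path=$($d.PathName)" }
    else    { $lines += "DRIVER $drv MISSING" }
}

# TxR folder from the checklist
$txr = Join-Path $env:SystemRoot 'System32\config\TxR'
$lines += "TXR exists=$(Test-Path $txr)"

$lines | Set-Content $OutFile
"Wrote $OutFile"
```

With a snapshot from each machine, `Compare-Object (Get-Content good.txt) (Get-Content bad.txt)` lists only the lines that differ.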


  3. Posts : 14
    win 7 home prem 64 bit
    Thread Starter
       #3

    Thanks for replying. Am not completely new to computers but not certain how to verify permissions like that.
    Am used to setting permission on files and folders, but am blank on what you mean by verifying, and can see no way to reset default dependencies, sorry.
    The Txr file does exist, it contains 2 .blf files, and four .Regtrans-Ms files with long numerical file names which include TMcontainer000000000000002 or similar.
    The registry files do exist but I have no way of comparing them to a default Win 7 setting.
    Shared access (not share) is full of firewall rules, even when it was working, I could not get in to set back to default, new rules seemed to be added all the time, but it never advised me of any activity, even though notifications enabled.
    Trying to change any rule manually resulted in shutdown of whole thing.
    Last time think was my fault, tried to stop AxInstSvchost having free access, can't figure how to reverse this.
    Checked BFE in services.msc, shows as started, trying to start firewall then gives message 'Windows could not start the firewall on local computer' and mentions 'service specific error code 13'.
    Although I am the only person with physical access to this machine, am fairly sure that it has been hijacked, and so I am trying to get firewall started, so I can at least get back online.
    So what was your opinion of those drivers? Normal for Win 7 setup?
    Thanks again


  4. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #4


  5. Posts : 612
    MS Windows 7 Home Premium 64-bit SP1
       #5

    kiwipoppy said:
    Thanks for replying. Am not completely new to computers but not certain how to verify permissions like that.
    Am used to setting permission on files and folders, but am blank on what you mean by verifying, and can see no way to reset default dependencies, sorry.
    The Txr file does exist, it contains 2 .blf files, and four .Regtrans-Ms files with long numerical file names which include TMcontainer000000000000002 or similar.
    The registry files do exist but I have no way of comparing them to a default Win 7 setting.
    Shared access (not share) is full of firewall rules, even when it was working, I could not get in to set back to default, new rules seemed to be added all the time, but it never advised me of any activity, even though notifications enabled.
    Trying to change any rule manually resulted in shutdown of whole thing.
    Last time think was my fault, tried to stop AxInstSvchost having free access, can't figure how to reverse this.
    Checked BFE in services.msc, shows as started, trying to start firewall then gives message 'Windows could not start the firewall on local computer' and mentions 'service specific error code 13'.
    Although I am the only person with physical access to this machine, am fairly sure that it has been hijacked, and so I am trying to get firewall started, so I can at least get back online.
    So what was your opinion of those drivers? Normal for Win 7 setup?
    Thanks again

    Kindly reply to @jacee!
    I will give you an example of checking for permissions in, for ex., "Registry". Here's what to do: Go to Start>Run>Regedit, then in the Registry Editor select "HK_Local_Machine". Then go to Edit>Permissions, and make sure that the Administrators group has "Full control" selected. If you are permitted, then that has checked out right.
    You have mentioned the probability of a "Hijack". That may/can be the root cause of all your troubles. Download MalwareBytesAntiMalware (MBAM), update and run. It will definitely catch any "Trojan Hijackers" and clean them for you. In that case the Win.Drivers are Kapoot!

    Best wishes,
    sreedhav


  6. Posts : 14
    win 7 home prem 64 bit
    Thread Starter
       #6

    Thanks jacee, followed those instructions, repository was consistent.
    No 3rd party firewall.
    Event Viewer will not create custom view for firewall but services manager shows "firewall terminated with service specific error.data is invali
    Details show "param2. %%13
    All relevant service dependencies appear to be started


  7. Posts : 14
    win 7 home prem 64 bit
    Thread Starter
       #7

    Have been spending a lot of time making sure administrators have full access, one of the initial symptoms was "access denied" messages.
    Also think the Windows Installer is corrupted, no security program shows any infection, they run, but cannot update, and as MBAM runs get "system DLL is being modified" messages.
    Visits to security forums are blocked or really slow
    Random strange websites have been accessed
    Credit card details have been stolen
    Entries in registry, and other places in foreign text
    Windows updates will not install
    Repair or reinstall results in same situation, as soon as supposedly clean backup file is installed
    Can put up with these issues, which no one seems able to believe, let alone solve!
    But I would like my firewall back, I am fond of it, hehe
    Many thanks to sreedhav


  8. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #8

    Your computer looks like it's been severely compromised!
    runs get "system DLL is being modified" messages
    Visits to security forums are blocked or really slow
    Random strange websites have been accessed
    Credit card details have been stolen
    Entries in registry, and other places in foreign text
    Windows updates will not install
    Repair or reinstall results in same situation, as soon as supposedly clean backup file is installed
    I believe you have a stealth MBR 'Rootkit' and need to wipe the computer and do a "clean install". Don't use the "supposedly clean back up"!! It's obviously not as "clean" as you think.


  9. Posts : 612
    MS Windows 7 Home Premium 64-bit SP1
       #9

    Dear kiwipoppy,
    I agree with @jacee! Follow this tutorial and select the CLEAN ALL DISKPART COMMAND (8 IN THE LIST) option in it, which makes a thorough job of it (scrubbing the hard disk). It will take hours, but it's worth the wait as MBR Rootkits stick like glue to the HDD! That's why jacee said a "clean reinstall" just won't be enough!

    Disk - Clean and Clean All with Diskpart Command

    Regards and best wishes,
    sreedhav


  10. Posts : 14
    win 7 home prem 64 bit
    Thread Starter
       #10

    Thanks to both of you, backup contains all my photos and graphics files, so not using it is not an option, no point having computer without them!
    Am definitely not confident doing disk clean, can barely understand difference between drives, volumes, disks etc., hehe
    I know I have a hidden "X" partition or drive that only appears when I attempt a system repair.
    Cmd prompt is headed X:\windows, is that normal?
    "X" has its own users and owners e.g. LSASetupDomain, and cannot be altered.
    Diskpart (run on normal C drive) shows my setup as follows:
    Disk 0 online 465gb 0 B
    Then disks 1 2 3 4 all no media 0B and under free 0B
    Have some more questions, can I continue here, or should I start a new thread?
    All to do with security, and access, and using commands.
    Help so far much appreciated, all knowledge good, even if problems can't be fixed, never thought it would be easy!


 