More Firewall Issues

[kiwipoppy]

Hi,all.had posted at end of a long running thread with similar issue,but have now started it here,hope that's OK.
Am unable to start windows firewall,error code 13.
Have stand alone win 7. 64bit home premium machine,am sole user
BFE appears to be started
I would like to confirm that related drivers are normal.firewall depends on authorization driver mpsdrv.sys
In driver list this has no enble,disable,reinstall panel
There is also firewall liteweight filter wfplwf.sys
Are both these OK?cannot install any other firewall on that machine,so using tablet to post
Many thanks
Poppy

 

[sreedhav]

Dear kiwipoppy,
This may have to do with "permissions" Verify Log On permissions
Verify registry permissions

Verify privilege permissions

Verify Service DependenciesReset the default security permissions

Verify that the TxR folder exists : %systemroot%\system32\config\

TxRVerify the following registry keys by comparing them to a default Windows installation:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE

• • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ShareAccess

If the above does not help. your current user account "may" be corrupted. Create a NEW User Account. Lof off and log in!


If this too does not resolve the prob., then disable the 3rd party AV(not MSE) and try to enable the Win.Firewall.


Regards and best wishes,
sreedhav


PS: how did you make sure that BFS is enabled?

 

[kiwipoppy]

Thanks for replying.am not completely new to computers but not certain how to verify permissions like that.
Am used to setting permission on files and folders,but am blank on what you mean by verifying,and can see no way to reset default dependencies,sorry
The Txr file does exist, it contains 2 .blf files,and four. Regtrans-Ms files with long numerical file names which include TMcontainer000000000000002 or similar.
The registry files do exist but I have no way of comparing them to a default win 7 setting.
Shared access(not share) is full of firewall rules,even when it was working,I could not get into set back to default,new rules seemed to be added all the time,but it never advised me of any
Activity,even though notifications enabled.
Trying to change any rule manually resulted in shutdown of whole thing.
Last time think was my fault,tried to stop AxInstSvchost having free access,can't figure how to reverse this
Checked BFE in services.msc,shows as started,trying to start firewall the gives message'windows could not start the firewall on local computer' and mentions 'service specific error code 13"
Although I am the only person with physical access to this machine,am fairly sure thatit has been hijacked,and so I am trying to get firewall started,so I can at least get back online
So what was your opinion of those drivers?Normal for win 7 setup
Thanks again

 

[Jacee]

Have you gone through these steps? Cannot start the Window Firewall error code 13 - Microsoft Answers

 

[sreedhav]

Thanks for replying.am not completely new to computers but not certain how to verify permissions like that.
Am used to setting permission on files and folders,but am blank on what you mean by verifying,and can see no way to reset default dependencies,sorry
The Txr file does exist, it contains 2 .blf files,and four. Regtrans-Ms files with long numerical file names which include TMcontainer000000000000002 or similar.
The registry files do exist but I have no way of comparing them to a default win 7 setting.
Shared access(not share) is full of firewall rules,even when it was working,I could not get into set back to default,new rules seemed to be added all the time,but it never advised me of any
Activity,even though notifications enabled.
Trying to change any rule manually resulted in shutdown of whole thing.
Last time think was my fault,tried to stop AxInstSvchost having free access,can't figure how to reverse this
Checked BFE in services.msc,shows as started,trying to start firewall the gives message'windows could not start the firewall on local computer' and mentions 'service specific error code 13"
Although I am the only person with physical access to this machine,am fairly sure thatit has been hijacked,and so I am trying to get firewall started,so I can at least get back online
So what was your opinion of those drivers?Normal for win 7 setup
Thanks again

Kindly reply to @jacee!
I will give you an example of checking for permissions in ,for EX. "Registry". Here's what to do: Go to Start>Run>Regedit, then in the Registry Editor select "HK_Local_Machine". Then go to Edit>Permissions, and make sure that the Administrators group has "Full control" selected. If you are permitted, then that has checked out right.
You have mentioned the probability of a "Hijack". That may/can be the root cause of all your troubles. Download MalwareBytesAntiMalware (MBAM),update and run. It will definitely catch any "Trojan Hijackers" and clean them for you. In that case the Win.Drivers are Kapoot!

Best wishes,
sreedhav

 

[kiwipoppy]

Thanks jacee,followed those instructions,repository was consistent
No 3rd party firewall
Event viewer will not create custom view for firewall but services manager shows"firewall terminated with service specific error.data is invali
Details show "param2. %%13
All relevant service dependencies appear to be started

 

[kiwipoppy]

Have been spending a lot of time making sure administrators have full access,one of the inital symptoms was "access denied" messages
Also think the windows installer is corrupted,no security program shows any infection,they run,but cannot update,and as MBAM runs get "system DLL is being modified"messages
Visits to security forums are blocked or really slow
Random strange websites have been accessed
Credit card details have been stolen
Entries in registry,and other places in foreign text
Windows updateswill not install
Repair or reinstall results in same situation,as soon as supposedly clean backup file is installed
Can put up with these issues,which no one seems able to believe,yet alone solve!
But I would like my firewall back,I am fond of it,hehe
Many thanks to sreedhav

 

[Jacee]

Your computer looks like it's been severly compromised!

runs get "system DLL is being modified"messages
Visits to security forums are blocked or really slow
Random strange websites have been accessed
Credit card details have been stolen
Entries in registry,and other places in foreign text
Windows updateswill not install
Repair or reinstall results in same situation,as soon as supposedly clean backup file is installed

I believe you have a stealth MBR 'Rootkit' and need to wipe the computer and do a "clean install". Don't use the "supposedly clean back up"!! It's obviously not as "clean" as you think.

 

[sreedhav]

Dear kiwipoppy,
I agree with @jacee! Follow this tutorial and select the CLEAN ALL DISKPART COMMAND(8 IN THE LIST) option in it, which makes a thorough job of it(scrubbing the Hard disk). It will take hours,but it's worth the wait as MBR Rootkits stick like glue to the HDD! That's why jacee said a "clean reinstall" just won't be enough!

http://www.sevenforums.com/tutorials/52129-disk-clean-clean-all-diskpart-command.html

regards and best wishes,
sreedhav

 

[kiwipoppy]

Thanks to both of you,backup contains all my photos and graphics files,so not using it is not an option,no point having computer without them!
Am definitely not confident doing disk clean,can barely understand difference between,drives,volumes,disks etc,hehe
I know I have a hidden "X" partition or drive that only appears when I attempt a system repair
Cmd prompt is headed X:\windows,is that normal?
"X" has its own users and owners e.g LSASetupDomain,and cannot be altered
Diskpart(run on normal c drive) shows my setup as follows
Disk 0 online 465gb 0 B
Then disks 1 2 3 4 all no media 0B and under free 0B
Have some more questions,can I continue here,or should I start a new thread
All to do with security,and access,and using commands
Help so far much appreciated,all knowledge good,even if problems can't be fixed,never thought it would be easy!

 

[Victek]

Thanks to both of you,backup contains all my photos and graphics files,so not using it is not an option,no point having computer without them!

To begin with make a backup of just your data. That way you can deal with the system without worrying about data loss.

 

[kiwipoppy]

OK do I need to buy new removable storage of some type for that.should I be able to backup just jpgs,and other picture files,and hopefully 8bfs?that's all that was supposed to be on my previous backup,but obviously my hijacker/rootkit/takeover had other ideas!

 

[Jacee]

You can copy/burn all pictures to a CD. I'm not following what 8bfs are??

 

[Victek]

OK do I need to buy new removable storage of some type for that.should I be able to backup just jpgs,and other picture files,and hopefully 8bfs?that's all that was supposed to be on my previous backup,but obviously my hijacker/rootkit/takeover had other ideas!

You can backup to CD or DVD, but depending on how much data you have that can mean many discs. A simpler, and I think more reliable, solution is a high capacity flash drive. 8 gig and 16 gig flash drives are very affordable. The ideal size is one that all the data will fit on so a backup will not be interrupted.