McAfee Firewall will not start


I had a computer in for malware removal.  I had mostly cleaned it up before taking a few days off.  When I came back, they were trying to do an OS reload on it because it was BSoDing from TDSS and they could not be bothered to fix it.  So I removed TDSS, which fixed the BSoD during boot (STOP 0x0000007B).  I finished cleaning up the OS and was doing final verification when I noticed McAfee would not scan and the McAfee firewall would not start.  

I fixed the scanning problem by turning the McAfee services back on at boot; I had disabled them during a clean boot.  The firewall, however, still would not start, and it was not throwing any helpful errors about why.  A quick search of the McAfee help site turned up nothing more helpful than reinstalling the product.  On a hunch I started poking around the services and noticed that the Windows Firewall service (MpsSvc) was missing altogether.  I figured I might as well fix that while I thought about the McAfee firewall problem, so I reinstalled the service by importing the registry values from a known good machine.  After the import and a reboot, the McAfee firewall magically started up.  It turns out the McAfee firewall depends on the Windows Firewall service.  

You can check whether the service exists from the command line:

sc query MpsSvc

If you get "The specified service does not exist as an installed service," the Windows Firewall service will need to be reinstalled.  You can also check by looking through the Services tree in Computer Management.  MpsSvc itself lists the Windows Firewall Authorization Driver (mpsdrv) and the Base Filtering Engine (BFE) as dependencies (that is what the DependOnService value below decodes to), so if the import alone does not bring it up, query those two the same way.  

Here is the text of the .reg file for CurrentControlSet (it was also offered as a direct download):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MpsSvc]
"DisplayName"="@%SystemRoot%\\system32\\FirewallAPI.dll,-23090"
"Group"="NetworkProvider"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,\
  00,65,00,4e,00,6f,00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,00,00
"Description"="@%SystemRoot%\\system32\\FirewallAPI.dll,-23091"
"ObjectName"="NT Authority\\LocalService"
"ErrorControl"=dword:00000001
"Start"=dword:00000002
"Type"=dword:00000020
"DependOnService"=hex(7):6d,00,70,00,73,00,64,00,72,00,76,00,00,00,62,00,66,00,\
  65,00,00,00,00,00
"ServiceSidType"=dword:00000003
"RequiredPrivileges"=hex(7):53,00,65,00,41,00,73,00,73,00,69,00,67,00,6e,00,50,\
  00,72,00,69,00,6d,00,61,00,72,00,79,00,54,00,6f,00,6b,00,65,00,6e,00,50,00,\
  72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,41,00,75,\
  00,64,00,69,00,74,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\
  00,00,53,00,65,00,43,00,68,00,61,00,6e,00,67,00,65,00,4e,00,6f,00,74,00,69,\
  00,66,00,79,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,\
  53,00,65,00,43,00,72,00,65,00,61,00,74,00,65,00,47,00,6c,00,6f,00,62,00,61,\
  00,6c,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,\
  65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,00,61,00,74,00,65,00,50,\
  00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,\
  6e,00,63,00,72,00,65,00,61,00,73,00,65,00,51,00,75,00,6f,00,74,00,61,00,50,\
  00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,00,00
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
  00,01,00,00,00,c0,d4,01,00,01,00,00,00,e0,93,04,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MpsSvc\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  6d,00,70,00,73,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00
"ServiceDllUnloadOnStop"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MpsSvc\Parameters\PortKeywords]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MpsSvc\Security]
"Security"=hex:01,00,14,80,b4,00,00,00,c0,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,84,00,05,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,04,00,00,00,00,\
  00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,00,00,28,00,15,00,\
  00,00,01,06,00,00,00,00,00,05,50,00,00,00,49,59,9d,77,91,56,e5,55,dc,f4,e2,\
  0e,a7,8b,eb,ca,7b,42,13,56,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,\
  00,00,00,05,12,00,00,00


Word 2000 – No toolbars

This computer came in the other day with Word 2000 showing no toolbars.  Shortly afterwards Word 2000 would stop responding and turn into a white window.  Word would open without any problems using winword /a from the Run box.  This only seemed to affect Word 2000, not Excel, Outlook, or PowerPoint.  

I tried reinstalling, repairing, deleting normal.dot, and deleting several recommended registry keys, but none of this resolved the issue.  What did resolve it was a solution I saw on Microsoft Answers: uninstall the "Office Live Add-in."  Once it was removed and the system rebooted, Word 2000 worked perfectly.  

Vista – No PS/2 Mouse or Keyboard

After removing malware from this one Vista computer, we had several corrupt drivers (PEauth.sys, processor, and chipset).  Poking around in the removal logs, I found Wdf01000.sys had been removed.  I ran SFC and it threw back an error about the replacement file in the store being corrupt too.  So I found a good copy of Wdf01000.sys from another Vista box and replaced the file in %windir%\system32\Drivers with the known good file.  SFC still refused to accept the file as good.  Looking in the driver store, the actual file was missing there as well, so I copied the known good file into the driver store too.  

This fixed all the problems in SFC, but still did not fix the problems in Device Manager (error code 34, if I remember correctly).  After spending what felt like days examining files and registry keys, I realized the service information for the driver was missing from the registry.  After exporting a copy of the driver info from another Vista box and importing the registry information, everything appeared correct.  I rebooted the unit, all the drivers started up correctly, and the PS/2 mouse and keyboard started working again.  

Here is a link (http://www.box.com/s/8464f244b4748b850d0b) to the copy of the Wdf01000.sys registry file.  It was made for Vista x86, but should work on Windows 7 x86/x64 and Vista x64. 

Network Location Awareness service terminated with service-specific error %%-1073741288

This unit came into the store for a virus removal with the note "will not connect to internet"; of course, I figured the internet connection problem would be something simple to fix, like usual.  Surprisingly, it turned into an interesting problem to solve; I just had to solve it before anyone else got to it and reloaded Windows because they do not know how to deal with it otherwise.  

Looking through Event Viewer I kept seeing "Access denied" errors for DHCP, and "Network Location Awareness service terminated with service-specific error %%-1073741288."  I figured fixing the DHCP access denied error would fix the Network Location Awareness error too.  After following KB943996 (http://support.microsoft.com/kb/943996) to fix the access denied error and the Diagnostic Policy service, I rebooted to the exact same issue.  After poking around the registry verifying permissions and settings, I finally put it on some automated scans so I could work on other things.   

After the scans came back clean, I checked for boot sector infections; none were found.  I looked back at Event Viewer.  The only real error now was the Network Location Awareness service error listed above.  Researching on the internet found very few answers besides a repair install.  Digging through the Microsoft forums, I found a man who offered a simple fix, which seemed to help most people.  It is basically adding the "LocalService" and "NetworkService" accounts to the Administrators group.  With nothing to lose, I tried it out and it worked flawlessly.  One caveat: those two accounts are the reduced-privilege identities most built-in services run under, so putting them in Administrators hands full local admin rights to every one of those services and to anything that compromises one.  Treat it as a workaround for the permissions the infection broke; once the service is running, find and repair those permissions and take the two accounts back out of the group (the same two commands with /delete in place of /add).  

The commands are (from an administrator command prompt):

net localgroup administrators localservice /add
net localgroup administrators networkservice /add

Reboot and done. 

Misc IT Notes (2012.01.18)

Acer recovery partition password:  Saved in plain text in a file named aimdrs.dat at the root of the recovery partition. 

Mac: F12 ejects media from the optical drive during boot.

ERROR: "Windows cannot find '(null)'" when using IE.  FIX: uninstall and reinstall IE.

When installing SP1, error 0x800F0A12.  FIX (what I did): enabling automount did not fix the problem, and mountvol /e did not work.  Using diskpart to set the 100MB "System Reserved" partition to active resolved the problem.  

ERROR: When opening a link in Outlook, "This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator."  Resolution: Microsoft KB310049.

Microsoft’s Malicious Software Removal Tool Will Not Run


We ran into a problem while finishing a malware removal in which the Malicious Software Removal Tool (MSRT) would not run.  We first noticed the problem while downloading Windows updates: all the other updates would install, but Windows Update kept re-offering the August 2011 MSRT.  We tried many different things, such as resetting Windows Update, double checking for rootkits, rescanning the machine, manually checking files in %windir%, and an assortment of other things.  One of the things we tried was downloading the standalone MSRT from http://support.microsoft.com/kb/890830.  The file would download fine, but it would not run.  The extraction dialog boxes would show up, then just disappear.  Watching Task Manager while extracting the MSRT standalone package showed the package would start running and then just disappear.  We could not find any information in Event Viewer, mrt.log, or mrteng.log. 

We double checked the permissions on HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools to make sure access was not denied, since the MSRT package updates the Version subkey when a new version finishes successfully.  Our final idea was to take ownership of %windir%\system32\mrt.exe and rename the file to %windir%\system32\mrt.old.  To do this we used the following commands from an administrator command prompt:

takeown /f %windir%\system32\mrt.exe /a
icacls %windir%\system32\mrt.exe /grant Administrators:F
ren %windir%\system32\mrt.exe mrt.old

After successfully taking ownership and renaming the file, we reran the MSRT standalone package.  This time MSRT actually continued to run and allowed us to complete a scan.   After MSRT finished the scan, Windows Update stopped re-offering the August 2011 MSRT package and offered new Windows updates.   I am not sure whether the problem was actually permissions or a corrupted mrt.exe, since I was time crunched to fix the problem before the customer returned. 

No Sound in Flash Player


We had a customer bring in a Dell desktop for having sound everywhere except in Flash Player; the customer had already had two local repair shops and his IT guru son take a look at the problem, and none were able to actually fix it.  We looked at it for a few minutes with him in the store, but eventually convinced him we should check the computer in for repairs. 

The symptoms were sound everywhere except webpages using Flash Player.  The volume mixer did not show any devices other than the built-in sound device (a Realtek sound card).  Videos would download without any problems.  All the Windows Vista x64 sounds worked fine, as did any local media.

Attempted resolutions

Uninstall Flash player, and reinstalled — no effect

Flash player removal tool, and reinstall — no effect

After poking around for a little bit, we found the registry keys for sound drivers were missing from the registry.

All the entries under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 were missing.  A post on TechNet indicated that a missing "wavemapper" entry was often the cause of no sound in Flash Player.  We created a string value named "wavemapper" under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 with the data "msacm32.drv".  After a reboot, we still had no sound.  We looked under the 32-bit view of the key on x64, HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32, and found all the entries there were missing too.  So we exported a known good copy of both the native and the Wow6432Node Drivers32 keys.  After importing them and rebooting, there was still no sound.  One of our tools indicated that users did not have permission to read the registry keys, but it also showed that the keys existed; regedit, however, still showed the keys as missing.  I tried creating another copy of "wavemapper" in the Drivers32 key, but regedit threw up an error saying it already existed.

All the permissions on the registry keys looked okay, but I decided to look at the effective permissions.  Luckily, I picked the right account right off the bat: it turned out the Administrator account had Deny "Full Control" set.  I moved up to the key higher in the tree and found the Deny permission there.  After removing it and rebooting, sound worked perfectly.  That also explains the contradiction between the tool and regedit: a Deny entry is inherited down the tree and evaluated before the Allow entries, so the account it names loses access to everything below it even though each child key's own permissions look normal, while accounts it does not name are unaffected. 
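Why one Deny entry high in the tree hides everything below it from one account, while another account sees the keys fine, comes down to the order in which Windows evaluates a DACL.  The Python model below is an added example, not from the original post: it builds a constructed key tree with the stray Deny ACE on CurrentVersion, orders each key's ACEs the way Windows does (explicit before inherited, deny before allow, nearer ancestors first), and runs the standard access check once for an Administrator token and once for a SYSTEM token.  The SIDs, the tree, and the assumption that the scanning tool ran as SYSTEM are illustrative; the access-right constants are the winnt.h values.

```python
"""Model of the Windows DACL access check on a registry key tree.

Added example (not from the original post).  Shows why an inherited Deny for
one account makes child keys unreadable for it while SYSTEM still sees them,
and why an explicit Allow on the child would mask that Deny.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Registry access rights (values from winnt.h)
KEY_QUERY_VALUE = 0x0001
KEY_SET_VALUE = 0x0002
KEY_CREATE_SUB_KEY = 0x0004
KEY_ENUMERATE_SUB_KEYS = 0x0008
KEY_NOTIFY = 0x0010
KEY_CREATE_LINK = 0x0020
READ_CONTROL = 0x00020000
STANDARD_RIGHTS_ALL = 0x001F0000
KEY_READ = READ_CONTROL | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY
KEY_ALL_ACCESS = STANDARD_RIGHTS_ALL | 0x3F

# Well-known SIDs; the RID-500 Administrator SID below is a constructed local one
SYSTEM = "S-1-5-18"
ADMINISTRATORS = "S-1-5-32-544"
USERS = "S-1-5-32-545"
ADMINISTRATOR = "S-1-5-21-1000-2000-3000-500"


@dataclass
class Ace:
    allow: bool            # True = ACCESS_ALLOWED_ACE, False = ACCESS_DENIED_ACE
    sid: str
    mask: int
    inherited: bool = False  # set on copies propagated from a parent key


@dataclass
class Key:
    name: str
    explicit: List[Ace] = field(default_factory=list)  # ACEs set on this key itself
    parent: Optional["Key"] = None

    def dacl(self) -> List[Ace]:
        """Effective DACL in canonical order: this key's own ACEs (deny before
        allow), then the parent's effective DACL as inherited ACEs.  Appending the
        parent's list whole puts nearer ancestors before farther ones, as Windows does."""
        own = sorted(self.explicit, key=lambda a: a.allow)  # False (deny) sorts first
        inherited: List[Ace] = []
        if self.parent is not None:
            inherited = [Ace(a.allow, a.sid, a.mask, inherited=True) for a in self.parent.dacl()]
        return own + inherited


def access_check(dacl: List[Ace], token_sids: Set[str], desired: int) -> bool:
    """The AccessCheck walk: ACEs are read in order; ones whose SID is not in the
    token are skipped; a deny ACE overlapping any still-unsatisfied right fails the
    check at once; allow ACEs satisfy rights until none are left."""
    remaining = desired
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        if not ace.allow:
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


def build_tree() -> Dict[str, Key]:
    """Constructed slice of HKLM\\SOFTWARE\\Microsoft: a normal ACL on 'Windows NT',
    a stray Deny for Administrator on CurrentVersion (what the post found one level
    up), and nothing explicit on Drivers32 or the key below it."""
    windows_nt = Key("Windows NT", explicit=[
        Ace(True, SYSTEM, KEY_ALL_ACCESS),
        Ace(True, ADMINISTRATORS, KEY_ALL_ACCESS),
        Ace(True, USERS, KEY_READ),
    ])
    current_version = Key("CurrentVersion", parent=windows_nt, explicit=[
        Ace(False, ADMINISTRATOR, KEY_ALL_ACCESS),
    ])
    drivers32 = Key("Drivers32", parent=current_version)
    child = Key("Drivers32\\subkey", parent=drivers32)
    return {k.name: k for k in (windows_nt, current_version, drivers32, child)}


ADMIN_TOKEN = {ADMINISTRATOR, ADMINISTRATORS, USERS}  # groups in an Administrator logon
SYSTEM_TOKEN = {SYSTEM}                               # assumed for the scanning tool


def can_open(tree: Dict[str, Key], key: str, token: Set[str], desired: int = KEY_READ) -> bool:
    return access_check(tree[key].dacl(), token, desired)


def deny_sources(key: Key, sid: str) -> List[str]:
    """Walk up from key and name every ancestor carrying an explicit Deny for sid:
    the 'check Effective Permissions, then move up the tree' hunt from the post."""
    hits, node = [], key
    while node is not None:
        if any(not a.allow and a.sid == sid for a in node.explicit):
            hits.append(node.name)
        node = node.parent
    return hits


if __name__ == "__main__":
    tree = build_tree()
    for who, tok in (("Administrator", ADMIN_TOKEN), ("SYSTEM", SYSTEM_TOKEN)):
        print(f"{who:14} KEY_READ on Drivers32: {can_open(tree, 'Drivers32', tok)}")
    print("explicit Deny for Administrator found on:", deny_sources(tree["Drivers32"], ADMINISTRATOR))
```

The model also shows the trap in the other direction: an explicit Allow added to Drivers32 itself would be ordered ahead of the inherited Deny and hide the problem for that one key without fixing the ancestor, which is why removing the Deny where it was set is the right repair.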


fatal error c0000034 applying update operation at sud.dll

We had another employee's computer get this error while installing Service Pack 1 for Windows 7 x64.  After poking around for some answer about how to fix the problem, I found most people were having success with running dism /image:c: /cleanup-image /revertpendingactions in the Windows 7 Recovery Environment.  This seemed to be working for us, but ended up throwing "Error 2" and bailing out.  I pulled up x:\windows\logs\dism\dism.log and started searching through it for a possible answer.  

Near the middle of dism.log I found an error "Status_object_name_not_found" and a reference to the missing file in d:\windows\winsxs.  I pulled a good copy from another Windows 7 x64 SP1 machine.  Rerunning dism failed again with the same error, and the log showed the same "Status_Object_Name_Not_Found" error.  dism.log would also indicate a missing directory with the error "Status_Object_Path_Not_Found."  Between these two errors, my co-worker and I replaced between 200 and 300 files and directories.  

So the basic process from the command line in the Windows Recovery Environment was (x: is the recovery environment's own drive, d: the broken install, and g: the drive holding the known good copies):

dism /image:d: /cleanup-image /revertPendingActions
notepad x:\windows\logs\dism\dism.log
copy g:\windows\winsxs\PathTo\MissingFile.xxx d:\windows\winsxs\PathTo\MissingFile.xxx
robocopy g:\windows\winsxs\MissingDirectory d:\windows\winsxs\MissingDirectory /e   (for missing directories)
del x:\windows\logs\dism\dism.log

Once we replaced all the missing files in the Windows Recovery Environment, the computer started booting to Windows without any errors.  In Windows, we ran SFC from an administrative command prompt.  Reading through the SFC log the first time showed some missing files from SP1, which I replaced with known good copies from another Windows 7 box.  These first missing files were found with findstr /c:"[SR] Cannot" c:\windows\logs\cbs\cbs.log > c:\sfcResults.txt, which lists all the missing files in sfcResults.txt.  After fixing these, the findstr command no longer showed any errors, but SFC still said it had found unrepairable errors.  Searching manually through cbs.log, I found a reference to "Status_Object_Path_Not_Found."  After replacing the missing directory and rebooting, we ran SFC again; the findstr command above found more missing files, all in a single missing directory.  We replaced these, and that ended up being all of the missing files.   

One note: /revertPendingActions rolls back filesystem changes, not changes to the registry.  So Windows saw Service Pack 1 as installed, and 99% of the files we replaced by hand were for Service Pack 1.  We had thought about using System Restore, but there was no restore data.
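The loop above (run dism, read the log, copy the missing file, repeat) is where the 200 to 300 files went, so the log reading is worth automating.  The Python below is an added example, not from the original post: it extracts the winsxs paths from STATUS_OBJECT_NAME_NOT_FOUND and STATUS_OBJECT_PATH_NOT_FOUND lines in dism.log (the c0000034 in the title is STATUS_OBJECT_NAME_NOT_FOUND), pulls the file names out of the "[SR] Cannot repair member file" lines in cbs.log, and prints the copy / robocopy commands the post ran by hand.  The DISM_LOG and CBS_LOG samples are constructed to resemble those errors, and the component names in them are placeholders; real log lines carry more fields around the path, which is why the path regex is deliberately loose.

```python
"""Turn dism.log / cbs.log "not found" errors into the copy commands that restore them.

Added example (not from the original post).  The embedded log lines are constructed
to match the errors quoted in the post, not copied from a real machine.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample lines (not real log excerpts); shape follows the errors in the post.
DISM_LOG = r"""
2012-01-18 10:14:02, Info   DISM   DISM.EXE: Target image path: d:\
2012-01-18 10:14:07, Error  CSI    00000012 (F) STATUS_OBJECT_NAME_NOT_FOUND #4 from SysOpenFile(... name = ("\??\d:\Windows\winsxs\amd64_example-component_31bf3856ad364e35_6.1.7601.17514_none_0123456789abcdef\example.dll") ...)
2012-01-18 10:14:07, Error  CSI    00000013 (F) STATUS_OBJECT_PATH_NOT_FOUND #5 from SysOpenFile(... name = ("\??\d:\Windows\winsxs\amd64_other-component_31bf3856ad364e35_6.1.7601.17514_none_fedcba9876543210\other.dll") ...)
2012-01-18 10:14:08, Info   DISM   DISM Package Manager: Error 2
"""

CBS_LOG = r"""
2012-01-18 11:02:15, Info   CSI    000001a4 [SR] Cannot repair member file [l:22{11}]"example.dll" of Example-Component, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
2012-01-18 11:02:15, Info   CSI    000001a5 [SR] Cannot repair member file [l:20{10}]"second.dll" of Example-Component, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
2012-01-18 11:02:16, Info   CSI    000001a6 [SR] Verify complete
"""

STATUS_RE = re.compile(r"STATUS_OBJECT_(NAME|PATH)_NOT_FOUND")
# Optional NT prefix \??\ followed by a drive-letter path; stop at a quote, paren or space.
PATH_RE = re.compile(r"(?:\\\?\?\\)?([A-Za-z]:\\[^\"\s)]+)")
SR_RE = re.compile(r'\[SR\] Cannot repair member file \[[^\]]*\]"([^"]+)" of ([^,]+),')


def missing_from_dism(log: str) -> Dict[str, List[str]]:
    """Return {'files': [...], 'dirs': [...]}.  NAME_NOT_FOUND means the final
    component (the file) is absent; PATH_NOT_FOUND means a directory along the way
    is, so for those the logged file's directory is what has to be restored (if a
    directory higher up is also gone, the next dism run reports that one)."""
    found: Dict[str, List[str]] = {"files": [], "dirs": []}
    for line in log.splitlines():
        status = STATUS_RE.search(line)
        path = PATH_RE.search(line)
        if not status or not path:
            continue
        target = path.group(1)
        if status.group(1) == "PATH":
            target = target.rsplit("\\", 1)[0]
            bucket = "dirs"
        else:
            bucket = "files"
        if target not in found[bucket]:
            found[bucket].append(target)
    return found


def repair_commands(found: Dict[str, List[str]], good_drive: str = "g:", target_drive: str = "d:") -> List[str]:
    """Translate the missing paths into the copy / robocopy lines from the post, with
    the known good Windows on good_drive and the broken install on target_drive."""
    cmds = []
    for path in found["files"]:
        rel = path[2:]  # drop the drive letter and colon, keep the leading backslash
        cmds.append(f"copy {good_drive}{rel} {target_drive}{rel}")
    for path in found["dirs"]:
        rel = path[2:]
        cmds.append(f"robocopy {good_drive}{rel} {target_drive}{rel} /e")
    return cmds


def missing_from_cbs(log: str) -> List[Tuple[str, str]]:
    """(file name, component) for every '[SR] Cannot repair member file' line, the
    same lines the post's findstr /c:"[SR] Cannot" pass pulls out of cbs.log."""
    return [(m.group(1), m.group(2)) for m in SR_RE.finditer(log)]


if __name__ == "__main__":
    found = missing_from_dism(DISM_LOG)
    for cmd in repair_commands(found):
        print(cmd)
    for name, component in missing_from_cbs(CBS_LOG):
        print(f"SFC could not repair {name} (component {component})")
```

Point it at x:\windows\logs\dism\dism.log from the recovery environment instead of the embedded sample, run the printed commands, delete the log and rerun dism; each pass reports the next missing object until the revert completes.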