1 2 3 Previous Next 22 Replies Latest reply on Aug 23, 2013 11:53 AM by secured2k

    McAfee Firewall won't stay on and no internet connection

      Hi,

      On morning of 4th July this year I booted up my Windows 7 laptop machine and went to have breakfast.  When i came back the desktop displayed normally but i had no internet access.  I rebooted and after i pressed enter at login screen I had a black screen with cursor for about 20 minutes before desktop was displayed and a bubble popped up at the bottom left saying

       

      'Failed to connect to windows service - Windows could not connect to the System Event Notification Service service.  This service prevents standard ussers form logging on to the system. As an admistrative user, you can review the System Event Log details about why the service did not respond.'

       

      If i try to view event log i get an error. Also, when i went to run a scan using McAfee Security Center i get an error and all the options are greyed out.  Also, McAfee reports tha Firewall is on but when i got into settings it is Off.  It gives me options to turn on or restore defaults.  if i click turn on the Firewall flicks to on briefly and then back to off.

       

      Still during this time i have no internet access and i switched to another laptop for work commitments.

       

      On 5th July I used another laptop i downloaded RogueKiller v8.6.2 by Tigzy and under infection it listed ZeroAccess. After using RogueKiller and using it fix functionality i rebooted.  I still had the same behaviour (i.e. black screen with cursor, 20 minutes to display desktop and warning about System Event Notification service).  I ran RogueKiller again the same day and report came back clean.

       

      So it would seem i was infected with ZeroAccess but that i have removed it but i am still experience the problems above and have no internet connection.

       

      I have used McAfee Virtual Technician before but I can't get it to install on my infected laptop as it seems to need an internet connection.

       

      I was wondering if you would be able to spare some time to help me.  Thus far I have avoided a complete reinstall of windows7 as this is a work laptop with important data.

       

      I am a paid McAfee subscriber for 3 laptops.

       

      Many thanks.

      Simon

        • 1. Re: McAfee Firewall won't stay on and no internet connection
          Peter M

          It sounds like your machine picked up something while you were gone, was it connected to any particular website at the time?

           

          Have you tried System Restore to before it all started?  It can be started in Safe Mode if necessary.

           

          See the last link in my signature below for some hints and tools.

           

          I moved this provisionally to Malware Discussion > Home User Assistance as possibly a better spot for support.

           

           

          .

           

          Message was edited by: Ex_Brit on 17/07/13 6:18:14 EDT PM
          • 2. Re: McAfee Firewall won't stay on and no internet connection
            rmetzger

            Hi Simon,

            simonb79 wrote:

             

            If i try to view event log i get an error. Also, when i went to run a scan using McAfee Security Center i get an error and all the options are greyed out.  Also, McAfee reports tha Firewall is on but when i got into settings it is Off.  It gives me options to turn on or restore defaults.  if i click turn on the Firewall flicks to on briefly and then back to off.

            Sounds like several services have been disabled. Or maybe some underlying services are off and required for the network interface and firewall to work. This can happen when a 'cleanup' occurs, but does not re-enable some of the services.

             

            To view or diagnose the services, you must start the Services.msc program. Open a command prompt :

            Start > type or run 'cmd' > Ctrl-Shift-Enter (Answer Yes or Continue, if UAC is requested; give the administrator password if requested).

             

            Event Viewer relies on "Windows Event Log" (also called 'eventlog') to be running. Normally, it is set to Automatic and is Started. Eventlog has no dependencies. If is not running, 'Start' it and change the 'Startup Type' to 'Automatic.' Once running, check to see if you can open the Event Viewer and review the logs.

            simonb79 wrote:

            'Failed to connect to windows service - Windows could not connect to the System Event Notification Service service.  This service prevents standard ussers form logging on to the system. As an admistrative user, you can review the System Event Log details about why the service did not respond.'

            'System Event Notification Service service' (also called SENS} needs to be running (Started and Automatic), which depends on 'COM+ Event System' which relies on 'Remote Procedure Call (RPC),' 'DCOM Server Process Launcher,' and 'RPC Endpoint Mapper.' All of these should be started and automatic. If these are off, try starting them. If the fail to start, we may need to restore to a previous System Restore Point to a time prior to the infection.

            simonb79 wrote:

             

            If i try to view event log i get an error. Also, when i went to run a scan using McAfee Security Center i get an error and all the options are greyed out.  Also, McAfee reports tha Firewall is on but when i got into settings it is Off.  It gives me options to turn on or restore defaults.  if i click turn on the Firewall flicks to on briefly and then back to off.

            It may be necessary to reset the network and firewall settings in order to repair the damage.

             

            Document all desired TCP/IP and Firewall settings before continuing as they will be reset to default settings.

            Using the cmd console opened above, issue these commands (between the [code] and [/code].

            [code]

                 NETSH INT IP RESET .\RESETTCP.LOG

                 NETSH WINSOCK RESET

                 NETSH FIREWALL RESET

            [/code]

             

            This will reset the firewall to using Microsoft's built-in firewall. However, this may be desirable for a short while. Access the Internet, then download and run the McAfee Virtual Technician. You may also need to run your McAfee Security Center setup routines as well.

             

            Report back on how you are doing.

             

            Thanks,

            Ron Metzger

            • 3. Re: McAfee Firewall won't stay on and no internet connection

              Hi Ron,

              Thanks for your reply and below is an update on my progress.

               

              I tried starting windows event log I get error "Windows could not start the Windows Event Log service on Local Computer Error 1747: The authentication service is unknown."

              I checked the other services that you mention:

              • SENS - says starting and i can't do anything as it is greyed out and it is set to automatic
              • Remote Procedure Call (RPC) status is started and it is set to automatic and options are greyed out
              • DCOM Server Process Launcher status is started and it is set to automatic and options are greyed out
              • RPC Endpoint Managaer status is started and it is set to automatic and options are greyed out.

               

              By greyed out I mean on the context menu when i right-click the options to 'Start', 'Stop' etc are greyed out.

               

              I also tried running these commands:

              [code]

              NETSH INT IP RESET .\RESETTCP.LOG

              NETSH WINSOCK RESET

              NETSH FIREWALL RESET

              [/code]

               

              During the running of each command the first thing to appear is this message:

               

              "Initialization Function InitHelperDll in NSHHTTP.DLL failed to start with error code 11003"

               

              However, the command appears to run successfully with the exception of 'NETSH FIREWALL RESET'.  I get message saying that  netsh firewall is deprecated and to use netsh advfirewall firewall.  So i ran the command 'netsh advfirewall reset' and it retuns message - 'An error occurred while attempting to contact the Windows Firewall service. Make sure that the service is runningand try your request again.'

               

              I tried to start Windows Firewall service through services.msc but i get an error.

               

              I am also attaching the logs files from RogueKiller from 5th July and again from the 10th July so you can see what it found.  In particular both show 'Error reading LL2 MBR!' . 

              I also ran Hitman Pro using Early Warning Scoring, as i don't have internet connection, last night and it returned the following:

               

              'IRP_MJ_SCSI kernel-mode hook on atapi.sys detected.  The device stack of the hard disk is referencing a hidden driver. This could affect the detection of malicious files.'

               

              I know wonder if this could be something infected the MBR as reboots never seem to make any difference.

               

              Thanks in advance for all your help.

               

              Simon

              • 4. Re: McAfee Firewall won't stay on and no internet connection
                rmetzger

                Hi Simon,

                 

                Though I am not comfortable (positive or negative) with the RougeKiller product logs, the reported MBR issue is concerning.

                 

                MBR issues or not, you may be able to restore a System Restore Point to a time prior to the infection, assuming that a restore point exists back then.

                 

                What did HitMan Pro repair? Did it give you an option to repair the MBR? What else did it find?

                 

                Here is a link to 7Forums regarding MBR repair:

                http://www.sevenforums.com/tutorials/20864-mbr-restore-windows-7-master-boot-rec ord.html

                 

                Thanks,

                Ron Metzger

                 

                Message was edited by: rmetzger on 7/19/13 3:36:54 AM EDT
                • 5. Re: McAfee Firewall won't stay on and no internet connection

                  There is a free specialty tool from Kaspersky called TDSSKiller which will detect and remove many rootkits and boot record infections. You can download it here:

                   

                  Main Information: http://support.kaspersky.com/5350?el=88446

                  Direct Download: http://media.kaspersky.com/utilities/VirusUtilities/EN/tdsskiller.exe

                   

                  In the case some system files have been replaced or deleted, you should run the Windows System File Checker.

                  You can do this by typing the following command into an Administrative Command Prompt.

                   

                  SFC /SCANNOW

                   

                  This command will check and attempt to repair any damaged Windows files.

                  • 6. Re: McAfee Firewall won't stay on and no internet connection

                    Hi secured2k,

                     

                    Thank you for your reply and I am sorry for my late reply but I have been away and with work commitments it meant i had to setup another laptop to get up and running.  However, I stil want to fix the issue that I am experiencing.

                     

                    I will try and download TDSSKiller and run it.  Should I run it it Safe Mode or from command line?

                     

                    I will also run the Windows System File Checker.  Should I be looking for anything in particular in the results?

                     

                    I will post my progress here once I have done it.

                    • 7. Re: McAfee Firewall won't stay on and no internet connection

                      Hi Ron,

                       

                      Thanks for your reply and sorry for my late reply.

                       

                      I did not get an option to repair anything using Hitman Pro.  I don't have internet connection so can't run a normal scan as it requires internet connection.  Instead i have to run it in 'Force Breach' mode and run Early Warning Scoring (EWS) and it find the issue with atapi.sys as described above.

                       

                      I have tried system restore but issue still persists.

                       

                      I did try the MBR restore as per your link and I did receive an error after one of the commands so don't think it was successfull.  I will try and remember the error or  will try it again.

                       

                      Do you have any further suggestions?

                      • 8. Re: McAfee Firewall won't stay on and no internet connection
                        rmetzger

                        Hi Simon,

                        simonb79 wrote:

                         

                        I have tried system restore but issue still persists.

                         

                        I did try the MBR restore as per your link and I did receive an error after one of the commands so don't think it was successfull.  I will try and remember the error or  will try it again.

                        That error message is a concern. Please retry the MBR restore and report the error message here. Also, report the actual command line you used to restore the MBR.

                         

                        Since you have run SFC /scannow, what messages it returned?

                        Can you retry this again:

                        [code]

                        NETSH INT IP RESET .\RESETTCP.LOG

                        NETSH WINSOCK RESET

                        NETSH FIREWALL RESET

                        [/code]

                        Do you still get the error message?

                         

                        Secured2k has a good idea on using TDSSkiller. You should be able to run this booting normally. What does it say?

                         

                        Thanks,

                        Ron Metzger

                        • 9. Re: McAfee Firewall won't stay on and no internet connection

                          You may run TDSSKiller in normal or safe mode. The application has it's own graphical user interface.

                           

                          The system file checker (SFC) will run in a console window (Command Prompt) and will either report no issues were found, issues were found and repaired (reboot required), or issues found and not repaired.

                           

                          Resetting TCP/IP Using the commands Ron Metzger just posted may also help in the case some settings have been corrupted.

                          1 2 3 Previous Next