
group policy disables firewall - virus result


furball

Nov 2, 2005, 1:39:02 PM
How do you TURN ON the Acer Notebook OEM Windows XP SP2 Home Edition FIREWALL
when it has been TURNED OFF by a *digital criminal* who used GROUP POLICY?

What happens is when I try and change the firewall or Windows Security
settings it says it is being controlled by Group Policy. Windows XP SP2 Home
Edition does not have gpedit.msc. You can try Administrative Tools >>
Computer Management >> Services and I Clicked Startup *Automatic - it was
*Disabled, then Start. That still is ON but no Firewall.

**windows messages***
********************************************
Windows Firewall -General
For your security, some settings are controlled by Group policy

"Windows Firewall"
'Windows Firewall is turned off. Your network administrator is using Group
Policy to control these settings.'
********************************************

Happened as a result of new unknown virus/malware that includes::::
In C:\ these files.. (Delete)
sw.bat
is.bat
tb.exe
xe.exe
low.exe
mmxateam.exe
IELower.exe

In C:\Windows.. (Delete)
lsass.exe

(Real one is in C:\WINDOWS\SYSTEM32\lsass.exe)

Turn off system restore.

Delete all Browser Cache files

Delete all temp files

Use CCleaner if possible

**There may be other unknown files.

It turned off my Auto-updates and Windows Firewall. WinXP SP2 Home

Appears to be Reg Entries.... (Picked up by Spybot S&D)

Windows Security Center.SP2Update: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotAllowXPSP2!=dword:0

Windows Security Center.AntiVirusOverride: Settings (Registry change,
nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security
Center\AntiVirusOverride!=dword:0

Windows Security Center.FirewallOverride: Settings (Registry change, nothing
done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security
Center\FirewallOverride!=dword:0

Windows Security Center.FirewallDisableNotify: Settings (Registry change,
nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security
Center\FirewallDisableNotify!=dword:0

Windows Security Center.AntiVirusDisableNotify: Settings (Registry change,
nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security
Center\AntiVirusDisableNotify!=dword:0

Windows Security Center.UpdateDisableNotify: Settings (Registry change,
nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security
Center\UpdatesDisableNotify!=dword:0

IELower.exe is the compressed file silent installer - it appears as a
different NAME in each case. sw.bat fires the other files..

What happens is when I try and change the firewall or Windows Security
settings it says it is being controlled by Group Policy. I go into gpedit.msc
and I found the specific settings but Windows says it is unconfigured.

**WHAT DOES IT APPEAR TO DO?***

SLOWS YOUR INTERNET CONNECTION TO A CRAWL, SAY A FEW BYTES, WHILE UPLOADING
FROM YOUR COMPUTER.
----------------------------------------------------------------------------

~furball .::

Carey Frisch [MVP]

Nov 2, 2005, 1:57:42 PM
In your situation, a "clean install" of Windows XP
would be in order.

Clean Install Windows XP
http://www.michaelstevenstech.com/cleanxpinstall.html

--
Carey Frisch
Microsoft MVP
Windows - Shell/User
Microsoft Community Newsgroups
news://msnews.microsoft.com/

-------------------------------------------------------------------------------------------

furball

Nov 2, 2005, 2:31:06 PM
"Carey Frisch [MVP]" wrote:

> In your situation, a "clean install" of Windows XP
> would be in order.
>
> Clean Install Windows XP
> http://www.michaelstevenstech.com/cleanxpinstall.html
>
> --
> Carey Frisch
> Microsoft MVP
> Windows - Shell/User
> Microsoft Community Newsgroups
> news://msnews.microsoft.com/
>
> -------------------------------------------------------------------------------------------

That would be a serious overkill, and a solution of 'last resort.'

There are 44 patches applied from the Windows auto-updates that amount to
274 Mb and I'm on 56K dial-up. Not to mention all the programs to reinstall.

If you cannot restart the Windows Firewall without reinstalling Windows XP
SP2 Home Edition, then Microsoft have a lot to answer for.

What you're saying is: If your car won't start - buy another car!

Come on, anyone can take the easy way out. Even I can answer all these
discussion Group questions by saying reinstall Windows to every one. That's
a no-brainer.

(You'd have been better to say - Get another Firewall.)

Another easy way out.

Carey Frisch [MVP]

Nov 2, 2005, 2:44:36 PM
There is no telling how much damage the virus caused.
Viruses are designed to corrupt the operating system
and many times change registry permissions. They
even hide in "stealth mode", only to reappear at a later
date. Any good security expert will tell you this.

Microsoft offers free virus-related support for the U.S.
and Canada. Users can obtain this support by calling
1-866-PCSAFETY. You may wish to give them a call.

--
Carey Frisch
Microsoft MVP
Windows - Shell/User
Microsoft Community Newsgroups
news://msnews.microsoft.com/

-------------------------------------------------------------------------------------------

David H. Lipman

Nov 2, 2005, 3:16:17 PM
From: "furball" <fur...@discussions.microsoft.com>

| done)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotAllowXPSP2!

For non-viral malware...

Please download, install and update the following software...

Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
that may be on the PC.

BHODemon
http://www.definitivesolutions.com/bhodemon.htm

For viral malware...

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } 4 batch files, 6 Kixtart scripts, one Link
(.LNK) file, a PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using; Sophos, Trend, Kaspersky and McAfee Anti Virus Command
Line Scanners to remove viruses, Trojans and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


furball

Nov 2, 2005, 4:16:04 PM

--
~furball .::


"David H. Lipman" wrote:


'.. Microsoft offers free virus-related support for the U.S.
and Canada. ...'

I live in paradise; the City of Bayswater, Western Australia.

'.. NOTE: You may have to disable your software FireWall or allow WGET.EXE
to go through your
FireWall to allow it to download the needed AV vendor related files. ..'

I'm actually trying to start it, it is disabled. Someone sent down the Net
a Group Policy command to turn off the Firewall on my PC. And Home Edition
WinXP does not have the tools to override this.

I have WinXP SP2 and all update patches, plus up-to-date the following:::

CCleaner (Crap Cleaner)

RegClean 4.1a

Registry Mechanic

WinsockxpFix-restart xp firewall

CWShredder

Ad-Aware SE

SpywareBlaster

WinPatrol

Spybot - Search & Destroy

Microsoft AntiSpyware Beta


AVG Anti-Virus FREE Edition

-----------------------------------------------------------------------------

A lot of people have this same problem in different forums, and the advice
usually is complex. But the question is very simple:::

How do you turn on the Windows XP SP2 Firewall that has been disabled by an
unknown virus/malware that used a Group Policy setting?
_________________________________________________________________________

**And the answer is:- YOU CAN NOT.. (Not even Bill Gates can do it.)

I just downloaded............

Security Task Manager

Review
Security Task Manager provides detailed information about programs and
processes running on the computer. For each process it shows: file name,
directory path, description, start time, icon, and a unique security risk
rating based on analysis of hidden functions (keylogging, browser
surveillance, autostart entry, ...). The process viewer recognizes virtual
driver software, services, BHOs and stealth processes hidden from the Windows
Task Manager.
System Requirements: Pentium processor, 2 MB free disk space - Microsoft
operating system: Windows 9x/ME/NT/2000/XP/2003.

See if I can pick up any hidden stuff..

[Start Something - Microsoft] I am, I'm trying to start the Windows
firewall :)

David H. Lipman

Nov 2, 2005, 4:21:31 PM
From: "furball" <fur...@discussions.microsoft.com>

|

Never mind. I now agree with Carey Frisch [MVP].

Wipe the computer and reinstall WinXP HE SP2 from scratch !

Torgeir Bakken (MVP)

Nov 3, 2005, 4:52:14 AM
Hi,

See if the procedure Ramesh gives in the links below
works for you.

http://groups.google.com/group/microsoft.public.windowsxp.help_and_support/msg/de383a95bc9e3d5d?hl=en

http://groups.google.com/group/microsoft.public.windowsxp.general/browse_frm/thread/64d550eee57fa943/e9382e3215aeb3b6#e9382e3215aeb3b6


Regards,
Torgeir

furball wrote:


--
torgeir, Microsoft MVP Scripting, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx

furball

Nov 4, 2005, 4:08:06 PM

--
~furball .::


"Torgeir Bakken (MVP)" wrote:

_________________________________________________________________

* I CANNOT TRY THIS TILL I LOG OFF, BUT THANKS FOR THOSE TWO LINKS - THIS
MAY BE WHAT I AM LOOKING FOR..

Below is what I was going to post, before reading this. MARKED AS 'YES' IT
HELPED ME.
_________________________________________________________________

*Well, thanks for all your suggestions :)

[Beware the surgeon - When in doubt, cut it out.]

----------------------------------------------------------------
----------------------------------------------------------------

Rod Trent, manager of myITforum.com and Microsoft MVP is a leading expert on
Microsoft Systems Management Server. He has more than 18 years of IT
experience --
http://searchwin2000.techtarget.com/tip/1,289483,sid1_gci1000900,00.html

-----------------------------------------------------
Expert Knowledgebase - Sponsored by IBM


What is the alternative to GPEDIT.MSC for Windows XP Home edition? QUESTION
POSED ON: 15 FEB 2004
QUESTION ANSWERED BY: Bernie Klinder GPEDIT.MSC (Group Policy Editor) isn't
available on XP Home Edition, partly because XP Home cannot join a domain by
design. Although the tool is designed to be used in an Enterprise environment
running Active Directory, all it really does is make registry entries. So,
the best alternative is to edit the registry using Regedit. Be aware that
editing the registry incorrectly can make your system unbootable or cause
other issues, so proceed carefully before diving in!

---------------------------------------------------------------------------
---------------------------------------------------------------------------

*Question:: If XP Home Edition cannot join a domain, how does it receive
Group Policy commands?

*Where would the Group Policy Keys be, so I can delete them?

*This is my machine::

Run:: cmd

C:\>netsh firewall show state

Firewall status:
-------------------------------------------------------------------
Profile = Standard
Operational mode = Disable <<<<<<<************
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Group policy version = Windows Firewall
Remote admin mode = Disable

Ports currently open on all network interfaces:
Port Protocol Version Program
-------------------------------------------------------------------
No ports are currently open on all network interfaces.

C:\>

*netsh firewall set opmode ENABLE
>says OK
But Windows is lying.
Major flaw in Win XP SP2 Home Edition. Cannot override Group Policy. And
digital criminals have found out how to send the command via the Internet.

Best get Zone Alarm.

------------------------------
.::furball::. (aka Press any key)

[Reinstall Windows XP or reinvade Iraq, what to do, tough questions.]

johndp...@gmail.com

Nov 18, 2005, 3:28:10 PM
Ramesh's instructions on another site fixed my issue (Group Policy
firewall disabled)

Open Regedit.exe and navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
(and)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile

In the right-pane, delete the "EnableFirewall" value.

Close Regedit.exe and restart.
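An added example, not part of this thread: a PowerShell script that audits the registry values discussed above, the EnableFirewall policy value that Ramesh's fix deletes and the Security Center override values furball's Spybot scan flagged, and with -Fix undoes them. It assumes PowerShell is installed (not on XP by default in 2005) and is run elevated; as the fix says, reboot afterwards and confirm with `netsh firewall show state`.

```powershell
# Added example (not from the thread). Assumes elevated PowerShell; reboot after -Fix.
param([switch]$Fix)

# Policy keys from the thread: an "EnableFirewall" value here overrides the
# Control Panel and produces the "controlled by Group Policy" message, even
# on XP Home, which has no gpedit.msc to show it.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile',
    'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile'
)
# Security Center values the Spybot output listed; non-zero means the
# firewall/AV/update warnings are being suppressed or overridden.
$scKey    = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$scValues = 'AntiVirusOverride', 'FirewallOverride', 'FirewallDisableNotify',
            'AntiVirusDisableNotify', 'UpdatesDisableNotify'

$findings = @()
foreach ($key in $policyKeys) {
    if (Test-Path $key) {
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -ne $item.EnableFirewall) {
            $findings += "$key\EnableFirewall = $($item.EnableFirewall)"
            # Ramesh's fix: delete the policy value so the Control Panel setting applies again.
            if ($Fix) { Remove-ItemProperty -Path $key -Name 'EnableFirewall' }
        }
    }
}
if (Test-Path $scKey) {
    $sc = Get-ItemProperty -Path $scKey
    foreach ($name in $scValues) {
        $v = $sc.$name
        if ($null -ne $v -and $v -ne 0) {
            $findings += "$scKey\$name = $v"
            # Restore the default (0 = not overridden, notifications enabled).
            if ($Fix) { Set-ItemProperty -Path $scKey -Name $name -Value 0 -Type DWord }
        }
    }
}
if ($findings.Count -eq 0) {
    'No firewall policy override or Security Center tampering found.'
} else {
    'Suspicious values:'
    $findings
    if ($Fix) { 'Values removed/reset. Reboot, then run: netsh firewall show state' }
}
```

A non-zero finding with no domain membership (XP Home cannot join one) is itself the indicator the thread is asking about: nothing legitimate should have written a firewall policy there.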
