xp home sp2 - can't enable firewall

Guest

I have an XP Home notebook, fully up-to-date with MS patches, McAfee AV,
adaware pro with adwatch running in real time.

Last week my daughter picked up something that came in from an AIM session
where a 'buddy' sent her a link. I found rootkit-J trojan virus among other
things, and went through an extensive cleanup operation including McAfee,
adaware, malwarebouncer, spybot, crapcleaner, hijackthis, msantispyware.

Now all seems clean and the msantispyware AND adwatch are both running in
realtime.... BUT...

The windows firewall is turned off, and I can't turn it on. It says that
this is being controlled by a group policy.

I found references on this forum to a virus that does this and followed the
instructions at
http://securityresponse.symantec.com/avcenter/venc/data/w32.dopbot.html
modifying a number of registry entries, but no good so far. I also
downloaded and installed
http://www.dougknox.com/xp/utils/xp_securityconsole.htm and this did not have
any settings for enabling the firewall.

I honestly think the pc is clean right now, I just need to get the firewall
working again...

HELP!?!?!?!

Joe B...
 
Torgeir Bakken (MVP)

Joe said:
I have an XP Home notebook, fully up-to-date with MS patches, McAfee AV,
adaware pro with adwatch running in real time.

Last week my daughter picked up something that came in from an AIM session
where a 'buddy' sent her a link. I found rootkit-J trojan virus among other
things, and went through an extensive cleanup operation including McAfee,
adaware, malwarebouncer, spybot, crapcleaner, hijackthis, msantispyware.

Now all seems clean and the msantispyware AND adwatch are both running in
realtime.... BUT...

The windows firewall is turned off, and I can't turn it on. It says that
this is being controlled by a group policy.

I found references on this forum to a virus that does this and followed the
instructions at
http://securityresponse.symantec.com/avcenter/venc/data/w32.dopbot.html
modifying a number of registry entries, but no good so far. I also
downloaded and installed
http://www.dougknox.com/xp/utils/xp_securityconsole.htm and this did not have
any settings for enabling the firewall.

I honestly think the pc is clean right now, I just need to get the firewall
working again...

HELP!?!?!?!

Hi,

Put the VBScript below in a .vbs file and run it by double-clicking
on it (it will set a couple of registry values).

It will display the message "Done, please reboot computer" when it
has run.


'--------------------8<----------------------
' Set the Windows Firewall policy value EnableFirewall to 1 (enabled)
' for both the domain profile and the standard profile.
Set oShell = CreateObject("WScript.Shell")

oShell.RegWrite "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall" _
& "\DomainProfile\EnableFirewall", 1, "REG_DWORD"

oShell.RegWrite "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall" _
& "\StandardProfile\EnableFirewall", 1, "REG_DWORD"

' The change takes effect after a reboot.
MsgBox "Done, please reboot computer", vbSystemModal+vbInformation

'--------------------8<----------------------
 
Guest

Thanks torgeir, I'll try that as soon as I get home...

By the way... The registry values your script is setting look familiar.
When I tried the instructions I found at
http://securityresponse.symantec.com/avcenter/venc/data/w32.dopbot.html
they included the following:

Navigate to the subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\
DomainProfile
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\
StandardProfile
In the right pane, reset the value:
"EnableFirewall" = "0x00000000"

It appears that your script sets these 2 values at "1" while the
instructions above set them to "0". Am I reading this correctly? Rather than
the script, can I simply set these two values to "1"? Or is the script doing
something else?

To use your script, I assume that I paste everything including the
'-----8<--- lines into a text file and name it something.vbs, then double
click the file?

Thanks again, and I'll let you know how I make out.

Joe Barry
 
Torgeir Bakken (MVP)

Joe said:
Thanks torgeir, I'll try that as soon as I get home...

By the way... The registry values your script is setting look familiar.
When I tried the instructions I found at
http://securityresponse.symantec.com/avcenter/venc/data/w32.dopbot.html
they included the following:

Navigate to the subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\
DomainProfile
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\
StandardProfile
In the right pane, reset the value:
"EnableFirewall" = "0x00000000"

It appears that your script sets these 2 values at "1" while the
instructions above set them to "0". Am I reading this correctly?

Yes. Setting those two values to 0 disables the FW, crazy that
Symantec have that in their instructions. I think they have made
an error and really meant 1.

Rather than the script, can I simply set these two values to "1"?
Yes.


Or is the script doing something else?
No.


To use your script, I assume that I paste everything including
the '-----8<--- lines into a text file and name it something.vbs,
then double click the file?

Yes.
 
Guest

Torgeir...

You were correct, when I set those 2 registry settings to '1' I was able to
turn on the firewall.

I'm less certain now that I'm completely clean, as I've had a couple of
additional strange things (rootkit?) happen since the other day. I'm posting
my hijackthis log on a couple of spyware forums to get some feedback.

Thanks again for the firewall help.

Joe B...
 
Guest

I went to the reg & got my firewall on, which is the important thing, but if I
wanted to turn it off I'd have to go back to the reg to do it or run a script,
which I must not be doing right. How or where do I "turn off" group
policies? With my limited understanding of GP they're a good thing, but I don't
need them in my 2 or 3 computer world.
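
A read-only check of the two policy values discussed in this thread, as an added example that is not part of any post above and is not Torgeir's script. It reports, for each profile, whether EnableFirewall is absent, 0 or 1; the report wording and the DescribePolicy helper name are this example's own.

```vbscript
' Added example: read-only audit of the Windows Firewall policy values
' discussed in this thread. It writes nothing to the registry.
Option Explicit

Const POLICY_ROOT = "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\"

Dim oShell, profile, report
Set oShell = CreateObject("WScript.Shell")

report = ""
For Each profile In Array("DomainProfile", "StandardProfile")
    report = report & profile & ": " & DescribePolicy(profile) & vbCrLf
Next

MsgBox report, vbInformation, "Windows Firewall policy audit"

' Hypothetical helper: describes the EnableFirewall policy value
' found under one profile subkey.
Function DescribePolicy(profileName)
    Dim value, errNum

    ' RegRead raises an error when the key or value is missing,
    ' so capture the error number instead of letting the script stop.
    On Error Resume Next
    value = oShell.RegRead(POLICY_ROOT & profileName & "\EnableFirewall")
    errNum = Err.Number
    On Error GoTo 0

    If errNum <> 0 Then
        DescribePolicy = "EnableFirewall not set (no policy value present)"
    ElseIf Not IsNumeric(value) Then
        DescribePolicy = "EnableFirewall holds unexpected non-numeric data"
    ElseIf CLng(value) = 0 Then
        DescribePolicy = "EnableFirewall = 0 (firewall forced OFF by policy)"
    ElseIf CLng(value) = 1 Then
        DescribePolicy = "EnableFirewall = 1 (firewall forced ON by policy)"
    Else
        DescribePolicy = "EnableFirewall = " & value & " (unexpected value)"
    End If
End Function
```

A value of 0 on a machine that is not managed by a domain administrator is worth treating as a sign that something other than the user changed the setting.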
 
