• Status: Solved
  • Priority: Medium
  • Security: Public

Group Policy disables Firewall -- but PC is not part of a domain or network?

It's a friend's Windows XP HE laptop system.  It was majorly infected with spyware, malware, trojans.  Cleaning up is coming along nicely, but I'm finally at the point where I want to reconnect to the internet, and have discovered there's a group policy preventing my turning on the firewall (the XP default).  This PC isn't part of a network, or under domain control, as far as I can tell.  Something or somebody got control as a domain administrator and set the policy, which I now can't unset (XP Home Edition doesn't support group policies, and there are no available snap-ins).

I've installed ZA personal edition as a stop-gap, but would like to clean up the mess this has probably made in the registry.

Can anyone help me out here?

Thanks,
lefty
Asked by leftymlb

MiguelSilvestre commented:
Hi lefty,

View the content of this key:

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\CURRENTVERSION\POLICIES

Miguel

leftymlb (Author) commented:
Miguel, I am looking at the Registry key for Policies as you suggested.  There are three keys (NonEnum, Ratings, System).

Under NonEnum,
Name={0DF-44EEA-FF21-4412-828E-250A8728E7F1}
Data=0x00000020 (32)

Name={6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}
Data=0x40000021 (1073741857)

Name={BDEADF00-C265-11D0-BCED-00A0C90AB50F}
Data=0x00000001 (1)

Under Ratings, nothing defined.

Under System,
Name=dontdisplaylastusername
Data=0x00000000 (0)

Name=legalnoticecaption

Name=legalnoticetext

Name=shutdownwithoutlogon
Data=0x00000001 (1)

Name=undockwithoutlogon
Data=0x00000001 (1)


Doesn't look like anything to do with group policy.  Is there another place to look?

lefty

DRZCM commented:
It is possible that some malware is maintaining the setting on off.  Try starting up with a bare-bones system, or use Task Manager to stop any but known processes.  I assume you are using SP2.  If it is a program that is emulating a domain server connection, you might be able to identify which one it is by a process of elimination.

Try logging in as "administrator" (press ctrl-alt-del twice in quick succession at the log in screen if it is not an option) and see if you can change the firewall setting from the security center in the control panel.

Dr. Z

Tolomir (Administrator) commented:
I got 2 group policies (windows xp pro sp2)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects

and

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy

and one for the desktop

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

and a 3rd

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft

---

Alright, maybe it helps to reinstall SP2. I see no need to uninstall it first, just install it again.

Tolomir
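
The policy locations Tolomir lists above are the right places to look. As an added example, not code from this thread and not the fix Microsoft support later applied (the thread never records what that was), here is a Python script that parses a regedit / reg.exe export and reports any policy values that would force Windows Firewall off, then writes the .reg fragment that removes them. It assumes the firewall's policy-enforced settings live under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile and \StandardProfile, with a DWORD EnableFirewall of 0 meaning "forced off"; those values are read by the firewall service whether or not gpedit.msc exists on the edition, which is an assumption about the poster's machine rather than something the thread confirms. The embedded export is constructed.

```python
r"""Find Windows Firewall policy values that force the firewall off in a
regedit / reg.exe export, and build a .reg fragment that removes them.

Added example, not code from the thread.  Assumptions: policy-enforced
firewall settings live under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\<profile>
and a DWORD EnableFirewall=0 there means "forced off".  SAMPLE_EXPORT is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

FIREWALL_POLICY_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall"
PROFILES = ("DomainProfile", "StandardProfile")

# Policy values that pin the firewall state no matter what the Security
# Center UI is asked to do: value name -> the data that means "locked".
LOCKDOWN_VALUES = {
    "EnableFirewall": 0,        # firewall forced off
    "DoNotAllowExceptions": 1,  # exception list forced closed
}

_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')

RegTree = Dict[str, Dict[str, object]]


def parse_reg_export(text: str) -> RegTree:
    """Parse the subset of the .reg format regedit exports use: [key] headers,
    "name"=dword:xxxxxxxx and "name"="string".  Hex continuation lines are skipped."""
    tree: RegTree = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        key_match = _KEY_RE.match(line)
        if key_match:
            current = None if key_match.group(1) == "-" else key_match.group(2)
            if current is not None:
                tree.setdefault(current, {})
            continue
        if current is None or raw[:1].isspace():   # junk before first key, or hex(...) continuation
            continue
        value_match = _VALUE_RE.match(line)
        if not value_match:
            continue
        name = value_match.group(1) if value_match.group(1) is not None else "@"
        data = value_match.group(3).strip()
        if data.lower().startswith("dword:"):
            tree[current][name] = int(data[6:], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            tree[current][name] = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            tree[current][name] = data   # hex(...) and friends: keep the raw text
    return tree


def _lookup(tree: RegTree, key: str, name: str) -> Tuple[Optional[str], object]:
    """Case-insensitive lookup: the registry ignores case, exports keep whatever the writer used."""
    for k, values in tree.items():
        if k.lower() == key.lower():
            for n, data in values.items():
                if n.lower() == name.lower():
                    return n, data
    return None, None


def find_firewall_lockdowns(tree: RegTree) -> List[Tuple[str, str, int]]:
    """Return (key, value name, data) for each profile value that locks the firewall."""
    hits = []
    for profile in PROFILES:
        key = f"{FIREWALL_POLICY_ROOT}\\{profile}"
        for wanted, locked in LOCKDOWN_VALUES.items():
            name, data = _lookup(tree, key, wanted)
            if name is not None and data == locked:
                hits.append((key, name, data))
    return hits


def removal_reg(hits: List[Tuple[str, str, int]]) -> str:
    """Build a .reg fragment deleting only the offending values ("name"=- is
    regedit's delete-value syntax, so importing it needs regedit, not gpedit)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in sorted({k for k, _, _ in hits}):
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=-' for k, name, _ in hits if k == key)
        lines.append("")
    return "\n".join(lines)


def load_export(path: str) -> RegTree:
    """regedit and reg.exe write exports as UTF-16 with a BOM."""
    with open(path, encoding="utf-16") as fh:
        return parse_reg_export(fh.read())


# Constructed export, standing in for: reg export "HKLM\SOFTWARE\Policies\Microsoft" policies.reg
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000
"DisableNotifications"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"LegalNoticeText"="Property of ACME"
"""

if __name__ == "__main__":
    import sys
    tree = load_export(sys.argv[1]) if len(sys.argv) > 1 else parse_reg_export(SAMPLE_EXPORT)
    found = find_firewall_lockdowns(tree)
    for key, name, data in found:
        print(f"{key}\\{name} = {data}")
    print(removal_reg(found) if found else "no firewall lockdown policy values found")
```

On the affected machine, export the policy hive with reg.exe (`reg export "HKLM\SOFTWARE\Policies\Microsoft" policies.reg`), run the script against the file, and review the generated fragment before importing it with regedit. Since the thread suspects malware was re-applying the setting, expect the values to reappear after a reboot unless the process writing them has already been removed, which makes re-running the check after cleanup a useful confirmation step.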

leftymlb (Author) commented:
I'm using procexp.exe to do as DRZCM has suggested, however, it's not yielding results yet.  

I also suspect malware -- there was a LOT of infestation on this system, and I'm still trying to ditch W32.PINFI (Symantec SystemWorks 2004 keeps finding it, and won't heal or quarantine the files it finds, and then I'm darned if I can find the files it identifies out on the disk anywhere), without much success yet.

It makes perfect sense that somebody got control and then remotely configured the firewall to disable it, however, I have been logged in (Safe Mode, as Administrator) and can't bypass the group policy setting (which doesn't make any sense to me, because I thought Home Edition wasn't supposed to support Group Policy settings).

Any suggestions for other diagnostic procedures I should be using?

Thanks,
lefty

Tolomir (Administrator) commented:
Alright, first get rid of the remaining spyware.

try this: http://www.sophos.com/support/disinfection/pedis.html

1. Disinfecting PE executables in Windows NT/2000/XP/2003

On a lightly infected computer running Windows NT/2000/XP/2003, where no significant services have become infected, it may be possible to run SAV32CLI from a command prompt with the -DI switch.

First, check the recovery instructions in the virus analysis for any extra measures you should take before (and after) disinfecting. Also, check to see if you need an IDE file. If you do, download it and save it to a floppy disk.

Download an emergency copy of SAV32CLI. On an uninfected Windows computer, run this file to extract the contents into a SAV32CLI folder on a medium that can be write-protected. Add any relevant IDEs to this folder and write-protect the disk (on a CD/R or CD/RW close the session).

Now close down all possible programs and services, then open a command prompt.

-----
On Windows 2000/XP/2003

    * Go to Start|Shut Down.
    * Select 'Restart' from the dropdown list and click 'OK'. Windows will restart.
    * Press F8 when you see the following text at the bottom of the screen "For troubleshooting and advanced startup options for Windows 2000, press F8".
    * In the Windows 2000 Advanced Options Menu, select the third option "Safe Mode with Command Prompt".
    * When requested, logon as local administrator.
    * When Windows 2000/XP/2003 has started in Safe Mode, insert the write-protected disk from which you are using SAV32CLI.

At the command prompt type

    E:

where E: is the drive in which you placed the SAV32CLI disk.

Type:

    CD SAV32CLI

Now type:

    SAV32CLI -DI -P=C:\VIRUSLOG.TXT

to disinfect all fixed drives.

The command above runs SAV32CLI, which scans all of the directories and files on your PC, including subdirectories. Files which the virus has infected are cleaned and a report is made of them in the root of the C: drive. SAV32CLI will disinfect all files that can be disinfected.

All other files must be deleted. Some of these were dropped by the virus and need not be restored. Others should be recovered from backups.

    SAV32CLI -REMOVE -P=C:\REMOVLOG.TXT

This command writes a report to the root of the C: drive. This report can be used to check which deleted files should be restored from backups.

In Windows NT when disinfection and deletion have finished, type 'Explorer' to restart the Windows Desktop.

In Windows 2000/XP/2003 when disinfection and deletion have finished, restart the computer in Windows.

Install or reinstall Sophos Anti-Virus then run an 'All files' scan to check that the virus has gone.
System Restore and Windows XP

Note: This will delete any previously created restore points.

    * Infected files may be found in the System Restore area in Windows XP.
    * Go to Start|Control Panel|Performance and Maintenance.
    * Double-click 'System', then select the System Restore tab.
    * Click to select the 'Turn off System Restore on all drives' box.
    * Click 'Apply'.
    * Click 'Yes'.
    * Now click to clear the 'Turn off System Restore on all drives' box.
    * Click 'OK'.
    * Restart the computer.

If the virus has not gone, contact Sophos technical support.

Infected files may not always be restored to their original state. A file that has been disinfected cannot be guaranteed to function correctly. In order to recover files to their original state, they should be subsequently restored from backups, new media or a clean computer.

---
Btw. try Microsoft AntiSpyware or Spybot Search and Destroy, but try to get rid of Symantec. I mean, you can stick with it if you want a 2 GHz computer to perform like a 400 MHz one...

Tolomir

Tolomir (Administrator) commented:
This might help too:

Turn off System Restore, boot in Safe Mode, scan again and repair. Using regedit, go to

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer

In the right pane, delete the value PINF, then exit the Registry Editor and empty the temp folders. :)

leftymlb (Author) commented:
yep... did all those things, Tolomir, about 8 hours ago.  Didn't help.  There is NOTHING in the Registry showing "PINF," and I have used about 10 different removal tools, none of which have brought success.  I'm starting to think Symantec's giving me a false positive.  SAVCLI isn't helping me.

Regardless, my biggest issue is the bogus Group Policy setting for the firewall, and I'd like to stay focused on that one.  

Thanks,
leftymlb

Tolomir (Administrator) commented:
So enabling in system settings is not possible?


Tolomir (Administrator) commented:
maybe this helps:

How to Use the Group Policy Results (GPResult.exe) Command Line Tool
Published: October 25, 2001

Intended for administrators, the Group Policy Results (GPResult.exe) command line tool verifies all policy settings in effect for a specific user or computer. Administrators can run GPResult on any remote computer within their scope of management. By default, GPResult returns settings in effect on the computer on which GPResult is run.

To run GPResult on your own computer:

1. Click Start, Run, and enter cmd to open a command window.

2. Type gpresult and redirect the output to a text file as shown in Figure 1 below:

http://www.microsoft.com/windowsxp/using/setup/expert/gpresults.mspx


leftymlb (Author) commented:
Tolomir, maybe I'm not being clear -- the machine in question is running Windows XP HOME EDITION.  There are no administration tools on that OS, and according to Microsoft, group policies aren't supported under that edition of XP. GPRESULT is a group administrator tool.  It doesn't exist under Windows XP home edition.

That's the trouble.  When I try to enable the default XP firewall, it opens with a message that the group policy prevents enabling.  This machine is not part of a network, and there is no controlling server (as far as I know).  What I want to do is brute-force find and remove the offending entry (or entries) that prevent enabling that firewall.

In the meantime, I've installed ZoneAlarm, which works fine, and has allowed my friend back on the internet.  Also, I did manage to clean up all the spyware/malware/virii -- I only have this one thing left to do.

Regards,
Lefty

Tolomir (Administrator) commented:
Ok, didn't know what files are available under xp home.

The file Gpresult could have existed.

You could check with Regmon; maybe this way you get a clue which registry keys are checked before the message pops up.

http://www.sysinternals.com/ntw2k/source/regmon.shtml

Regmon is a Registry monitoring utility that will show you which applications are accessing your Registry, which keys they are accessing, and the Registry data that they are reading and writing, all in real time. This advanced utility takes you one step beyond what static Registry tools can do, to let you see and understand exactly how programs use the Registry. With static tools you might be able to see what Registry values and keys changed. With Regmon you'll see how the values and keys changed.

Regmon works on Windows NT/2000/XP/2003, Windows 95/98/Me and Windows 64-bit for Itanium and x64.

leftymlb (Author) commented:
Regmon wasn't useful.  I finally gave up, and my friend contacted Microsoft for paid assistance.  Turns out, it was indeed a munged up setting, but not in a place anyone would have figured out without knowing the Windows XP internals.  

The problem is fixed; XP Home Edition does not support group policies; and the firewall has been activated again.

Let's hope he stays clean from here forward.

Lefty

Tolomir (Administrator) commented:
Could you please post the recommendations from MS, or is that top secret?

Tolomir

leftymlb (Author) commented:
Sorry, I don't have the solution.  

My friend paid cash for the support (using his credit card), and the answer went to him in his email. I got a call on Saturday evening, telling me he'd solved the problem through what MS did.  I only have sketchy details, but it sounded like a reset of some registry keys -- after which he did a reboot and "everything worked right again."  

I didn't have the nerve to ask him for the full text of the solution, since I'd already assured him we'd find the answer through Experts Exchange (I'm the one who pays $$ for access to this site).  

lefty