Solved

XP Home SP2 Windows firewall turned off at boot

Posted on 2006-03-26
Last Modified: 2013-12-04
Running XP Home with SP2 and trying to keep Windows firewall running at all times. However, it is always coming up off on reboot. The Windows Firewall service is set to automatic and it does start automatically at bootup. What else needs to be done to get XP to retain the firewall on setting?

Thanks
Question by:parkhensley
17 Comments
 
LVL 17

Expert Comment

by:Dushan De Silva
ID: 16294457
you can try with sygate firewall.

BR Dushan
0
 

Author Comment

by:parkhensley
ID: 16294489
Thanks, but I want to know why Windows firewall won't come up in the "on" state upon reboot.
0
 
LVL 32

Expert Comment

by:r-k
ID: 16294515
Does it stay on when you enable it manually?
Is this a new problem, or did you always have it this way?

0

 

Author Comment

by:parkhensley
ID: 16294702
It stays up until rebooting. I have just inherited this computer in my office and don't really know its history.
0
 
LVL 17

Expert Comment

by:paulop1975
ID: 16295351
"The Windows Firewall service is set to automatic and it does start automatically at bootup" - You mean to say that the service actually starts at reboot?
Did you check the user which starts the Windows Firewall Service? Could be other than LocalSystem and, if so, you need to update that user's password. It may have been changed.
0
 

Author Comment

by:parkhensley
ID: 16295979
Windows Firewall Service starts with user Local System and yes - its startup method is automatic and there's no problem with that. So the Windows Firewall Service is up and running at bootup, but the firewall tool shows the firewall to be "off". I also have several uninvited connections established on different ports when I do "netstat -a" from the command prompt.
0
 
LVL 32

Expert Comment

by:r-k
ID: 16296236
Is there anything of interest in the Event Viewer logs?
(Control Panel -> Admin Tools -> Event Viewer)

0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 100 total points
ID: 16296322
Have you checked for viruses/trojans? They can also turn off the firewall.

You can eliminate the possibility of virus being the culprit by running an antivirus scan with the latest virus definitions, or try Ewido:
Download and install the free version of Ewido anti-malware.
http://www.ewido.net/en/download/
Update first then scan in safe mode.


Also, a hijackthis log might show something;
Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open HijackThis and click "scan and save a logfile". Don't fix anything yet, just upload the logfile created: go here and paste your HijackThis log, http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:

Or copy and paste the log at;
http://www.hijackthis.de/ 
and click "Analyse", "Save".  Post a link to the saved list here.
0
 

Author Comment

by:parkhensley
ID: 16297302
In answer to previous responses:

Event Viewer Security has some failed attempts at password change by the Help Assistant and some successful attempts at User Account changing for Help Assistant and ASPNET. What is happening here, I haven't the foggiest clue. I don't see other things. Did a full system scan with Norton and it's negative although yesterday it (Norton AV)  popped up about 10 - 15 messages saying that it had automatically deleted a virus "hacker.exe" and "hacktool.exe".
0
 
LVL 32

Expert Comment

by:r-k
ID: 16297722
You may have a hidden rootkit. Just to be sure, download and run RootkitRevealer from:

 http://www.sysinternals.com/Utilities/RootkitRevealer.html

Save the log if it produces anything of interest, and let us know what it finds.
0
 
LVL 57

Assisted Solution

by:McKnife
McKnife earned 200 total points
ID: 16300417
"but the firewall tool shows the firewall to be "off". I also have several uninvited connections established on different ports when I do "netstat -a" from the command prompt" - the firewall tool, do you mean the security center?
Give examples of what connections netstat -a does show.
Do a portscan at symantec's http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym and submit the results.
0
 
LVL 1

Assisted Solution

by:Vittorio301
Vittorio301 earned 100 total points
ID: 16300532
I would follow what everyone has stated and do a full system scan (I recommend Panda Platinum trial www.pandasoftware.com which by the way has anti-root kit technology among others).

After the scan is complete, go to Start>run>services.msc>Windows firewall, right click it and select properties. It should display "start" on service status and "automatic" on start-up type - if not, select them and then click apply then okay.

Please let us know if none of this worked so we can try something else.  :)
0
 
LVL 57

Assisted Solution

by:McKnife
McKnife earned 200 total points
ID: 16300634
Comment on "anti-root kit technology" - Only an offline scan from within a second system will bring reliable results. At "the hacker defender project" they offered films for download to show live that their latest version of hxdef fooled every one of the 12 leading rootkit revealers or whatever they call themselves.
0
 
LVL 9

Accepted Solution

by:
maninblac1 earned 800 total points
ID: 16301436
First of all, you should download all the latest virus/antispyware, trojan and rootkit tools you can find, then install and update them to the fullest.  Then, you need to UNPLUG YOUR COMPUTER FROM THE NETWORK, and start cleaning.  The only way to keep attacks out while you're cleaning the system is to make sure they can't just come back.  Your firewall is being disabled because of a trojan of some sort, that's almost certain.  Make sure that you scan all of your computer's active accounts, administrators, and standard users.  Because of the way many programs operate, certain areas of the system aren't scanned because they are protected through the OS and abstracted between users.  You should also do these scans in safe mode in addition to normal.

Now, when you think you finally have everything gone, it's time to check again. Make sure you have the tool "autoruns.exe" from Sysinternals; after it's done checking, look for anything you're not aware of that's running or set to run.  The simplest way to handle this is to find a second computer and look up all the files that aren't listed as Microsoft something or other or some other trusted program, i.e. JAVA/SUN, AOL (though I don't like them) etc.  If you find something that's listed as dangerous, you simply hit delete and remove it from that list.  That will stop all the spyware from running on startup for sure.  If you run into any snags, your only hope will be the delete file on startup or delete service from hijackthis.exe; however, in my opinion your infection sounds bad enough that it's time to wipe the hard drive and start from scratch. After being compromised to this extent it's not likely you'll be able to recover back to 100%.

It really all depends on how sensitive the data on your computer is, and how much you want to work to resolve the issue.  Also as a note, if Norton found hacktool.exe on your machine, and you yourself do not use hacktools, i.e. pwdump.exe and others like it, your computer has been hacked.  The only people who have those tools are those who know how to use them and do use them, and it sounds like you're not the type, no offense.  Make sure you clean your machine when there's no internet connection, good luck.
0
 

Author Comment

by:parkhensley
ID: 16306558
After doing all the suggestions here and getting what looks like a clean bill of health from all, there are still problems, so I have decided to do a clean install.

Let me get one thing clear: If I do netstat -a and see a connection labeled ESTABLISHED or LISTENING and the foreign IP address is from outside my network and I am not browsing the web or have any other connections that I know of external to my machine and my network, then does this mean that someone has gotten past the hw firewall and Windows firewall and is actively connected and therefore this is something I need to be concerned about?

Here is an example from netstat -a:

TCP MyMachineName:port# 129-171-5-17.kakui.Ifa.Hawaii.Edu:50609 ESTABLISHED.

Thanks,
0
 
LVL 32

Assisted Solution

by:r-k
r-k earned 400 total points
ID: 16306611
Well that depends on what machine you're connected to, and what port, etc.

If you do "netstat -ab" instead of "netstat -a" you'll get a lot more useful information, such as what program is involved in each connection.
0
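The triage discussed in the last two posts (LISTENING versus ESTABLISHED, and which program owns each connection), as an added example that is not part of the original thread. It assumes the output was captured with `netstat -abn` (the `-n` switch added so addresses are numeric); the sample text, the program names in it and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in `netstat -abn` layout (not from the thread); 203.0.113.77 is a documentation address.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    192.168.1.20:1042      192.168.1.5:445        ESTABLISHED
 [System]
  TCP    192.168.1.20:3127      203.0.113.77:50609     ESTABLISHED
 [hypothetical-unknown.exe]
"""

CONN = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?(?:\s+(\d+))?\s*$")
OWNER = re.compile(r"^\s*\[(.+)\]\s*$")
INSIDE = [ipaddress.ip_network(n) for n in "127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16".split()]

def parse(text):
    """One dict per connection row; the owner comes from the [name] line that follows it."""
    conns = []
    for line in text.splitlines():
        m = CONN.match(line)
        if m:
            conns.append(dict(zip(("proto", "local", "foreign", "state", "pid"), m.groups()), owner=None))
        elif conns and conns[-1]["owner"] is None and OWNER.match(line):
            conns[-1]["owner"] = OWNER.match(line).group(1)
    return conns

def is_inside(endpoint):
    """True only when the address is numeric and in loopback, RFC 1918 or link-local space."""
    host = endpoint.rpartition(":")[0].strip("[]")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a host name or "*": cannot be proven internal
        return False
    return any(ip in net for net in INSIDE)

def listeners(text):
    """LISTENING rows: a local port waiting for connections, with nobody connected yet."""
    return [(c["local"], c["owner"] or "unknown") for c in parse(text) if c["state"] == "LISTENING"]

def outside_sessions(text):
    """ESTABLISHED rows whose remote end is not inside: live sessions whose owner should be identified."""
    return [(c["owner"] or "unknown", c["local"], c["foreign"]) for c in parse(text)
            if c["state"] == "ESTABLISHED" and not is_inside(c["foreign"])]
```

Rows reported by `outside_sessions` are the ones to match against known programs; an owner of "unknown" means netstat could not name the process and the row needs a closer look.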
