XP Home SP2 Windows firewall turned off at boot

Running XP Home with SP2 and trying to keep Windows firewall running at all times. However, it is always coming up off on reboot. The Windows Firewall service is set to automatic and it does start automatically at bootup. What else needs to be done to get XP to retain the firewall on setting?


Dushan De Silva (Technology Architect) Commented:
You can try the Sygate firewall.

BR Dushan
parkhensley (Author) Commented:
Thanks, but I want to know why Windows firewall won't come up in the "on" state upon reboot.
Does it stay on when you enable it manually?
Is this a new problem, or did you always have it this way?


parkhensley (Author) Commented:
It stays up until rebooting. I have just inherited this computer in my office and don't really know its history.
Paulo Pimenta (Project Manager) Commented:
"The Windows Firewall service is set to automatic and it does start automatically at bootup" - You mean to say that the service actually starts at reboot?
Did you check the user which starts the Windows Firewall Service? It could be other than LocalSystem and, if so, you need to update that user's password. It may have been changed.
parkhensley (Author) Commented:
Windows Firewall Service starts with user Local System and yes - its startup method is automatic and there's no problem with that. So the Windows Firewall Service is up and running at bootup, but the firewall tool shows the firewall to be "off". I also have several uninvited connections established on different ports when I do "netstat -a" from the command prompt.
Is there anything of interest in the Event Viewer logs?
(Control Panel -> Admin Tools -> Event Viewer)

Have you checked for viruses/trojans? They can also turn off the firewall.

You can eliminate the possibility of virus being the culprit by running an antivirus scan with the latest virus definitions, or try Ewido:
Download and install the free version of Ewido anti-malware.
Update first then scan in safe mode.

Also, a HijackThis log might show something:
Please download HijackThis 1.99.1
Open HijackThis, click "scan and save a logfile", don't fix anything yet, just upload the logfile created. Go here and paste your HijackThis log: http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:

Or copy and paste the log at;
and click "Analyse", "Save".  Post a link to the saved list here.
parkhensley (Author) Commented:
In answer to previous responses:

Event Viewer Security has some failed attempts at password change by the Help Assistant and some successful attempts at User Account changing for Help Assistant and ASPNET. What is happening here, I haven't the foggiest clue. I don't see other things. Did a full system scan with Norton and it's negative although yesterday it (Norton AV)  popped up about 10 - 15 messages saying that it had automatically deleted a virus "hacker.exe" and "hacktool.exe".
You may have a hidden rootkit. Just to be sure, download and run RootkitRevealer from:


Save the log if it produces anything of interest, and let us know what it finds.
"but the firewall tool shows the firewall to be "off". I also have several uninvited connections established on different ports when I do "netstat -a" from the command prompt" - the firewall tool, do you mean the security center?
Give examples of what connections netstat -a does show.
Do a portscan at Symantec's http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym and submit the results.
I would follow what everyone has stated and do a full system scan (I recommend Panda Platinum trial www.pandasoftware.com which by the way has anti-root kit technology among others).

After the scan is complete go to Start>run>services.msc>Windows firewall and right click it and select properties it should display "start" on service status and "automatic" on start-up type - if not select them and then click apply then okay.

Please let us know if none of this worked so we can try something else.  :)
Comment on "anti-root kit technology" - Only an offline scan from within a second system will bring reliable results. At "the hacker defender project" they offered films for download to show live that their latest version of hxdef fooled every one of the 12 leading rootkit revealers or whatever they call themselves.
First of all, you should download all the latest virus/antispyware, trojan and rootkit tools you can find, then install and update them to the fullest.  Then, you need to UNPLUG YOUR COMPUTER FROM THE NETWORK, and start cleaning.  The only way to keep attacks out while you're cleaning the system is to make sure they can't just come back.  Your firewall is being disabled because of a trojan of some sort, that's almost certain.  Make sure that you scan all of your computer's active accounts, administrators, and standard users.  Because of the way many programs operate, certain areas of the system aren't scanned because they are protected through the OS and abstracted between users.  You should also do these scans in safe mode in addition to normal.

Now, when you think you finally have everything gone, it's time to check again. Make sure you have the tool "autoruns.exe" from Sysinternals; after it's done checking, look for anything you're not aware of that's running or set to run.  The simplest way to handle this is to find a second computer and look up all the files that aren't listed as Microsoft something or other or some other trusted program, i.e. JAVA/SUN, AOL (though I don't like them) etc.  If you find something that's listed as dangerous, you simply hit delete and remove it from that list.  That will stop all the spyware from running on startup for sure.  If you run into any snags, your only hope will be the delete file on startup or delete service from hijackthis.exe. However, in my opinion your infection sounds bad enough that it's time to wipe the hard drive and start from scratch; after being compromised to this extent it's not likely you'll be able to recover back to 100%.

It really all depends on how sensitive the data on your computer is, and how much you want to work to resolve the issue.  Also as a note, if Norton found hacktool.exe on your machine, and you yourself do not use hacktools, i.e. pwdump.exe and others like it, your computer has been hacked.  The only people who have those tools are those who know how to use them and do use them, and it sounds like you're not the type, no offense.  Make sure you clean your machine when there's no internet connection, good luck.

parkhensley (Author) Commented:
After doing all the suggestions here and getting what looks like a clean bill of health from all, there are still problems, so I have decided to do a clean install.

Let me get one thing clear: If I do netstat -a and see a connection labeled ESTABLISHED or LISTENING and the foreign IP address is from outside my network and I am not browsing the web or have any other connections that I know of external to my machine and my network, then does this mean that someone has gotten past the hw firewall and Windows firewall and is actively connected and therefore this is something I need to be concerned about?

Here is an example from netstat -a:

TCP MyMachineName:port# 129-171-5-17.kakui.Ifa.Hawaii.Edu:50609 ESTABLISHED.

Well that depends on what machine you're connected to, and what port, etc.

If you do "netstat -ab" instead of "netstat -a" you'll get a lot more useful information, such as what program is involved in each connection.
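As an added example that is not part of the original thread: a small Python triage script for saved `netstat -ab` output, separating LISTENING rows (a local port is open, nobody is connected yet) from ESTABLISHED sessions whose remote end lies outside the local address ranges, and attaching the owning program to each. The sample rows, addresses, PIDs and program names are constructed, and the last sample row uses the name-resolved form that netstat prints without `-n`.

```python
import ipaddress
import re

# Constructed sample (netstat -abn layout); addresses, PIDs, programs are invented.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
  [svchost.exe]
  TCP    192.168.1.20:1041      192.168.1.5:445        ESTABLISHED     4
  [System]
  TCP    192.168.1.20:1207      203.0.113.45:50609     ESTABLISHED     1812
  [unknown.exe]
  TCP    192.168.1.20:1300      host.example.net:80    ESTABLISHED
"""

ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z][A-Z_0-9]*))?(?:\s+(\d+))?\s*$")
OWNER = re.compile(r"^\s*\[(.+)\]\s*$")
# Unspecified, loopback, link-local and RFC 1918 ranges count as "inside".
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "10.0.0.0/8",
              "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]

def parse(text):
    """Turn netstat rows into dicts; a following [program] line names the owner."""
    conns = []
    for line in text.splitlines():
        row, owner = ROW.match(line), OWNER.match(line)
        if row:
            conns.append(dict(zip(("proto", "local", "foreign", "state", "pid"),
                                  row.groups()), exe=None))
        elif owner and conns:
            conns[-1]["exe"] = owner.group(1)
    return conns

def is_external(foreign):
    host = foreign.rsplit(":", 1)[0]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host != "*"  # a resolved DNS name: treat as outside until checked
    return not any(ip in net for net in LOCAL_NETS)

def established_external(text):
    """ESTABLISHED TCP sessions whose remote end is outside the local ranges."""
    return [c for c in parse(text) if c["proto"] == "TCP"
            and c["state"] == "ESTABLISHED" and is_external(c["foreign"])]

def listeners(text):
    """Local ports waiting for connections, with the program that opened them."""
    return [(c["local"], c["exe"]) for c in parse(text) if c["state"] == "LISTENING"]
```

Rows returned by `established_external` with no owner, or with a program nobody in the office recognises, are the ones to look up from a second, clean machine before deciding how far the cleanup has to go.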