XP Home SP2 Windows firewall turned off at boot

parkhensley asked
4,245 Views
Last Modified: 2013-12-04
Running XP Home with SP2 and trying to keep Windows firewall running at all times. However, it is always coming up off on reboot. The Windows Firewall service is set to automatic and it does start automatically at bootup. What else needs to be done to get XP to retain the firewall on setting?

Thanks

Dushan De Silva, Technology Architect

Commented:
You can try Sygate firewall.

BR Dushan

Author

Commented:
Thanks, but I want to know why Windows firewall won't come up in the "on" state upon reboot.
r-k

Commented:
Does it stay on when you enable it manually?
Is this a new problem, or did you always have it this way?

Author

Commented:
It stays up until rebooting. I have just inherited this computer in my office and don't really know its history.
Paulo Pimenta, Project Manager

Commented:
"The Windows Firewall service is set to automatic and it does start automatically at bootup" - You mean to say that the service actually starts at reboot?
Did you check the user which starts the Windows Firewall Service? It could be other than LocalSystem and, if so, you need to update that user's password. It may have been changed.

Author

Commented:
Windows Firewall Service starts with user Local System and yes - its startup method is automatic and there's no problem with that. So the Windows Firewall Service is up and running at bootup, but the firewall tool shows the firewall to be "off". I also have several uninvited connections established on different ports when I do "netstat -a" from the command prompt.
r-k

Commented:
Is there anything of interest in the Event Viewer logs?
(Control Panel -> Admin Tools -> Event Viewer)

CERTIFIED EXPERT
Top Expert 2007
Commented:
Have you checked for viruses/trojans? They can also turn off the firewall.

You can eliminate the possibility of a virus being the culprit by running an antivirus scan with the latest virus definitions, or try Ewido:
Download and install the free version of Ewido anti-malware.
http://www.ewido.net/en/download/
Update first, then scan in safe mode.


Also, a HijackThis log might show something:
Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open HijackThis and click "Scan and save a logfile". Don't fix anything yet; just upload the logfile created. Go here and paste your HijackThis log, http://www.rafb.net/paste/
then at the bottom left corner click "paste".
Copy the address/URL and post it here.

Or copy and paste the log at
http://www.hijackthis.de/
and click "Analyse", then "Save". Post a link to the saved list here.


Author

Commented:
In answer to previous responses:

Event Viewer Security has some failed attempts at password change by the Help Assistant and some successful attempts at user account changing for Help Assistant and ASPNET. What is happening here, I haven't the foggiest clue. I don't see other things. Did a full system scan with Norton and it's negative, although yesterday it (Norton AV) popped up about 10 - 15 messages saying that it had automatically deleted a virus "hacker.exe" and "hacktool.exe".
r-k

Commented:
You may have a hidden rootkit. Just to be sure, download and run RootkitRevealer from:

 http://www.sysinternals.com/Utilities/RootkitRevealer.html

Save the log if it produces anything of interest, and let us know what it finds.
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
"but the firewall tool shows the firewall to be "off". I also have several uninvited connections established on different ports when I do "netstat -a" from the command prompt" - the firewall tool, do you mean the Security Center?
Give examples of what connections netstat -a does show.
Do a port scan at Symantec's http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym and submit the results.
I would follow what everyone has stated and do a full system scan (I recommend Panda Platinum trial, www.pandasoftware.com, which by the way has anti-rootkit technology among others).

After the scan is complete go to Start>run>services.msc>Windows firewall and right click it and select properties it should display "start" on service status and "automatic" on start-up type - if not select them and then click apply then okay.

Please let us know if none of this worked so we can try something else.  :)
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
Comment on "anti-root kit technology" - Only an offline scan from within a second system will bring reliable results. At "the hacker defender project" they offered films for download to show live that their latest version of hxdef fooled every one of the 12 leading rootkit revealers or whatever they call themselves.
First of all, you should download all the latest virus/antispyware/trojan and rootkit tools you can find, install them and update them to the fullest. Then, you need to UNPLUG YOUR COMPUTER FROM THE NETWORK, and start cleaning. The only way to keep attacks out while you're cleaning the system is to make sure they can't just come back. Your firewall is being disabled because of a trojan of some sort, that's almost certain. Make sure that you scan all of your computer's active accounts, administrators and standard users. Because of the way many programs operate, certain areas of the system aren't scanned because they are protected through the OS and abstracted between users. You should also do these scans in safe mode in addition to normal.

Now, when you think you finally have everything gone, it's time to check again. Make sure you have the tool "autoruns.exe" from Sysinternals; after it's done checking, look for anything you're not aware of that's running or set to run. The simplest way to handle this is to find a second computer and look up all the files that aren't listed as Microsoft something-or-other or some other trusted program, i.e. Java/Sun, AOL (though I don't like them), etc. If you find something that's listed as dangerous, you simply hit delete and remove it from that list. That will stop all the spyware from running on startup for sure. If you run into any snags, your only hope will be the delete-file-on-startup or delete-service options from hijackthis.exe; however, in my opinion your infection sounds bad enough that it's time to wipe the hard drive and start from scratch. After being compromised to this extent it's not likely you'll be able to recover back to 100%.

It really all depends on how sensitive the data on your computer is, and how much you want to work to resolve the issue. Also, as a note: if Norton found hacktool.exe on your machine, and you yourself do not use hacktools, i.e. pwdump.exe and others like it, your computer has been hacked. The only people who have those tools are those who know how to use them and do use them, and it sounds like you're not the type, no offense. Make sure you clean your machine when there's no internet connection. Good luck.

Author

Commented:
After doing all the suggestions here and getting what looks like a clean bill of health from all, there are still problems, so I have decided to do a clean install.

Let me get one thing clear: If I do netstat -a and see a connection labeled ESTABLISHED or LISTENING and the foreign IP address is from outside my network and I am not browsing the web or have any other connections that I know of external to my machine and my network, then does this mean that someone has gotten past the hw firewall and Windows firewall and is actively connected and therefore this is something I need to be concerned about?

Here is an example from netstat -a:

TCP MyMachineName:port# 129-171-5-17.kakui.Ifa.Hawaii.Edu:50609 ESTABLISHED.

Thanks,
r-k
Commented:
Well that depends on what machine you're connected to, and what port, etc.

If you do "netstat -ab" instead of "netstat -a" you'll get a lot more useful information, such as what program is involved in each connection.
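The question above (is an ESTABLISHED session to an outside address, with no browser open, something to worry about?) and the `netstat -ab` advice come down to two pieces of information per row: who the peer is, and which executable owns the socket. The script below is an added example written for this page, not code posted by anyone in the thread. It parses the output of `netstat -abo` (`-b` prints the owning executable on the following `[name]` line, `-o` adds the PID), separates listening ports from established sessions, and flags every established session whose peer is outside the private, loopback and link-local ranges. The sample output embedded in it is constructed: the 129.171.5.17 peer is the numeric form of the host name quoted above, and every other address, PID and process name is made up. Because XP's netstat resolves peer names unless run with `-n`, a peer that is printed as a DNS name rather than an address is treated as remote.

```python
import ipaddress
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the shape of `netstat -abo` on XP SP2. Only 129.171.5.17 comes
# from the thread (the host name quoted there, in numeric form); the rest is made up.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1012
  [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  [System]
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1520
  [alg.exe]
  TCP    192.168.1.23:1042      192.168.1.1:445        ESTABLISHED     4
  [System]
  TCP    192.168.1.23:1067      129.171.5.17:50609     ESTABLISHED     2104
  c:\\windows\\system32\\WS2_32.dll
  [unknown.exe]
  TCP    192.168.1.23:1099      64.233.167.99:80       ESTABLISHED     1844
  [iexplore.exe]
  UDP    0.0.0.0:445            *:*                                    4
  [System]
"""

# A connection row: proto, local, foreign, optional state (UDP has none), optional PID.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?(?:\s+(\d+))?\s*$")
# The [executable] line that -b prints under each row; DLL component lines may precede it.
OWNER = re.compile(r"^\s*\[(.+)\]\s*$")


@dataclass
class Conn:
    proto: str
    local_host: str
    local_port: Optional[int]
    foreign_host: str
    foreign_port: Optional[int]
    state: str                      # "" for UDP rows
    pid: Optional[int]
    process: str = ""               # executable from the [name] line
    components: List[str] = field(default_factory=list)   # DLLs listed above [name]


def _split(addr: str):
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)   # "*" and "" give None


def parse_netstat(text: str) -> List[Conn]:
    conns: List[Conn] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith(("Active", "Proto")):
            continue
        m = ROW.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            lh, lp = _split(local)
            fh, fp = _split(foreign)
            conns.append(Conn(proto, lh, lp, fh, fp, state or "", int(pid) if pid else None))
            continue
        if not conns:                # stray text before the first row
            continue
        o = OWNER.match(line)
        if o:
            conns[-1].process = o.group(1)
        else:
            conns[-1].components.append(line.strip())
    return conns


def is_external(host: str) -> bool:
    """True when the peer is a routable address outside this host and its LAN.
    A host that is not an IP literal is a name netstat resolved, so it is remote
    unless it is localhost."""
    if host in ("*", "") or host.lower() == "localhost":
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_unspecified or ip.is_multicast)


def external_established(conns: List[Conn]) -> List[Conn]:
    """ESTABLISHED sessions whose peer is outside the LAN, with the owning process."""
    return [c for c in conns if c.state == "ESTABLISHED" and is_external(c.foreign_host)]


def listening(conns: List[Conn]) -> List[Conn]:
    """TCP ports accepting inbound connections: what a firewall that is on should filter."""
    return [c for c in conns if c.state == "LISTENING"]


def report(conns: List[Conn]) -> str:
    lines = ["Listening TCP ports:"]
    for c in listening(conns):
        lines.append(f"  {c.local_host}:{c.local_port}  pid {c.pid} [{c.process}]")
    lines.append("Established sessions with peers outside the LAN:")
    for c in external_established(conns):
        lines.append(f"  {c.local_host}:{c.local_port} -> {c.foreign_host}:{c.foreign_port}"
                     f"  pid {c.pid} [{c.process}]")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: save `netstat -abo` output to a file and pass its path; with no argument
    # the constructed sample above is reviewed instead.
    text = (open(sys.argv[1], encoding="utf-8", errors="replace").read()
            if len(sys.argv) > 1 else SAMPLE_NETSTAT)
    print(report(parse_netstat(text)))
```

On the sample, the LAN session to 192.168.1.1:445 and the loopback listener are left alone, while the two sessions to public addresses are listed with their owning executables. A session owned by the browser to port 80 is what "I am browsing the web" looks like; a session to a high port owned by an executable nobody recognizes, on a machine whose firewall keeps switching itself off, is the case the thread is worried about. `netstat -b` needs an administrator command prompt, and on a machine suspected of carrying a rootkit the listing can be incomplete, which is why the later comments push for an offline scan or a rebuild rather than trusting the live system's own view.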