
Windows XP Firewall Exceptions list problem



#1 ognjen


Posted 12 August 2009 - 03:32 AM

Hi all,

I got malware several weeks ago, and I (hopefully) got rid of it using Sysinternals Autoruns and Avast antivirus.

Now everything works fine, except for the problem with the Windows firewall. I know this is not the best firewall on the market, and I could switch to another one, but still, I'm interested in locating the reasons for the behavior described below.

Namely, at the system restart I have 9 items in the Windows firewall Exceptions list:

[V] Azureus
[V] eclipse
[V] File and print sharing
[V] Java™ Platform SE binary
[V] Network Diagnostics for Windows XP
[V] psi
[ ] Remote Assistance
[V] Remote Desktop
[ ] UPnP framework

But, after 2-3 hours without restarting Windows, the list reverts to the old version that was active at the time I noticed malware (2-3 weeks ago):

[ ] ACServer
[V] Azureus
[V] Cain
[V] Checkhost
[V] eclipse
[V] File and print sharing
[V] File transfer program
[V] Hewlett-Packard Installer
[V] Java™ Platform SE binary
[ ] Java™ Platform SE binary
[V] Java™ Platform SE binary
[V] Java™ Platform SE binary
[V] Java™ Platform SE binary
[V] Java™ Platform SE binary
[V] Network Diagnostics for Windows XP
[V] Promo
[V] Promo
[V] Promo
[V] psi
[V] Remote Assistance
[V] Remote Desktop
[V] Skype
[V] Total Commander
[ ] UPnP framework
[V] VLC media player
[V] VNC server for Win32

(Note that I am aware of the risks connected with the usage of Azureus and Cain. These programs were not connected with the initial infection, and I will not use them during the problem solving.)

The "Promo" items were inserted by the earlier mentioned malware (C:\WINDOWS\Temp\_ex-68.exe), which was deleted a few weeks ago. The VNC server entry is also connected with an executable (D:\ultravnc\winvnc.exe) that was deleted earlier.

The behavior repeats. After restarting Windows, the list is short, and 2-3 hours later it gets longer (and check boxes are changed). It doesn't matter if the computer is used or if it's idle.

I'm using updated Windows XP SP3. The computer was fully scanned under safe mode, using: Avast Antivirus (latest), Kaspersky online scanner, Spybot Search & Destroy (latest), Malwarebytes Anti-Malware (latest), CCleaner, and RootkitRevealer. Sysinternals Autoruns shows nothing suspicious. Same with Task Manager and Process Explorer. Also, "netstat -an" and Active Ports look ok. They don't list TCP port 80 and UDP port 53, which the malware used to listen on.

In other words, I can't find any other erratic behavior except this problem with the Exceptions list.

Can you help me locate the source of this behavior?

Regards,
Ognjen

--

PS. Removed the log it is not necessary anymore. See the next message for details.

Edited by ognjen, 12 August 2009 - 06:50 AM.



#2 ognjen

Posted 12 August 2009 - 06:59 AM

I located the source for this behavior.

Windows Firewall has two profiles: Standard profile and Domain profile. One can list both of them from the command line:

>netsh firewall show all

Unfortunately, from the GUI it is not possible to tell which profile is active. In my case the Standard profile was active first, and after a delay of several hours, the Domain profile was activated.

Turning on the Network Location Awareness service changed this, so now the Domain profile is loaded during Windows boot.

Useful links:

http://lantoolbox.com/network-administrati...command-line/1/
http://www.frickelsoft.net/blog/?p=32
http://technet.microsoft.com/en-us/library/bb878049.aspx

And, of course:
http://en.wikipedia.org/wiki/Rubber_duck_debugging

Edited by garmanma, 12 August 2009 - 08:36 AM.
Moved to more appropriate forum~Help not needed~No logs posted
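The point of the second post is that the firewall keeps two separate exception lists, and the GUI only ever shows the one for the profile it currently considers active, so leftover entries can hide in the other profile. The script below is an added example, not code from the original thread, that makes that comparison mechanical: it parses the "Allowed programs configuration for ... profile" sections as printed by `netsh firewall show allowedprogram` (the same section appears in `netsh firewall show all`), reads the active profile from the "Profile =" line of `netsh firewall show state`, diffs the Standard and Domain lists, and flags exceptions whose program sits in a temp directory or is no longer on disk. The column layout, the sample text, and every program path other than the two the poster named (C:\WINDOWS\Temp\_ex-68.exe and D:\ultravnc\winvnc.exe) are assumptions constructed for illustration; run it on real output by feeding `netsh` text into the same functions.

```python
"""Compare Windows XP firewall exception lists across the Domain and
Standard profiles.

Added example for this thread; not code from the original post.  It parses
text in the layout produced by `netsh firewall show allowedprogram` (also
part of `netsh firewall show all`) and by `netsh firewall show state`.  That
layout and the sample text below are assumptions modelled on XP SP3 output,
not captured from the poster's machine.
"""
import os
import re
from collections import namedtuple

FwException = namedtuple("FwException", "profile mode name program")

# Constructed sample of `netsh firewall show allowedprogram` output.  The
# "Promo" and "VNC server for Win32" paths are the two the poster named; the
# other paths are invented for illustration.
SAMPLE_ALLOWED = """\
Allowed programs configuration for Domain profile:
Mode     Name / Program
-------------------------------------------------------------------
Enable   Azureus / C:\\Program Files\\Azureus\\Azureus.exe
Enable   Promo / C:\\WINDOWS\\Temp\\_ex-68.exe
Enable   Promo / C:\\WINDOWS\\Temp\\_ex-68.exe
Enable   VNC server for Win32 / D:\\ultravnc\\winvnc.exe
Enable   Remote Assistance / C:\\WINDOWS\\system32\\sessmgr.exe

Allowed programs configuration for Standard profile:
Mode     Name / Program
-------------------------------------------------------------------
Enable   Azureus / C:\\Program Files\\Azureus\\Azureus.exe
Disable  Remote Assistance / C:\\WINDOWS\\system32\\sessmgr.exe
"""

# Constructed sample of the first lines of `netsh firewall show state`.
SAMPLE_STATE = """\
Firewall status:
-------------------------------------------------------------------
Profile                           = Standard
Operational mode                  = Enable
Exception mode                    = Enable
"""

_SECTION = re.compile(r"^Allowed programs configuration for (\w+) profile:")
_ENTRY = re.compile(r"^(Enable|Disable)\s+(.+)$")
_PROFILE = re.compile(r"^Profile\s*=\s*(\w+)\s*$", re.MULTILINE)


def parse_allowed_programs(text):
    """Return {profile: [FwException, ...]}, keeping duplicates so a program
    listed several times (as "Promo" was) stays visible as such."""
    profiles = {}
    current = None
    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            profiles.setdefault(current, [])
            continue
        m = _ENTRY.match(line)
        if m and current is not None:
            # netsh prints "Name / Program"; split on the last " / " so a
            # display name containing a slash still parses.
            name, _, program = m.group(2).rpartition(" / ")
            profiles[current].append(
                FwException(current, m.group(1), name.strip(), program.strip()))
    return profiles


def active_profile(state_text):
    """Profile the firewall is currently applying, from `show state` output."""
    m = _PROFILE.search(state_text)
    return m.group(1) if m else None


def diff_profiles(profiles, left="Standard", right="Domain"):
    """Exceptions present in only one profile, plus those present in both but
    with a different Enable/Disable mode.  Keys are (name, program)."""
    l = {(e.name, e.program): e.mode for e in profiles.get(left, [])}
    r = {(e.name, e.program): e.mode for e in profiles.get(right, [])}
    only_left = sorted(set(l) - set(r))
    only_right = sorted(set(r) - set(l))
    mode_changed = sorted(k for k in set(l) & set(r) if l[k] != r[k])
    return only_left, only_right, mode_changed


def suspicious(entries, exists=os.path.exists):
    """Flag exceptions whose program lives in a temp directory or is missing
    on disk: both are what a cleaned-up infection leaves behind.  `exists`
    is injectable so the check can run without the real files present."""
    flagged = []
    for e in entries:
        low = e.program.lower()
        if "\\temp\\" in low or "\\tmp\\" in low:
            flagged.append((e, "program in temp directory"))
        elif not exists(e.program):
            flagged.append((e, "program missing on disk"))
    return flagged


if __name__ == "__main__":
    profiles = parse_allowed_programs(SAMPLE_ALLOWED)
    print("active profile:", active_profile(SAMPLE_STATE))
    only_std, only_dom, changed = diff_profiles(profiles)
    print("only in Domain:", only_dom)
    print("only in Standard:", only_std)
    print("mode differs:", changed)
    # Simulated disk state for the sample (assumption): only Azureus and
    # Remote Assistance still exist, as on the poster's cleaned machine.
    on_disk = lambda p: p.endswith(("Azureus.exe", "sessmgr.exe"))
    for e, why in suspicious(profiles["Domain"], exists=on_disk):
        print(f"[{e.profile}] {e.name} -> {e.program}: {why}")
```

On a real XP box the two inputs come from `netsh firewall show allowedprogram > allowed.txt` and `netsh firewall show state > state.txt`; the same lists also live under `HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile` and `...\StandardProfile`, which is where a cleanup should remove the stale entries from both profiles rather than only the one the GUI happens to display.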




