
Win Firewall Disabled By "group Policy" +++



#1 OzzieBrian

Posted 08 October 2006 - 02:04 AM

Hi,

Heaps of problems -- most sorted (?), hope you can help.

Started about 3-weeks ago, with three disasters all at once:

1) Lost broadband
2) Lost one of my two drives
3) Various - unrelated? - malware symptoms

1) Broadband
The source of this is the ISP going out of business. Have sorted that out and am certain that the cause was nothing to do with my computer!

2) My 3-month old Seagate 160 GB IDE drive won't boot -- not even recognised by BIOS. Have tried it on another machine, including moving jumpers. Drive gets quite hot -- as if the motor is trying to spin the drive, but can't? Seems to definitely be something wrong with the drive, but hard to believe that all of this is just coincidence. While it is under warranty, I would really like to recover the data (no, no backup -- wife is very unhappy) (wife did report it making a funny noise earlier, that then went away and then came back again). Any suggestions re software, etc. would be welcome. I did come across a company called Salvation Data, that has some freeware and some not cheap full-version packages, that would seem to offer some hope even when BIOS fails to recognise the drive...

3) Malware
A week or two before all of this, started getting warnings from virus software (Windows Live One Care), that a file "b.exe" was trying to execute and had been quarantined. Regrettably, I ignored it, as I figured it had been safely sequestered. While One Care did prevent the file from launching -- I think -- my research now suggests that something was generating it; it did keep regenerating.

I have been through lots of scans, fixes, etc. The other nasty (besides tracking cookies, etc.) I came across was drsmart. From reading, sounds like this might be the trojan that let other stuff through?

Have made several attempts to get win firewall running. Not real desperate to get it going, as I have replaced with Zone Alarm, but it bothers me that I can't get it up again. Could just be damage to the software, but it looks as if something keeps "breaking" it again. This makes me think I'm not clean, which is my real worry.

This fix from the Windows website appears to work -- temporarily:

Contact Help Center
Windows Live OneCare Firewall service could not start."
Print or make a note of these steps, and then close all the programs on your computer.
On the Start menu, click Run.
Type sysdm.cpl, and then press ENTER.
On the Advanced tab, click Environment Variables.
In the System variables box, click PATH, and then click Edit.
In the Variable value box, add ;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\WBEM at the end of any existing value. Make sure that you include the semicolon at the beginning.
Click OK, and then restart your computer.
If the problem persists:
On the Start menu, click Run.
Type Regsvr32 %SystemRoot%\System32\wbem\wmidcprv.dll, and then press ENTER.
Restart your computer

The correction to the environment variable seems to stick. Registering the dll appears to work, in that the computer on re-start shows the 1-care icon in the system tray as "green". However, when you open 1-care, the firewall is actually off. 1-care is not able to start the firewall (long delay). If you open the win firewall control panel (run firewall.cpl), the radio buttons to turn it on and off are greyed out and it says at the top that they are being controlled by group policy. However, if you go to the group policy area, all the settings appear to be OK.

The registry does show the following keys, which appear to be associated with a few worms:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
"EnableFirewall" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
"EnableFirewall" = "0"

Tried deleting those keys, but they come back again...

Besides reports of malware related to these symptoms, also seem to be WOLC problems with XP SP2. Not so worried about the latter, but do want to make sure I am clean...

Have done all of the suggested checks & scans:
- AdAware SE
- Spybot
- Housecall.
- Panda &
- Bit Defender on-line virus scans
- Stinger

Running Zone Alarm and all Win components should be up to date (via WOLC).

Have posted HijackThis log below. Also read an earlier posting that sounded similar:

http://www.bleepingcomputer.com/forums/t/34748/windows-firewall-cant-turn-it-on/

Based on that, also ran:
- RootKit revealer (got short log, then ran in safe mode)
Have that log to post if you want (ran it a while ago -- could run fresh).

THANKS !! Brian


Logfile of HijackThis v1.99.1
Scan saved at 3:32:30 PM, on 8/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Gizmo Project\mDNSResponder.exe
C:\Program Files\Guardware\GWPUM\updsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\iShield.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\IObit\Advanced WindowsCare V2\Awc.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\Program Files\ClipMate6\ClipMate.exe
C:\PROGRA~1\INTERN~2\mum.exe
F:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\RSSMate\RSSMate.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
F2 - REG:system.ini: Shell=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: EventIntercept Class - {3050CDCA-E35E-4696-A544-8B0A589CE885} - C:\WINDOWS\system32\ISIEEdit.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - (no file)
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [eBayToolbar] "C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [iShield] C:\WINDOWS\system32\iShield.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [pumcfgp] "C:\Program Files\Guardware\GWPUM\proxycfg.exe" /ie
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Advanced WindowsCare V2 Personal] "C:\Program Files\IObit\Advanced WindowsCare V2\Awc.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ClipMate6] "F:\Program Files\ClipMate6\ClipMate.exe"
O4 - HKCU\..\Run: [InternodeUsage] C:\PROGRA~1\INTERN~2\mum.exe
O4 - HKCU\..\Run: [RssMate] C:\PROGRA~1\RSSMate\RSSMate.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: + &Mass Downloader: download this file - K:\Program Files\Mass Downloader\Add_Url.htm
O8 - Extra context menu item: + Mass Downloader: download &All files - K:\Program Files\Mass Downloader\Add_All.htm
O8 - Extra context menu item: Add this site to iShield black list - C:\WINDOWS\system32\isBRclick.htm
O8 - Extra context menu item: Add this site to iShield white list - C:\WINDOWS\system32\isWRclick.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/...nSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/.../wuweb_site.cab?1121869961395
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat.../muweb_site.cab?1144654527374
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://web1.nugs.net/dev/dlControl.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF5316F5-1ED2-4F41-AE7A-65A1F2DCB98F}: NameServer = 192.168.1.254
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - F:\Program Files\Gizmo Project\mDNSResponder.exe
O23 - Service: Guardware Product Update Service - APIIT R&D Sdn Bhd - C:\Program Files\Guardware\GWPUM\updsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MSMPSVC - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe" -n 4 (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
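As an added illustration (not code from the thread, the poster, or BleepingComputer), the following read-only PowerShell script audits the three things the post above works through: whether the system PATH contains the three directories the OneCare support steps append, whether the Policies\Microsoft\WindowsFirewall\*\EnableFirewall values the post quotes are present and forcing the firewall off (compared against the local, non-policy setting), and a short watch loop that timestamps any change to those policy values, which is what you want when, as the poster says, deleted keys "come back again". It assumes PowerShell 3 or later on a supported Windows rather than the XP SP2 machine in the post; the two firewall policy paths are the ones quoted in the post, and the Session Manager environment key and the SharedAccess FirewallPolicy key are standard Windows locations.

```powershell
# Added example; not code from the thread or from BleepingComputer.
# Read-only audit of:
#   1. the PATH entries the OneCare support steps add,
#   2. the Policies\...\WindowsFirewall\<profile>\EnableFirewall values that
#      grey out firewall.cpl, next to the local (non-policy) setting,
#   3. a watch loop that timestamps any change to those policy values.
# Assumes PowerShell 3+. Paths under $FirewallPolicyRoot are the ones quoted
# in the post; the other two keys are standard Windows registry locations.

$FirewallPolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$LocalFirewallRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$SessionEnvKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'

function Test-SystemPathEntries {
    # Compare the machine-wide PATH (the value sysdm.cpl edits) against the
    # three directories the support steps in the post append.
    $raw = (Get-ItemProperty -Path $SessionEnvKey -Name 'Path').Path
    $present = @($raw -split ';' | Where-Object { $_ } | ForEach-Object {
        [Environment]::ExpandEnvironmentVariables($_).TrimEnd('\').ToLowerInvariant()
    })
    foreach ($dir in '%SystemRoot%\system32', '%SystemRoot%', '%SystemRoot%\system32\WBEM') {
        $expanded = [Environment]::ExpandEnvironmentVariables($dir).TrimEnd('\').ToLowerInvariant()
        [pscustomobject]@{ Entry = $dir; Present = ($present -contains $expanded) }
    }
}

function Get-FirewallPolicyState {
    # For each profile, report the policy value (if any) beside the local
    # setting, so "controlled by group policy" maps to a concrete key.
    foreach ($profile in 'DomainProfile', 'StandardProfile') {
        $policyPath = Join-Path $FirewallPolicyRoot $profile
        $localPath  = Join-Path $LocalFirewallRoot  $profile
        $policy = $null
        $local  = $null
        if (Test-Path $policyPath) {
            $policy = (Get-ItemProperty -Path $policyPath -Name 'EnableFirewall' -ErrorAction SilentlyContinue).EnableFirewall
        }
        if (Test-Path $localPath) {
            $local = (Get-ItemProperty -Path $localPath -Name 'EnableFirewall' -ErrorAction SilentlyContinue).EnableFirewall
        }
        if ($null -eq $policy) {
            $assessment = 'no policy override; local setting applies'
        } elseif ($policy -eq 0) {
            $assessment = 'POLICY FORCES FIREWALL OFF (the symptom described in the post)'
        } else {
            $assessment = 'policy forces firewall on'
        }
        [pscustomobject]@{
            Profile              = $profile
            PolicyEnableFirewall = $policy
            LocalEnableFirewall  = $local
            Assessment           = $assessment
        }
    }
}

function Watch-FirewallPolicyKeys {
    # Poll the policy values and print a timestamped line whenever they change,
    # so a reappearing key can be lined up against process starts or tasks.
    param([int]$Seconds = 300, [int]$IntervalSeconds = 5)
    $snapshot = { (Get-FirewallPolicyState | ForEach-Object { "$($_.Profile)=$($_.PolicyEnableFirewall)" }) -join ';' }
    $last = & $snapshot
    '{0:u} baseline: {1}' -f (Get-Date), $last
    $deadline = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds $IntervalSeconds
        $now = & $snapshot
        if ($now -ne $last) {
            '{0:u} policy keys changed: {1} -> {2}' -f (Get-Date), $last, $now
            $last = $now
        }
    }
}

# Usage: run from an elevated PowerShell prompt.
Test-SystemPathEntries | Format-Table -AutoSize
Get-FirewallPolicyState | Format-List
# Watch-FirewallPolicyKeys -Seconds 600
```

On a domain-joined machine these policy values are legitimately written by Group Policy, so check the Resultant Set of Policy (gpresult) and the local policy editor before treating them as suspicious. On a standalone home PC like the one in the post there is no domain policy, so a value that reappears after deletion while the local policy shows nothing set means some local process is writing it, and the timestamp from the watch loop is the lead to follow.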

#2 Grinler (Lawrence Abrams, Admin)

Posted 14 October 2006 - 09:35 AM

Sorry for the delay. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:

Preparation Guide For Use Before Posting A Hijackthis Log



