Re: group policy disables firewall - virus result

From: Torgeir Bakken (MVP) (Torgeir.Bakken-spam_at_hydro.com)
Date: 11/03/05

    Date: Thu, 03 Nov 2005 10:52:14 +0100
    
    

    Hi,

    See if the procedure Ramesh gives in the links below
    works for you.

    http://groups.google.com/group/microsoft.public.windowsxp.help_and_support/msg/de383a95bc9e3d5d?hl=en

    http://groups.google.com/group/microsoft.public.windowsxp.general/browse_frm/thread/64d550eee57fa943/e9382e3215aeb3b6#e9382e3215aeb3b6

    Regards,
    Torgeir

    furball wrote:

    > How do you TURN ON the Acer Notebook OEM Windows XP SP2 Home Edition FIREWALL
    > when it has been TURNED OFF by a *digital criminal* who used GROUP POLICY?
    >
    > What happens is when I try and change the firewall or Windows Security
    > settings it says it is being controlled by Group Policy. Windows XP SP2 Home
    > Edition does not have gpedit.msc. You can try Administrative Tools >>
    > Computer Management >> Services and I Clicked Startup *Automatic - it was
    > *Disabled, then Start. That still is ON but no Firewall.
    >
    > **windows messages***
    > ********************************************
    > Windows Firewall -General
    > For your security, some settings are controlled by Group policy
    >
    > "Windows Firewall"
    > 'Windows Firewall is turned off. Your network administrator is using Group
    > Policy to control these settings.'
    > ********************************************
    >
    > Happened as a result of new unknown virus/malware that includes::::
    > In C:\ these files.. (Delete)
    > sw.bat
    > is.bat
    > tb.exe
    > xe.exe
    > low.exe
    > mmxateam.exe
    > IELower.exe
    >
    > In C:\Windows.. (Delete)
    > lsass.exe
    >
    > (Real one is in C:\WINDOWS\SYSTEM32\lsass.exe)
    >
    > Turn off system restore.
    >
    > Delete all Browser Cache files
    >
    > Delete all temp files
    >
    > Use CCleaner if possible
    >
    > **There may be other unknown files.
    >
    > It turned off my Auto-updates and Windows Firewall. WinXP SP2 Home
    >
    > Appears to be Reg Entries.... (Picked up by Spybot S&D)
    >
    > Windows Security Center.SP2Update: Settings (Registry change, nothing done)
    > HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotAllowXPSP2!=dword:0
    >
    > Windows Security Center.AntiVirusOverride: Settings (Registry change,
    > nothing done)
    > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security
    > Center\AntiVirusOverride!=dword:0
    >
    > Windows Security Center.FirewallOverride: Settings (Registry change, nothing
    > done)
    > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security
    > Center\FirewallOverride!=dword:0
    >
    > Windows Security Center.FirewallDisableNotify: Settings (Registry change,
    > nothing done)
    > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security
    > Center\FirewallDisableNotify!=dword:0
    >
    > Windows Security Center.AntiVirusDisableNotify: Settings (Registry change,
    > nothing done)
    > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security
    > Center\AntiVirusDisableNotify!=dword:0
    >
    > Windows Security Center.UpdateDisableNotify: Settings (Registry change,
    > nothing done)
    > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security
    > Center\UpdatesDisableNotify!=dword:0
    >
    > IELower.exe is the compressed file silent installer - it appears as a
    > different NAME in each case. sw.bat fires the other files..
    >
    > What happens is when I try and change the firewall or Windows Security
    > settings it says it is being controlled by Group Policy. I go into gpedit.msc
    > and I found the specific settings but Windows says it is unconfigured.
    >
    > **WHAT DOES IT APPEAR TO DO?***
    >
    > SLOWS YOUR INTERNET CONNECTION TO A CRAWL, SAY A FEW BYTES, WHILE UPLOADING
    > FROM YOUR COMPUTER.
    > ----------------------------------------------------------------------------
    >
    > ~furball .::

    -- 
    torgeir, Microsoft MVP Scripting, Porsgrunn Norway
    Administration scripting examples and an ONLINE version of
    the 1328 page Scripting Guide:
    http://www.microsoft.com/technet/scriptcenter/default.mspx
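
An added example (not part of the original thread and not either poster's code): a read-only PowerShell audit of the registry values named in the quoted Spybot S&D report. The `WindowsFirewall` policy key, the reading of `!=dword:0` as "flagged when the value differs from 0", and the names `Get-RegValue`, `$checks` and `$report` are assumptions not stated in the post.

```powershell
# Added example: read-only audit, nothing is written to the registry.
$sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
# Assumption (not in the post): key where Windows Firewall policy values are stored.
$fw = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

# Paths and value names below are the ones listed in the quoted Spybot S&D report.
# Expected = 0 is an assumption: "!=dword:0" is read as "differs from 0".
$checks = @(
    @{ Path = $wu; Name = 'DoNotAllowXPSP2';        Expected = 0 },
    @{ Path = $sc; Name = 'AntiVirusOverride';      Expected = 0 },
    @{ Path = $sc; Name = 'FirewallOverride';       Expected = 0 },
    @{ Path = $sc; Name = 'FirewallDisableNotify';  Expected = 0 },
    @{ Path = $sc; Name = 'AntiVirusDisableNotify'; Expected = 0 },
    @{ Path = $sc; Name = 'UpdatesDisableNotify';   Expected = 0 },
    # Assumption: EnableFirewall = 0 under either profile forces the firewall off.
    @{ Path = "$fw\DomainProfile";   Name = 'EnableFirewall'; Expected = 1 },
    @{ Path = "$fw\StandardProfile"; Name = 'EnableFirewall'; Expected = 1 }
)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$report = foreach ($c in $checks) {
    $data = Get-RegValue -Path $c.Path -Name $c.Name
    if ($null -eq $data)              { $status = 'not set' }
    elseif ($data -eq $c.Expected)    { $status = 'ok' }
    else                              { $status = 'REVIEW' }
    [pscustomobject]@{
        Status   = $status
        Value    = $c.Name
        Data     = $data
        Expected = $c.Expected
        Key      = $c.Path
    }
}

# Entries marked REVIEW differ from the expected data and deserve a closer look.
$report | Sort-Object Status | Format-Table -AutoSize
```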
    
