xp home sp2 - can't enable firewall


Joe B
June 20th 05, 06:32 PM
i have an xp home notebook, fully up-to-date with ms patches, macafee av,
adaware pro with adwatch running in real time.

last week my daughter picked up something that came in from an aim session
where a 'buddy' sent her a link. I found rootkit-J trojan virus among other
things, and went thru an extensive cleanup operation including macafee,
adaware, malwarebouncer, spybot, crapcleaner, hijackthis, msantispyware.

Now all seems clean and the msantispyware AND adwatch are both running in
realtime.... BUT...

The windows firewall is turned off, and I can't turn it on. It says that
this is being controlled by a group policy.

I found references on this forum to a virus that does this and followed the
instructions at
http://securityresponse.symantec.com/avcenter/venc/data/w32.dopbot.html
modifying a number of registry entries, but no good so far. I also
downloaded and installed
http://www.dougknox.com/xp/utils/xp_securityconsole.htm and this did not have
any settings for enabling the firewall.

I honestly think the pc is clean right now, I just need to get the firewall
working again...

HELP!?!?!?!

Joe B...

Torgeir Bakken (MVP)
June 20th 05, 06:41 PM
Joe B wrote:

> i have an xp home notebook, fully up-to-date with ms patches, macafee av,
> adaware pro with adwatch running in real time.
>
> last week my daughter picked up something that came in from an aim session
> where a 'buddy' sent her a link. I found rootkit-J trojan virus among other
> things, and went thru an extensive cleanup operation including macafee,
> adaware, malwarebouncer, spybot, crapcleaner, hijackthis, msantispyware.
>
> Now all seems clean and the msantispyware AND adwatch are both running in
> realtime.... BUT...
>
> The windows firewall is turned off, and I can't turn it on. It says that
> this is being controlled by a group policy.
>
> I found references on this forum to a virus that does this and followed the
> instructions at
> http://securityresponse.symantec.com/avcenter/venc/data/w32.dopbot.html
> modifying a number of registry entries, but no good so far. I also
> downloaded and installed
> http://www.dougknox.com/xp/utils/xp_securityconsole.htm and this did not have
> any settings for enabling the firewall.
>
> I honestly think the pc is clean right now, I just need to get the firewall
> working again...
>
> HELP!?!?!?!
Hi,

Put the VBScript below in a .vbs file and run it by double-clicking
on it (it will set a couple of registry values).

It will display the message "Done, please reboot computer" when it
has run.


'--------------------8<----------------------
Set oShell = CreateObject("WScript.Shell")

oShell.RegWrite "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall" _
& "\DomainProfile\EnableFirewall", 1, "REG_DWORD"

oShell.RegWrite "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall" _
& "\StandardProfile\EnableFirewall", 1, "REG_DWORD"

MsgBox "Done, please reboot computer", vbSystemModal+vbInformation

'--------------------8<----------------------



--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx

Joe B
June 20th 05, 07:43 PM
Thanks torgeir, I'll try that as soon as I get home...

By the way... The registry values your script is setting look familiar.
When I tried the instructions I found at
http://securityresponse.symantec.com/avcenter/venc/data/w32.dopbot.html
they included the following:

Navigate to the subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
In the right pane, reset the value:
"EnableFirewall" = "0x00000000"

It appears that your script sets these 2 values at "1" while the
instructions above set them to "0". Am I reading this correctly? Rather than
the script, can I simply set these two values to "1"? Or is the script doing
something else?

To use your script, I assume that I paste everything including the
'-----8<--- lines into a text file and name it something.vbs, then double
click the file?

Thanks again, and I'll let you know how I make out.

Joe Barry

Torgeir Bakken (MVP)
June 20th 05, 07:52 PM
Joe B wrote:

> Thanks torgeir, I'll try that as soon as I get home...
>
> By the way... The registry values your script is setting look familiar.
> When I tried the instructions I found at
> http://securityresponse.symantec.com/avcenter/venc/data/w32.dopbot.html
> they included the following:
>
> Navigate to the subkeys:
> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
> In the right pane, reset the value:
> "EnableFirewall" = "0x00000000"
>
> It appears that your script sets these 2 values at "1" while the
> instructions above set them to "0". Am I reading this correctly?

Yes. Setting those two values to 0 disables the FW, crazy that
Symantec have that in their instructions. I think they have made
an error and really meant 1.


> Rather than the script, can I simply set these two values to "1"?

Yes.


> Or is the script doing something else?

No.


> To use your script, I assume that I paste everything including
> the '-----8<--- lines into a text file and name it something.vbs,
> then double click the file?

Yes.



--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx
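
An added example, not part of any post in this thread: a Python check that reads a `reg export` text dump of the policy key discussed above and reports, per profile, whether the EnableFirewall policy value forces the firewall off (0), forces it on (1), or is absent. The sample export is constructed, and the function and constant names are this example's own.

```python
import re

POLICY_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall"
PROFILES = ("DomainProfile", "StandardProfile")

# Constructed sample in "reg export" text form; not taken from the thread.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000001
"DoNotAllowExceptions"=dword:00000000
'''

def parse_dwords(reg_text):
    """Return {key_path_lower: {value_name_lower: int}} for DWORD values in a .reg export."""
    keys, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})$', line)
        if m and current is not None:
            current[m.group(1).lower()] = int(m.group(2), 16)
    return keys

def firewall_policy_state(reg_text):
    """Classify the EnableFirewall policy value for each profile."""
    keys = parse_dwords(reg_text)
    labels = {0: "forced off", 1: "forced on"}
    state = {}
    for profile in PROFILES:
        values = keys.get((POLICY_ROOT + "\\" + profile).lower(), {})
        if "enablefirewall" not in values:
            # Value absent: no policy override recorded for this profile.
            state[profile] = "not set"
        else:
            state[profile] = labels.get(values["enablefirewall"], "unexpected value")
    return state

if __name__ == "__main__":
    for profile, verdict in firewall_policy_state(SAMPLE_EXPORT).items():
        print(f"{profile}: EnableFirewall policy {verdict}")
```
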

Joe B
June 20th 05, 08:32 PM
Thanks again, I'll let you know how I make out...

Joe

Joe B
June 23rd 05, 01:54 PM
Torgeir...

You were correct, when I set those 2 registry settings to '1' I was able to
turn on the firewall.

I'm less certain now that I'm completely clean, as I've had a couple of
additional strange things (rootkit?) happen since the other day. I'm posting
my hijackthis log on a couple of spyware forums to get some feedback.

Thanks again for the firewall help.

Joe B...

BusterTNE
June 27th 05, 06:48 PM
i went to the reg & got my firewall on which is the important thing but if i
wanted to turn it off i'd have to go back to the reg to do it or run a script
which i must not be doing right. how or where do i "turn off" group
policies? with my limited understanding of gp they're a good thing but i don't
need them in my 2 or 3 computer world.