Author Topic: Missing All Windows Firewall Predefined Rules  (Read 19526 times)

0 Members and 1 Guest are viewing this topic.

Offline Zentard

  • Newbie
  • *
  • Join Date: Jul 2012
  • Posts: 9
  • Karma: 0
    • View Profile
Missing All Windows Firewall Predefined Rules
« on: July 21, 2012, 04:51:37 PM »
I moved my own post because it had little to do with feedback...

I'm running Windows Vista Home Premium (64) SP2

Recently a Virus attacked my system and among other things I lost all Windows Firewall Predefined Rules.  I managed to repair most of the damage done except this one particular issue, the aforementioned missing predefined rules.  This has caused the exact issue that is described in the following link, except I'm running Vista, not Windows 7.  I'm linking the following description because it is an extremely well made presentation of the problem: http://superuser.com/questions/375042/cannot-turn-on-network-discovery-and-file-sharing-when-windows-firewall-is-ena

The fix is relatively simple provided you have access to another machine with a working copy of the exact same version OS.  Unfortunately that is something I do not have on hand.  I tried to see if my copy of Vista had some sort of repair option, but it turns out that Vista has not repair option at all, unless I run an "upgrade" install.   I've done that sort of thing in the past and it can cause some major headaches with overwriting settings and file versions.  I'll end up with more problems than I currently have.

What I need is a .reg file with the missing registry entries.  Does anyone know where I could find such a thing?

I ran Windows Repair (All in One).  I believe it caught some things I hadn't yet fixed, but it did not fix the missing predefined rules.  I can easily understand why that particular fix is not included, it's not common and it can potentially be a real headache to include fixes for every version.  But Windows Repair is an awesome program, thank you for building it.  If I ever get up on my feet I will give support.

Offline Zentard

  • Newbie
  • *
  • Join Date: Jul 2012
  • Posts: 9
  • Karma: 0
    • View Profile
Re: Missing All Windows Firewall Predefined Rules
« Reply #1 on: July 21, 2012, 07:55:01 PM »
I have been working to fix this issue by installing Virtualbox and creating a Vista virtual machine.  I e-mailed the missing reg keys to myself (in txt form since I can't email reg files  :rolleyes:) and I'm in the process of trying to get file sharing back up and running.

Offline Zentard

  • Newbie
  • *
  • Join Date: Jul 2012
  • Posts: 9
  • Karma: 0
    • View Profile
Re: Missing All Windows Firewall Predefined Rules
« Reply #2 on: July 21, 2012, 08:08:39 PM »
Now the predefined rules are present.  However, I believe whatever file "file sharing" is based on is still missing, because the service still will not work correctly and throws an unspecified error when activated through "Windows Firewall With Advanced Security".  I also found and ran "MicrosoftFixit.WindowsFirewall" for Vista, but it fails to repair the problem and even recognizes that it failed without mentioning why.

Anyone have any ideas?  I'm really running out of steam on this... :confused:

Offline Shane

  • Lead Developer - Coder
  • Administrator
  • Hero Member
  • *****
  • Join Date: Sep 2011
  • Posts: 9279
  • Location: USA
  • Karma: 138
  • "Knowledge should be shared not hidden."
    • View Profile
    • Tweaking.com
Re: Missing All Windows Firewall Predefined Rules
« Reply #3 on: July 23, 2012, 12:20:14 PM »
I havent looked into the predefined rules yet.

My repair firewall tool mainly works with the files and services, it doesn't mess with the rules.

When you turn the firewall off do things work fine?

Shane

Offline Zentard

  • Newbie
  • *
  • Join Date: Jul 2012
  • Posts: 9
  • Karma: 0
    • View Profile
Re: Missing All Windows Firewall Predefined Rules
« Reply #4 on: July 26, 2012, 08:59:14 AM »
I wish I knew how my problem eventually resolved itself.  After hours of attempting to even comprehend all the files associated with Windows Firewall and its rules, I eventually called it a night.  The next morning the issues with file sharing appeared to have magically disappeared.  It could have been an update and restart that replaced missing files, or some other automatic process made repairs somehow.  But the trick with the Virtual Machine install where I e-mailed registry entries to myself was a life-saver on those missing Firewall rules, although it did overwrite some of my Firewall settings.  Re-setting them wasn't too much of a headache.

Also of note:  I had one of those infamous "redirect" viruses which also appeared to have mysteriously disappeared.  As I was following instructions from a couple different programmers on how to remove it by hand I discovered that it simply wasn't there, and my browser no-longer redirects randomly.

Musta been some ninja haxxor playing vigilante I guess.  :wink:

Offline Zentard

  • Newbie
  • *
  • Join Date: Jul 2012
  • Posts: 9
  • Karma: 0
    • View Profile
Re: Missing All Windows Firewall Predefined Rules
« Reply #5 on: July 26, 2012, 09:10:25 AM »

When you turn the firewall off do things work fine?

Shane

No, they did not.  Vista has a nasty little quirk involving Windows Firewall.  If the predefined rules are not present, you cannot use the features that they defined.  Even if Windows Firewall is turned off.

Offline Shane

  • Lead Developer - Coder
  • Administrator
  • Hero Member
  • *****
  • Join Date: Sep 2011
  • Posts: 9279
  • Location: USA
  • Karma: 138
  • "Knowledge should be shared not hidden."
    • View Profile
    • Tweaking.com
Re: Missing All Windows Firewall Predefined Rules
« Reply #6 on: July 26, 2012, 10:40:05 AM »
The redirect virus could have been causing a lot of the problems.

tdsskiller.exe is pretty good at removing those infections :wink:

Might be a good idea to run tdsskiller.exe just to make sure, it is a fast scan.

Shane

Offline Zentard

  • Newbie
  • *
  • Join Date: Jul 2012
  • Posts: 9
  • Karma: 0
    • View Profile
Re: Missing All Windows Firewall Predefined Rules
« Reply #7 on: July 26, 2012, 10:51:03 AM »
Yes, the redirect virus was causing me to encounter other viruses from...  well, redirection.  One of those other viruses was the one that wiped out my firewall.  After removal of the "other" viruses, the redirect virus was still going strong and proved to be ridiculously difficult to remove until it just up and disappeared.  It could still be hiding out even though I haven't experienced any of it's symptoms and haven't found any traces of known redirect rootkits anywhere, so thanks for the tip about TDSSKiller.exe, I'll be running that ASAP.

EDIT: After scan, TDSSKiller found the following: Rootkit.Boot.Sinowal.b, and Rootkit.Boot.Pihar.c.  Thanks again.
« Last Edit: July 26, 2012, 11:00:38 AM by Zentard »

Offline Shane

  • Lead Developer - Coder
  • Administrator
  • Hero Member
  • *****
  • Join Date: Sep 2011
  • Posts: 9279
  • Location: USA
  • Karma: 138
  • "Knowledge should be shared not hidden."
    • View Profile
    • Tweaking.com
Re: Missing All Windows Firewall Predefined Rules
« Reply #8 on: July 26, 2012, 10:52:43 AM »
tdsskiller.exe, combfix.exe and malwarebytes along with the free version of Avast are my normal tools when cleaning up a customers machine. I also know how to find an infection manually so that helps when the scanners dont find anything :wink:

Shane

Offline Zentard

  • Newbie
  • *
  • Join Date: Jul 2012
  • Posts: 9
  • Karma: 0
    • View Profile
Re: Missing All Windows Firewall Predefined Rules
« Reply #9 on: July 26, 2012, 11:53:03 AM »
Redirect rootkit re-installed itself and symptoms reappeared after running TDSSKiller.exe and eliminating a couple files.  Kinda like bashing a wasp's nest with a baseball bat I guess.  What pain in the A.  I'll try some of the other tools you mentioned, and try to look for it by hand again.

Offline Shane

  • Lead Developer - Coder
  • Administrator
  • Hero Member
  • *****
  • Join Date: Sep 2011
  • Posts: 9279
  • Location: USA
  • Karma: 138
  • "Knowledge should be shared not hidden."
    • View Profile
    • Tweaking.com
Re: Missing All Windows Firewall Predefined Rules
« Reply #10 on: July 26, 2012, 12:05:09 PM »
Run tdsskiller again, if it finds anything have it clean them and then reboot.

I find combofix is good and getting anything left over.

Shane

Offline Zentard

  • Newbie
  • *
  • Join Date: Jul 2012
  • Posts: 9
  • Karma: 0
    • View Profile
Re: Missing All Windows Firewall Predefined Rules
« Reply #11 on: July 26, 2012, 12:56:02 PM »
Running TDSSKiller.exe a second time came up with no hits.

Interestingly, when I searched ComboFix and clicked the search engine link to the website I was diverted to the Norton Antivirus site (or maybe an impressive mock-up).  So I copy-link-locationed the link instead and pasted that into the navbar.  That led me to the correct site.

ComboFix eliminated a number of files:
c:\users\USER\AppData\Roaming\defefc.dll
c:\users\USER\AppData\Roaming\shapr.dll
c:\windows\Installer\{289ca96a-9541-dde9-00a7-af80f2d9616f}\@
c:\windows\Installer\{289ca96a-9541-dde9-00a7-af80f2d9616f}\L\00000004.@
c:\windows\Installer\{289ca96a-9541-dde9-00a7-af80f2d9616f}\L\1afb2d56
c:\windows\Installer\{289ca96a-9541-dde9-00a7-af80f2d9616f}\L\201d3dde
c:\windows\Installer\{289ca96a-9541-dde9-00a7-af80f2d9616f}\U\00000008.@
c:\windows\SysWow64\SET809B.tmp
c:\windows\SysWow64\SETD55C.tmp
c:\windows\SysWow64\SETD688.tmp
c:\windows\SysWow64\SETE679.tmp
c:\windows\SysWow64\SETE97D.tmp

Tentatively, I can say this may have ripped out the rootkit.  I'm no-longer seeing evidence of redirection. I recognize some of these files which I have ripped out multiple times.
« Last Edit: July 26, 2012, 12:57:37 PM by Zentard »

Offline Shane

  • Lead Developer - Coder
  • Administrator
  • Hero Member
  • *****
  • Join Date: Sep 2011
  • Posts: 9279
  • Location: USA
  • Karma: 138
  • "Knowledge should be shared not hidden."
    • View Profile
    • Tweaking.com
Re: Missing All Windows Firewall Predefined Rules
« Reply #12 on: July 26, 2012, 01:35:44 PM »
Good :-)

Keep an eye on things, and now with the rootkit gone things should start acting like normal again :wink:

Shane

Offline Zentard

  • Newbie
  • *
  • Join Date: Jul 2012
  • Posts: 9
  • Karma: 0
    • View Profile
Re: Missing All Windows Firewall Predefined Rules
« Reply #13 on: July 26, 2012, 01:52:47 PM »
Ugh.  Sprang up again.  Sorry I keep spamming this thread with failure.  :tongue:  I'm looking into, diverting all firepower to the super star destroyer.

Offline Shane

  • Lead Developer - Coder
  • Administrator
  • Hero Member
  • *****
  • Join Date: Sep 2011
  • Posts: 9279
  • Location: USA
  • Karma: 138
  • "Knowledge should be shared not hidden."
    • View Profile
    • Tweaking.com
Re: Missing All Windows Firewall Predefined Rules
« Reply #14 on: July 26, 2012, 02:05:49 PM »
Those didn't clean it up? VERY odd.

I wonder if you have something new.

Also always make sure your java and flash are always up to date. It is holes in those that allow infected ads or bad sites to infect you without you knowing. They are always plugging holes. So make sure they are up to date! :wink:

Shane