There is a new trojan that turns off Windows Firewall, without letting you know.

  • Thread starter Thread starter Jonas The Swedish Goth
  • Start date Start date
J

Jonas The Swedish Goth

Hey everyone


I had, and still have, a minor problem with Windows Firewall.

First, Microsoft has done one HELL of a good firewall.

I have run my own firewall on linux, used lots of different firewalls since Microsoft never really had any protection to speak of.


Before win 10! Win 10 Firewall + Windows Defender is all most users needs. Get a malware scanner IF you think you might caught something.


Does anyone know a permanent fix to stop this critter?

Now, there has been a "new" worm/trojan, that does nothing else, then turns off Windows firewall.

The UI, shows that the firewall is up. But if you check services and try to load the Firewall advanced features, it says its down. And it is.


That trojan slips by most things because....it does not do anything else then inject your user, with a normal windows command, to turn off the firewall when you start the computer the next time. This is the same command windows gives itself when the user installs any other kind of firewall.
I've spoken to Microsoft support and sent logs, and I am sure there will be an update to stop it.


Until then, Microsoft own tool "MSERT" finds it when you run a QUICK scan with the tool. I dont know why it doesnt detect it when I tried full scan.
Since you may have been without a firewall, you need to check where you download things from.


Here is the real link to Microsoft MSERT:
Microsoft Safety Scanner Download - Windows security
I highly suggest you only use the 64-bit one.

The problem I have with this, is that the trojan itself only injects the command in your user folder.

Which gives quite annying but harmless problems.


Your user now has "Account Unknown 5-1-5-1-5-232352428348309xxxxxxxx", on random exe files. Like Microsoft store, notepad, etc.

This is not another user. Its not someone who hacked you. Its a user that does not exist anymore.


It adds itself to things like Edge, or paint! Or if you are unlucky, it adds itself to the startup path where all the Microsoft tools are. Like "wordpad".

The system still works fine. But you will not be the default admin user. And everything you do with the program with this ghost user, will threat you as nr 2.


It looks like this:






However:

"Account Unknown 5-1-5-1-5-45-345334589348590385xxxxxxs", is actually perfectly normal on some files. Because it's a user that doesn't exist.

For example, anyone who upgraded from Win 7 to 10, with the same user, has this account unknown, in random rare places. But that account, has NO Rights. There are no boxes, to give or take rights.


These 1 or 2 Account unknown, are just like your user, you can enter what rights they have and not.


Unless you remove that user from the .exe file, or in my case, one of my Disk drives, changes owner from "System", to this Account Unknown".

I can use the drive and the files just fine.

HOWEVER, it prompts you for admin rights every time you open a file or program from that drive, that requires you to "be you".


Also, check when you download graphic drivers. If there are "Account unknown" in that file. You need to remove those accounts from the file.

You can do this in 2 ways.


1. Delete the Nvidia driver you just download. And download it again, to a DIFFERENT FOLDER. Preferably in your C drive.
Check what users have rights to that file, and the Account Unknown" should be gone.


2.

Right click on the filename.exe, and go to the security tab.



Then click "Advanced".


And you get this section up. Please follow exactly what I type here. Because you are messing with "rights" which if you are unlucky, can block yourself out of the system :)





You need to be an admin user for this btw.


Click on "Change Permissions"

Then

Click on DISABLE Inheritance


Now, an "ADD" and "REMOVE" button will now appear beside "view"


Now, you click on the principal 5-1-5-21-345233248xxxx.

That user must be highlighted!


Click on REMOVE. And windows will ask if you want to remove the inherited permission only for this user, or for all. You choose the first, "this user only".


If you have two, like I have here, then do the same with the second one.


IMPORTANT

Check your own user, or users/administrator in this window.


They need to have ALL boxes clicked in, so you have full rights to this file/application.


The problem this can cause, is that the "account unknown" do not have the same rights as you.

Which means, Virus killers, like windows defender, does not "find" what they should, because they might need to be administrator to even check a certain file.


Also, when installing games, and graphic drivers etc. There is a possibility, that the driver will not install. Without telling you this.

You see that in the logs in windows, and in the device manager if you look at the driver, and "events".

It sais the driver, but the events says "Driver failed to install".


Microsoft's support told me first, that since the driver "seams" to be installed, its nothing to worry about.


When I showed them, the same thing with Windows defender, they send me to second-line support.

Since the logs from my offline scan with windows defender finished scanning 500.000 files, in 26 seconds.

They did not believe it was that fast.....


I gave them the second log, after I've removed the account unknown from the defender.exe, which scanned 150.000 files, and found 2 critters it removed.


Has anyone heard anything about this?
Is there any malware hunter out there that removes this completely!?


I have tried, 1, or 2, or 54. I lost count.


I have made a repair upgrade. That did work for a while, but it came back via Microsoft Store app this time (could been anything).


To fix this, you need to:

- FORMAT C: (Factory format. Which writes 0 in every block). And you do NOT do this on the same computer.

  • - Create a new win 10 installation media from ANOTHER computer.
  • - Install a complete new Win 10. Without my user, settings, or even google, OneDrive, iCloud sync for bookmarks, passwords, etc.
  • - Your Win 10 licence is safe in your Microsoft digital account, so just connect again, and you have your windows back.


You can NOT use a backup and restore.

You can save files on another drive. But you need to check every single file, that it doesnt have any "Account unknown" on it!.


You can NOT sync bank your windows settings, theme etc.


You need to do everything from start. And this annoying mosquito will not appear again.


NOTE
: You will need to write down bookmarks and passwords. WITH A PEN!

Then download a new browser and set it up like it was the first time. TYPE the homepage, like www.google.com, and put in your user and password manually.


Has anyone found a software the seeks and destroys every single "account unknown".

Creating a new user, did not work for me.


This happened after I did a repair upgrade, and created a new user.

Everything looked good, so I installed CCleaner (I downloaded the file. I did not use the file I had on the computer)







CCleaner got installed correctly, and did its job for a week.

Before I saw this....

That means, every time I run CCleaner, it has the rights of the whole Win 10 system.

Which is not bad when you remove things with CCleaner. But when you enable servcies, like "trusted installer", which was not active for some reason?

You give trusted installer these accounts unknown, which puts on everything it installs. And these account unknown, has NO RIGHTS.


In my case, it led to windows update stopped getting any updates, what to ever!!

I fixed that with resetting Win updates. 1 week, after I did a repair upgrade.....


This "problem", is not a virus per say. It just gives you problems in the long run.

And not having a firewall + not getting win updates, in my case, is not accepteble.


I have removed these account unknown as much as I found them, so my firewall works and I get updates.

'But, when I was typing this post, I used paint, to cut the screenshots.....and paint.exe, had 2x account unknown"


Help?

I really dont want to do a completely new Win 10. With over 600 bookmarks and passwords.


Any suggestions are welcome! Out of the box thinking is needed!

  • SFC /SCANNOW = didnt fix anything
  • System Restore, of course didnt remove the account unknown on the files.
  • DISM /online and /repair-image, did not work either online, nor with an offline source I made with a USB from another computer.


Microsoft support, has asked for my logs and told me that these account unknown, is NOT the same as the harmless account unknown that pops up on some systems and does nothing.


Any ideas? Suggestions? Drinks?
No suggestion is "dumb" btw.

I dont think this can be solved by follow best practice...... Because I have done just that! =)


I need you users, who knows enough about systems, that you think you dont know much.

When normal solutions does not work....the solutions that I, and other power users knows will not work.....is what we should do.


Heeeeeeelp. Please?

Jonah, The Swedish Goth.

Continue reading...
 
Back
Top