Windows 10: There is a new trojan that turns off Windows Firewall, without letting you know.

Discussion in 'AntiVirus, Firewalls and System Security' started by Jonas The Swedish Goth, Feb 9, 2020.

  1. There is a new trojan that turns off Windows Firewall, without letting you know.


    Hey everyone


    I had, and still have, a minor problem with Windows Firewall.

    First, Microsoft has done one HELL of a good firewall.

    I have run my own firewall on Linux, used lots of different firewalls since Microsoft never really had any protection to speak of.


    Before Win 10! Win 10 Firewall + Windows Defender is all most users need. Get a malware scanner IF you think you might have caught something.


    Does anyone know a permanent fix to stop this critter?

    Now, there has been a "new" worm/trojan, that does nothing else than turn off Windows Firewall.

    The UI shows that the firewall is up. But if you check services and try to load the Firewall advanced features, it says it's down. And it is.


    That trojan slips by most things because....it does not do anything else than inject your user, with a normal Windows command, to turn off the firewall when you start the computer the next time. This is the same command Windows gives itself when the user installs any other kind of firewall.
    I've spoken to Microsoft support and sent logs, and I am sure there will be an update to stop it.


    Until then, Microsoft's own tool "MSERT" finds it when you run a QUICK scan with the tool. I don't know why it doesn't detect it when I tried a full scan.
    Since you may have been without a firewall, you need to check where you download things from.


    Here is the real link to Microsoft MSERT:
    https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download
    I highly suggest you only use the 64-bit one.

    The problem I have with this, is that the trojan itself only injects the command in your user folder.

    Which gives quite annoying but harmless problems.


    Your user now has "Account Unknown 5-1-5-1-5-232352428348309xxxxxxxx", on random exe files. Like Microsoft store, notepad, etc.

    This is not another user. It's not someone who hacked you. It's a user that does not exist anymore.


    It adds itself to things like Edge, or paint! Or if you are unlucky, it adds itself to the startup path where all the Microsoft tools are. Like "wordpad".

    The system still works fine. But you will not be the default admin user. And everything you do with the program with this ghost user, will treat you as nr 2.


    It looks like this:


    [screenshot]



    However:

    "Account Unknown 5-1-5-1-5-45-345334589348590385xxxxxxs", is actually perfectly normal on some files. Because it's a user that doesn't exist.

    For example, anyone who upgraded from Win 7 to 10, with the same user, has this account unknown, in random rare places. But that account, has NO Rights. There are no boxes, to give or take rights.


    These 1 or 2 Account unknown, are just like your user, you can enter what rights they have and not.


    Unless you remove that user from the .exe file, or in my case, one of my disk drives, changes owner from "System" to this "Account Unknown".

    I can use the drive and the files just fine.

    HOWEVER, it prompts you for admin rights every time you open a file or program from that drive, that requires you to "be you".


    Also, check when you download graphic drivers. If there are "Account unknown" in that file. You need to remove those accounts from the file.

    You can do this in 2 ways.


    1. Delete the Nvidia driver you just downloaded. And download it again, to a DIFFERENT FOLDER. Preferably on your C drive.
    Check what users have rights to that file, and the "Account Unknown" should be gone.


    2. Right click on the filename.exe, and go to the security tab.

    [screenshot]

    Then click "Advanced".


    And you get this section up. Please follow exactly what I type here. Because you are messing with "rights" which if you are unlucky, can block yourself out of the system :


    [screenshot]


    You need to be an admin user for this btw.


    Click on "Change Permissions"

    Then

    Click on DISABLE Inheritance


    And "ADD" and "REMOVE" buttons will now appear beside "view"


    Now, you click on the principal 5-1-5-21-345233248xxxx.

    That user must be highlighted!

    Click on REMOVE. And Windows will ask if you want to remove the inherited permission only for this user, or for all. You choose the first, "this user only".

    If you have two, like I have here, then do the same with the second one.


    IMPORTANT

    Check your own user, or users/administrator in this window.

    They need to have ALL boxes clicked in, so you have full rights to this file/application.

    The problem this can cause, is that the "account unknown" do not have the same rights as you.

    Which means, virus killers, like Windows Defender, do not "find" what they should, because they might need to be administrator to even check a certain file.


    Also, when installing games, and graphic drivers etc. There is a possibility, that the driver will not install. Without telling you this.

    You see that in the logs in windows, and in the device manager if you look at the driver, and "events".

    It says the driver, but the events say "Driver failed to install".


    Microsoft support told me first, that since the driver "seems" to be installed, it's nothing to worry about.


    When I showed them the same thing with Windows Defender, they sent me to second-line support.

    Since the logs from my offline scan with windows defender finished scanning 500.000 files, in 26 seconds.

    They did not believe it was that fast.....


    I gave them the second log, after I've removed the account unknown from the defender exe, which scanned 150.000 files, and found 2 critters it removed.


    Has anyone heard anything about this?
    Is there any malware hunter out there that removes this completely!?


    I have tried, 1, or 2, or 54. I lost count.


    I have made a repair upgrade. That did work for a while, but it came back, via the Microsoft Store app this time, could have been anything.


    To fix this, you need to:

    - FORMAT C: Factory format. Which writes 0 in every block. And you do NOT do this on the same computer.


    - Create a new win 10 installation media from ANOTHER computer.

    - Install a complete new Win 10. Without my user, settings, or even google, onedrive, Icloud sync for bookmarks, passwords, etc.

    - Your Win 10 license is safe in your microsoft digital account, so just connect again, and you have your windows back.


    You can NOT use a backup and restore.

    You can save files on another drive. But you need to check every single file, that it doesn't have any "Account unknown" on it!


    You can NOT sync back your Windows settings, theme etc.


    You need to do everything from start. And this annoying mosquito will not appear again.


    NOTE: You will need to write down bookmarks and passwords. WITH A PEN!

    Then download a new browser and set it up like it was the first time. TYPE the homepage, like www.google.com, and put in your user and password manually.


    Has anyone found software that seeks and destroys every single "account unknown"?

    Creating a new user, did not work for me.


    This happened after I did a repair upgrade, and created a new user.

    Everything looked good, so I installed CCleaner. I downloaded the file. I did not use the file I had on the computer.


    [screenshot]




    CCleaner got installed correctly, and did its job for a week.

    Before I saw this....

    That means, every time I run CCleaner, it has the rights of the whole Win 10 system.

    Which is not bad when you remove things with CCleaner. But when you enable services, like "trusted installer", which was not active for some reason?

    You give trusted installer these accounts unknown, which puts on everything it installs. And these account unknown, has NO RIGHTS.


    In my case, it led to Windows Update no longer getting any updates whatsoever!!

    I fixed that with resetting Win updates. 1 week, after I did a repair upgrade.....


    This "problem" is not a virus per se. It just gives you problems in the long run.

    And not having a firewall + not getting Win updates, in my case, is not acceptable.


    I have removed these account unknown as much as I found them, so my firewall works and I get updates.

    But, when I was typing this post, I used paint, to cut the screenshots.....and paint.exe had 2x "account unknown".


    Help?

    I really don't want to do a completely new Win 10. With over 600 bookmarks and passwords.


    Any suggestions are welcome! Out of the box thinking is needed!


    SFC /SCANNOW = didn't fix anything

    System Restore, of course, didn't remove the account unknown on the files.

    DISM /online and /repair-image did not work either, neither online nor with an offline source I made with a USB from another computer.


    Microsoft support, has asked for my logs and told me that these account unknown, is NOT the same as the harmless account unknown that pops up on some systems and does nothing.


    Any ideas? Suggestions? Drinks?
    No suggestion is "dumb" btw.

    I don't think this can be solved by following best practice......Because I have done just that!


    I need you users, who know enough about systems, that you think you don't know much.

    When normal solutions do not work....the solutions that I, and other power users know will not work.....is what we should do.


    Heeeeeeelp. Please?

    Jonah, The Swedish Goth.

    :)
     
    Jonas The Swedish Goth, Feb 9, 2020
    #1
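
The two symptoms described in post #1 (a firewall that reports "on" while its service is down, and "Account Unknown" entries on .exe files) can be checked with a read-only audit. This is an added example, not part of the original post or from Microsoft; the folder in `$Root` and the helper name `Get-UnresolvedAce` are assumptions chosen for illustration.

```powershell
# Added example: read-only audit, it changes nothing. Run from an elevated prompt.
$Root = "$env:SystemRoot\System32"   # assumed example folder; change as needed

# 1. Compare the firewall service state with what the profiles report.
#    MpsSvc is the service behind Windows Defender Firewall.
$svc = Get-Service -Name MpsSvc
"MpsSvc: status=$($svc.Status) starttype=$($svc.StartType)"
try {
    Get-NetFirewallProfile -ErrorAction Stop |
        Select-Object Name, Enabled | Format-Table -AutoSize
} catch {
    "Firewall profiles could not be queried: $($_.Exception.Message)"
}

# 2. Find owners and ACL entries whose SID does not resolve to an account name.
#    Get-Acl prints those as a raw "S-1-..." string (owner: "O:S-1-...").
function Get-UnresolvedAce {            # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -File -Filter *.exe -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_.FullName
        try { $acl = Get-Acl -LiteralPath $file -ErrorAction Stop } catch { return }
        $found = @()
        if ($acl.Owner -match '^(O:)?(S-1-.+)$') {
            $found += [pscustomobject]@{ Sid = $Matches[2]; Role = 'Owner'; Rights = $null; Inherited = $null }
        }
        foreach ($ace in $acl.Access) {
            if ($ace.IdentityReference.Value -match '^S-1-') {
                $found += [pscustomobject]@{ Sid = $ace.IdentityReference.Value; Role = [string]$ace.AccessControlType
                    Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
            }
        }
        foreach ($f in $found) {
            # S-1-15-2-* (app package) and S-1-15-3-* (capability) SIDs often do
            # not resolve to a name by design; S-1-5-21-* is a local or domain
            # account that this machine can no longer look up.
            $kind = switch -Regex ($f.Sid) {
                '^S-1-15-[23]-' { 'app package/capability (expected)'; break }
                '^S-1-5-21-'    { 'deleted or foreign account'; break }
                default         { 'other' }
            }
            $f | Select-Object @{n='File';e={$file}}, Sid, @{n='Kind';e={$kind}}, Role, Rights, Inherited
        }
    }
}

Get-UnresolvedAce -Path $Root | Sort-Object Kind, File | Format-Table -AutoSize -Wrap
```

The `Inherited` column shows whether an entry comes from the parent folder, which is the case the "Disable inheritance" step in the post addresses.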
  2. John Sarc Win User

    Windows Firewall blocks App Store from downloading new apps

    Hi,

    Let's try to check if the app store you're referring to if it's really blocked by Windows Firewall. See these steps:

    • Open Windows Firewall from the taskbar > Firewall & network protection > Allow an app through firewall.
    • A new window will show up containing the list of the apps that can be allowed through Firewall.
    • Look for the app you want to be accessed, and make sure that the Domain, Private and Public are ticked. That would allow the app store to be accessed.

    Let us know what happens after doing the suggestion.
     
    John Sarc, Feb 9, 2020
    #2
  3. Anne Fuj Win User
    Firewall

    Hello,

    It is recommended to turn on your Firewalls to prevent your computer from unauthorized access and being vulnerable. Based on your issue description, it looks like you wanted to turn off Windows Firewall. To turn off Windows Firewall, kindly follow the steps below:

    • On Start, scroll down to Windows System > Control Panel > System and Security > Windows Firewall.
    • Select Turn Windows Firewall on or off. You might be asked for an admin password or to confirm your choice.
    • Under the appropriate network setting, select Turn on Windows Firewall.
      • Note: If your PC is connected to a network, network policy settings might prevent you from completing these steps. For more info, contact your administrator.

    Let us know if you need further assistance.
     
    Anne Fuj, Feb 9, 2020
    #3
  4. There is a new trojan that turns off Windows Firewall, without letting you know.

    New FF - passwords


    Hi:

    If that setting is already enabled, then I suggest the next troubleshooting step might be Mozilla Safe Mode (not to be confused with Windows Safe Mode):

    Troubleshoot Firefox issues using Safe Mode | Firefox Help


    • Please report back and let us know the outcome, as it will dictate the next steps.
    • Also: please tell us what AV/AM/firewall programs are you running on this system?

    Thanks,
    MM
     
    MoxieMomma, Feb 9, 2020
    #4