Many systems with security features disabled

Mornin all

I have been seeing a lot of PCs coming through my doors with their firewalls disabled. I am struggling to deal with them.

They all seem to be similar in nature: Windows Defender or the Firewall disabled, some with Windows Security Center disabled too. They show no real signs of any other infection. The computer runs well: no redirects, no unexplained processes, no pop-ups.

Using FSS it is often a registry entry that has disabled the security feature.

Has anyone else noticed this?
 
I personally wouldn't worry about it because:
  • The Windows Firewall is often disabled by security software to prevent conflicts with their own firewalls
  • The Security Center notifications are sometimes disabled to get rid of the icon in the taskbar
  • Windows Defender is often disabled because it's really ineffective and runs scheduled scans which impede performance
 
I'm pretty sure this is a virus of some sort. They won't turn on due to access permissions. I've followed ways to turn them back on manually after resetting the registry permissions. But something just isn't sitting right with me.
 
I had one very similar this week. Windows 7 (64-bit) machine. Customer stated that MSE had reported multiple 'trojans' last Sunday and that she had also had her credit card compromised on the Saturday (someone used it to buy from Amazon) - can't be sure these are related but possible as she had recently used her card to purchase something online.

She said MSE also got disabled but that she managed to get it running again. Her recollection of the events was very hazy though and she says she tried multiple fixes she found online.

When I looked at the machine on Wednesday, MSE was running fine (no history) and reporting the PC as clean. MBAM, SAS and TDSSKiller also ran fine and reported no problems; however the Windows FW and Security Centre were disabled and wouldn't start (missing services and access denied errors). The only hint of malware I could find was from MSE in the System Event Log, which indicated it had detected a trojan on the Sunday. I tried a number of registry changes, MS FixIts and other repair tools but nothing would reinstate the FW or the Security Centre. System Restore failed.

I read somewhere that this behaviour was related to a rootkit wrapped up with a Fake AV (Windows Antivirus 2012 ??) infection.

After 3 hours, I advised a backup and N&P - the machine is now working fine.
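The symptoms in the posts above (firewall and Security Center services missing or refusing to start, "access denied" on their registry keys, FSS pointing at a registry value) can be enumerated before any repair is attempted. The script below is an added example for this thread, not a tool from any of the posters or from D7; it is read-only and assumes the standard Vista/7 service names (MpsSvc, BFE, wscsvc, WinDefend) and the well-known policy and Security Center values it lists. Run it elevated on the suspect machine.

```powershell
# Added audit script; not from the thread. Read-only: reports the state of the
# services and policy values that the posts above found disabled, so the
# technician can see what was changed before deciding how to repair it.
# Assumed service names (Windows Vista/7): MpsSvc = Windows Firewall,
# BFE = Base Filtering Engine (MpsSvc depends on it), wscsvc = Security Center,
# WinDefend = Windows Defender.
$serviceRoles = @{
    'MpsSvc'    = 'Windows Firewall'
    'BFE'       = 'Base Filtering Engine'
    'wscsvc'    = 'Security Center'
    'WinDefend' = 'Windows Defender'
}

# Registry values that silently switch a feature off. A policy key present on a
# home PC that is not domain-joined, and that no admin set, is itself suspicious.
$policyChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'; Name = 'DisableAntiSpyware'; Bad = 1; Meaning = 'Defender disabled by policy' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'; Name = 'EnableFirewall'; Bad = 0; Meaning = 'Firewall off (private/standard profile)' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile';   Name = 'EnableFirewall'; Bad = 0; Meaning = 'Firewall off (public profile)' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile';   Name = 'EnableFirewall'; Bad = 0; Meaning = 'Firewall off (domain profile)' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'FirewallDisableNotify';  Bad = 1; Meaning = 'Security Center firewall alerts suppressed' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'AntiVirusDisableNotify'; Bad = 1; Meaning = 'Security Center antivirus alerts suppressed' }
)

function Get-SecurityServiceState {
    foreach ($name in $serviceRoles.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $status = 'MISSING'; $start = 'n/a'; $readable = $false
        if ($svc) {
            $status = $svc.Status
            # Start type lives in the service key: 2 = Automatic, 3 = Manual, 4 = Disabled.
            # Failing to read it here is the "access denied" symptom described in the thread.
            try {
                $start = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name" -Name Start -ErrorAction Stop).Start
                $readable = $true
            } catch { $start = 'unreadable' }
        }
        New-Object PSObject -Property @{
            Service = $name; Role = $serviceRoles[$name]; Status = $status
            StartType = $start; KeyReadable = $readable
        } | Select-Object Service, Role, Status, StartType, KeyReadable
    }
}

function Get-SecurityPolicyFindings {
    foreach ($c in $policyChecks) {
        $data = $null
        try { $data = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction Stop).($c.Name) } catch { }
        if ($data -ne $null -and $data -eq $c.Bad) {
            New-Object PSObject -Property @{ Key = $c.Path; Value = $c.Name; Data = $data; Finding = $c.Meaning } |
                Select-Object Finding, Key, Value, Data
        }
    }
}

Get-SecurityServiceState | Format-Table -AutoSize
$findings = @(Get-SecurityPolicyFindings)
if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize -Wrap }
else { 'No disabling policy values found.' }
```

A service reported as MISSING, or one whose key is unreadable by an elevated shell, matches the "missing services and access denied errors" described above and means the service key itself (or its permissions) has to be repaired before the service can be started; a policy finding on a machine nobody administers by policy is the registry entry FSS would report.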
 
So for all you guys wondering, what I think I have discovered is a lot of customers coming with ZeroAccess malware.
I had to reformat the systems and from reading the above article, I will have to continue doing so.

We get zero access infections every day and never have to reformat. You need to check the tools you are using. ZA is easily defeated with a combination of killing active tasks, combofix, tdsskiller, etc..
 
Interesting stuff.

I have been struggling with it. I use a combination of unhide, rkill, tdsskiller, combofix, usually followed by a Malwarebytes quick scan.

I'll have to check what others have been using for it.

Cheers Jimbo.
 
Looks like it's a new strain going around: http://nakedsecurity.sophos.com/2012/06/06/zeroaccess-rootkit-usermode/

I think what some people fail to realize is that just because the virus has the same name doesn't mean the same tools are going to work on it. You can't just say such and such is easily defeated with certain tools. It might be easily defeated in a week or two but new variations can be a serious problem. TDSS has shown us that several times now.
 
Yea that's where I had sourced my info from too ComputerRepairTech.

The link I posted earlier was clear that this rootkit will update itself multiple times per day to keep ahead of the game. It also mentioned that it is very difficult to remove.

Sure it can be done but it is a tricky little number.

John.
 
Easy peasy!

Based on the Sophos article, I wrote a removal tool for this new User Mode variant of Zero Access, attached.

Usage: Run the tool, if the new variant is detected, you will be prompted to reboot. Once rebooted, run the tool again, it will finish the removal and re-check to ensure it is gone.

I will be incorporating this as an automated check in D7 soon. EDIT: already done in v6.4

NOTE: The entire point to ZeroAccess is to download other malware to the system. This tool removes the ZeroAccess User Mode variant only, not any other malware it may have downloaded, nor does it repair any other damage it may have done to security settings, etc.

EDIT: Updated tool to take care of the infected services.exe caused by some payload from this infection.
 


Hmm, wasn't ZeroAccess the one where the older variant would lock a system down if it was improperly removed? Have you had the chance to test this?
 
Haven't experienced that...... then again I don't think I've ever improperly removed it ;)

This new tool is only for the latest user mode variants discussed above, and yes it is tested in a VM and works 100% for me.

Might as well tell you how. First it reads the appropriate registry keys and examines them for hijacked values. If found, it extracts the path and GUID used in the registry keys to determine the file system location of the malware, then renames the malware files and reboots (as the malware is active it cannot just be deleted, but renaming works.) After reboot of course the registry keys still point to the malware (which is renamed, so it won't execute) so the tool is free to write back to default values to the registry keys and delete the malware directories.
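The two-phase sequence described in the post above (rename the running file, reboot, then write the default back and delete the directory) is a general pattern for anything that cannot be deleted while it is loaded. The script below is an added illustration of that pattern, not the poster's tool. The thread does not name the hijacked key, so the key path, value name and known-good default are parameters the technician supplies from their own analysis; the state-file location is an assumption. Run it elevated, once before and once after the reboot.

```powershell
# Added illustration of the two-phase pattern described in the post above; it is
# not the author's tool. $KeyPath, $ValueName and $ExpectedData come from the
# technician's own analysis because the thread does not name them; $StateFile is
# an assumed location for carrying phase-1 results across the reboot.
param(
    [Parameter(Mandatory = $true)][string]$KeyPath,       # e.g. 'HKLM:\SOFTWARE\...' (supplied by caller)
    [Parameter(Mandatory = $true)][string]$ValueName,
    [Parameter(Mandatory = $true)][string]$ExpectedData,  # the default the value should hold
    [string]$StateFile = (Join-Path $env:ProgramData 'quarantine-phase1.xml')
)

# Directories that must never be removed wholesale, even if a hijacked value points into them.
$protectedDirs = @($env:SystemRoot, (Join-Path $env:SystemRoot 'System32'), $env:ProgramFiles)

function Get-ReferencedFile([string]$data) {
    # Pull a bare file path out of value data that may be quoted or carry arguments.
    if ($data -match '^"([^"]+)"') { return $matches[1] }
    return ($data -split '\s+')[0]
}

function Invoke-PhaseOne {
    $data = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction Stop).$ValueName
    if ($data -eq $ExpectedData) { 'Value already holds its default; nothing to do.'; return }
    $file = Get-ReferencedFile $data
    if (-not (Test-Path -LiteralPath $file)) { throw "Hijacked value points to '$file', which does not exist" }
    $dir = Split-Path -Parent $file
    $quarantined = "$file.quarantined"
    # The image is in use, so it cannot be deleted, but a rename succeeds; the registry
    # value then names a file that no longer exists, so nothing loads at the next boot.
    Rename-Item -LiteralPath $file -NewName (Split-Path -Leaf $quarantined) -ErrorAction Stop
    @{ Quarantined = $quarantined; Dir = $dir; Data = $data } | Export-Clixml -Path $StateFile
    "Renamed '$file' -> '$quarantined'. Reboot, then run this script again to finish."
}

function Invoke-PhaseTwo {
    $state = Import-Clixml -Path $StateFile
    # The renamed file did not load, so the value can be written back to its default.
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $ExpectedData -ErrorAction Stop
    if ($protectedDirs -contains $state.Dir) {
        # Only the renamed file goes if it lived in a system directory.
        Remove-Item -LiteralPath $state.Quarantined -Force -ErrorAction Stop
    } else {
        Remove-Item -LiteralPath $state.Dir -Recurse -Force -ErrorAction Stop
    }
    Remove-Item -LiteralPath $StateFile -Force
    # Re-check, as the post describes, that the value really holds the default again.
    $data = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
    if ($data -ne $ExpectedData) { throw "Value still reads '$data' after restore" }
    'Default restored and quarantined files removed.'
}

if (Test-Path -LiteralPath $StateFile) { Invoke-PhaseTwo } else { Invoke-PhaseOne }
```

The protected-directory guard is the caveat the post's description glosses over: "delete the malware directories" is only safe when the directory was created for the malware, so a file that turns out to live under System32 or Program Files is removed on its own rather than with its parent.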
 
Good work, I assume you will be implementing the registry check on d7 startup?
 
Just investigated this issue further.

It seems that not right away, but eventually, this newer variant of ZeroAccess (Sirefef.P dropper) will download additional payload (Sirefef.Y and Z and maybe more) and infect \Windows\System32\services.exe - the problem is that if my original removal tool or any A/V detects and attempts removal it may succeed partially, however when services.exe can't find the removed infection it will force Windows to restart after 60 seconds, which cannot be aborted by a shutdown -a

I finally was able to get the infection and learned that services.exe must be replaced with a clean copy in an offline environment, plus a few other tasks. A pic is worth a thousand words so let me show you how I ended up having to remove the infection:

EDIT: I also discovered D7's Repair Firewall function to be very ineffective at repairing the specific damage done by this variant (at least in Windows 7) so I added all the manual fixes I could to this function and it now succeeds in repairing the firewall properly after the infection is removed.
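Before replacing services.exe from an offline environment as the post above describes, it helps to confirm that the file really has been modified and to locate a clean copy of the same build. The script below is an added example, not the D7 tool; it is meant to be run from a clean environment (boot disc or a second PC) against the infected volume's Windows directory, which it assumes is mounted at the path given in -OfflineRoot, and it relies on the component store on that volume being intact.

```powershell
# Added integrity check for the services.exe step in the post above; not the D7
# tool. -OfflineRoot is an assumed mount point for the infected volume's Windows
# directory. The component store (WinSxS) on the same volume is used as the
# reference, on the assumption that it was not touched by the infection.
param([string]$OfflineRoot = 'D:\Windows')

function Get-Sha256Hex([string]$path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs = [System.IO.File]::OpenRead($path)
    try { return ([BitConverter]::ToString($sha.ComputeHash($fs))).Replace('-', '') }
    finally { $fs.Close() }
}

function Test-OfflineServicesExe([string]$windowsDir) {
    $target = Join-Path $windowsDir 'System32\services.exe'
    if (-not (Test-Path -LiteralPath $target)) { throw "Not found: $target" }
    $targetHash = Get-Sha256Hex $target
    $version = (Get-Item -LiteralPath $target).VersionInfo.FileVersion
    # WinSxS keeps the installed copies of system binaries: an in-place patched
    # services.exe matches none of them, a clean one matches at least one.
    $storeCopies = @(Get-ChildItem -Path (Join-Path $windowsDir 'winsxs') -Recurse -Filter 'services.exe' -ErrorAction SilentlyContinue)
    $same = @($storeCopies | Where-Object { (Get-Sha256Hex $_.FullName) -eq $targetHash })
    # A replacement must be the same build, so prefer a store copy with the same version.
    $sameVersion = @($storeCopies | Where-Object { $_.VersionInfo.FileVersion -eq $version })
    $candidate = $null
    if ($sameVersion.Count -gt 0) { $candidate = $sameVersion[0].FullName }
    # Embedded Authenticode status is reported for completeness; many Windows
    # system files are catalog-signed and legitimately show NotSigned here.
    $sig = Get-AuthenticodeSignature -FilePath $target
    New-Object PSObject -Property @{
        Path = $target; FileVersion = $version; SHA256 = $targetHash
        ComponentStoreCopies = $storeCopies.Count
        MatchesComponentStore = ($same.Count -gt 0)
        CleanCopyCandidate = $candidate
        EmbeddedSignature = $sig.Status
    } | Select-Object Path, FileVersion, SHA256, ComponentStoreCopies, MatchesComponentStore, CleanCopyCandidate, EmbeddedSignature
}

Test-OfflineServicesExe $OfflineRoot | Format-List
```

MatchesComponentStore = False with a CleanCopyCandidate listed is the case the post describes: copy the candidate over System32\services.exe while the volume is still offline (taking ownership of the target first if needed), then re-run the check and expect True before booting the machine. No candidate at all means the replacement has to come from another machine at exactly the same Windows version and service pack.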
 

Attachment: Untitled.jpg