Thursday, 07 February 2013

win32/sirefef.bc aka ZeroAccess.b!env Trojan vs Windows Firewall on Windows 8: How to Fix

Last night I encountered a trojan called win32/sirefef.bc, also known as ZeroAccess.b!env by McAfee. It has been around for about 4 months now.
It happened on a Windows 8 32-bit system, which I take to mean there is a flaw in Windows 8 security.
I am partly at fault too, since I had turned off UAC and excluded my C:\ drive from the Windows Defender scan list.
Here are the symptoms:
After a restart, my Internet Download Manager reports that the Base Filtering Engine is disabled, which in turn disables advanced browser integration. It also tells you that this may be caused by malware and links to their website explaining how to restore it.
I opened Google Chrome to search for a solution, and every time I searched from the search bar (since I use https) Google showed a warning that my computer was infected with win32/sirefef.bc. It is better to search from google.com directly rather than from the search bar.

Anyway, I checked the list of services (run services.msc) and there was no Base Filtering Engine in the list.
Then I used a registry file to restore BFE; I think it is the same file IDM provides.
The most important part is to fix the permissions on the restored key. A .reg import carries no ACL, so the new key only inherits its parent's permissions, which do not include the service's own virtual account (NT SERVICE\BFE); until that account is granted access, the service fails to start with access denied.
Run regedit and browse to "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BFE\", right-click, Permissions. Press Add, type "nt service\bfe" and it will resolve to BFE. Tick Full Control and press OK.

To fix the infection, I also scanned the PC with Windows Defender using Quick scan, and within 3 minutes it flagged 2 files as the culprits, one in Recycler and the other reported as a rootkit. It asks for a restart to disinfect the files.

Restart, and now the BFE warning is gone and I can enable advanced browser integration. My Google Chrome also no longer redirects to the warning on https sites.

However, there is another problem: Windows Firewall cannot be enabled.
It tells you that Windows Firewall is not using the recommended settings.
If you try this before fixing BFE, you get error code 0x8007042c when you click Use recommended settings.
After fixing BFE, however, clicking Use recommended settings has no effect.
Also, in my case, my HomeGroup shared files could not be accessed from my secondary PC (though I could still access the secondary PC's shared files).
 
So I checked, and there was also no Windows Firewall entry in Services; it should be MpsSvc, at "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\".
Then I looked for another registry file and found one.
I also changed the permissions to give "nt service\mpssvc" full control.
However, I still could not get it working: it ended with error code 2 every time I tried to start it from Services.
I also tried with the same key exported from my Windows 8 64-bit machine, with the same result.
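The two permission steps above (the BFE key and the MpsSvc key) and the start-order check can be done from an elevated PowerShell prompt instead of clicking through regedit. The script below is an added example written for this post; it is not from the original post, from IDM or from the tweaking.com tool. It assumes the service keys already exist (it does not recreate a deleted service, so a missing key still needs the .reg file) and uses the service names BFE and MpsSvc and the NT SERVICE\<name> virtual accounts from the steps above.

```powershell
# Added example (not from the original post): check the two services
# ZeroAccess/Sirefef removed, grant each service's virtual account full control
# on its own registry key (the regedit step above), and start them in
# dependency order: BFE first, then MpsSvc (Windows Firewall), which depends on it.
# Run from an elevated PowerShell prompt on Windows 8 (PowerShell 3 or later).

$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Run as administrator) PowerShell prompt.'
}

$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$services     = @('BFE', 'MpsSvc')   # order matters: MpsSvc depends on BFE

foreach ($name in $services) {
    $keyPath = Join-Path $servicesRoot $name
    Write-Host "== $name =="

    # 1. Is the registry entry there at all? If not, there is nothing to fix
    #    permissions on: import the known-good .reg file for this service first.
    if (-not (Test-Path $keyPath)) {
        Write-Warning "$keyPath is missing. Import a known-good .reg file for $name and re-run."
        continue
    }

    # 2. Grant the service's own virtual account (NT SERVICE\<name>) Full Control
    #    on its key, inherited by subkeys. A .reg import carries no ACL, so the
    #    restored key inherits only the parent's permissions, which lack this entry.
    $identity = "NT SERVICE\$name"
    try {
        $acl  = Get-Acl -Path $keyPath
        $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList `
            $identity,
            [System.Security.AccessControl.RegistryRights]::FullControl,
            ([System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'),
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow
        $acl.SetAccessRule($rule)
        Set-Acl -Path $keyPath -AclObject $acl
        Write-Host "Granted FullControl on $keyPath to $identity"
    } catch {
        # Service keys are owned by TrustedInstaller; if the DACL cannot be written,
        # take ownership of the key in regedit first, then re-run.
        Write-Warning "Could not update the ACL on ${keyPath}: $($_.Exception.Message)"
        continue
    }

    # 3. Does the Service Control Manager list the service, and does it start?
    #    A key that exists but is not listed usually needs a reboot to be picked up.
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "$name has a registry key but is not listed by the SCM yet; reboot and re-run."
        continue
    }
    try {
        Start-Service -Name $name -ErrorAction Stop
        Write-Host "$name is now $((Get-Service -Name $name).Status)"
    } catch {
        # Error 5 here means the ACL step did not take; error 2 means the entry
        # itself is incomplete and must be repaired, not just re-permissioned.
        Write-Warning "Could not start ${name}: $($_.Exception.Message)"
    }
}

# Finally confirm that the firewall profiles report as enabled (NetSecurity module, Windows 8+).
Get-NetFirewallProfile | Select-Object Name, Enabled
```

If the script reports that MpsSvc still fails with error 2 after the ACL has been written, the imported entry itself is incomplete, which is the case the tweaking.com repair tool handled in this post; re-running the ACL step will not help at that point.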
After a few hours searching for a possible fix, I found a tool from tweaking.com which was able to solve the problem.
I have not looked thoroughly into how win32/sirefef.bc infected my PC, but my main suspects are a few files I downloaded from the internet before the incident.
Then again, I think there are many others with the same problem as me (this, for example, might be one), and I hope this solution works for them as well.

Summary:
win32/sirefef.bc is a new breed of trojan; on Windows 7 with Microsoft Security Essentials I never had a single infection until now, so I have to say Windows 8 is not so safe.
Even after removal with Windows Defender, an infected PC will have lost its BFE and Windows Firewall services.
There is always a way, and Refresh/Reset Windows should be the last resort.
A few registry and permission tweaks will get your Windows Firewall up and running.


Notable Windows Firewall errors:
Error code 0x8007042c (Win32 error 1068, "The dependency service or group failed to start") appears while BFE is still missing or its permissions are not set, because Windows Firewall depends on BFE.
Error code 5 (access denied) happens when the MpsSvc permission has not been set and you start the service from Services.
Error code 2 (The system cannot find the file specified), when starting from Services, means the entry exists but is incomplete, so the Windows Firewall registry entry itself needs to be repaired. I successfully did that with the tweaking.com tool mentioned above.
