
Ransomware protection turned off - Windows defender Firewall settings



@AdvancedSetup

Hi, yes, all seems fine, but I'm still curious why Ransomware was turned off and my firewall settings were telling me to restore them back... it all kinda happened on the same day.

Still not liking that Netflix was hacked... but that could be through my wife's lappy... maybe at some point I will get you guys to check it out... she does have Malwarebytes installed.

I did notice one thing... Firefox... I uninstalled it, I think maybe a couple of months ago... but I still see it has files on my lappy... any idea what I do with these?

Was thinking of switching from Google Chrome back to Firefox...

Firefox 2023-09-02 124451.jpg


  • Root Admin

No telling what specifically caused the issue. That would take forensic type work that no one does for free.

I'll post some suggestions on how to keep the computer data safe and increase your privacy as well.

Yes, when ready, please do post logs from your wife's computer and ask for me and I'll help you out. Please note though I'm going on vacation near the end of the week so I'll be gone for a couple weeks.

Let's go ahead and do some clean-up work and remove the tools and logs we've run.

Please download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please attach that file to your next reply. (not compulsory)


  • Root Admin

Here is some information that, if you follow it, will make it quite difficult to get infected. But even if you did get infected, if you had good, strong, solid backups on an external USB hard drive, you would be able to restore Windows or your data very quickly.

All program uninstalls leave files behind, Firefox is no different. As for privacy I think Firefox is much more considerate about your privacy than Google Chrome. I use it on all my systems.

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.

    Use Password Management software:

    Bitwarden
    KeePass Password Safe

    Make sure you use a strong master password.
    Then set the key transformation settings (the link below helps provide information on how to choose good settings):
    https://pthree.org/2016/06/29/further-investigation-into-scrypt-and-argon2-password-hashing
    KeePass Password Manager: Full Detailed Setup (good YouTube video on setup and using KeePass, but choose the Argon2 method for key transformation)

    Password Managers Compared: LastPass vs KeePass vs Dashlane vs 1Password

  2. Make sure you're backing up your files: https://forums.malwarebytes.com/topic/136226-backup-software/
    Please read the information from this link.

  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download

  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2

  5. PLEASE READ Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/

  6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security:

    Malwarebytes Browser Guard
    uBlock Origin

Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes


@AdvancedSetup

Please see attached log.

I will get my wife's lappy and send it to you in a new post.

Can you also tell me who are the best people to talk to about network connections... I reinstalled Firefox and I saw connections to 127.0.0.1; when I read about this, it says it's a loopback IP address and should not be sending or receiving packets, but from TCPView I can see them?

Process Process Id  Protocol State local host local port Remote Address Remote Port   Module name Sent Packets Recv Packets Sent Bytes Recv Bytes
firefox.exe 716 TCP Established 127.0.0.1 52311 127.0.0.1 52312 03/09/2023 07:51 firefox.exe   457   457
firefox.exe 716 TCP Established 127.0.0.1 52312 127.0.0.1 52311 03/09/2023 07:51 firefox.exe 457   457  
firefox.exe 14148 TCP Established 127.0.0.1 52313 127.0.0.1 52314 03/09/2023 07:51 firefox.exe        
firefox.exe 14148 TCP Established 127.0.0.1 52314 127.0.0.1 52313 03/09/2023 07:51 firefox.exe        

kprm-20230903090208.txt

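Added example, not part of the thread or of any poster's text: a PowerShell snippet (run from an elevated prompt) that lists established loopback TCP connections and pairs each one with the socket on its other end, so you can see whether both ends belong to the same program. In the TCPView output above, firefox.exe (PID 716) owns both port 52311 and port 52312, so that "connection" is Firefox talking to itself over the loopback interface; such traffic never leaves the machine. Get-NetTCPConnection and Get-Process are standard Windows cmdlets; the function name Get-LoopbackPairs is made up here.

```powershell
# Added example (not from the thread): pair up loopback TCP connections and
# show which process owns each end. Run from an elevated PowerShell prompt
# so OwningProcess can be resolved for every connection.
function Get-LoopbackPairs {
    # Only established connections whose local address is the loopback address.
    $conns = @(Get-NetTCPConnection -LocalAddress '127.0.0.1' -State Established -ErrorAction SilentlyContinue)

    foreach ($c in $conns) {
        # The other end of a loopback connection shows up as a second entry with
        # local/remote ports swapped (e.g. 52311->52312 and 52312->52311).
        $peer = $conns |
            Where-Object { $_.LocalPort -eq $c.RemotePort -and $_.RemotePort -eq $c.LocalPort } |
            Select-Object -First 1

        $proc     = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $peerProc = $null
        $peerPid  = $null
        if ($peer) {
            $peerPid  = $peer.OwningProcess
            $peerProc = Get-Process -Id $peerPid -ErrorAction SilentlyContinue
        }

        # True when one program is simply talking to itself over loopback.
        $sameProcess = [bool]($peer -and ($peerPid -eq $c.OwningProcess))

        [pscustomobject]@{
            Process     = $proc.ProcessName
            PID         = $c.OwningProcess
            LocalPort   = $c.LocalPort
            RemotePort  = $c.RemotePort
            PeerProcess = $peerProc.ProcessName
            PeerPID     = $peerPid
            SameProcess = $sameProcess
        }
    }
}

# Show the pairs. A row with an empty PeerProcess has no visible partner TCP
# socket, which is worth a closer look; a row with SameProcess = True is a
# program's own inter-process traffic and is expected for multi-process browsers.
Get-LoopbackPairs | Sort-Object Process, LocalPort | Format-Table -AutoSize
```

Loopback sockets are how many Windows programs pass data between their own processes, so seeing bytes sent and received on 127.0.0.1 is not by itself a sign of anything leaving the computer; what matters is which process owns each end, which the output above makes visible.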

  • Root Admin

I can assist you with that but I need to get new logs.

I see that when the KpRm tool ran... did you not choose all the options? There were no System Restore Points created, which it should have done.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure whether your computer is 32-bit or 64-bit.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you


  • Root Admin

Did you make this change manually? Nothing wrong with setting it. Just wondering if you did it.

HKLM\Software\Policies\...\system: [RunAsPPL] 2

How to enable LSA protection using Group Policy

  1. Open the Group Policy Management Console (GPMC).

  2. Create a new GPO that is linked at the domain level or that is linked to the organizational unit that contains your computer accounts. Or you can select a GPO that is already deployed.

  3. Right-click the GPO, and then select Edit to open the Group Policy Management Editor.

  4. Expand Computer Configuration, expand Preferences, and then expand Windows Settings.

  5. Right-click Registry, point to New, and then select Registry Item. The New Registry Properties dialog box appears.

  6. In the Hive list, select HKEY_LOCAL_MACHINE.

  7. In the Key Path list, browse to SYSTEM\CurrentControlSet\Control\Lsa.

  8. In the Value name box, type RunAsPPL.

  9. In the Value type box, select REG_DWORD.

  10. In the Value data box, type:

    1. 00000001 to enable LSA protection with a UEFI variable.
    2. 00000002 to enable LSA protection without a UEFI variable (only enforced on Windows 11, 22H2).
  11. Select OK.

https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection

I don't see the proper installation entries for Firefox. Please download the installer again and run that.

https://www.mozilla.org/en-US/firefox/new/

Then get me a new set of Farbar scan logs.

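Added example, not from the thread and not Microsoft's code: a PowerShell check (run from an elevated prompt) that reads the RunAsPPL value under the Control\Lsa key named in the procedure above and, as a second signal, looks for the System-log event Windows writes when LSASS actually started as a protected process (event ID 12 reading "LSASS.exe was started as a protected process with level: 4", which is the verification step in the Microsoft page linked above). The function name Get-LsaProtectionState is made up here. The FRST line quoted above shows the value under a Policies key whose full path is abbreviated in the thread, so this snippet does not read that path.

```powershell
# Added example (not from the thread): report whether LSA protection (RunAsPPL)
# is configured in the registry and whether LSASS actually started protected
# at the last boot. Run from an elevated PowerShell prompt.
function Get-LsaProtectionState {
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # 1. Registry: the value the Group Policy procedure above writes.
    $item  = Get-ItemProperty -Path $lsaKey -Name 'RunAsPPL' -ErrorAction SilentlyContinue
    $value = $null
    if ($null -ne $item) { $value = [int]$item.RunAsPPL }

    if ($null -eq $value) {
        $meaning = 'RunAsPPL is not set under Control\Lsa (no LSA protection configured there)'
    } else {
        $meaning = switch ($value) {
            0       { 'RunAsPPL = 0: LSA protection disabled' }
            1       { 'RunAsPPL = 1: LSA protection enabled with a UEFI variable' }
            2       { 'RunAsPPL = 2: LSA protection enabled without a UEFI variable (enforced on Windows 11 22H2)' }
            default { "RunAsPPL = $value: value not covered by the procedure above" }
        }
    }

    # 2. Runtime evidence: at boot, Windows logs System event ID 12 with the text
    #    "LSASS.exe was started as a protected process with level: 4" when the
    #    setting took effect. Event ID 12 is also used by other sources in the
    #    System log, so match on the message text as well as the ID.
    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 12 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*LSASS.exe was started as a protected process*' } |
        Select-Object -First 1

    $lastProtectedBoot = $null
    if ($evt) { $lastProtectedBoot = $evt.TimeCreated }

    [pscustomobject]@{
        RegistryValue        = $value
        Meaning              = $meaning
        LsassProtectedAtBoot = [bool]$evt
        LastProtectedBoot    = $lastProtectedBoot
    }
}

Get-LsaProtectionState | Format-List
```

The registry value only says what was requested; the event shows whether the request took effect, which is why both are reported. If the value is set but no such event appears since the last boot, the setting has not yet been applied (a reboot is needed after the registry change).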

@AdvancedSetup

I did nothing manually, really wouldn't know what to do... after I installed Firefox a new folder appeared on my desktop, "old firefox".

I cannot locate this

11 minutes ago, AdvancedSetup said:

Open the Group Policy Management Console (GPMC).

Where does it live? Tried searching on the lappy... just gives me web suggestions... is it in Control Panel?


  • Root Admin

Don't worry about it @ianburns5

Windows Security probably set that for you. It's supposed to be a good thing to increase security.

Yes, the Firefox old folder is normal. You can remove it if you like, but first check and make sure your bookmarks are all there and Firefox is working well.

Do not make all the changes here, as it will lock down Firefox too much. But review and consider making some changes. It's a long read and there's no rush. I'm going offline here in a moment anyway, so I won't be around, but you can ask questions and when I'm back online I'll reply.

Make a new System Restore Point first.

https://avoidthehack.com/firefox-privacy-config


@AdvancedSetup

I uninstalled Firefox just now... I deleted those old folders I showed earlier... these look like they are hanging about from the last uninstall, all under Mozilla folders in Local and Remote.

Still not sure on the 127.0.0.1 sending/receiving packets... are you saying this is normal?

If I reinstall Firefox from the link you sent... do you want me to run Farbar again and send the files again?

Will read through all you sent and decide what is best :)


@AdvancedSetup

I had asked a question in the Bleeping Computer Network forum about the 127.0.0.1.

One of the bods there asked me to run Speccy, then posted back that this looked odd:

IGCCSVC_DB: AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAwP5ZA9hBFkKOy7nTXnxqVQQAAAACAAAAAAAQZgAAAAEAACAAAABBtpe7JadLqA83M8hiJL7RrxNqR3hQVq+MCkDZmQ2VzAAAAAAOgAAAAAIAACAAAAAt/HnAxD0V+4XEjC3vak+8hjhqLmJrNCmSIwKeq4QiaGAAAAAIY9ouaYjViGw5HhiekXxjYsTl097AxsZUgJgrgm

Here is the link to the Speccy output:

http://speccy.piriform.com/results/dPvhfpL3qbjAshyWZHGlF0w

Just need to be sure what this is... do you know?

Edited by ianburns5

This topic is now closed to further replies.