Windows 10: Windows attack can steal your logged-in username and password

  1.    09 Aug 2016 #41

    Slartybart said: View Post
    Did you forget to include Mbam in your list of scans or did I miss a Mbam mention elsewhere?

    Anyway ....

    scop8 should also run Malwarebytes (download begins when clicked), noting the setting for Rootkits you mention.
    Hello. Yes, the MBAM was the first scan I did after restarting my computer when that weird site prevented me from using Chrome. And yes, I changed the 'rootkit' setting to 'on' so the scan checked for it as well. Thanks for double-checking, Slartybart.


  2. Posts : 3,506
    Win_8.1-Pro, Win_10.1607-Pro, Mint_17.3
       09 Aug 2016 #42

    scop8 said: View Post
    Hello. Yes, the MBAM was the first scan I did after restarting my computer when that weird site prevented me from using Chrome. And yes, I changed the 'rootkit' setting to 'on' so the scan checked for it as well. Thanks for double-checking, Slartybart.
    Thanks, I miss things from time to time.

    Bill


  3. Posts : 12,413
    W10Prox64
       09 Aug 2016 #43

    scop8 said: View Post
    Is the bold part a lark? If not, then, no, my computer was not talking to me
    I was serious. Usually they are also telling you "verbally" that your computer is infected and you need to call the number right now.

    scop8 said: View Post
    I followed all your instructions, simrick, and things seem to be clean. RKill just couldn't open and edit the Hosts file because Avira blocks that. Is this a problem or can I assume things are ok without it having been checked?
    Can you temporarily disable Avira and let RKILL look at the HOSTS file? It's kind of important to see what's in there. Or, you could just look at the HOSTS file yourself. Of course, if Avira is blocking it, then I doubt any changes were made.

    scop8 said: View Post
    Tempfile deleted what it needed to, no restart needed. JRT had 9 files deleted but these were all from Spyshelter update installations (I'm aware it sometimes reads as a false positive with some cleaners).
    Yes, anti-keyloggers are unique birds.

    scop8 said: View Post
    AdwCleaner deleted a hxxp://www.trovi.com... file in Chrome along with 'Tracing' keys and cleared Winsock settings. I do know about turning on for rootkits in Malwarebytes so that was checked before the scan, thanks.
    Yes, trovi.com is a known questionable site.
    You might want to consider putting OpenDNS server addresses in your NIC's IPv4/IPv6 settings;
    IPv4=208.67.222.222 and 208.67.220.220, IPv6=2620:0:ccc::2 and 2620:0:ccd::2


    scop8 said: View Post
    Should I be at least creating new passwords or at worst doing another clean re-install or is the latter neck deep in paranoia? This is precisely the kind of thing I'd hoped to avoid, that dreaded feeling of 'maybe something's left over and I shouldn't check anything that requires a password' with a new Win 10 installation. Yet here we are.
    I suppose, there is always the possibility that a script could have grabbed your current login cookie sessions. Unlikely, but it does happen. That's not grabbing your login credentials, just your cookie session, which could theoretically be used to pretend to be "you" in another browser. But, that's not usually what these particular guys are looking for - they want you to call, they then remote into your computer and take control, install rogue "cleaning software" which infects you, then have you pay to get it removed. If you stop mid-stream of their remote session, they are now locking systems using SysKey, so you can't even boot into Windows anymore.

    If you're really paranoid, you could change the passwords of whatever you were logged into at the time on the system. Or, you could check recent activity (i.e. Gmail and Yahoo allow you to do this). For a final "all clear" you can run ESET Online Scanner, checking the option to scan all drives, and scan for PUPs. (detailed instructions here)

    scop8 said: View Post
    I don't know why all the sites say cinplex.com is clean yet when I hit enter things switched to the address of that red image I posted earlier...
    Could have been a hack/redirect manipulating a security hole in an old version of Java/Flash, etc. Hard to say. Could even be an infected ad. I'm not going there to find out!

    scop8 said: View Post
    Thanks again, simrick, for a prompt and thorough response, I really appreciate it.
    You're quite welcome. Let us know how the ESET scan turns out.
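    As an added example that is not part of the thread, here is a PowerShell check for the two things simrick asks about above: non-default entries in the HOSTS file, and pointing an adapter at the OpenDNS resolvers he lists. The interface alias "Ethernet" is a placeholder; run from an elevated prompt.

```powershell
# Added example (not from the thread): review HOSTS and set the OpenDNS resolvers
# quoted in the post. Run from an elevated PowerShell prompt.
# Assumption: the interface alias 'Ethernet' is a placeholder; adjust to your adapter.

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# 1. HOSTS review: anything that is not a comment, a blank line or the loopback
#    mapping for 'localhost' deserves a look, because redirecting a well-known
#    domain here is a common way to silently reroute a browser.
$suspicious = Get-Content $hostsPath |
    Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' } |
    Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\b' }

if ($suspicious) {
    Write-Host 'Non-default HOSTS entries found:' -ForegroundColor Yellow
    $suspicious | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host 'HOSTS file contains only default entries.'
}

# 2. Show which resolvers each adapter is using right now, before changing anything.
Get-DnsClientServerAddress -AddressFamily IPv4, IPv6 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, AddressFamily, ServerAddresses |
    Format-Table -AutoSize

# 3. Apply the OpenDNS addresses from the post (IPv4 and IPv6) to one adapter.
$alias = 'Ethernet'   # placeholder; run (Get-NetAdapter).Name to list your adapters
Set-DnsClientServerAddress -InterfaceAlias $alias -ServerAddresses @(
    '208.67.222.222', '208.67.220.220',
    '2620:0:ccc::2',  '2620:0:ccd::2'
)

# 4. Verify the change and flush the resolver cache so stale answers do not linger.
Get-DnsClientServerAddress -InterfaceAlias $alias |
    Select-Object AddressFamily, ServerAddresses
Clear-DnsClientCache
```

    If the adapter uses DHCP-assigned DNS, `Set-DnsClientServerAddress -InterfaceAlias $alias -ResetServerAddresses` reverts to the ISP's resolvers.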

  4.    10 Aug 2016 #44

    zooburner said: View Post
    So much for windows 10 being secure, not only have they not fixed the issue, that allows a site to steal all your log on information to all your windows devices, but they have created a new additional vulnerable browser that allows it. !!
    The issue is with shared drives which mostly involved the enterprise. The threat has increased because of the use of MS account to get access to a shared drive.

  5.    10 Aug 2016 #45

    simrick said: View Post
    I was serious. Usually they are also telling you "verbally" that your computer is infected and you need to call the number right now.

    Can you temporarily disable Avira and let RKILL look at the HOSTS file? It's kind of important to see what's in there. Or, you could just look at the HOSTS file yourself. Of course, if Avira is blocking it, then I doubt any changes were made.

    Yes, anti-keyloggers are unique birds.

    Yes, trovi.com is a known questionable site.
    You might want to consider putting OpenDNS server addresses in your NIC's IPv4/IPv6 settings;
    IPv4=208.67.222.222 and 208.67.220.220, IPv6=2620:0:ccc::2 and 2620:0:ccd::2

    I suppose, there is always the possibility that a script could have grabbed your current login cookie sessions. Unlikely, but it does happen. That's not grabbing your login credentials, just your cookie session, which could theoretically be used to pretend to be "you" in another browser. But, that's not usually what these particular guys are looking for - they want you to call, they then remote into your computer and take control, install rogue "cleaning software" which infects you, then have you pay to get it removed. If you stop mid-stream of their remote session, they are now locking systems using SysKey, so you can't even boot into Windows anymore.

    If you're really paranoid, you could change the passwords of whatever you were logged into at the time on the system. Or, you could check recent activity (i.e. Gmail and Yahoo allow you to do this). For a final "all clear" you can run ESET Online Scanner, checking the option to scan all drives, and scan for PUPs. (detailed instructions here)

    Could have been a hack/redirect manipulating a security hole in an old version of Java/Flash, etc. Hard to say. Could even be an infected ad. I'm not going there to find out!

    You're quite welcome. Let us know how the ESET scan turns out.
    Hi simrick,

    Thanks for the feedback. Here are the results:
    - I ran RKill with Avira off and there's no issue with the Hosts file, thankfully.
    - It's a bit disconcerting that Trovi somehow got through with all the levels of security, but I made the DNS changes you suggested and hopefully it'll help. I ran a test of IPv6 on Test your IPv6, and the summary states 'Your current configuration will continue to work as web sites enable IPv6', but I'm able to browse the IPv4 net only and I won't be able to reach IPv6-only sites. There were three 'bad' results with IPv6 in the 'Test Run' tab (Test with IPv6 DNS record, Test IPv6 large packet, Find IPv6 Service Provider). Is this just a service provider issue or should I be making some adjustment?
    - Following your link to the ESET instructions in SevenForums, the actual link to ESET isn't what is shown in the screenshot (it's a Mac ESET purchase page). I used this link instead: Free Virus Scan | ESET Online Scanner ESET
    It looks a bit different but I guess it's an updated version. Anyway, it found no suspicious files. Huge relief! It's nice to be assured that another install is not necessary in this computer's near future. Many thanks!


  6. Posts : 12,413
    W10Prox64
       10 Aug 2016 #46

    scop8 said: View Post
    Hi simrick,

    Thanks for the feedback. Here are the results:
    - I ran RKill with Avira off and there's no issue with the Hosts file, thankfully.
    Okay good!
    scop8 said: View Post
    - It's a bit disconcerting that Trovi somehow got through with all the levels of security, but I made the DNS changes you suggested and hopefully it'll help. I ran a test of IPv6 on Test your IPv6, and the summary states 'Your current configuration will continue to work as web sites enable IPv6', but I'm able to browse the IPv4 net only and I won't be able to reach IPv6-only sites. There were three 'bad' results with IPv6 in the 'Test Run' tab (Test with IPv6 DNS record, Test IPv6 large packet, Find IPv6 Service Provider). Is this just a service provider issue or should I be making some adjustment?
    I think IPv6 is too new, and these are ISP issues. I have Charter for an ISP, and I get no IPv6 yet at all.
    scop8 said: View Post
    - Following your link to the ESET instructions in SevenForums, the actual link to ESET isn't what is shown in the screenshot (it's a Mac ESET purchase page). I used this link instead: Free Virus Scan | ESET Online Scanner ESET
    It looks a bit different but I guess it's an updated version. Anyway, it found no suspicious files. Huge relief! It's nice to be assured that another install is not necessary in this computer's near future. Many thanks!
    They have indeed updated their page; sorry about that. The instructions are basically the same though. Glad it didn't find anything. That's good - it's like a final "all clear".


  7. Posts : 16,491
    Win10 Pro, Win10 Pro N, Win10 Home, Win10 Pro Insider Fast Ring, Windows 8.1 Pro, Ubuntu
       15 Aug 2016 #47

    Cliff S said: View Post
    I just posted a question about this Windows Credential Leak Flaw in Edge, IE, and Cortana/Windows Search in the Malwarebytes Forum.
    I asked:
    I was just curious if MBAE protects browsers and against sites set up to exploit the Windows Credential Leak Flaw in Edge, IE, and Cortana/Windows Search? I tried the Malwarebytes search here in the forums, and the main site, but I guess I either don't use the correct terms, or nothing has been written or asked already.
    When and if I get an answer, if Malwarebytes Anti-Exploit protects against this, I will post it here.
    Ok, I just got my answer from pbust, a moderator at Malwarebytes Forums:
    Nope, MBAE will not protect against this as it is a logic flaw within the OS. MBAE protects against remote code execution in third-party applications (browsers, java, office, flash, etc.).
    Windows Credential Leak Flaw - News, Questions and Comments - Malwarebytes Forums


  8. Posts : 12,413
    W10Prox64
       16 Aug 2016 #48

    Cliff S said: View Post
    Ok, I just got my answer from pbust, a moderator at Malwarebytes Forums:
    Windows Credential Leak Flaw - News, Questions and Comments - Malwarebytes Forums
    Thanks for following up on that Cliff.


  9. Posts : 1,830
    Windows 10 Home x64 (Laptop), Windows 10 Pro x64 (Desktop)
       16 Aug 2016 #49

    This is another long-standing security & QA issue for MS to sort out.

  10.    16 Aug 2016 #50

    Simple solution: don't have a login password - nothing to steal! ;-)

    Seriously though, I never set up my systems with a login password. Been like that ever since I used Win 95.

    I always found password protected accounts caused more problems than they prevented.

    I exercise a bit of caution (online) and keep the system secure with a well-maintained firewall and malware prevention.

    Never had any issues.

    (Disclaimer: what works for me, may not work for others!)

    Cheers,

    Mike.

