Windows 10: Windows attack can steal your logged-in username and password

Discussion in 'Windows 10 News' started by Brink, Aug 1, 2016.

  1. Victek Win User


    Thanks, I see it now *Smile

    It would be interesting to know if just disabling "Enable Integrated Windows Authentication" in Internet Explorer Properties Advanced Settings is sufficient?
     
    Victek, Aug 6, 2016
    #31
  2. linw Win User

    Interesting info guys.

    Another reason to stop using IE or Edge until they are fixed. But since the flaw was discovered in 1997, don't hold your breath!
     
  3. Ethelwulf Win User
    Thank you dmex, it's disabled now.
     
    Ethelwulf, Aug 7, 2016
    #33
  4. Ethelwulf Win User

    Very good point, and I am one of them.

    Just saw this now *Sad
     
    Ethelwulf, Aug 7, 2016
    #34
  5. linw Win User
    A word of warning from my experience. If you change policy settings, create a restore point before doing so.

    After I changed the policy setting to 'Deny All', NetBIOS stopped running in file discovery, thus no NAS and network printer showing under 'Network'.

    I also found that changing that setting to 'Allow All' did not fix the above problem. I had to use an earlier restore point to set all back to normal.

    Note, you will also need to restart after changing this policy setting. But I am not changing it again!!

    I haven't tested this with the registry setting method but have lost enthusiasm for this, now, especially as I don't use Edge or IE!
     
  6. gpwill Win User
    For anyone interested: I tested 2 different systems unchecking "Enable Integrated Windows Authentication" and still got vulnerable. (Yes I rebooted) Only success was the reg entry. Really disturbing with such a simple hack. Reason we turned off NTLM on all servers at last company I worked for.
     
    gpwill, Aug 8, 2016
    #36
  7. Hi:

    I changed my user account to a Local one and now I'm using Windows Hello authentication. Is this method safer than using a Microsoft account? I hope it is.

    Thanks in advance
     
    MiguelAngel10, Aug 8, 2016
    #37
  8. scop8 Win User

    Hello,

    Not sure if this is related to the original issue, but I mistakenly went to a wrong website (cinplex.com rather than cineplex.com) and ended up with this:

    [IMG]

    I couldn't open any new tabs or close Chrome so I just restarted the computer, and when the tabs came up in Chrome again, I managed to quickly delete the one in question. Searching info about it, it seems this can be quite invasive. I've deleted history and reset settings, checked Control Panel programs list, nothing, nothing seems to be in the registry, Malwarebytes found nothing, but given this can be quite a deceptive virus, I want to make sure that simply restarting didn't in some way install this inadvertently. I read on a TenForums thread about using the Tweaking.com Windows Repair, but after installing, I keep getting this:

    [IMG]

    Not sure if this not working is related to the first issue in any way. Any insights would be appreciated. Thanks very much.
     
    scop8, Aug 8, 2016
    #38
  9. Ringel05 Win User
    I don't use IE or Edge and I always sign in with a local account, can't remember the last time I signed into my M$ account.
     
    Ringel05, Aug 8, 2016
    #39
  10. simrick Win User
    Hi.
    Was your computer talking to you as well? It usually does with this sort of scareware.
    Tweaking.com is not a tool for this.

    Run RKILL.
    Then run TempFile Cleaner.
    Then run JRT (Junkware Removal Tool).
    Finally, run ADWCleaner.
    You should be good to go after this.
    p.s. When you run Malwarebytes, be sure to check the option for Rootkits, as it's not selected by default.

    EDIT: Site scans clean?
    https://www.virustotal.com/en/url/14...is/1470716879/

    FREE Online Website Malware Scanner | Website Security Monitoring & Malware Removal | Quttera

    Sucuri Security
     
    simrick, Aug 8, 2016
    #40
  11. Did you forget to include Mbam in your list of scans or did I miss a Mbam mention elsewhere?

    Anyway ....

    scop8 should also run Malwarebytes (download begins when clicked), noting the setting for Rootkits you mention.
     
    Slartybart, Aug 8, 2016
    #41
  12. scop8 Win User
    Is the bold part a lark? If not, then, no, my computer was not talking to me *Smile I followed all your instructions, simrick, and things seem to be clean. RKill just couldn't open and edit the Hosts file because Avira blocks that. Is this a problem or can I assume things are ok without it having been checked? Tempfile deleted what it needed to, no restart needed. JRT had 9 files deleted but these were all from Spyshelter update installations (I'm aware it sometimes reads as a false positive with some cleaners). AdwCleaner deleted a hxxp://www.trovi.com... file in Chrome along with 'Tracing' keys and cleared Winsock settings. I do know about turning on for rootkits in Malwarebytes so that was checked before the scan, thanks.

    Should I be at least creating new passwords or at worst doing another clean re-install or is the latter neck deep in paranoia? This is precisely the kind of thing I'd hoped to avoid, that dreaded feeling of 'maybe something's left over and I shouldn't check anything that requires a password' with a new Win 10 installation. Yet here we are.

    I don't know why all the sites say cinplex.com is clean yet when I hit enter things switched to the address of that red image I posted earlier...

    Thanks again, simrick, for a prompt and thorough response, I really appreciate it.
     
    scop8, Aug 8, 2016
    #42
  13. scop8 Win User

    Hello, Yes the MBAM was the first scan I did after restarting my computer when that weird site prevented me from using Chrome. And yes, I changed the 'rootkit' to 'on' in the settings so the scan checked it as well. Thanks for double-checking, Slartybart.
     
    scop8, Aug 8, 2016
    #43
  14. Thanks, I miss things from time to time.

    Bill
     
    Slartybart, Aug 8, 2016
    #44
  15. simrick Win User
    I was serious. Usually they are also telling you "verbally" that your computer is infected and you need to call the number right now. *chuckle

    Can you temporarily disable Avira and let RKILL look at the HOSTS file? It's kind of important to see what's in there. Or, you could just look at the HOSTS file yourself. Of course, if Avira is blocking it, then I doubt any changes were made.

    Yes, anti-keyloggers are unique birds.

    Yes, trovi.com is a known questionable site.
    You might want to consider putting OpenDNS server addresses in your NIC's IPv4/IPv6 settings;
    IPv4=208.67.222.222 and 208.67.220.220, IPv6=2620:0:ccc::2 and 2620:0:ccd::2


    I suppose, there is always the possibility that a script could have grabbed your current login cookie sessions. Unlikely, but it does happen. That's not grabbing your login credentials, just your cookie session, which could theoretically be used to pretend to be "you" in another browser. But, that's not usually what these particular guys are looking for - they want you to call, they then remote into your computer and take control, install rogue "cleaning software" which infects you, then have you pay to get it removed. If you stop mid-stream of their remote session, they are now locking systems using SysKey, so you can't even boot into Windows anymore.

    If you're really paranoid, you could change the passwords of whatever you were logged into at the time on the system. Or you could check recent activity (i.e. Gmail and Yahoo allow you to do this). For a final "all clear" you can run ESET Online Scanner, checking the option to scan all drives, and scan for PUPS. (detailed instructions here)

    Could have been a hack/redirect manipulating a security hole in an old version of Java/Flash, etc. Hard to say. Could even be an infected ad. I'm not going there to find out! *Wink

    You're quite welcome. Let us know how the ESET scan turns out.
     
    simrick, Aug 8, 2016
    #45
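
The HOSTS file check suggested in the post above, as an added example that is not part of the original thread: a small parser that lists every active entry worth a second look. The sample file contents, the `.example` hostnames and the function name `audit_hosts` are constructed for illustration.

```python
import ipaddress

# Names a hosts file may legitimately map to loopback.
EXPECTED_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample for illustration, not taken from any real machine.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         update.av-vendor.example   # security update host blackholed
203.0.113.10    login.bank.example www.bank.example
not-an-ip       something.example
"""

def audit_hosts(text):
    """Return (line_no, kind, address, hostname) for each entry worth reviewing."""
    findings = []
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not entry:
            continue
        address, *names = entry.split()
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, "malformed", address, " ".join(names)))
            continue
        for name in names:
            name = name.lower().rstrip(".")
            if ip.is_loopback or ip.is_unspecified:
                # Name pointed at the local machine: lookups go nowhere.
                if name not in EXPECTED_LOOPBACK_NAMES:
                    findings.append((line_no, "blocked", address, name))
            else:
                # Name pinned to a fixed address, bypassing DNS.
                findings.append((line_no, "redirect", address, name))
    return findings

if __name__ == "__main__":
    # On Windows the live file is C:\Windows\System32\drivers\etc\hosts;
    # read it and pass its text to audit_hosts() instead of the sample.
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

An empty result means the file contains nothing beyond comments and the expected localhost lines; entries added on purpose (ad-blocking lists, for instance) will show up as "blocked" and need a human decision.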