Was my PC Hacked for Ransomware - Quicken password field seems "weird" ? (edit)

TTSguy

The eyeball in the password box seems to have an overlay when logging in. Do I have a hacker that just obtained my password or is this normal?

Screen Shot 2023-04-18 at 8.03.32 AM.png

[Screenshot Edited for Privacy]

[EDIT by SU] - added orig screen capture of Password box "eye" image - (hacked) ?

[EDIT by SU] - added expected Password box "eye" image -

GeoffG

I'm only seeing the background gray image, not your double vision.

Quicken Kristina

Hello @TTSguy,

Thank you for reaching out to the Community. That screenshot makes it look more like a display issue. A hacker would be more likely to create a fake website that looks like the real thing, but has a slightly different URL, then trick people into going there via phishing links in emails or by purchasing ads that allow them to get their fake site near the top of search results online. If you are worried about it, you can change your Quicken password.

Did this happen when you were logging into the Quicken website or your Quicken program? If it happened when logging into the website, which browser did you use?

Thank you.

TTSguy

@Quicken Kristina, i've been through hell and back. 6 weeks ago I was introduced to Ransomeware and a note for $40,000 in crypto to get info on my PC back in my own hands. I said no. Since then have been working with a keylogger who has disrupted everything. It's the same as someone looking over your shoulder writing down every keystroke you make. Worst thing is that the perp is still there, as amatter of fact my Quicken password was taken from me between the time I wrote my post, and before I could get back here for the answer. Am trying a VPN and maybe it's working, as the overlay was gone when I had to replace my Qkn PW. So suspect it was in fact him as he collected my pw, then corupted it to require me to replace it. Hopefully VPN is working as the overlay was gone when I entered my new P/D. So far this malware has destroyed 3 DT PC's, one only a day old, another onlt 2 weeks old, and one 2 yrs old. I've done everything possible to fix but no one can.

I've been maintaining my own PC's for over 50 years, and was always able to until now. I believe it to be Windows 11 problem. it started with incompatible software (4) of them shutting down my core isolation in windows security, then this PM I found more so it's going bad still. He has compromised my Microsoft account, and first thing he does is eliminate your ability to use thumb print or ability to use phone for verification code, so are forfed to use email which he handily see on his bot screen. I've been spending 16 hr days for 6 weeks, constantly changing all passwords on a continuing basis. PLus the other thing they do is make you pin not work nor passwords, so you are constantly changing them. I have about a hundred post-its withpass words floating around. I have not been able to log into Qkn except for community, which he promptly shut down also. You cannot even imagine this until you experience it. there is NO software to find this malware. Besides passwords, my bank accounts and all my autopays had to be changed, (glad I wasn't using QKN bill pay! I haven't gotten into Qkn to download transactions so hope bill pay from my CU is still working. I had my 10 CU accounts closed for a month, had to get new acct #'s, now have that to deal with.

In my research I found that a good password manager is a must, and I think roboform is as good as the get. Other things to look for are small anomilies in using you PC daily. Like the overlay I showed you, as that was in fact the way they work to capture passwords. the othe thing I noticed was my cursor was acting strange. Acting broken and kind of flickering at times. Also VERY good phishing pages for to use that are absolutely perfect visually. Frankley I'd stay way far away from Windows 11 for a while as I believe it has a many holes in security as a bag of oranges. I know everone has an idea to work around this stuff, but these guys are not amatuers! I have reson to believe they are in Turmenistan, from some bread crumbs they accidentily left behind. Law enforcement has no interest in assisting, neither does, Microsoft or PC manufacturers, as warrantee doen not cover anything to do with software.

Seriously consider Roboform for passwords, Malware bytes (free edition available) Malwarebytes Root kit scanner, and maybe even bit defender. I no longer trust windows defender. I set up the new Dell DT at Pro Computer shop, brought it home, plugged it in and wham the 3 PC was infected. I believe this malware to reside in BIOS…deep in BIOs, as a flash with new BIOS update actually just pushed it deeper inside. Haven't found ANYTHING tha can find or detect it. Now even wondering if it's Netflix, Ring doorbell, Alexa Echo, or even the bluetooth fan in my attic. thought about modem but Century link said no way. I wouldn't bet my bank account on that though. I haven't been able to find any info on line on what to do or how, or a warm body to talk to about this. Everyone has an idea, but every one come to an end when all you can use is email, and constantly resetting passwords, same. I would not have been able to get here tonight had I not enabled my fingerprint reader, as my log on Pin and password were both compromised. GET A SECURITY KEY and create one of those personal phrases, and 3 personal questions in Microsoft along with a primary password for windows' pasword saver if you use that. Just some suggestions as at 74 I never thought it would happen to me…Ihave no money! I'm not sure they use any of my passwords, but if they can get them they will certainly corrupt them. I even had one that they used up the 3 chances to use a password, thenjust left it where I couldn't even try to create a new one as the account was left with me locked out too! Just some Ideas I hope might find you as protected as possible, oh yes you'll need a box of Kleenex too! The guy that ran the PC shop I went to told me that the same happened to one of his customers, and one Sunday 1/2 hour before leaving for church with his family he went to a back room and ended it all…couldn't take any more! ugh!

Quicken Kristina

Thank you for your response,

I'm sorry to hear that's been going on. If the issue is being caused by malicious software on your computer, that's outside our scope to be able to assist. That's something you would need an IT specialist to help with.

I apologize that I could not be of more assistance!

Ps56k2

I just pasted the Password screen image on the orig posting…. along with a Password box prompt from my Quicken -

I just noticed that the orig Password box has more rounded corners
vs my Quicken R47.15 signin page and Password prompt… with more square corners ? changed in some Release ?

UKR

The extra icon indicates a Password Manager program running on your PC.
I'm running Norton Password Manager and it shows itself as

Now the question remains: Whose Password Manager are you running? Is your system clean now, free of the Ransomware virus or is still infected?
AFAIK, it's not advisable to copy any data from an infected PC to a fresh, clean, properly protected PC … unless you want to infect your clean PC ...

Chris_QPW

For what it is worth this is what it looks like with Roboform set to fill in passwords:

P.S. this is at Quicken.com. Roboform doesn't "see" the Quicken Id login form in Quicken itself to fill it in.

EDIT Also note that the boxes have rounded corners. This seems to be the difference in web browsers. I'm using Microsoft Edge.

Chris_QPW

I have been thinking about this since it was posted, and doing some tests. Take this with a grain of salt since I don't claim to be an expert on this. My main focus was a keylogger and a clipboard viewer, and some sideline thoughts.

• Can a keylogger see what you are typing into a password field? Yes.
• Roboform allows for injecting passwords into password fields in both web browsers, but also password fields on programs like Quicken. Can a keylogger see this? No.
• Most other password managers can't do this kind of keyboard injection, so the user ends up copying the password to the clipboard and then pasting it into Quicken. Can this be intercepted? Yes, easy, get whatever the clipboard gets. Note interesting enough, the keylogger will not see the pasted text.
• Roboform (and probably other password managers) allow for using Windows Hello instead of typing in your master password for opening Roboform. Windows Hello can be a fingerprint scanner, a special camera, or a PIN. The PIN is visible to a keyboard logger. The other two aren't "detectable". Note that Roboform forces one to type in the master password once every 30 days, and this is visible to a keylogger. I really wish they would make that optional. Note Robform doesn't have it, but I know that other password managers and some of the "encrypted folders" allow for security token, where you have a physical device that has to be inserted into the computer to allow for opening the password manager. That is another feature that would be nice to have in Roboform. But one possibilty with Roboform would be just to store the password data on a removable drive that you remove when not needing to fill in passwords and such (Roboform can fill in things like credit card information too). But note that for mobile devices it is "cloud only".
• If one they got a keylogger on your machine you can figure they most likely have access to all your files unless they are encrypted and that remains closed most of the time, and doesn't get opened with typing in a password. Given this it seems like only the really sensitive data should be in a "vault" that stays closed most of the time. For instance, your taxes or other things that might have your social security and such information. Interesting enough on that subject you might note that none of the tax programs take any steps to protect this data. After seeing this post I did end up putting my tax data into my "Personal Vault" in One Drive. This is going to be closed most of the time and can be opened with Windows Hello/my camera.
• The fact that @TTSguy 's Microsoft account seems to have been compromised got me thinking about steps I would have taken if I was in the same position, that I might have not taken before. The first would be to shutdown both my machine, and my wife's and wipe them clean. And new step would be to change the password on the microsoft account from another device like an Android or iOS device, and then revoking all access to any devices other than the one that I was on. If I find that I can't get access to the Microsoft account, then contact Microsoft to get control back, or just plain deactive/destroy it. But maybe even before that change critical passwords and maybe usernames like at the financial institutions. And not until I'm sure of the Microsoft account would I reinstall the operating system/data on those machines. EDIT: And maybe to be on the safe side I would flash the BIOS.

dsnedeker

https://community.quicken.com/discussion/comment/20355761#Comment_20355761

I've worked with tons of friends and colleagues to resolve their issues like this. I've yet to come across any I couldn't figure out or resolve. It may have taken weeks the crazy ones people had, but they did get resolved.

If you purchased a new PC and set it up without transferring data from the physical old pc then this is coming in off a different compromised device.

Whomever told you at Centurylink that their modem/router can't be flashed or bypassed with Trojan or remote access software is about 12 years behind on info. I've seen this happen several times when a customer chooses to buy their own modem/router used. It can also happen even on factory new equipment. It's happened and we'll documented. If your equipment was bought used for use on Centurylink, get rid of it. Get a brand new device from the store. If their equipment0, follow step 3.

#1 setup a brand new email account from your mobile device. Do not use this new email account on any other device until the remaining steps are completed.

#2 via your mobile phone using the above new email, buy Key Scrambler premium by QFX Software. Ask a friend to borrow their pc. Download the installer onto a thumb drive. Take it home. Disconnect the pc from internet connection and install it. Configure the settings. There is an option for a beta/hybrid mode in it if you are having keystroke issues. Do not enable that. Reboot immediately after install. I've been using this for close to 10+years. The license covers 3 devices. Turn internet access back on.

The premium version scrambles all keystrokes in most software, the OS, and internet browsers.

It works at the kernel level, and also encrypts the key strokes. So even if they capture it, it's encrypted. It gives an onscreen visual in a selected corner of the screen to alert you it is working on each stroke. If you don't see that, it has been turned off by someone.

#3 You are with CenturyLink. If you are using a router/modem combo unit, and not a second personal router, I would turn that back in and get a newer one of a completely different model. Be sure to screenshot any settings in the management interface in case you need them later to your mobile device.

#3A If you are using a Centurylink router/modem combo, in addition to a personal router. Repeat previous turn in and replacement. Do Not, connect it back up when you get home.

Physically disconnect your personal routers ethernet cords, all of them. Grab an ethernet cable, your laptop or pc, and connect the wire directly to each other into the routers management ethernet port. Log into your routers personal management software. Screen shot every screen inside of it with your phone. Once done, do a factory reset, and I mean a hard factory reset of your personal router. Do not hook personal router back up yet.

Hook up the new Centurylink device and configure it with your pc to allow internet use. Create an entirely new network name. Do not, do not use the old network name nor password from your previous setup. The password should be at a minimum least 24 characters. I like to include dashes in mine, almost like a windows os activation key.

It's going to be a pain in the butt logging in your devices into the new network, but at least it will be secured. If possible in the router, setup a separate network from your main network for all smart home devices. Make sure it can't talk to your main network devices, and is off on its own. This second network should only be used for smart doorbells, Alexa/Google home type devices, smart light switches, smart tvs etc. Your main network will be used Only for your pc's and mobile phones, tablets.

If your Centurylink router/modem isn't capable of this, buy a personal router and connect it to it and setup what I mentioned. If the Centurylink device isn't capable of this, request the device you receive from them only be a modem, and use your own router. I recommend this on any provider whose equipment is crippled like that.

I believe they are accessing you through your network devices. If not through there, then a compromised piece of software. Backup your quicken, install from the manufacturers software and import everything back in.

I used to use Lastpass, and Dashlane password managers. I now use Bitwarden. Pass on Roboform.

There are multiple free anti-rootkit, and trojan scanners which can be downloaded. Just be sure you're on a legit website getting them. Run multiple of each type to see what it finds.

Hope this helps.

Chris_QPW

@dsnedeker Good point on the router, I will have to add that to my list of "to if hacked".

Scooterlam

FWIW, yesterday I was having troubles signing-in to Quicken.com I tried different browsers from my normal Brave browser. I was surprised that MS Edge presented a similar image to the OPs. Image 1. Having already seen OPs message, I stopped and didnt press enter. I tried Edge again right now and same results. Image 2. Not running any sort of password mgr.

I noted that the odd eyeball presented itself after starting to type a PW but cleared itself if I clicked away from the PW field. That is, the eyeball went back to normal. I could recreate the odd eyeball by completely deleting the PW and starting over. I have no other strange issues that OP discusses. MS Edge Version 112.0.1722.48 (Official build) (64-bit) (latest as of Apr 19, 23).

Thinking it is some sort of incompability with Edge?

APR 18

APR 19

Chris_QPW

OK I was able to reproduce this. As shown below:

The reason I didn't see it before is because I have MS Edge's password managing turned off.

If it is on and you have this setting (in the advanced section) on you will get that "double eye".

When you click on the eye icon it reveals the password. This web page already has such an icon on it. This setting above would be for password entries that didn't have it for some reason, and it serves the same purpose, but as you can see is drawn slightly differently.

@Quicken Kristina was basically correct it is a "display issue" not any kind of virus.

P.S. after changing the setting I needed to restart MS Edge and reload the Quicken.com login page to see the change.

Quicken Kristina

Hello All,

We reached out to our team about Edge displaying that double eye image. They said that is from Edge itself: The “Reveal password" button in it is enabled by default. Users can disable in the profiles/passwords section in the Edge settings.

Thank you.

TTSguy

I wrote 2 replies this PM, about everything I know about this Frankenstein Malware. PC on Quicken Community that was doing weird things. I see now that neither of my posts were posted. Intercepted on fake Quicken Community site, then disposed of. This has also happened when I tried to file report @ icq (FBI) report site, and twice on the Lenovo help site. [Removed-Rant]. I've got no idea if I can recover my 20 yrs of Quicken documentation. I have backups of all my files, but no idea to what extent they may all be corrupted. with no way to run any kind of app to check them. I had to send back the brand new Dell DT I ordered because after receiving it and after I downloaded Microsoft Account ((in windows 11, you are required to have Win 11 Microsoft acct) the brand new one went belly up. Today this 3 month old DT now shows different letters as I log in to MS acct. . As I type in password xxxxxxyyy, open to review what I typed it shows yyyxxxxxx, instead. Read about Frankenstein Malware. I've tried brand new PC, new email address, changed as many passwords as it would let me, deleted all contacts, and Century Link has committed a new Modem for Us, but, yes but, my wife is still doing file, and she's on the same network. today there was total chaos with trying to get my printer to work. I'm tired, on the verge of giving up on computers, and my cell and just copy transactions by hand into Excel, and quit cell ph. I'm ordering a land line ph on Monday.

The PC shop that has been helping me had someone come in 2 months ago looking for ideas on similar problem. That man turned his lights out, 1/2 hr before going to church with his wife and kids one Sunday morning and you know what? …I can almost understand after having my PC started under total control by perps. It's kinda like locking your house up, leaving then coming back not really knowing what was done, what's missing, or who it was that came in and ransacked the place, then came back the next day and did the same, opening your door with some kind of magic key.

One more thing. Windows 11 has a power setting that continues to leave some power on in the PC even after doing a shut down. I noticed this after I got the PC that is now 3 months old. I noticed that after I powered down the PC and, turned the lights out that the lights on the keyboard were still on. Well, yep it's a convenience feature for gamers so they can jump right back on quickly if they need to. [Removed-Language]> Win 11 has lots of security issues. Unplug the PC every night, put it in Airplane mode, and remove the RJ cable every night, and also never use any Microsoft back up feature or apps, per per Tom's and Leo's blog sites [Edited-Readability]. This is the Covid 19 of PC malware, many will suffer and this will probably kill some also. No one has any idea what or how to intervene with this. I have probably over 300hrs in it [Edited-Readability]. I'm tired of it and I'm very angry. I'm woke and will never trust anyone ever again. My wife wouldn't believe me until I had her enter that password above, and she watched yyyxxxxx on the screen when she was typing xxxxxxyyy right before her eyes. She wasn't believing a thing I said about this malware, until she saw the PC automatically put in the wrong letters. The other really sad is the fact that you cannot contact anyone regarding a problem like this, there is no way possible, but this is the start of the way of the future with AI taking over the reins. the perps, sent me a snip of one of my transactions from 2007, and yes it was authentic. I feel I'm in nightmare, and cannot wake up. I'm sick, just sick!!!!!

TTSguy

One more thing … they wanted $40,000 in crypto. I don't have that kind of money, so why was I chosen????? I have an idea on who this is. I wouldn't put it in writing but if you read this Chris, I'd like to talk to you about it!!!

TTSguy

1 more…. Use Google Chrome as your browser, I'm seeing how it's more secure than Win 11!

Ps56k2

the Malware discussion was split and moved to the Water Cooler

https://community.quicken.com/discussion/7935055/was-my-pc-hacked-for-ransomeware-frankenstein-malware