this post was submitted on 28 Jun 2024
88 points (94.0% liked)

Hi all,

First off: Can't switch to Linux, Windows is a work requirement. Please spare me.

With that out of the way, here's my problem:

For the past 2-3 days I've been seeing ads disguised as a minimized video player popup on my Windows 10 Login Screen image.

Initially I thought I might have been watching something on YouTube and forgot to close the tab and it autoplayed in the background until reaching this stuff by chance; but that turned out not to be the case (I'm also using Firefox exclusively, which I thought wouldn't integrate with Windows, but I wasn't 100% sure on that end).

I tried to research this a bit, but the only similar case I found was in an old reddit thread saying that some Windows update installed the LinkedIn App for them, which is not the case here.

Antivirus (Bit Defender) and Malwarebytes both give me a clean report.

So I did some more digging and right-clicked that thing with my firewall set to deny all to figure out where this is taking me, and surprise...

There's a total of 100 connection attempts from Windows Search to around 10 different IP addresses, all of which belong to Microsoft.

I have not installed any updates in the last 14 days, no new software, and have not changed any system settings.

What did change is that I am currently not in China, where I normally live, but am on a business trip to Malaysia, where a bunch of services that are blocked in China might be accessible, and are now splicing in those (somewhat disguised) ads.

Does this happen to anyone else, and if so, do you have an idea how to get rid of it?

Thanks a lot in advance!

all 21 comments
[–] krellor@fedia.io 26 points 4 months ago (1 children)

Windows detects media being played and shows you that inlay with controls. It must be detecting that stream somewhere being played, even if it isn't obviously playing in a browser tab. You should be able to control whether it shows media controls on the lock screen.

[–] viking@infosec.pub 11 points 4 months ago (1 children)

Been poking around a bit more, and found another entry in the Firewall that comes up right on boot, which is a service called MS.Edge.Webview2, which seems to be triggered through the Teams App (that I did have on autostart). I've now completely uninstalled Teams, and after a fresh boot the ad (or "media control") seems to be gone now. Guess I'll be using Teams from my phone or via browser in the future. No idea how that happened though, I never played any video through Teams.

[–] krellor@fedia.io 3 points 4 months ago (1 children)

Glad you got it sorted. Weird about Teams though. Have a good one!

[–] viking@infosec.pub 1 points 4 months ago

Yeah it's very weird, no idea what happened there. Maybe someone had somehow sent me a link and it was looping in the background? No clue. I gave up trying to understand how Teams and Teams groups work a long time ago, the implementation is a major shitshow.

[–] nickhammes@lemmy.world 6 points 4 months ago (1 children)

I haven't had this happen personally, but are you allowed to edit your hosts file? I'm assuming those IP addresses are coming from DNS resolution, and if you hardcode those DNS entries to resolve to 127.0.0.1, it'll stop the ads.

nslookup <ip address> should give you the domain names, if not there's DNS logs in Event Viewer that should tell you.

[–] viking@infosec.pub 6 points 4 months ago (1 children)

Yep I can access the hosts file, that's a great idea. Will give it a shot. I just hope those aren't IPs that MS is using for genuine requests of applications I have to use such as Teams or Outlook... But will give it a try, at least if anything else breaks, I know what to do to resolve that. Thanks for the tip!

[–] jjlinux@lemmy.ml 1 points 4 months ago

I use the whole 365 suite, including cloud pc, provided by my work, on Fedora. I block a whole lot of stuff, and everything works, minus the annoying ads and pushy up sales.

YMMV, but I strongly suggest you start blocking crap at the hosts level, if something breaks, start unblocking.
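
The hosts-file approach discussed in the comments above, as an added example that is not part of any commenter's post: it maps firewall-logged IPs back to the names Windows actually queried (DNS Client event 3008), falls back to a PTR lookup, and prints candidate hosts lines for review. The IP addresses are constructed placeholders, and the event field names are read as they appear in the event XML.

```powershell
# Added example, not from the thread. The IPs are constructed placeholders
# (documentation ranges); substitute the addresses your firewall logged.
$blockedIps = @('203.0.113.10', '198.51.100.25')

# The DNS Client operational log is off by default. Enable it from an elevated
# prompt, reproduce the traffic, then run this script:
#   wevtutil sl Microsoft-Windows-DNS-Client/Operational /e:true
$logName = 'Microsoft-Windows-DNS-Client/Operational'

# Event ID 3008 records a completed query: the name asked for and the answers.
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 3008 } `
    -MaxEvents 5000 -ErrorAction SilentlyContinue

$found = @(foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    foreach ($ip in $blockedIps) {
        # Match the whole address only, so 1.2.3.4 does not hit 11.2.3.40.
        $pattern = '(?<![\d.])' + [regex]::Escape($ip) + '(?![\d.])'
        if ($data['QueryResults'] -match $pattern) {
            [pscustomobject]@{ Ip = $ip; Name = $data['QueryName']; Source = 'dns-log' }
        }
    }
})

# Fallback: reverse (PTR) lookup. For CDN-hosted addresses the PTR name is often
# not the name the client queried, so the DNS log result is preferred.
foreach ($ip in $blockedIps) {
    if ($found.Ip -notcontains $ip) {
        $ptr = Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue
        foreach ($r in $ptr) {
            if ($r.NameHost) {
                $found += [pscustomobject]@{ Ip = $ip; Name = $r.NameHost; Source = 'ptr' }
            }
        }
    }
}

# Print candidate hosts entries for review instead of writing them: a shared
# name may also serve applications you need, such as Teams or Outlook.
$found | Sort-Object Name -Unique | ForEach-Object {
    '127.0.0.1 {0}   # seen for {1} via {2}' -f $_.Name, $_.Ip, $_.Source
}
```

Lines you decide to keep go into `%SystemRoot%\System32\drivers\etc\hosts` from an elevated editor; removing a line undoes the block if something breaks.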

[–] uzi@lemmy.ca 0 points 4 months ago

Ads on a login screen? That's disturbing.

For people automatically saying to switch to Linux, it's because they have never had a job in tech to know it doesn't work that way, and have never worked in production. There are several industries where if you don't run Windows you can't have a job because all of the software is only designed to run on Windows in their industry.