Hey, I know your password is: (Password)


Cyclone3211

New Member
Thread author
Nov 25, 2019
10
"Hey, I know your password is: (Password)
Your computer was infected with my malware, RAT (Remote Administration Tool), your browser wasn't updated / patched, in such case it's enough to just visit some website where my iframe is placed to get automatically infected, if you want to find out more - Google: "Drive-by exploit".

My wife received this in her email today. Did the full malware scan and used Hitman Pro with no results, since nothing was found in either scan.
What to do next?
 

notabot

Level 15
Verified
Oct 31, 2018
703
"Hey, I know your password is: (Password)
Your computer was infected with my malware, RAT (Remote Administration Tool), your browser wasn't updated / patched, in such case it's enough to just visit some website where my iframe is placed to get automatically infected, if you want to find out more - Google: "Drive-by exploit".

My wife received this in her email today. Did the full malware scan and used Hitman Pro with no results, since nothing was found in either scan.
What to do next?

Has she used that password as her online credentials at some point in time? More likely it's the result of a data breach in some online service - she should change all her passwords.

Just in case, get a second scan opinion from Emsisoft Emergency Kit and ESET Online Scanner.
 

Cyclone3211

New Member
Thread author
Nov 25, 2019
10
Thank you notabot for the reply, and I tried the EEKE. It did find an Outlook trojan that neither of the other two found. I put it in quarantine. Not sure that this is the answer. Too bad I can't upload the log for comment.
 

nasdaq

Moderator
Verified
Staff Member
Nov 5, 2019
1,425
Hello, Welcome to MalwareTips.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

It's probably just a Phishing email.

Check if your E-mail address has been compromised.

===

If you have issues with this computer run this program.

Download the Farbar Recovery Scan Tool (FRST).
Choose the 32 or 64 bit version for your system
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file:
In the Reply section at the bottom of the topic, click Attach Files.
Navigate to the location of the File.
Click the file. It will appear in the reply section.
Click the Post Reply button.

Please post the logs for my review.

Let me know what problems persist.

Wait for further instructions.
 

Cyclone3211

New Member
Thread author
Nov 25, 2019
10
Thank you, I am running the software now.
Added Comment: The password that was indicated in her email was not for an email, but a password used for shopping, Microsoft, and a few other items. Yet, the persons involved were able to send it to her main email address. Just because this was a "retail" password, does this also mean that it could have penetrated our computer or is this just a bluff??
 

Attachments

  • Addition.txt
    47.4 KB · Views: 1
  • FRST.txt
    226.7 KB · Views: 1

Cyclone3211

New Member
Thread author
Nov 25, 2019
10
This was the message that was attached to the "I got your password"
Hope you can make this out
 

Attachments

  • Attachment.jpg
    495.8 KB · Views: 9

nasdaq

Moderator
Verified
Staff Member
Nov 5, 2019
1,425
Hi,

The text message did not help me.
It's the spam message, that is all.
You should ignore it.
===

After reviewing your logs I suggest this fix.

Remove these programs in bold via the Control Panel > Programs > Programs and Features.
App Explorer (HKU\S-1-5-21-3406098139-1311140418-3988612877-1001\...\Host App Service) (Version: 0.273.1.711 - SweetLabs)
Driver Booster 7 (HKLM-x32\...\Driver Booster_is1) (Version: 7.1.0 - IObit)
<<<>>>

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it to your reply.
===

Please post the Fixlog.txt and let me know what problem persists.

p.s.
For your attention:

Check if you have an account that has been compromised in a data breach

Were your passwords previously exposed in data breaches

How to Create a Strong Password (and Remember It). On all sites you deal with.

Have you received any other such e-mail?
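
The "were your passwords exposed" check suggested in this post can be done without the password ever leaving the machine. The sketch below is an added example, not part of the original thread or of any poster's instructions: it follows the k-anonymity range lookup used by Have I Been Pwned's Pwned Passwords service, with a constructed offline response (`sample_fetch`, whose passwords and counts are made up) standing in for the HTTP request.

```python
import hashlib

# Real Pwned Passwords range endpoint; shown for reference, never called in this example.
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"
SENT = []  # everything that would have left the machine


def split_hash(password):
    """SHA-1 the password; return (5-char prefix to send, 35-char suffix kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines, skipping malformed rows and zero-count padding rows."""
    hits = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit() and int(count) > 0:
            hits[suffix.upper()] = int(count)
    return hits


def breach_count(password, fetch):
    """Return how many times the password appears in the breach corpus (0 = not found)."""
    prefix, suffix = split_hash(password)
    SENT.append(prefix)  # only these five hex characters are ever transmitted
    return parse_range(fetch(prefix)).get(suffix, 0)


def sample_fetch(prefix):
    """Constructed stand-in for GET RANGE_URL: made-up corpus and counts, CRLF-separated."""
    corpus = {"password": 9001, "qwerty": 4242, "abc123": 1337}  # constructed values
    rows = ["0" * 35 + ":0", "not a valid row"]  # padding row and junk the parser must ignore
    for leaked, count in corpus.items():
        p, s = split_hash(leaked)
        if p == prefix:
            rows.append(f"{s}:{count}")
    return "\r\n".join(rows)


if __name__ == "__main__":
    for candidate in ("abc123", "Vq7#tall-lamp-orbit-92"):
        print(candidate, "->", breach_count(candidate, sample_fetch))
    print("sent to service:", SENT)
```

A count above zero means the password appears in known breach data and should be retired on every site where it was reused.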
 

Cyclone3211

New Member
Thread author
Nov 25, 2019
10
Yes, I am still with you.

Trying to find the attached Fixlist.txt file. Did not find it as an attachment. If I did find it, how can I use it since it is a text file?

I ran the https://haveibeenpwned.com/ and got a few of these: "Compromised data: Email addresses, Passwords" Does this mean that my address was found in these places?
 

notabot

Level 15
Verified
Oct 31, 2018
703
Yes, I am still with you.

Trying to find the attached Fixlist.txt file. Did not find it as an attachment. If I did find it, how can I use it since it is a text file?

I ran the https://haveibeenpwned.com/ and got a few of these: "Compromised data: Email addresses, Passwords" Does this mean that my address was found in these places?

Your address and password.
The password that's shown in the email you attached is very weak; it's the sort of password that was good 20 years ago but very weak today. The most common source of emails like the one you got is a data breach: your password is cracked, you reuse your password, so the email sounds scary.

I'd suggest to use a password manager to create long complex and random passwords.
 

Cyclone3211

New Member
Thread author
Nov 25, 2019
10
Your address and password.
The password that's shown in the email you attached is very weak; it's the sort of password that was good 20 years ago but very weak today. The most common source of emails like the one you got is a data breach: your password is cracked, you reuse your password, so the email sounds scary.

I'd suggest to use a password manager to create long complex and random passwords.
I do use a password manager to remember login and passwords. Will address the changes in those. Thanks
 

notabot

Level 15
Verified
Oct 31, 2018
703
I do use a password manager to remember login and passwords. Will address the changes in those. Thanks

Then no need to use short passwords, 6 chars is super short, use 15+ long passwords.
If it's something that you share and need it to be easy to type, e.g. a Netflix account, then for these, instead of a password, use a passphrase that's e.g. 6 words long.

Most password managers can generate passphrases for you.
 

nasdaq

Moderator
Verified
Staff Member
Nov 5, 2019
1,425
Hi,

Just make sure that these programs are removed.

Remove these programs in bold via the Control Panel > Programs > Programs and Features.
App Explorer (HKU\S-1-5-21-3406098139-1311140418-3988612877-1001\...\Host App Service) (Version: 0.273.1.711 - SweetLabs)
Driver Booster 7 (HKLM-x32\...\Driver Booster_is1) (Version: 7.1.0 - IObit)
<<<>>>

I ran the https://haveibeenpwned.com/ and got a few of these: "Compromised data: Email addresses, Passwords" Does this mean that my address was found in these places?

Yes, these were probably used when you visited sites where you need a password to enter.
If the site is compromised then possibly your password and/or e-mail address is compromised.
Possibly the reason you got this fake message.

You should change your password to the important sites you use.
Use a different one for each site.

p.s.
If you use the same E-mail address make sure you know who is sending you a message before opening the mail.
Delete anything not known to you.

Any remaining issues?
 