Is There A Keylogger Installed...

Is there a keylogger installed... on one of my computers? I got this threat in email today (14 Feb 2019) (see below), and it does in fact have the password to that email account - I've had a problem in the past having the account used to spew spam, but cured it a few months ago with a new password (and deletion of 75,000 )*@#$ messages from mail servers) ... which, of course, I just changed again.

My main question here is, what (else) should I do about the (presumed) keylogger? Here's the email that was sent.

I am aware <xxxxxxx> is your pass words. Lets get right to purpose. No person has paid me to check about you. You don't know me and you are most likely thinking why you're getting this e-mail? actually, i installed a software on the 18+ vids (sexually graphic) web-site and do you know what, you visited this web site to have fun (you know what i mean). When you were watching videos, your internet browser started out working as a Remote control Desktop having a keylogger which provided me accessibility to your display screen as well as web camera. after that, my software program obtained every one of your contacts from your Messenger, Facebook, and emailaccount. Next i made a video. First part displays the video you were viewing (you've got a fine taste haha . . .), and 2nd part displays the view of your webcam, & it is you.


There are just two alternatives. We will study each one of these possibilities in particulars: Very first solution is to disregard this email message. Then, i am going to send out your videotape to all your your personal contacts and also you can easily imagine about the awkwardness that you receive. Furthermore in case you are in a romance, just how it will affect? Number two option would be to pay me USD 998. i will name it as a donation. as a consequence, i most certainly will asap erase your video recording. You could keep going on everyday life like this never occurred and you would never hear back again from me. You will make the payment through Bi‌tco‌in (if you don't know this, search 'how to buy b‌itcoi‌n' in Google). B‌T‌C‌ ad‌dre‌ss: 18z5c6TjLUosqPTEnm6q7Q2EVNgbCy16Td [CaSe sensitive copy & paste it] if you may be making plans for going to the authorities, very well, this e-mail can not be traced back to me. I have dealt with my actions. i am just not attempting to charge you very much, i would like to be paid. email message%}. You now hav if i don't get the ‌bi‌tco‌in‌, i will certainly send your video recording to all of your contacts including friends and family, colleagues, and so on. Having said that, if i receive the payment, i'll destroy the video right away. If you really want evidence, reply with Yup then i will certainly send out your video recording to your 5 friends. it's a non-negotiable offer, and so please do not waste my personal time and yours by replying to this message.


​

 

The original message was posted from a different computer than the one I was worried about, but I just ran MB on both of them, and no threats were detected. FWIW.

 

I haven't found anything amiss yet, but it concerns me that he had the password to that account...

 

Thats most likely how they found your email domain using dns scanning and search engine scraping, software scripts.
If your domain can resolve, then most likely a weak password will too,
using a customized wordlists.txt file for bruteforce.

You should re-set your password at the first opportunity and make it a strong one (pref characters, capitals etc, with length)

Ignore their threats and delete offending mail.

 

If you suspect a keylogger, check in Task Manager @ your processes running and also services!
Look for suspicious activity.
I would also run some scans with Hitman Pro
after running RKILL

 

I received the same message a few days ago too, and a friend got it a few weeks ago.

We have several PCs. On one of them, in Settings | Passwords there's an option "Create a password reset disk". Then below that, in "PC Settings", there's an option for "Change your password". Is it in "PC settings" where the password needs changing to help combat the spam message in question?

If my description isn't clear, I can upload a jpg/snip.

Thanks.

 

To do that, my guess is you'd login on a different computer (Computer B) to the one where the spam email was received (Computer A), then edit the password for the email account while using Computer B. Does that sound right? Many thanks.

 

It's possible to access it on other computers via a secure login, but I don't know if it's possible to change the password there. It's Mozilla Thunderbird.

 

See here!

 

Very helpful link, many thanks! Do you think it would be helpful to change network credentials too and if so, is there a way to view passwords there?

 

When you log to webmail, you are using a web server outside your gateway (ie the internet) so anyone with credentials can log in.

If you mean changing your LAN SSID and password (network credentials) then no, this wont help, but it will help if you also change your passwords to all accounts connected to your email account.
If you feel it has been compromised that is, but I agree with the others.....it looks like a simple spam mail and your addy was unfortunately on a standard email address harvest list (no access to passwords).

 

Thank you! Appreciate your help!

 

Sorry to be back and hope it's okay to mention this in this thread. This week I started to receive spam from financial companies (jpg of a few attached). I had recently signed up with an online bank and assumed they were responsible but just spoke with them and they deny this.

Each email has an Unsubscribe option that seems suspicious because it requires you to type in your email address, in addition to giving reasons for unsubscribing. The addressee "To" line of each email reads: To: Our Friend <sleighed@marianne>. Has anyone here heard of "sleighed" or <newsletter@snap-cad.com>? Thanks.

 

Hi Laurie, its ok and glad you posted this.

Any unsolicited mail you receive is spam.
Dont entertain them in anyway including, unsubscribing from any links they supply.
Just delete them.

Its possible that during your searches for an online banking institution, you may have supplied your email to certain sites in an attempt to gain the info you wanted, or to further check-out their online presence as a suitable candidate.

Always be mindful of who you supply your email addy too.
Its just a fact of life to receive spam today for anyone who creates an online presence with mail.

Remember, they cant hurt you in anyway if you just delete them......its once you start clicking on links and opening their attachments that the real damage occurs!

Good Luck

 

Create a gmail address for your spam content......keep your main domain safe (ie your ISP driven addy), when signing up to anything online

Make it something like laurie33@gmail.com and use this address on sign up and login for sites you want to explore more.

Use this as your 'bomb' account, knowing that anything received in your inbox could be spam related and potentially malicious.

Helps to keep the sh*t out of your main domain.

You can configure rules for unwanted mail and URL's given in your mail client, but Im not a fan of doing this as sometimes the good gets mixed in with the bad.

 

Thanks. Interesting what you wrote. Coincidentally, it was the first time I used my ISP email address for signing up with a new place (the online bank) last week. I already have a gmail account and have used it for nearly all other sign-ups. Yesterday I changed the email address with the online bank to the gmail address.

 

Unfortunately, I unsubscribed to a few of the emails earlier this week. Haven't done that in ages and now regret it. From now on, I'll just delete all unsolicited emails (which is what I had done until this week). Many thanks for your helpful comments!

 

I will give this a try too as I am having similar keylogger mail scams despite changing my password(s) at least twice to include one with a security rating of 100/100.

 

Yes.....you would also need to clean the suspected system before you login into any accounts with a newly changed password, from it.

 

Got the below from RKill.
Would any of it make sense to you techs?
The ones that concern me are the 127.0.0.1
Here below...........
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* No issues found.

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* Cannot edit the HOSTS file.
* Permissions Fixed. Administrators can now edit the HOSTS file.

* HOSTS file entries found:

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com

20 out of 15629 HOSTS entries shown.
Please review HOSTS file for further entries.

Program finished at: 04/08/2019 12:44:05 PM
Execution time: 0 hours(s), 1 minute(s), and 23 seconds(s)

 

Reset the Hosts file to default.
https://support.microsoft.com/en-za/help/972034/how-to-reset-the-hosts-file-back-to-the-default

 

this is my first reply, thank you for adding me ..

you are not alone.

The entire reason for asking to join, there is something going on with someone reading everything i type, websites visited including online banking and income tax being sent out .. and all messages being sent to me, even if i delete directly after i read everything, they are still read by someone. (i know who)

I want to know a few things, how to detect the program used, or browser hijack .. and it is my idea to create a sticky for anyone to follow.

I am not computer illiterate, in fact I was tech support at one time. I do understand how things work.
I have tried to find what programs are being used, but even with my skills, i cannot find them or the 'nags' that appear at 'random'

I will post everything that is going on, after I do much reading here.
I will find a solution for us both Shorttex

 

sorry for taking my time ...
I have tried all that I have read here, the first solution I found was using mru-blaster, and install and uninstall of different browsers .. yet i have failed to elude.

I dislike admitting I need help.

I need help finding how to block the one who is getting info from my computer, or how to catch the program I cannot find

 

You should check what background processes are running and if they are indeed safe.

Open Task Manager to access all processes running, and then you could use software such as Neuber to identify them in Neubers Security Task Manager or Network Task Manager.
Its not freeware, but should give you a 30 day free trial.

Ofcourse, if you suspect malicious software infiltration on your system, the best thing you can do is to get it checked out by our resident pro's.
Use our Read & Run Me First Malware Removal Process and follow all instructions to the letter.
They will remove anything running on your system that shouldn't be!

 

I had a family member come up with this problem, and I got lucky to find thee program and get rid of it.
Programs VNC, RealVNC, TightVNC, UltraVNC, LogMeIn, GoToMyPC can be some.
I did find hers through an on-line search of a program, but I cannot remember which one, now, s it was about a year ago. I believe there are two main ones that jealous partners use to follow everything .
If I can find the one I used I will come back, but, at present I cannot.