Save Yourself Email Virus

[Bingo321]

My PC is infected with the Save Yourself email virus despite Malware Bytes showing repeated clean scans.  I need help removing it, it has already recorded and emailed me confirmation it knows one of my passwords.  I thought Malware Bytes would have protected me from this, but apparently it still got through.

[David H. Lipman]

You indicated... "...and emailed me confirmation it knows one of my passwords ..."

Please read the following thread and example emails.  is your email similar to those in this thread...  FYI: Email Ransom Scam still current

 

[Bingo321]

I have also read site that list REMOVAL INSTRUCTIONS for this virus.

  https://howtoremove.guide/remove-save-you-email/

So this leads me to believe there may indeed be something on my PC, and the password it found was one that I had saved in a cookie in Firefox.

I'm attaching the FBAR files and hoping someone can help me.

 

Addition.txt FRST.txt

Edited July 21, 2019 by tetonbob
obfuscate link

[David H. Lipman]

You did not answer my question. 

Is your email similar to those in this thread...  FYI: Email Ransom Scam still current

howtoremove.guide is s shill site. 

The Internet is chock full of shill sites such as the above.  In this case it is designed to give limited or misinformation and is created for the purpose of referring people to Enigma software and obtain affiliate revenue.

This is purely a scam and they send those emails out en masse hoping one or two bite at the bait.  

Just delete the email and then change your email password to a new Strong Password just to make sure.

Additionally, you can enter your email address(es) in the following site and it will check to see if that email address was part of a known breach.  Being a part of a breach is how they obtain people's passwords and use them to lend credulity to the scam.

https://haveibeenpwned.com/

Please reference:
-----------------
US FBI PSA - Extortionists Increasingly Using Recipients' Personal Information To Intimidate Victims
US FTC Consumer Information - How to avoid a Bitcoin blackmail scam
MyOnlinesecurity - attempted-blackmail-scam-watching-porn
BleepingComputer - Beware of Extortion Scams Stating They Have Video of You on Adult Sites
Malwarebytes' Blog - Sextortion emails: They’re probably not watching you
Malwarebytes Forum sample thread - Got strange threating email.
Malwarebytes Forum FYI thread - FYI: Email Ransom Scam still current

 

 

Edited July 21, 2019 by David H. Lipman
Edited for content, clarity, spelling and grammar

[Bingo321]

No, the email I received is different from those posted.

Also, about two weeks ago I got a spam email and when I opened it in Outlook, a command window opened in the background and ran a script and closed before I could do anything. Right after that I notices some of the view settings in MS Outlook had been changed.  This week I logged into a site and used this password and selected "save password" in Firefox. Today I got an email with this password in it and saying they know my passwords.  It all happened in sequence, and I do believe this PC is indeed infected with something that is looking at my cookies.  This was not an email account password, and it was not a password that has ever been compromised in a data breach.   Malware bytes scans came up clean afterwards.  I'm at the point where I guess I'm going to have to nuke the PC and start all over, but I had hoped someone on here could help before I have to do that.  Please don't brush this off as an email scam, I do believe this machine is indeed infected, and I'm hoping someone here will take this threat seriously.

[David H. Lipman]

If you still think you may be infected then please read;  I'm infected - What do I do now? and create a new post in;    Windows Malware Removal Help & Support  and request that you would like to have to have your PC checked out for assurance.

 

[Bingo321]

1 hour ago, David H. Lipman said:

If you still think you may be infected then please read;  I'm infected - What do I do now? and create a new post in;    Windows Malware Removal Help & Support  and request that you would like to have to have your PC checked out for assurance.

 

This is exactly what I did above.  I attached the files in the second post and I made a post in this very section asking for help.  I'm confused, do I need to ask for help again?

 

[David H. Lipman]

Yes.  I do not interpret LOGs as I am more of a researcher than a Forum malware removal helper.  By creating a new post, a Forum Helper will pop the unanswered post off the queue and help you along the process.

 

[Bingo321]

Just want to let you know that a key logger has been installed on my computer by a program that originated from China called Wundershare that MalWare bytes did not detect, and it appears this is the source of the password compromise and subsequent emails.  I think you are making a very dangerous assumption telling folks that these types of emails are harmless and come from data breaches or other sources. Password compromise via key loggers is probably the single most dangerous type of virus/malware out there, and has the potential do real damage to people in numerous ways.  Consider electronic banking for just one example. This should be taken more seriously.

[Bingo321]

Spelling error in post above.  Program should be spelled Wondershare.  Look for Wondershare Application Framework as a running process or WsAppService.exe   

Malware Bytes does NOT detect or remove it.

[Coco99]

I have the same email with a password of mine stated in the body of the message however I only use my iPhone to search the web, check emails etc and haven’t used a personal computer for atleast a year now. How is this possible, as I thought iPhones security software was pretty solid

[Gukki3112]

Hello Bingo321,

I got the same email and am kinda nervous now. I looked through the running processes now but couldn't find the two programs you wrote about. Is there any other way of finding the source of the malware and deleting it? How would you delete it anyways? 

 

[coffeecream]

I am pretty sure this email is not a virus or malware.

I received the exact same email but it was a password for something from a super old account. I don't even have a webcam.

Almost every email has been compromised at one point or another, depending on how many websites you sign up for or places you shop online. Sometimes your passwords get spread around on the internet. These email scams use that old information to scare you into thinking you're actually infected and try to blackmail you.

Here's a website with information on companies / websites that have been breached and if your email has been affected:https://haveibeenpwned.com/

If you've received the exact same email, it would have been tied to the same Bitcoin address (but perhaps there are variations).

Here's a link to Bitcoin Abuse database that shows the scammer has tried this scam multiple times: https://www.bitcoinabuse.com/reports/1GAdm1HyyN9mAdx7j9WzfJyFtiiWbHNirF

I wouldn't worry about it, but it's always good to make sure you run a scan on your PC every once in a while.

 

[coffeecream]

Also, I would change all of your passwords that use that password to be safe.

[John L. Galt]

Please note:

This forum is titled General Chat because it is meant for just that - general chat.  This forum is NOT where you need to post if you have concerns that you might be infected - there is a separate forum for that.

Please read the following post, which @David H. Lipman posted above, in its entirety, and follow the instructions explicitly to get malware removal help.

Again, Malware removal help is not performed outside of the Windows Malware Removal and Help forum, in which the above post is located.

[exile360]

As mentioned above, anyone who believes they may be infected needs to read and follow the instructions in this topic and then create a new topic in the malware removal area by clicking here and one of our malware removal specialists will assist you in checking and clearing your system of any threats as soon as one is available.

Please do not post your logs here; we do NOT work on malware removal in this area of the forums, and each user must be helped separately; no matter how similar a threat/infection/attack may seem, they are almost always very different and will require unique steps to check and clean each system so each person is helped 1-on-1, never in groups.

Thank you

[Randal]

I discovered this in my junk mail about five times at first glance. It referred to two passwords which I haven't used in many years to sites I've probably long since disused. My passwords are much stronger these days. They claim to have put malware on my computer and then removed it. The laughable part is the webcam recording. I'm a terminal cancer patient and sex is the furthest thing from my mind and body. The only thing they may be catching a video of is me vomiting into a pail next to my bed. LOL!!!

I'm not going to worry too much about it as any information they may have gotten with those old passwords are most likely obsolete.

[Dodge71859]

I made an account to say this.Ive gotten these before over the years, as well as this same one.Its  scary at first, but I wouldnt worry, unless you use that pass alot.In which case you should stop using it and change those

[Randal]

I'm not worried. I don't even know what two those passwords belong to so they may be from some website that still exists but aren't maintained. I remember them but have long since moved on to 12 and 16 character passwords with a mixture of all sorts of stuff.

[Dodge71859]

9 minutes ago, Randal said:

I'm not worried. I don't even know what two those passwords belong to so they may be from some website that still exists but aren't maintained. I remember them but have long since moved on to 12 and 16 character passwords with a mixture of all sorts of stuff.

Me too, it was a basic pass from years ago.I just wonder how these pos sleep at night?.

My dad and grandpa had cancer btw.I'm sorry to hear that, honestly

[Randal]

My father did too. For the past three or four years I've on chemotherapy. The first round a while back had radiotherapy as well which caused my airway to swell and my vocal chords to thicken and paralyze. Cancer is a disease I don't recommend to anyone.

[Dazzy]

I also received a 'Save Yourself' email followed by an old password two days ago. Someone near China subsequently tried to login to my Google email account using this same password, but thankfully Google blocked the attempt. I wonder whether anyone else suspects that this scam is a result of the recent TripAdvisor security breach where email addresses and passwords were leaked? I was advised that I was a victim of this breach and the details match, however it has not been logged against my email address when I enter it into the Have I Been PWNed website...

[maxley898]

On 7/22/2019 at 1:56 PM, Bingo321 said:

Spelling error in post above.  Program should be spelled Wondershare.  Look for Wondershare Application Framework as a running process or WsAppService.exe   

Malware Bytes does NOT detect or remove it.

Why ask for advice, then disregard the advice given to you?

David is right. It's just a spam email. There is no malware on your PC, and no videos of you.

I've had multiple versions of these emails, and its all nonsense. We only really watch porn on our main TV and we don't have a webcam on there. Plus the password they have is years old and only used on random forums/sites that i never use.