Unrequested password reset emails



The problem seemed to have stopped for now. But, I am not fully convinced. The last 3 weeks or so, I have experienced unusual activities on my iPhone and my email. I've been receiving unrequested password reset email attempts and I have been constantly changing my passwords for several sites and services. I am sure it is a virus. It could be malware or another kind of virus that I am not aware of. For security purposes, I am using my backup email address to write this thread. The hacker has successfully changed my passwords on services such as Epic Games Launcher, EA Games Launcher and I think Outlook email. Luckily, I have been able to change passwords from Outlook and EGL, but not EAGL. I have also implemented 2-step verification for my email, which is very important. Within that 3 week timeframe, I have received an email from the hacker saying they have my information and can expose me. I looked it up online (the nature of the email) and it seems to be common for people to receive that as it is a scare tactic. Talking about how they think I watch adult content and have my information. What creeped me out is that they wrote my password on that email, but it was a former password. It seems to be common in those emails. I also noticed that the hacker has sent spam email to many contacts from my OWN email address. I don't even know how that is possible. 

I am using Windows 10 on my laptop. I have not yet upgraded my OS. I just read that I definitely should update it as malware tends to infiltrate in computers that have outdated OS. 

I am using the latest OS on my iPhone 8 and I am using the Outlook app on my iPhone. For my laptop, I am using the Inbox Live program (which is Outlook). 

Overall, should I do a full backup of my files and reset my laptop completely? Should I upgrade to the latest OS of Windows 11? What should I do?

PS: I have scanned my laptop several times with Malwarebytes and it hasn't detected any malware or unusual activity. 

Thank you

Link to post
Share on other sites

  • Root Admin

Hello @007nice1

Often it's simply due to some website you joined in the past that was compromised, not you. They then have your email and password for that site is all (unless you used the same password on more than one site). As far as sending email as you, it's very easy today to pretend you're sending email as someone else. You need to check the headers to see where it really came from.

You can check if your email address was part of some breach in the past from this website:  https://haveibeenpwned.com/

 

Let's go ahead though and scan your Windows 10 system and see what we can find.

 

Please run the following steps and post back the logs as an attachment when ready.
Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans are completed.
Temporarily disable Microsoft SmartScreen to download software below if needed. Make sure to turn it back on once the scans are completed.
If you still have trouble downloading the software please click on Reveal Hidden Contents below for examples of how to allow the download.

 


When downloading with some browsers you may see a different style of screens that may block FRST from downloading. The program is safe and used hundreds of times a week by many users.

Example of Microsoft Edge blocking the download


 



STEP 01

  • If you already have Malwarebytes installed then open Malwarebytes and click on the Scan button. It will automatically check for updates and run a Threat Scan.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed make sure you have it quarantine any detections it finds.
  • If no detections were found click on the Save results drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If there were detections then once the quarantine has completed click on the View report button, Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply that the scanner would not run.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Double-click to run the program
  • Accept the End User License Agreement.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, if items are found please click Quarantine.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here each time
  • Please attach the Addition.txt log to your reply as well.
  • On your next reply, you should be attaching frst.txt and addition.txt to your post, every time.

 

Thanks

Link to post
Share on other sites
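The header check mentioned in the reply above ("check the headers to see where it really came from"), as an added example that is not part of the original thread. The sample message, its domains and addresses, and the function names are all constructed for illustration; the script reads the receiving server's `Authentication-Results` verdict, compares the envelope sender with the visible From domain, and pulls the sending IP from the oldest `Received` hop.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: mail that shows "me@victim.example" in From,
# but was handed to the receiving server by an unrelated host.
SAMPLE = """\
Authentication-Results: mx.recipient.example;
\tspf=pass smtp.mailfrom=mailer.example.net;
\tdkim=none; dmarc=fail header.from=victim.example
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby inbox.recipient.example with ESMTP; Mon, 01 Jan 2024 10:00:02 +0000
Received: from unknown (HELO mailer.example.net) (203.0.113.45)
\tby mx.recipient.example with SMTP; Mon, 01 Jan 2024 10:00:01 +0000
Return-Path: <bounce@mailer.example.net>
From: "Me" <me@victim.example>
To: friend@recipient.example
Subject: check this out

body
"""

def domain_of(addr):
    """Lower-cased domain part of an address header ('' if absent)."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def auth_results(msg):
    """SPF/DKIM/DMARC verdicts recorded by the receiving mail server."""
    out = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
            out.setdefault(method.lower(), result.lower())
    return out

def origin_ip(msg):
    """IP in the oldest Received header. Each server prepends its own line,
    so the last one is the first hop; lines below the recipient provider's
    own entry can be forged by the sender and should not be trusted."""
    received = msg.get_all("Received", [])
    m = re.search(r"(\d{1,3}(?:\.\d{1,3}){3})", received[-1]) if received else None
    return m.group(1) if m else None

def assess(raw):
    msg = message_from_string(raw)
    auth = auth_results(msg)
    dmarc = auth.get("dmarc")
    # DMARC ties the visible From domain to an aligned SPF or DKIM pass.
    verdict = {"pass": "authenticated", "fail": "likely spoofed"}.get(dmarc, "unverified")
    return {
        "from_domain": domain_of(msg["From"]),
        "envelope_domain": domain_of(msg["Return-Path"]),
        "auth": auth,
        "origin_ip": origin_ip(msg),
        "verdict": verdict,
    }

if __name__ == "__main__":
    for key, value in assess(SAMPLE).items():
        print(f"{key}: {value}")
```

In the sample, SPF passes only for the envelope domain `mailer.example.net`, which does not match the From domain, so DMARC fails: the message was not sent through the account it claims to come from.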

Thank you for the clarification. Ok, so here are the steps I have done so far. Before your reply, I had updated my OS to Windows 11 two days ago and I have decided to roll back to Windows 10 today, just now. I have then scanned with Malwarebytes, exported the txt results, ran AdwCleaner and quarantined some unknown registries (or programs, not sure), quarantined some pre-installed software (I can always restore them later, if anything), exported the txt file and I have restarted my laptop. Then, for step 3, I did everything as mentioned with Farbar Recovery Scan Tool and I have those 2 txt files. Here are all the files you're needing. 

Addition.txt AdwCleaner[C01].txt FRST.txt Malwarebytes results.txt

Link to post
Share on other sites

  • Root Admin

That's a huge change.

Please do the following. Restart the computer one more time. Then run the following scan and post back the logs. Please don't install or uninstall or make other changes until we're done checking out the computer.

 

 

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started. 
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes 
  • When prompted for scan type, Click on Full scan 
  • Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
  • Have patience. The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".
  • Click the blue "Save scan log" to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at the bottom).
  • Press Continue when all done. You should click to turn off the offer for "periodic scanning".

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 

Link to post
Share on other sites

Okay, so I have followed the steps as you mentioned. I have scanned with ESET Online Scanner and I got 7 unwanted files, some of which I quarantined. Then, I did, in the correct order, the steps to scan with Malwarebytes and FRST. Here are all the files

ESET Online Scanner.txt FRST.txt Malwarebytes results.txt Addition.txt AdwCleaner[C01].txt

Link to post
Share on other sites

  • Root Admin

Please note that this folder is an indication of a potentially failing hard drive

D:\found.000

 

Please uninstall the following via the Control Panel

Bonjour
 

 

 

Then exit out of Malwarebytes and close all browsers and applications and run the following fix

 

 

 

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

Link to post
Share on other sites

Before proceeding, I have a few questions. Bonjour is a zero-configuration network by Apple to facilitate network connection between different devices. Why is it that I would need to uninstall that? What would be the consequences? As for the D: drive, what should I do to prevent the hard drive from failing? It's my 2nd internal hard drive and I cannot permit that to fail or I'll lose A LOT of important information.

After clarifying those concerns, when disabling any real-time antivirus and security software, that means that I will have to disable Malwarebytes and Windows Security completely?

Also, which password manager would you recommend me the most? I'm seeing that some people are not happy with the new update of Dashlane.

Link to post
Share on other sites

  • Root Admin

Bonjour is not needed on Windows. Windows has its own way of locating devices. Bonjour is probably about the noisiest, chatty program on your computer.

About the only possible reason you might need it is if you have an Apple TV you're trying to connect to your computer. Though I seriously believe you could still connect it on Windows without Bonjour.

There are thousands of logs with all kinds of connection errors, faults, etc. I've seen over the years. Removing Bonjour corrects that.

I seriously doubt you'd notice any consequences of uninstalling Bonjour. Even if you did you can reinstall it within moments if wanted.

 

The D: drive.
Get another external USB drive and copy ALL the data you want to keep onto it. Then do a drive diagnostics on that drive and I bet you probably find something wrong.
There is no proven way to tell for sure when it will fail. It could be days, it could be years before a complete failure but if you don't have your data backed up then you're looking for a disaster sooner or later.

I myself have multiple backup drives. What if the backup drive fails three days later after you replace the main drive? Then you've lost everything.

Backup Software
https://forums.malwarebytes.org/index.php?/topic/136226-backup-software

 

 

 

Just exit out of Malwarebytes. Though you can probably keep it running it's best to exit out. You're not browsing the web or doing anything else so there should be very little exposure to any additional threats.

 

If you don't want to pay for a Password Manager then one of these

https://bitwarden.com/

https://keepass.info/

https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/

 

 

 

Edited by AdvancedSetup
Updated info
Link to post
Share on other sites

Okay, I see. Useful information, thanks. Just so I understand correctly, this fix txt file will basically verify and attempt to fix any corrupted file? If so, then the D: drive should be able to be fixed with that? I am trying to understand the root cause of potential damage of the drive. It is the second internal drive of my laptop, and I can't recall a time where I have done something to disrupt any sort of update, software installation or any of that nature as it is an internal and not external (USB) drive. This is not the first time I have a drive that will (or could) fail. I've had other drives in a desktop computer that have failed and were unable to recover any sort of file as everything got corrupted and lost. Should I right click on D: drive and go on Properties>Tools? click Check on Error Checking? How can I prevent any potential damage on a drive in the future?

Link to post
Share on other sites

10 minutes ago, 007nice1 said:

Should I right click on D: drive and go on Properties>Tools? click Check on Error Checking? How can I prevent any potential damage on a drive in the future?

I am going to hop in and make a suggestion. Back up the data to an external drive before you do the above.

A check disk has the potential to push a failing drive "over the edge". Better safe than sorry.

As for future prevention. Standard drives do not like physical shock. I would replace it with an SSD if this computer is mobile.

No drive is 100% safe either way. Timely backups/images are crucial for any drive made.

 

Link to post
Share on other sites

  • Root Admin

The D: drive in this case is a stand alone drive and I'm not issuing a scan on it in the fix. But I get your point @Porthos and agree that if a drive is potentially failing you need to get the data backed up FIRST before doing other things or you can easily lose that data.

Drive c: (Windows) (Fixed) (Total:237.29 GB) (Free:12.06 GB) NTFS
Drive d: (DATA) (Fixed) (Total:931.51 GB) (Free:287.18 GB) NTFS

 

Link to post
Share on other sites

  • Root Admin

You can run DEVICE MANAGER from Start / Search

Under Disk Drives you can locate the model number at least and in some cases the name. That model number can be searched online to find the name.

Then we can suggest the proper tool to run to do a Diagnostic Test on the drive. Again, backups should be done first.

 

Link to post
Share on other sites

Okay, thanks the both of you. I currently have only 1 external hard drive in which I could store the backup of my D: (internal) drive in it. However, in the links you've provided concerning the Backup Software thread you've posted (@AdvancedSetup), it is not recommended to leave whichever backup drive always connected, but only connect it when restoring/backing up data. That said, my external hard drive (F:) is often connected as I access files daily (steam games library, software, etc.). In this case, what should I do? Should I just purchase an additional external hard drive solely for backups/restore?

The reason I am asking that is because I want to proceed for the next steps in terms of the fix.txt file, but I am afraid it would damage the internal drive (D:) or any files within. 

Thank you for the info concerning the search of the names and models of the drives. Although it is not precise to me, there is only my external hard drive that I can recognize by its name which is identified (on Device Manager) as WD Game Drive USB device. I believe that the first drive name that appears on the list would be the C: drive under the name of HGST HTS721010A9E630; D: drive under the name of INTEL SSDPEMKF256G8H. I have attached a screenshot when trying to identify the D: drive just so you can double check with me if I have the names correct for each drive. 

drives.PNG

drives 2.PNG

Link to post
Share on other sites

  • Root Admin

Please see if you can do the following.

Open an elevated admin command prompt. Click on Start / Search and type in CMD.EXE and when it shows on the menu right-click and choose "Run as administrator"

Then type in or copy and paste the following and press the Enter key. Then post back the results

wmic diskdrive get model,serialNumber,size,mediaType

Thanks @007nice1

 

Link to post
Share on other sites

  • Root Admin

We are not targeting the D: drive. So there should not be an issue running the fix. We only do a disk check on the C: volume which is your SSD

I would recommend you look at getting a replacement drive for your D: drive. As well as getting an external USB drive to back up your data to so that in the future if you were to have a failure you could recover your data. Today, a 5TB USB external drive is around $100 but would give you room to do backups for a long period of time.

 

Link to post
Share on other sites

Okay. I thought the C: drive was considered to be the hard drive; the main, internal hard drive. And that the D: drive was the SSD. 

Today, once again, after 2-3 weeks, another attempt was done on my email trying to access it, so I had to change my password. It is extremely frustrating.

I will run the fix now and will give you updates. 

Link to post
Share on other sites

This topic is now closed to further replies.