Logs - Exploited? - Data Security Breach Information

Greetings Geeksters,

TIA.

I believe I've been exploited. Perhaps it was a pop-up disguised as a Silverlight update; something I'd long ago decided I didn't want, then installed, so, I hurriedly supposed I wanted the update. Silly me.

Now I have to say this one is cool (the bad kind of cool), it's artful in its nastiness. It's not a constant inconvenience, just an occasional one. Sly. As I surf, I occasionally get either >>an offer<< within a new smaller window, or a "Data Security Breach Information" with a paragraph and an opportunity to get all three major credit reports for FREE!, also in a smaller new window. (I thought they had to supply one for free anyway?!?). I didn't follow/click that path, but I bet they'd be asking for a SSN - for all the good that'd do them - lol. The rest of the message reads like this:

Attention ICANN Visitor,

Data Security Breach Information

We want to make you aware of a significant incident that has occurred. There was a massive system breach at Global Payments, a company that processes credit card transactions for a number of companies, including Visa, Mastercard, American express, Discover and other major credit card brands. Files containing personal credit card information were compromised. We are urging you to check your credit profile for any activity that you did not authorize.​

I've got something they can check...besides, I am a Dear Carl, not a Dear Visitor...

ANYway, I have follow the READ & RUN ME FIRST instructions. I'll attach the logs. I can't really say whether or not I am "still having problems" yet I do know that one of the scans, HitmanPro I think, found a bunch of malware. I really wanted to tick the fix it button, but I followed instructions and did not, so, I assume the baddies are still there.

At first, I opened but did not run TDSSKiller. I believe it made a log anyway, so, it's attached here, then TDSS #2 (after I ran it), then HitmanPro...and, therefore, I hit my maximum and the MGLog will be in the next post.

Please advise. Like everyone, I wanna be clean.

Thank you for all you have done, do, and continue to do.

You help the net be a safer and better place.

Best,

~drcarl

 

The 6th file....MGLogs zip attached

 

.
I am adding this well-written description that another user posted elsewhere on the forum. Rather than following the instruction provided for him, I await your leadership... patiently... lol

 

TimW,

Thank you for your reply and direction. I followed the steps and things are looking good, yet, I am hesitant to claim being in the clear until after more time has passed. This exploit was (I hope it's a "was") a real smooth one...not "in your face" like most of them...just a little ad here, and a little redirect there... (A$$H0L3 TIME WASTERS)

Log attached. I'll repost here if any problems rear their ugly heads.

Thank you agin TimW and any and all MGeeksters!

Best,

~drcarl

 

Oh no. Another pop-up ad that was not asked for and appears in smaller new window. (BTW, I have AdBlockPlus running on Chrome) Also noticed more of the same...small square ad in lower right. Nutz! At least now the ad video or text is absent and just the box appears.

I re-ran JRT and it removed "pc speed up" :

"Successfully deleted: [Folder] "C:\Program Files (x86)\pc speed up"​

...which on review of the first JRT log, it "failed to remove"

I ran CCleaner's Cleaner and Registry tool. Rebooted. Ran JRT again (as administrator). Nothing found. Attached JRT logs 02 and 03. Ran Hitman Pro (as admin): -0- threats. Ran MGTools and attached log. Ran analyse.exe and attached log.

I notice that programs (CaptureWiz, DSClock) previously set to launch on startup no longer do, and the start with Windows tick box is clear - So, I am re-checking/ticking them as I notice I'm missing things.

Now what? *sigh*

(Thanks for your help)


PS - I started keeping a list of malware notices/pop-ups in case that matters at all; most current at the top.

Pop-up sites:

----------before (and during) the SECOND cleanup - boo hoo------------------

http://www.cbs.com/shows/star_trek_deep_space_9/?ttag=mktg_ntp_SD_vid_0601_fa
(appeared while browsing MG in Chrome)
http://www.cbs.com/shows/the_twilight_zone/?ttag=mktg_ntp_CTZ_vid_0712_fa
(opend while viewing HowToGeek)
http://winnervisitors.com/a/cs/top/3.php?target=Revouninstaller.com
(the pop-up above appeared after I started Revo Uninstaller)
http://www.cbs.com/shows/elementary/video/?ttag=mktg_ntp_E_vid_0125_fa
http://www.match.com/en-us/landing/...36_10189437_1112204_10189447_1x1&CPV2=okcupid

----------before the FIRST cleanup------------------

http://www.pogo.com/?sourceid=camEGP_Gamevance_LandingPageLoad_RON_FreePogo_Homepage_Landingpageload
http://lifestyleinsights.org/score/notice-r.php?keyword=Ww.amazon.c
http://www.beautyriot.com/celebriti...&utm_source=trafficvance&utm_term=Okcupid.com
http://winnervisitors.com/a/cs/top/8.php?target=Icann.org
http://www.folica.com/?s_sku=cj_&s_...utm_medium=affiliate&utm_campaign=paff3087676

 

I am still troubled with this pest.

 

Still troubled, adding to list of pop-up ads.

OMG! Since the problem kinda feels like an extension in that it seems to be browser-related, I re-reviewed what extensions I have enabled in chrome. I found something [damn; forgot the name. I think it was "TopArcadeHits"] that offered 2000? of the best arcade hits. I didn't want that. Goodbye extension!

We'll see.... maybe fixed.

QUESTION: I ran RogueKiller and it found some entries noted under the Registry tab. I want to hit "delete" yet am wary of reg edits without someone telling me to go for it. So, pleaSe see attached report...is it safe to delete these?

Thanks,

~drcarl

Continuing list of pop-up destinations, new on top:

http://www.basictalk.com/?CMP=ONB-FLS-OTHER-FUTAD-2013-BASICTALK-VER1-PHONE

----------before (and during) the SECOND cleanup - boo hoo------------------
http://www.cbs.com/shows/star_trek_deep_space_9/?ttag=mktg_ntp_SD_vid_0601_fa
(appeared while browsing MG in Chrome)
http://www.cbs.com/shows/the_twilight_zone/?ttag=mktg_ntp_CTZ_vid_0712_fa
(opend while viewing HowToGeek)
http://winnervisitors.com/a/cs/top/3.php?target=Revouninstaller.com
(the pop-up above appeared after I started Revo Uninstaller)
http://www.cbs.com/shows/elementary/video/?ttag=mktg_ntp_E_vid_0125_fa
http://www.match.com/en-us/landing/...36_10189437_1112204_10189447_1x1&CPV2=okcupid

----------before the FIRST cleanup------------------
http://www.pogo.com/?sourceid=camEGP_Gamevance_LandingPageLoad_RON_FreePogo_Homepage_Landingpageload
http://lifestyleinsights.org/score/notice-r.php?keyword=Ww.amazon.c
http://www.beautyriot.com/celebriti...&utm_source=trafficvance&utm_term=Okcupid.com
http://winnervisitors.com/a/cs/top/8.php?target=Icann.org
http://www.folica.com/?s_sku=cj_&s_...utm_medium=affiliate&utm_campaign=paff3087676

 

Thanks TimW - here it is

 

I might be OK since I trashed the "TopArcadeHits" extension in Chrome. I think it might take some time to tell.

Meanwhile, I'd love to delete what RogueKiller found. Log with Post #8. I wonder if it's safe to press the delete button within RK?

And, thanks for your consideration here....

 

OK, got it. Right-click to delete logs.

Now, please view the attached screenshot.

These look more like "entries" or "items" than a "log."

What I am asking about (I believe in posts #8, #12 and now #14) is this: Inside the RogueKiller software application, after a scan, under the "Registry" tab, there are about 8 pre-checked entries which appear to be candidates for deletion. Is it safe to delete them?

There is also an IP address listed under the "Hosts" tab. Is there something to be done with that?

I'll carry-on with the other instructions.

Thanks you,

~drcarl

 

Thanx TimW