151 replies to this topic

[jeffce]

Sounds like a good plan Patti. When you return I want to look at one more thing (nothing to be worried about) and then we will remove our tools.

[PattiChati]

ok, I am ready to get rid of the stuff on my desktop and hopefully find out why some things are in the wrong places. What thing were you questioning

[jeffce]

Hi Patti,

Let's get a look really quick for a certain folder and then I think we will be good to go.

• Right-click and Run as Administrator SystemLook.exe to run it.
• Copy the content within the following codebox into the main textfield:
  

  :folderfind
  *PARETOLOGIC*

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

[PattiChati]

Funny you should mention Paretologic. For the first time this morning, I had the message of xoftspy and Paretologic wanting to install it. I didn't have this the whole time working with Lee.. I see your post above and I will do that as soon as I can. This is just too ironic. Is there a way to block or spam Paretogic?

[jeffce]

Once you get that information for me I am going to remove it.

[PattiChati]

SystemLook 30.07.11 by jpshortstuff Log created at 11:38 on 13/09/2012 by Patty Administrator - Elevation successful ========== folderfind ========== Searching for "*PARETOLOGIC*" C:\Program Files\Common Files\ParetoLogic d------ [20:46 12/10/2011] C:\ProgramData\ParetoLogic d------ [20:46 12/10/2011] C:\Users\All Users\ParetoLogic d------ [20:46 12/10/2011] C:\Users\Patty\AppData\Roaming\ParetoLogic d------ [21:43 19/06/2012] C:\_OTL\MovedFiles\09062012_161253\C_ProgramData\ParetoLogic d------ [20:12 06/09/2012] -= EOF =-

[jeffce]

Hi Patti,

Run OTL.exe

• Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
  
  

  :Services
  
  :Files
  C:\Program Files\Common Files\ParetoLogic
  C:\ProgramData\ParetoLogic
  C:\Users\All Users\ParetoLogic
  C:\Users\Patty\AppData\Roaming\ParetoLogic
  ipconfig /flushdns /c
  
  :Commands
  [emptytemp]
  [resethosts]
  [clearallrestorepoints]
  [start explorer]
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot when it is done
• Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )

Post the new OTL log that is created and let me know how your system is running.

[PattiChati]

All processes killed
========== SERVICES/DRIVERS ==========
========== FILES ==========
C:\Program Files\Common Files\ParetoLogic\UUS3\Images folder moved successfully.
C:\Program Files\Common Files\ParetoLogic\UUS3 folder moved successfully.
C:\Program Files\Common Files\ParetoLogic folder moved successfully.
C:\ProgramData\ParetoLogic\UUS3\PCHA folder moved successfully.
C:\ProgramData\ParetoLogic\UUS3 folder moved successfully.
C:\ProgramData\ParetoLogic\PC Health Advisor folder moved successfully.
C:\ProgramData\ParetoLogic folder moved successfully.
File\Folder C:\Users\All Users\ParetoLogic not found.
C:\Users\Patty\AppData\Roaming\ParetoLogic\PC Health Advisor folder moved successfully.
C:\Users\Patty\AppData\Roaming\ParetoLogic folder moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Patty\Downloads\cmd.bat deleted successfully.
C:\Users\Patty\Downloads\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Patti's New Account
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes

User: Patti-PC
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes

User: Patty
->Temp folder emptied: 403807695 bytes
->Temporary Internet Files folder emptied: 2233817 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 75106217 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 4057 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 711240 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 108692 bytes
RecycleBin emptied: 47009280250 bytes

Total Files Cleaned = 45,291.00 mb

C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.59.1 log created on 09132012_140944

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

[PattiChati]

SystemLook 30.07.11 by jpshortstuff Log created at 14:16 on 13/09/2012 by Patty Administrator - Elevation successful ========== folderfind ========== Searching for "*PARETOLOGIC*" C:\_OTL\MovedFiles\09062012_161253\C_ProgramData\ParetoLogic d------ [20:12 06/09/2012] C:\_OTL\MovedFiles\09132012_140944\C_Program Files\Common Files\ParetoLogic d------ [20:46 12/10/2011] C:\_OTL\MovedFiles\09132012_140944\C_ProgramData\ParetoLogic d------ [20:46 12/10/2011] C:\_OTL\MovedFiles\09132012_140944\C_Users\Patty\AppData\Roaming\ParetoLogic d------ [21:43 19/06/2012] -= EOF =-

[jeffce]

Good. How is your system running?

[PattiChati]

It's running good. Did you get rid of paretologic?

[jeffce]

It's running good. Did you get rid of paretologic?

Yes I believe that we did.

Providing there are no other malware related problems...

IT APPEARS THAT YOUR LOGS ARE NOW CLEAN SO LETS DO A COUPLE OF THINGS TO WRAP THIS UP!!

This infection appears to have been cleaned, but I can not give you any absolute guarantees. As a precaution, I would go ahead and change all of your passwords as this is especially important after an infection.
----------

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following text into the Run box as shown and click OK.
Combofix /Uninstall
(Note: There is a space between the ..X and the /U that needs to be there.)


----------

Clean up with OTL:

• Right-click and Run as Administrator OTL.exe to start the program.
• Close all other programs apart from OTL as this step will require a reboot
• On the OTL main screen, press the CLEANUP button
• Say Yes to the prompt and then allow the program to reboot your computer.

----------

Any of the logs that you created for use in the forums or remaining tools that have not yet been removed can be deleted so they aren't cluttering up your desktop.

Here are some tips to reduce the potential for spyware infection in the future:

1. Make your Internet Explorer more secure - This can be done by following these simple instructions:

• From within Internet Explorer click on the Tools menu and then click on Options.
• Click once on the Security tab
• Click once on the Internet icon so it becomes highlighted.
• Click once on the Custom Level button.
• Change the Download signed ActiveX controls to Prompt
• Change the Download unsigned ActiveX controls to Disable
• Change the Initialize and script ActiveX controls not marked as safe to Disable
• Change the Installation of desktop items to Prompt
• Change the Launching programs and files in an IFRAME to Prompt
• Change the Navigate sub-frames across different domains to Prompt
• When all these settings have been made, click on the OK button.
• If it prompts you as to whether or not you want to save the settings, press the Yes button.
• Next press the Apply button and then the OK to exit the Internet Properties page.

2. Enable Protected Mode in Internet Explorer. This helps Windows Vista users stay more protected from attack by running Internet Explorer with restricted privileges as well as reducing the ability to write, alter or destroy data on your system or install malicious code. To make sure this is running follow these steps:

• Open Internet Explorer
• Click on Tools > Internet Options
• Press Security tab
• Select Internet zone then place check next to Enable Protected Mode if not already done
• Do the same for Local Intranet, Trusted Sites and Restricted Sites and then press Apply
• Restart Internet Explorer and in the bottom right corner of your screen you will see Protected Mode: On showing you it is enabled.

3. Use and update an anti-virus software - I can not overemphasize the need for you to use and update your anti-virus application on a regular basis. With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

4. Firewall
Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. **There are many firewalls that could be downloaded and used but I would personally only recommend using one of the following two below:
Online Armor Free

5. Make sure you keep your Windows OS current. Windows XP users can visit Windows update regularly to download and install any critical updates and service packs. Windows Vista/7 users can open the Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane) to update these systems. Without these you are leaving the back door open.

6. WOT (Web of Trust) As "Googling" is such an integral part of internet life, this free browser add on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites. WOT has an add-on available for Firefox, Internet Explorer as well as Google Chrome.

7. Finally, I strongly recommend that you read Miekiemoes' great advice How to prevent malware.

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.

[PattiChati]

I have Firefox, if that makes a difference in your directions above. Also, I have a few more questions to ask, then we were going to get rid of all the programs we installed

[PattiChati]

You mean change ALL of my passwords on ALL of my websites. Do you do that? How am I supposed to remember them all or can use the same one for all of them just so I change it every 3 months or so

[jeffce]

Hi Patti,

Since you use Firefox I would recommend using these add-ons.
No Script
AdBlock Plus

These will help make your Firefox browser more secure.
------

You mean change ALL of my passwords on ALL of my websites.

This is more of a suggestion but not something that you HAVE to do.