[Jim Dearden]

Further, re-ran system look, and it's back...

 

SystemLook 30.07.11 by jpshortstuff

 

Log created at 13:16 on 25/05/2014 by Joyce McEachern 2

Administrator - Elevation successful

WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.

 

========== filefind ==========

 

Searching for "*yaimo*"

C:\Users\Joyce McEachern\AppData\Local\Microsoft\Windows\INetCache\Low\IE\D1PXRN90\yaimov1[1].js --a---- 2127 bytes [17:11 25/05/2014] [17:11 25/05/2014] 62B79A4183E2D78568824974AED51D0E

C:\Users\Joyce McEachern\AppData\Local\Microsoft\Windows\INetCache\Low\IE\UOXU0LRO\yaimosearch[1].css --a---- 13023 bytes [17:11 25/05/2014] [17:11 25/05/2014] B87F0AD49B70920F9F45E856E80E4174

C:\Users\Joyce McEachern\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\JBYMNSMO\www.yaimo[2].xml --a---- 13 bytes [17:11 25/05/2014] [17:11 25/05/2014] C1DDEA3EF6BBEF3E7060A1A9AD89E4C5

 

-= EOF =-

 

Jim

[Advertisements]

http://jpshortstuff....temLook_x64.exe

Use the link above and redownload system look.

Then in systemlook search the registry.
 

:regfind
yaimo

I want to see what shows.

I'm at work today so time is short.....

[zep516]

http://jpshortstuff....temLook_x64.exe

Use the link above and redownload system look.

Then in systemlook search the registry.
 

:regfind
yaimo

I want to see what shows.

I'm at work today so time is short.....

[Jim Dearden]

Hi Joe

 

Here you go...

 

SystemLook 30.07.11 by jpshortstuff

Log created at 09:16 on 26/05/2014 by Joyce McEachern 2

Administrator - Elevation successful

 

========== regfind ==========

 

Searching for "*yaimo*"

No data found.

 

-= EOF =-

 

 

Doing a :filefind gets:

 

SystemLook 30.07.11 by jpshortstuff

Log created at 09:19 on 26/05/2014 by Joyce McEachern 2

Administrator - Elevation successful

 

========== filefind ==========

 

Searching for "*yaimo*"

C:\Users\Joyce McEachern\AppData\Local\Microsoft\Windows\INetCache\Low\IE\E59RAFXT\yaimosearch[1].css --a---- 13023 bytes [22:37 25/05/2014] [22:37 25/05/2014] B87F0AD49B70920F9F45E856E80E4174

C:\Users\Joyce McEachern\AppData\Local\Microsoft\Windows\INetCache\Low\IE\UOXU0LRO\yaimov1[1].js --a---- 2127 bytes [22:37 25/05/2014] [22:37 25/05/2014] 62B79A4183E2D78568824974AED51D0E

C:\Users\Joyce McEachern\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\JBYMNSMO\www.yaimo[2].xml --a---- 13 bytes [22:37 25/05/2014] [22:37 25/05/2014] C1DDEA3EF6BBEF3E7060A1A9AD89E4C5

 

-= EOF =-

 

Work? Isn't that the thing we use to separate weekends? :-)

 

Jim

[zep516]

Reset Internet explorer one more time, see Here

Then

Clean out your temporary internet files and temp files.


Download TFC by OldTimer http://oldtimer.geekstogo.com/TFC.exe to your desktop.
Double-click TFC.exe to run it.
Note: If you are running on Vista, right-click on the file and choose Run As Administrator.
TFC will close all programs when run, so make sure you have saved all your work before you begin.
Click the Start button to begin the cleaning process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
Please let TFC run uninterrupted until it is finished.
Once TFC is finished itshould restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

[Jim Dearden]

Hi again Joe,

 

Didn't work. I've done the process a couple of times, ensured I was running as administrator, and the sucker keeps coming back.

 

Just for giggles, I used the F12 developer options, and used the Dom explorer to look at the search page. It looks like it's being loaded through java from the IE search engine.

 

I couldn't find a way to save the page source to show you though.

 

Jim

[zep516]

OK.

I have come across the f12 and Dom explorer but have never used it. Lets get rid of Java anyway.

Remove these programs from the Programs an Features list.

1-Java 7 Update 55 <-----If she needs this then Java can be reinstalled at a later time. Also see Note below concerning Java.

2-Java Auto Updater.

Then Clear Java cache as shown below.

http://www.java.com/...lugin_cache.xml

Check the Internet Explorer Java plug-ins , extensions, add ons too. Disable them.

Then

Download and run JavaRa from Here. Use it to remove old versions of Java that's all.

JavaRa is a simple tool that does a simple job: it removes old and redundant versions of the Java Runtime Environment (JRE).

Reboot windows 8.

Note
Due to multiple security problems with Java we are now recommending that it not be installed anyway unless you absolutely know you need it.

Joe

[Jim Dearden]

Hi Joe,

 

I've done all the above, but no go. I ran into one snag, if I remove Java, then the control panel for java no longer exists, and you can't clear the cache. I did all the rest. 

 

Upon reboot, I did a system look, and no yaimo files were found. I opened IE, and the search page was there. A system look then finds the yaimo files again.

 

I cleaned up the yaimo files, reset explorer. I then installed the latest Java, used the java control panel to remove all cache files, and turned off java keeping files in a temp folder. I then uninstalled java, reset explorer again. A systemlook found no yaimo files.

 

Rebooted, did a system look. No files. Started IE, page is back. New system look, files are back.

 

--------------------

 

SystemLook 30.07.11 by jpshortstuff

Log created at 10:24 on 28/05/2014 by Joyce McEachern 2

Administrator - Elevation successful

 

========== filefind ==========

 

Searching for "*yaimo*"

C:\Users\Joyce McEachern\AppData\Local\Microsoft\Windows\INetCache\Low\IE\AIEJ0OXB\yaimosearch[1].css --a---- 13023 bytes [14:24 28/05/2014] [14:24 28/05/2014] B87F0AD49B70920F9F45E856E80E4174

C:\Users\Joyce McEachern\AppData\Local\Microsoft\Windows\INetCache\Low\IE\Z6LEDZ7W\yaimov1[1].js --a---- 2127 bytes [14:24 28/05/2014] [14:24 28/05/2014] 62B79A4183E2D78568824974AED51D0E

C:\Users\Joyce McEachern\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\JBYMNSMO\www.yaimo[1].xml --a---- 13 bytes [14:24 28/05/2014] [14:24 28/05/2014] C1DDEA3EF6BBEF3E7060A1A9AD89E4C5

 

-= EOF =-

 

----------------

 

When using JavaRa, I get the following:

 

JavaRa 1.16 Removal Log.

 

Report follows after line.

 

------------------------------------

 

The JavaRa removal process was started on Wed May 28 10:46:07 2014

 

There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-ABCDEFFDCBA}. The error returned was 124.

 

There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0001-ABCDEFFDCBA}. The error returned was 124.

 

There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0002-ABCDEFFDCBA}. The error returned was 124.

 

There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0003-ABCDEFFDCBA}. The error returned was 124.

 

There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0004-ABCDEFFDCBA}. The error returned was 124.

 

There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0005-ABCDEFFDCBA}. The error returned was 124.

 

There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0006-ABCDEFFDCBA}. The error returned was 124.

 

There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0007-ABCDEFFDCBA}. The error returned was 124.

 

There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0008-ABCDEFFDCBA}. The error returned was 124.

 

There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0009-ABCDEFFDCBA}. The error returned was 124.

 

There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0010-ABCDEFFDCBA}. The error returned was 124.

 

There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0011-ABCDEFFDCBA}. The error returned was 124.

 

There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0012-ABCDEFFDCBA}. The error returned was 124.

 

There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0013-ABCDEFFDCBA}. The error returned was 124.

 

There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0014-ABCDEFFDCBA}. The error returned was 124.

 

There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0015-ABCDEFFDCBA}. The error returned was 124.

 

There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0016-ABCDEFFDCBA}. The error returned was 124.

 

There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0017-ABCDEFFDCBA}. The error returned was 124.

 

There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0018-ABCDEFFDCBA}. The error returned was 124.

 

There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0019-ABCDEFFDCBA}. The error returned was 124.

 

There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0020-ABCDEFFDCBA}. The error returned was 124.

 

There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0021-ABCDEFFDCBA}. The error returned was 124.

 

There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0022-ABCDEFFDCBA}. The error returned was 124.

 

------------------------------------

 

Finished reporting.

 

 

This seems to be because the directories don't exist. Also, Firefox doesn't appear in the programs and features list for an unistall, and doesn't seem to actually be on the system. These might be leftovers from an unistall.

 

Don't know if any of this helps, but that's what I've got so far.

 

Jim

Edited by Jim Dearden, 28 May 2014 - 08:46 AM.

[Jim Dearden]

Hi Joe,

 

Found it!

 

I did some Google searches and found a hint on a spanish website.

 

What ever malware did this, it changed the IE shortcut to read: 

 

"C:\Program Files\Internet Explorer\iexplore.exe" http://www(dot)yaimo(dot)com

 

So that's what was overriding the homepage. I fixed the shortcut, and no more redirect. This has survived a few reboots, and runs of IE. Systemlook didn't find anything, either.

 

In the interests of research, I visited the Yaimo page manually. Sure enough, the entries in the IE temp files showed up! So the redirect was making the entries happen on visit. Interestingly, I still don't have Java installed.

 

I cleaned up the entries again, did the reboot/run tests again, and it's still fine.

 

So I think that's the last of it! I guess it's on to whatever final checks and cleanup that you want me to do, and then I can quit bothering you! :-)

 

Jim

Edited by Jim Dearden, 29 May 2014 - 05:39 AM.

[zep516]

Jim,

I did some Google searches and found a hint on a spanish website.

Do you have that link for the website, I kept getting dead ends an no real hints.

There was no bother, this was a great experience working with you. I would not have located the issue without you, so now I can add to my toolbox.

http://www.bleepingc...ortcut-cleaner/
Just for interest above link is a tool we sometimes use, called short cut cleaner.

I'll give you some instructions a bit later so we can remove the tools we used, an close the thread.

Thanks
Joe

[Jim Dearden]

Jim,
 

I did some Google searches and found a hint on a spanish website.

Do you have that link for the website, I kept getting dead ends an no real hints.

There was no bother, this was a great experience working with you. I would not have located the issue without you, so now I can add to my toolbox.

http://www.bleepingc...ortcut-cleaner/
Just for interest above link is a tool we sometimes use, called short cut cleaner.

I'll give you some instructions a bit later so we can remove the tools we used, an close the thread.

Thanks
Joe

 

 

Hi Joe, it was a great learning experience for me as well. I'm thinking of registering for training once the ticket is closed. It would be great to do this on my own, as well as help others on the site.

 

here is the Spanish page, through Google translate:

 

http://translate.goo...tXQ#post2215228

 

long one, hope it works!

 

Do you thing it would be worth running the shortcut cleaner as well?

 

Jim

Edited by Jim Dearden, 29 May 2014 - 06:53 PM.

[zep516]

No don't run any more tools, as long as it's fixed there no need to run tools for the sake of running them...

I was going to ask you about joining the team I think you would be good at it.


Next

Since your log reports are clean and free of malware, lets clean up after ourselves.


OTL Clean-Up

Right click on the icon on your desktop and choose Run as administrator to open the main window.

Next click on the button.

Once clean up is complete you will be prompted to reboot your computer. Please do so.

This will remove most of the programs we have used including itself.


Next

Double-click on AdwCleaner.exe to run the tool again.

• Click on the Uninstall button.
• Click Yes when asked are you sure you want to uninstall.
• Both AdwCleaner.exe, its folder and all logs will be removed.

Right click on the JRT Icon and select delete.
If there are any left over tools or logs on your computer please delete them now.

Next

Clear Restore Points

Go Start > All Programmes > Accessories > System tools
Right click Disc Cleanup and select run as administrator
When it pops up at the first prompt select OK after it has done some calculations the tabs will appear
Select More Options tab
Press Sytem Restore and Shadow Copies Cleanup button



You usually get infected because your security settings are too low.

Here are a number of recommendations that will help tighten them, and which will contribute to making you a less likely victim:

Safe Computing Practices please read Here

Thanks
Joe

[Jim Dearden]

Hi Joe,

 

all the cleanups are done, everything is still working fine. I'm going to take the safe practices link above, and print it up for the lady who owns the computer. Hopefully that will keep it clean for a while...

 

Thanks for all the help!

 

Jim

[zep516]

Great!

 

She needs to read that. Watch what she downloads and where from. I'll leave the thread open for a while just in case.

 

Jim Great working with you.

 

Joe