Need Sanity check: Did I clean everything?


#46 Jim Dearden (Member, Topic Starter, 37 posts)

Further, I re-ran SystemLook, and it's back...

 

SystemLook 30.07.11 by jpshortstuff
 
Log created at 13:16 on 25/05/2014 by Joyce McEachern 2
Administrator - Elevation successful
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.
 
========== filefind ==========
 
Searching for "*yaimo*"
C:\Users\Joyce McEachern\AppData\Local\Microsoft\Windows\INetCache\Low\IE\D1PXRN90\yaimov1[1].js --a---- 2127 bytes [17:11 25/05/2014] [17:11 25/05/2014] 62B79A4183E2D78568824974AED51D0E
C:\Users\Joyce McEachern\AppData\Local\Microsoft\Windows\INetCache\Low\IE\UOXU0LRO\yaimosearch[1].css --a---- 13023 bytes [17:11 25/05/2014] [17:11 25/05/2014] B87F0AD49B70920F9F45E856E80E4174
C:\Users\Joyce McEachern\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\JBYMNSMO\www.yaimo[2].xml --a---- 13 bytes [17:11 25/05/2014] [17:11 25/05/2014] C1DDEA3EF6BBEF3E7060A1A9AD89E4C5
 
-= EOF =-
 
Jim



#47 zep516 (Trusted Helper, Malware Removal, 6,804 posts)
http://jpshortstuff....temLook_x64.exe

Use the link above and redownload SystemLook.

Then, in SystemLook, search the registry:
 
:regfind
yaimo
I want to see what shows.

I'm at work today so time is short.....

#48 Jim Dearden (Member, Topic Starter, 37 posts)

Hi Joe,

 

Here you go...

 

SystemLook 30.07.11 by jpshortstuff
Log created at 09:16 on 26/05/2014 by Joyce McEachern 2
Administrator - Elevation successful
 
========== regfind ==========
 
Searching for "*yaimo*"
No data found.
 
-= EOF =-
 
 
Doing a :filefind gets:
 
SystemLook 30.07.11 by jpshortstuff
Log created at 09:19 on 26/05/2014 by Joyce McEachern 2
Administrator - Elevation successful
 
========== filefind ==========
 
Searching for "*yaimo*"
C:\Users\Joyce McEachern\AppData\Local\Microsoft\Windows\INetCache\Low\IE\E59RAFXT\yaimosearch[1].css --a---- 13023 bytes [22:37 25/05/2014] [22:37 25/05/2014] B87F0AD49B70920F9F45E856E80E4174
C:\Users\Joyce McEachern\AppData\Local\Microsoft\Windows\INetCache\Low\IE\UOXU0LRO\yaimov1[1].js --a---- 2127 bytes [22:37 25/05/2014] [22:37 25/05/2014] 62B79A4183E2D78568824974AED51D0E
C:\Users\Joyce McEachern\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\JBYMNSMO\www.yaimo[2].xml --a---- 13 bytes [22:37 25/05/2014] [22:37 25/05/2014] C1DDEA3EF6BBEF3E7060A1A9AD89E4C5
 
-= EOF =-
 
Work? Isn't that the thing we use to separate weekends? :-)
 
Jim


#49 zep516 (Trusted Helper, Malware Removal, 6,804 posts)
Reset Internet Explorer one more time; see Here.

Then

Clean out your temporary internet files and temp files.


Download TFC by OldTimer http://oldtimer.geekstogo.com/TFC.exe to your desktop.
Double-click TFC.exe to run it.
Note: If you are running on Vista, right-click on the file and choose Run As Administrator.
TFC will close all programs when run, so make sure you have saved all your work before you begin.
Click the Start button to begin the cleaning process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
Please let TFC run uninterrupted until it is finished.
Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

#50 Jim Dearden (Member, Topic Starter, 37 posts)

Hi again Joe,

 

Didn't work. I've done the process a couple of times, ensured I was running as administrator, and the sucker keeps coming back.

 

Just for giggles, I used the F12 developer options and used the DOM Explorer to look at the search page. It looks like it's being loaded through Java from the IE search engine.

 

I couldn't find a way to save the page source to show you though.

 

Jim



#51 zep516 (Trusted Helper, Malware Removal, 6,804 posts)
OK.

I have come across the F12 and DOM Explorer but have never used it. Let's get rid of Java anyway.

Remove these programs from the Programs and Features list.

1-Java 7 Update 55 <-----If she needs this then Java can be reinstalled at a later time. Also see Note below concerning Java.

2-Java Auto Updater.

Then Clear Java cache as shown below.

http://www.java.com/...lugin_cache.xml

Check the Internet Explorer Java plug-ins, extensions, and add-ons too. Disable them.

Then

Download and run JavaRa from Here. Use it to remove old versions of Java; that's all.

JavaRa is a simple tool that does a simple job: it removes old and redundant versions of the Java Runtime Environment (JRE).

Reboot Windows 8.

Note
Due to multiple security problems with Java we are now recommending that it not be installed anyway unless you absolutely know you need it.

Joe

#52 Jim Dearden (Member, Topic Starter, 37 posts)

Hi Joe,

 

I've done all the above, but no go. I ran into one snag: if I remove Java, then the control panel for Java no longer exists, and you can't clear the cache. I did all the rest.

 

Upon reboot, I did a SystemLook, and no yaimo files were found. I opened IE, and the search page was there. A SystemLook then finds the yaimo files again.

 

I cleaned up the yaimo files and reset Explorer. I then installed the latest Java, used the Java control panel to remove all cache files, and turned off Java keeping files in a temp folder. I then uninstalled Java and reset Explorer again. A SystemLook found no yaimo files.

 

Rebooted, did a SystemLook. No files. Started IE, page is back. New SystemLook, files are back.

 

--------------------

 

SystemLook 30.07.11 by jpshortstuff
Log created at 10:24 on 28/05/2014 by Joyce McEachern 2
Administrator - Elevation successful
 
========== filefind ==========
 
Searching for "*yaimo*"
C:\Users\Joyce McEachern\AppData\Local\Microsoft\Windows\INetCache\Low\IE\AIEJ0OXB\yaimosearch[1].css --a---- 13023 bytes [14:24 28/05/2014] [14:24 28/05/2014] B87F0AD49B70920F9F45E856E80E4174
C:\Users\Joyce McEachern\AppData\Local\Microsoft\Windows\INetCache\Low\IE\Z6LEDZ7W\yaimov1[1].js --a---- 2127 bytes [14:24 28/05/2014] [14:24 28/05/2014] 62B79A4183E2D78568824974AED51D0E
C:\Users\Joyce McEachern\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\JBYMNSMO\www.yaimo[1].xml --a---- 13 bytes [14:24 28/05/2014] [14:24 28/05/2014] C1DDEA3EF6BBEF3E7060A1A9AD89E4C5
 
-= EOF =-
 
----------------
 
When using JavaRa, I get the following:
 
JavaRa 1.16 Removal Log.
 
Report follows after line.
 
------------------------------------
 
The JavaRa removal process was started on Wed May 28 10:46:07 2014
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0001-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0002-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0003-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0004-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0005-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0006-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0007-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0008-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0009-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0010-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0011-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0012-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0013-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0014-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0015-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0016-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0017-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0018-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0019-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0020-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0021-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0022-ABCDEFFDCBA}. The error returned was 124.
 
------------------------------------
 
Finished reporting.
 
 
This seems to be because the directories don't exist. Also, Firefox doesn't appear in the Programs and Features list for an uninstall, and doesn't seem to actually be on the system. These might be leftovers from an uninstall.
 
Don't know if any of this helps, but that's what I've got so far.
 
Jim

Edited by Jim Dearden, 28 May 2014 - 08:46 AM.

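The SystemLook hits in the posts above all sit under INetCache and DOMStore, which Internet Explorer rewrites on every page visit, so finding them again after a clean-up tells you a visit happened, not what caused it. The following PowerShell is an added example, not part of the thread and not a SystemLook feature: it parses ":filefind" result lines into objects, labels where each hit lives, and groups by MD5 across runs. The sample lines are copied from the 26/05 and 28/05 logs posted in this thread; the location categories are my own classification.

```powershell
# Added example (not from the thread): parse SystemLook ":filefind" result lines,
# classify where each hit lives, and compare hashes across runs.
# The sample lines below are copied from the SystemLook logs posted in this thread.
$sampleLog = @'
C:\Users\Joyce McEachern\AppData\Local\Microsoft\Windows\INetCache\Low\IE\E59RAFXT\yaimosearch[1].css --a---- 13023 bytes [22:37 25/05/2014] [22:37 25/05/2014] B87F0AD49B70920F9F45E856E80E4174
C:\Users\Joyce McEachern\AppData\Local\Microsoft\Windows\INetCache\Low\IE\UOXU0LRO\yaimov1[1].js --a---- 2127 bytes [22:37 25/05/2014] [22:37 25/05/2014] 62B79A4183E2D78568824974AED51D0E
C:\Users\Joyce McEachern\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\JBYMNSMO\www.yaimo[2].xml --a---- 13 bytes [22:37 25/05/2014] [22:37 25/05/2014] C1DDEA3EF6BBEF3E7060A1A9AD89E4C5
C:\Users\Joyce McEachern\AppData\Local\Microsoft\Windows\INetCache\Low\IE\AIEJ0OXB\yaimosearch[1].css --a---- 13023 bytes [14:24 28/05/2014] [14:24 28/05/2014] B87F0AD49B70920F9F45E856E80E4174
C:\Users\Joyce McEachern\AppData\Local\Microsoft\Windows\INetCache\Low\IE\Z6LEDZ7W\yaimov1[1].js --a---- 2127 bytes [14:24 28/05/2014] [14:24 28/05/2014] 62B79A4183E2D78568824974AED51D0E
C:\Users\Joyce McEachern\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\JBYMNSMO\www.yaimo[1].xml --a---- 13 bytes [14:24 28/05/2014] [14:24 28/05/2014] C1DDEA3EF6BBEF3E7060A1A9AD89E4C5
'@

function ConvertFrom-SystemLookFileFind {
    param([Parameter(Mandatory)][string[]]$Lines)

    # Line layout: <path> <7 attribute flags> <size> bytes [modified] [created] <MD5>
    $pattern = '^(?<Path>.+?) (?<Attr>[-a-zA-Z]{7}) (?<Size>\d+) bytes \[(?<Modified>[^\]]+)\] \[(?<Created>[^\]]+)\] (?<Md5>[0-9A-Fa-f]{32})$'

    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            $path = $Matches.Path
            # Browser cache and DOM storage are rewritten on every visit to the site,
            # so a hit there is downstream evidence, not the persistence mechanism.
            $location = switch -Regex ($path) {
                '\\INetCache\\|\\Temporary Internet Files\\' { 'IE cache (regenerated on visit)'; break }
                '\\DOMStore\\'                               { 'IE DOM storage (regenerated on visit)'; break }
                '\\AppData\\Roaming\\|\\ProgramData\\'       { 'profile or program data (possible persistence, inspect)'; break }
                default                                      { 'other (inspect)' }
            }
            [pscustomobject]@{
                File     = [System.IO.Path]::GetFileName($path)
                Location = $location
                Size     = [int]$Matches.Size
                Modified = $Matches.Modified
                Md5      = $Matches.Md5.ToUpper()
            }
        }
    }
}

$hits = ConvertFrom-SystemLookFileFind -Lines ($sampleLog -split "`r?`n")
$hits | Format-Table File, Location, Size, Modified -AutoSize

# Identical MD5s on different dates mean the same content was fetched again,
# which is exactly what a redirect to the same site produces on each launch.
$hits | Group-Object Md5 | Where-Object Count -gt 1 | ForEach-Object {
    "Same content ({0}) seen {1} times, last {2}" -f $_.Group[0].File, $_.Count, ($_.Group | Select-Object -Last 1).Modified
}
```

Feed it a real log with `Get-Content .\SystemLook.txt` in place of the sample; lines that are not result lines (headers, "Searching for", "-= EOF =-") are skipped by the pattern match. The classification table is deliberately conservative: anything outside the browser cache directories is marked for inspection rather than declared clean.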

#53 Jim Dearden (Member, Topic Starter, 37 posts)

Hi Joe,

 

Found it!

 

I did some Google searches and found a hint on a Spanish website.

 

Whatever malware did this, it changed the IE shortcut to read:

 

"C:\Program Files\Internet Explorer\iexplore.exe" http://www(dot)yaimo(dot)com

 

So that's what was overriding the homepage. I fixed the shortcut, and no more redirect. This has survived a few reboots and runs of IE. SystemLook didn't find anything, either.

 

In the interests of research, I visited the Yaimo page manually. Sure enough, the entries in the IE temp files showed up! So the redirect was making the entries happen on visit. Interestingly, I still don't have Java installed.

 

I cleaned up the entries again, did the reboot/run tests again, and it's still fine.

 

So I think that's the last of it! I guess it's on to whatever final checks and cleanup that you want me to do, and then I can quit bothering you! :-)

 

Jim


Edited by Jim Dearden, 29 May 2014 - 05:39 AM.

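The fix above came from inspecting one shortcut by hand: a URL had been appended to the Arguments field of the Internet Explorer shortcut, so every launch opened that site regardless of the homepage setting. The PowerShell below is an added example, not from the thread and not the Shortcut Cleaner tool mentioned later: it reads every .lnk under the usual shortcut locations through the WScript.Shell COM object, reports browser shortcuts whose Arguments field carries a URL, and blanks that field only when run with -Clear. The folder list and browser list are my assumptions and can be extended.

```powershell
# Added example (not from the thread): find browser shortcuts whose Arguments field
# carries a URL, the pattern found on this machine:
#   "C:\Program Files\Internet Explorer\iexplore.exe" http://www(dot)yaimo(dot)com
# Reports only by default; -Clear blanks the Arguments field of each flagged shortcut.
function Find-HijackedBrowserShortcut {
    param(
        # Assumed locations: user and public desktops, Quick Launch (includes the
        # taskbar's User Pinned\TaskBar folder), user and all-users Start Menus.
        [string[]]$Root = @(
            [Environment]::GetFolderPath('Desktop'),
            [Environment]::GetFolderPath('CommonDesktopDirectory'),
            "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch",
            [Environment]::GetFolderPath('StartMenu'),
            [Environment]::GetFolderPath('CommonStartMenu')
        ),
        [switch]$Clear
    )

    # Assumed browser list; add others the machine actually has.
    $browsers = 'iexplore.exe', 'firefox.exe', 'chrome.exe', 'msedge.exe'
    $shell = New-Object -ComObject WScript.Shell

    Get-ChildItem -Path $Root -Filter *.lnk -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $exe = ([string][System.IO.Path]::GetFileName($lnk.TargetPath)).ToLower()
        # A stock browser shortcut has an empty Arguments field; a URL there is
        # passed to the browser on every launch and overrides the configured homepage.
        if ($browsers -contains $exe -and $lnk.Arguments -match '(?i)(https?://|www\.)') {
            $report = [pscustomobject]@{
                Shortcut  = $_.FullName
                Target    = $lnk.TargetPath
                Arguments = $lnk.Arguments
                Cleared   = $false
            }
            if ($Clear) {
                $lnk.Arguments = ''
                $lnk.Save()
                $report.Cleared = $true
            }
            $report
        }
    }
}

# Report first; review the output before re-running with -Clear.
Find-HijackedBrowserShortcut | Format-Table -AutoSize
```

Run it from an elevated prompt so the all-users Start Menu and public desktop can be written when -Clear is used, and sign out or restart Explorer afterwards so pinned taskbar items pick up the change. Clearing only the Arguments field keeps the shortcut's target, icon and working directory intact, which is all the manual fix in this thread did.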

#54 zep516 (Trusted Helper, Malware Removal, 6,804 posts)
Jim,

> I did some Google searches and found a hint on a Spanish website.

Do you have that link for the website? I kept getting dead ends and no real hints.

There was no bother, this was a great experience working with you. I would not have located the issue without you, so now I can add to my toolbox.

http://www.bleepingc...ortcut-cleaner/
Just for interest, the link above is a tool we sometimes use, called Shortcut Cleaner.

I'll give you some instructions a bit later so we can remove the tools we used and close the thread.

Thanks
Joe

#55 Jim Dearden (Member, Topic Starter, 37 posts)

> Jim,
>
> I did some Google searches and found a hint on a Spanish website.
>
> Do you have that link for the website? I kept getting dead ends and no real hints.
>
> There was no bother, this was a great experience working with you. I would not have located the issue without you, so now I can add to my toolbox.
>
> http://www.bleepingc...ortcut-cleaner/
> Just for interest, the link above is a tool we sometimes use, called Shortcut Cleaner.
>
> I'll give you some instructions a bit later so we can remove the tools we used and close the thread.
>
> Thanks
> Joe

 

 

Hi Joe, it was a great learning experience for me as well. I'm thinking of registering for training once the ticket is closed. It would be great to do this on my own, as well as help others on the site.

 

Here is the Spanish page, through Google Translate:

 

http://translate.goo...tXQ#post2215228

 

Long one, hope it works!

 

Do you think it would be worth running the shortcut cleaner as well?

 

Jim


Edited by Jim Dearden, 29 May 2014 - 06:53 PM.



#56 zep516 (Trusted Helper, Malware Removal, 6,804 posts)
No, don't run any more tools. As long as it's fixed, there's no need to run tools for the sake of running them...

I was going to ask you about joining the team; I think you would be good at it.


Next

Since your log reports are clean and free of malware, let's clean up after ourselves.


OTL Clean-Up

Right click on the OTL icon on your desktop and choose Run as administrator to open the main window.

Next click on the CleanUp button.

Once clean up is complete you will be prompted to reboot your computer. Please do so.

This will remove most of the programs we have used including itself.


Next

Double-click on AdwCleaner.exe to run the tool again.
  • Click on the Uninstall button.
  • Click Yes when asked are you sure you want to uninstall.
  • Both AdwCleaner.exe, its folder and all logs will be removed.
Right click on the JRT Icon and select delete.
If there are any left over tools or logs on your computer please delete them now.

Next

Clear Restore Points

Go Start > All Programs > Accessories > System Tools
Right click Disk Cleanup and select Run as administrator
When it pops up, select OK at the first prompt; after it has done some calculations the tabs will appear
Select the More Options tab
Press the System Restore and Shadow Copies Clean up button


You usually get infected because your security settings are too low.

Here are a number of recommendations that will help tighten them, and which will contribute to making you a less likely victim:

Safe Computing Practices please read Here

Thanks
Joe :)

#57 Jim Dearden (Member, Topic Starter, 37 posts)

Hi Joe,

 

All the cleanups are done, and everything is still working fine. I'm going to take the safe practices link above and print it up for the lady who owns the computer. Hopefully that will keep it clean for a while...

 

Thanks for all the help!

 

Jim



#58 zep516 (Trusted Helper, Malware Removal, 6,804 posts)

Great!

 

She needs to read that. Watch what she downloads and where from. I'll leave the thread open for a while just in case.

 

Jim, great working with you.

 

Joe :)







