Question:
I am having a problem with "yay" malware?
andrew (one of His sheep)
2007-01-10 02:33:04 UTC
I am having a problem with some kind of malware. Every time I try to use certain programs like McAfee VirusScan, a window pops up that says "yay". It also affected WinPatrol and other programs. If anyone else has had this experience and knows how to get rid of it, your help would be much appreciated.
Six answers:
Windsor
2007-01-10 02:49:02 UTC
Follow my malware removal instructions in this thread and post all the logs I ask for.

http://malwaremedic.suddenlaunch3.com/index.cgi?board=Logs&action=display&num=1135140266

Best regards,

Windsor
Richard F
2007-01-12 02:29:33 UTC
I have an update for you all from Brian on this web site.

***************** ORIGINAL POST ******************

DUH! I am having the same issues. Anytime I launch any program that touches or is touched by IE I get the [yay] window... one about every 2 seconds or 3 seconds. My bottle of Scotch is getting low so help is needed pronto.

I tried the Prevx1 approach... that failed in a grand and glorious way. All Prevx1 did was give me the path to where the culprit lay... C:\Program Files\SiteAdvisor. I deleted EVERYTHING out of there except two files where access was denied... SAService.exe and SiteAdv.dll... cannot delete those two files. Currently the [yay] issue is being held at bay, but I fear it is only a matter of time before [yay] rears its ugly, Scotch-requiring head once again.

***************** END ORIGINAL POST **********************



What Brian said to do, which I did (and it works) is this:

************* BRIAN'S POST******************



I work in IT and had a coworker come to me with this same problem. So far, Norton and McAfee aren't picking it up, so I can't say for sure that what I did to fix this solved everything, but here's what I do know:

This virus/malware seems to go after programs that are loaded up on startup (via the registry). It seeks out an exe file, makes a copy of it in a subdirectory called "bak", and replaces it with a 37 KB file that pops up a window that says "yay". This is why nothing that is running in your task manager looks suspicious - they are all filenames that are normally running on your system, just replaced with this bogus file.

To remove these files and disable the popup windows, I did a search (Start Menu -> Search -> For Files and Folders). In the file name field I typed "bak", and under More Advanced Options I chose "Folder" from the "Type of File" drop-down list.

Every result you find should be a folder named "bak"; in my case there were roughly 20 or 30 of them. Each of those holds the original copy of the exe that was infected - simply move that file to the parent directory, overwriting the 37 KB file of the same name (for example, if c:\google\bak has a file called googletalk.exe in it, move it to c:\google, overwriting the googletalk.exe in that directory).

I did this for each bak file, and after about a half dozen reboots, things still seem clean. I can't promise that there isn't some other process I haven't found yet that was creating these files in the first place, but until the AV companies add this to their definition updates, it's the best I can do. Hope this helps!

**************** END BRIAN'S POST ************************
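A defender's version of the folder walk Brian describes, written here as an added example (it is not Brian's procedure or any vendor's tool): it finds folders named "bak" whose .exe has a small, differing same-named sibling one level up, quarantines the stub for later analysis instead of deleting it, and copies the original back into place. The 40 KB size threshold and the constructed sample tree are assumptions derived from the 37 KB figure and the c:\google\bak example in the post.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

STUB_SIZE_LIMIT = 40 * 1024  # assumption: the stub in the thread is about 37 KB


def find_swapped_executables(root: str) -> list[tuple[Path, Path]]:
    """Return (stub_in_parent, original_in_bak) pairs: every folder named
    'bak' whose .exe has a small, different same-named sibling one level up."""
    hits = []
    for bak in Path(root).rglob("bak"):
        if not bak.is_dir():
            continue
        for original in bak.glob("*.exe"):
            stub = bak.parent / original.name
            if (stub.is_file() and stub.stat().st_size <= STUB_SIZE_LIMIT
                    and stub.read_bytes() != original.read_bytes()):
                hits.append((stub, original))
    return hits


def restore_originals(hits, quarantine_dir: str) -> int:
    """Move each stub to quarantine (kept for analysis, not deleted), then
    copy the original back over it. Returns the number of files restored."""
    q = Path(quarantine_dir)
    q.mkdir(parents=True, exist_ok=True)
    for stub, original in hits:
        digest = hashlib.sha256(stub.read_bytes()).hexdigest()[:12]
        shutil.move(str(stub), str(q / f"{stub.name}.{digest}.stub"))
        shutil.copy2(original, stub)
    return len(hits)


def demo() -> dict:
    """Constructed sample: <tmp>/google/bak holds the real googletalk.exe,
    <tmp>/google holds a ~36 KB stub, plus one untouched pair as a control."""
    base = Path(tempfile.mkdtemp())
    app = base / "google"
    (app / "bak").mkdir(parents=True)
    original = b"MZ" + b"\x90" * 200_000  # fake 'real' program, well over 40 KB
    (app / "bak" / "googletalk.exe").write_bytes(original)
    (app / "googletalk.exe").write_bytes(b"MZ" + b"yay" * 12_000)  # ~36 KB stub
    (app / "bak" / "untouched.exe").write_bytes(b"MZ-same")  # identical copies:
    (app / "untouched.exe").write_bytes(b"MZ-same")          # must not be flagged
    hits = find_swapped_executables(str(base))
    restored = restore_originals(hits, str(base / "quarantine"))
    ok = (app / "googletalk.exe").read_bytes() == original
    shutil.rmtree(base)
    return {"hits": len(hits), "restored": restored, "matches_original": ok}
```

Run `find_swapped_executables` alone first and review the list before calling `restore_originals`, since a legitimate installer's own "bak" folder would also match the name pattern.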
Investor 2006
2007-01-10 21:38:17 UTC
UPDATE FRI 1/12/07: I SOLVED IT! READ BELOW!



ORIGINAL MESSAGE: I'm having the same problem when I open various windows, including Internet Explorer and others. I see a couple of answers have already been given but I'm not sure who's malware removal program to trust. Is there some reliable mainstream software that will remove this?



UPDATE FRI. 1/12/07:



I'm so excited: I solved it! Here's how I did it. I have Windows XP. I went to "Start," then clicked on "Search" and clicked on "Advanced Search Options." In the box for "A word or phrase in the file" I put in one word: yay I figured that whatever this thing is, it has to have the word yay in its program somewhere.



I had to do several searches -- not sure why -- I searched both hard drives, came up with nothing other than some old documents I'd written. I also told it (in the "more advanced options" area) to search for hidden files and folders and to search all subfolders.



The first few times I tried it, nothing promising. It even seized up one time and I had to reboot. But after you do each search, it gives you an option to do the same search in another place. I just kept choosing additional places ("My Documents," "Program Files" etc.) and finally I found it!



Finally I found several temporary internet files, one of which seemed to have yay in it. I deleted it last night (I figured there couldn't be any harm from deleting a temporary internet file) and I haven't seen another Yay popup today! I also deleted another category of files that seemed useless - I forget what it was called. Something temporary and internet-related. Should have written it down.



Anyway, SUCCESS!! And I'm not a programmer. Just a lawyer who uses my computer a whole lot.



Try it and see if it works. But even I know this -- don't delete anything that might be essential to your operating system or programs you use! I think it's just a temporary internet file you're aiming for. Now that we know what the problem seems to be, maybe you can even find and delete the offending file using that menu at the top of your Internet Explorer screen -- click Tools -- then Internet Options -- then Temporary Internet Files -- then Delete. Let people know if it works!



FURTHER UPDATE: I just remembered the other thing I deleted, besides a Temporary Internet File that seemed to have the word "yay" -- I also deleted a few cookies. But I don't know if they had anything to do with the yay problem. They just came up when I did the search for the word "yay" in my whole computer.



Again, you might be able to resolve the problem more easily just by using the menu at the top of your Internet Explorer window -- "Tools," then "Internet Options" then under Temporary Internet Files click "Delete cookies" and "Delete files." If that doesn't work, you can try doing it the longer way that helped me find the offending "yay" file. Good luck and let me know if this works for you.

_____________________



FURTHER UPDATE LATE FRI. 1/12/07:



I've just read what two additional people have since posted. One recommends that you delete "bak" files. Maybe that's another approach -- I have no idea.



ALL I KNOW FOR SURE IS THAT I DELETED THE TEMPORARY INTERNET FILES THAT CONTAINED THE WORD YAY OVER A DAY AGO USING THE METHOD ABOVE AND I HAVE NOT SEEN ANOTHER YAY POP UP SINCE. I had multiple "yay" messages before my fix.



So I strongly recommend that you try simply deleting your temporary internet files and cookies. I especially recommend that you do so before you try downloading someone else's software of unknown origins and unknown safety and with no apparent relevance to the "yay" problem. (I am referring to others who have posted answers here.) Maybe that software works well for other problems but it has no track record (that anyone has mentioned anyway) of solving the yay problem.



I, on the other hand, solved my "yay" problem and it hasn't come back since! Deleting temporary internet files and cookies is perfectly safe -- Internet Explorer helps you do it quite easily. And if deleting all temporary internet files and cookies using Internet Explorer's "Tools" menu doesn't work to eliminate the yay message (HAS ANYONE TRIED THIS SIMPLE APPROACH YET?), then do what I did when I hadn't discovered the nature of the problem yet, and try searching your entire computer, including hidden files and subfolders, for any and all programs that contain the word "yay." Then look at those programs and try to figure out which is the offending program, and get rid of it if you safely can. It's logical and it worked for me.



The good news is that you already have in your hands a PROVEN solution for the "yay" problem, even if it's from a layperson. Best of all, it's a solution that involves little or no risk to your computer (no risk at all, if you simply use Internet Explorer to delete temporary internet files and cookies).



Best of luck to all.
2007-01-12 23:25:03 UTC
You have a new virus that is spreading across the internet. At present, there is no known fix for this problem, but you can sign up to receive notification when a fix becomes available here:

http://www.bestspywarereport.com/remove-yay.html

Right now, all of the anti-virus and anti-spyware vendors are scrambling to figure out what this is and how to repair it. Until a fix is released, you are pretty much going to have to live with it.

Good luck!
2007-01-14 03:33:38 UTC
"Yay" is caused by an extremely new trojan that anti-virus vendors are just beginning to get a handle on. Most anti-malware programs cannot detect it yet.

Trend Micro's Antivirus products are now detecting this trojan, which they are calling TROJ_ZONEBAC.F.

Full information about "Yay" and TROJ_ZONEBAC.F is located here:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FZONEBAC%2EF&VSect=P

The solution and the "fix" for this trojan is here:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FZONEBAC%2EF&VSect=Sn

Follow the instructions.

This solution will require the use of a Trend Micro product such as "Housecall", their free online scanner available here:

http://housecall.trendmicro.com/

And keep checking this thread at Broadband Reports for the latest news about "Yay":

http://www.dslreports.com/forum/remark,17625336

Good luck.
Secure Expert
2007-01-10 11:36:54 UTC
Hi there,

The best and easiest way to remove this infection is by installing the Free Trial of Prevx1. This will scan your PC and remove this and any other infections free of charge.

This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.