Need help with jamesgo.dll

Hello! :slight_smile:

I have this worm from my USB flash drive which is the “jamesgo.dll”. Basically, what it does is when you double-click your drive, it opens a new explorer window and MS Word. I deleted the malicious files such as autorun.inf, test.reg, test.bat, and test.vbs in my flash drive and formatted it, but I didn’t notice that my laptop was infected. I recently updated my avast! anti-virus but it cannot detect it. I tried the different ways that I found on the internet on removing it but still, my drive has the “Open(jamesgo.dll)” on it. :cry:

I know this jamesgo.dll is not harmful, but it’s really annoying. Does anyone know how to fix this problem?

Thank you very much!

Hi, let’s see if we can find the missing files.

Please download Deckard’s System Scanner (DSS) and save it to your Desktop.
[*]Close all other windows before proceeding.
[*]Double-click on dss.exe and follow the prompts.
[*]When it has finished, dss will open two Notepads main.txt and extra.txt – please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

You can attach the logs by using the additional options button on the reply page.

Hello! :smiley:

I attached the files that you told me. I hope we can solve this thing. :slight_smile:

Thank you so much! :smiley:

Hi, I’m off to work, but let’s start with this and I will look to see if there is more to do later.

Download and run ERUNT http://www.larshederer.homepage.t-online.de/erunt/

(the download link is server1 or server2, or server3)

Start ERUNT, confirm the Welcome message.

Type in the name of a restore folder where the backed up registry
files should be saved, or click “…” to browse your computer’s drives
and select a folder. You can also simply leave the default, which is a
folder named ERDNT inside your Windows folder, the advantage being
that you have access to this folder from the Windows Recovery Console
in case Windows does not boot anymore.

Next, select the backup options:

  • System registry:

  • Current user registry:

  • Other open user registries:

Click “OK” and wait until the backup process is complete. (Note that
depending on your system configuration this may take some time, and
that the first bar is NOT a progress bar, just an indicator that the
program is still running.) The ERDNT program for later restoration of
the registry is automatically copied to the restore folder.

REGISTRY FIX

REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c8037fc3-1da7-11dc-b2fe-806d6172696f}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c8037fc4-1da7-11dc-b2fe-806d6172696f}]

Next you will need to create the repair registry fix to do that copy and paste ALL of the above in the quote box to a notepad file. Ensure there is no space above the REGEDIT4.
Then in notepad click FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Then in the FILE NAME box type fix.reg
make sure the box at the top is set to save in Desktop

This will create a fix.reg file on your desktop
http://img127.imageshack.us/img127/433/regtg8.jpg

To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.

Hi. :slight_smile:

I did everything you said. It went well. But “jamesgo” is still there. :cry:

Thank you so much for your time. I hope I’m not bothering you that much. :slight_smile:

Run DSS again, but this time have your flash drive inserted first.

From this site download querymountpoints

http://cid-32d8666f4048075b.skydrive.live.com/browse.aspx/Malware%20files

Run it with the flashdrive inserted also.

After you finish the above, do this. It will give us an idea of the reg keys involved.

1. Launch Notepad, and copy/paste the contents of the quote box below into a new Notepad file. Save it with file name options.txt and save as file type: all files to your desktop.

RegSearch Options File

[Search]

jamesgo.dll

[Exclude]

[Options]
Filter=KVDLUI

2. Download Registry Search to your desktop.
[*]Right click on the compressed RegSearch folder, and choose “Extract All”. In the box that pops open, click “Next”, then “Next” again, and then “Finish”. You now have another RegSearch folder on your desktop.
[*]Open the new folder, and double click on regsearch.exe
[*]Click “Import” in the lower left corner and browse to the options.txt file that you just saved on your desktop. Do not choose the one in the RegSearch folder itself.
[*]Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
[*]Please reply here with the entire contents of the Notepad file from RegSearch.

Hello! :slight_smile:

I attached the regsearch file. :slight_smile:

Thanks!

That showed only one key, in search assistant, which shouldn’t be a problem.

Let’s treat this as if you were still infected and start at the beginning. I found what may be a sample of the test.reg so it will give us a starting point.

Open task manager and check to see if this is running, if it is use end task to stop it.

WScript.exe

Open windows explorer

At the top of windows explorer, click tools, folder options, click the
view tab

check Show hidden files and folders
uncheck “Hide extensions for known file types” box
uncheck “Hide protected operating system files” box

Click apply.

Close the box, wait about a half a minute and reopen it to make sure the settings remained as you set them.

Plug in your flash drive

Please download
OTMoveIt2 by OldTimer.

Save it to your desktop.

Please double-click OTMoveIt2.exe to run it.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


c:\autorun.*
D:\autorun.*
F:\autorun.*
c:\windows\test.* /s
c:\windows\autorun.* /s
D:\test.*
F:\test.*
D:\autorun.* /s

Return to OTMoveIt2, right click in the “Paste List Of Files/Patterns To Search For and Move” window (under the yellow bar) and choose Paste.

Click the red Moveit! button.

Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

NOTE: If OTMoveIt2 reboots before you can get the results, they can be found here
C:\_OTMoveIt\MovedFiles\**_.log
(where “**_” is the “date_time”)

Hi!

These are the contents of the Results window:

[Custom Input]
< c:\autorun.* >
c:\autorun.ico moved successfully.
c:\autorun.inf moved successfully.
< D:\autorun.* >
D:\autorun.ico moved successfully.
D:\autorun.inf moved successfully.
< F:\autorun.* >
File/Folder F:\autorun.* not found.
< c:\windows\test.* /s >
File/Folder c:\windows\test.* not found.
< c:\windows\autorun.* /s >
c:\windows\system32\autorun.ico moved successfully.
c:\windows\system32\autorun.inf moved successfully.
< D:\test.* >
File/Folder D:\test.* not found.
< F:\test.* >
File/Folder F:\test.* not found.
< D:\autorun.* /s >
D:\Program Files\HP\Digital Imaging\{A9F5421F-DA70-4C77-BB97-8D77EC33ED5E}\autorun.inf moved successfully.

OTMoveIt2 v1.0.19 log created on 01282008_225653

Thanks!

My father’s name is jamesgo…


Really? I think, the “jamesgo” guy here is from Iloilo, Philippines. :slight_smile: Just read it from some internet source. :slight_smile:

OTMOVEIT2 found the autoruns, we may have to replace one though. But first tell me if, your right click menu is correct now.

Open OTMoveIt2, click the restore button, a box will appear. There should be 1 heading in it, similar to C:\_OTMoveIt\MovedFiles with some numbers behind it. Click on it and a list of files should appear. Locate D:\Program Files\HP\Digital Imaging\{A9F5421F-DA70-4C77-BB97-8D77EC33ED5E}\autorun.inf, place a checkmark by it and click the RestoreIt button. DO NOT CHECKMARK ANY OTHERS. Close OTMoveIt2.

This will restore the file. In windows explorer navigate to the restored file and open the autorun.inf with notepad. Please review the contents, if it looks like this then delete the file

open=
shell\open=Open(jamesgo.dll)
shell\open\Command=WScript.exe .\test.vbs
shell\open\Default=1
shell\explore=explore(jamesgo.dll)
shell\explore\Command=WScript.exe .\test.vbs
icon = autorun.ico

Also please run DSS again and post that log so we can check the mount points. There will only be a main this time.

Thanks, there may be just a bit to do yet.
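As an added example (not part of the thread, and not code from OTMoveIt2 or any other tool named here), a small Python check that parses an autorun.inf like the one quoted above and flags the shell-verb hijack, so a vendor file such as the HP Digital Imaging one can be told apart from the worm's file mechanically rather than by eye. Both sample files below are constructed for the example, and the list of script hosts is an assumption, not something the thread states.

```python
import re

# Constructed sample mirroring the worm's autorun.inf quoted in the thread
# (note: no [autorun] section header, as in the post).
MALICIOUS_AUTORUN = r"""
open=
shell\open=Open(jamesgo.dll)
shell\open\Command=WScript.exe .\test.vbs
shell\open\Default=1
shell\explore=explore(jamesgo.dll)
shell\explore\Command=WScript.exe .\test.vbs
icon = autorun.ico
"""

# Constructed sample in the style of a vendor driver CD autorun.inf (hypothetical).
BENIGN_AUTORUN = r"""[autorun]
open=setup.exe
icon=setup.exe,0
label=HP Digital Imaging
"""

# Assumed list of interpreters a legitimate vendor autorun would not launch.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe"}


def parse_autorun(text):
    """Parse INI-style key=value lines into {lowercase key: value}; tolerates a missing header."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "[")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def suspicious_findings(text):
    """Return reasons the file looks like the shell-verb hijack seen in this thread."""
    entries = parse_autorun(text)
    findings = []
    for key, value in entries.items():
        verb_cmd = re.match(r"shell\\([^\\]+)\\command$", key)   # shell\<verb>\command=...
        verb_label = re.match(r"shell\\([^\\]+)$", key)          # shell\<verb>=<menu label>
        if verb_cmd:
            exe = value.split()[0].rsplit("\\", 1)[-1].lower() if value.split() else ""
            if exe in SCRIPT_HOSTS:
                findings.append(f"{key}: runs script host {exe}")
        elif verb_label and re.search(r"\.(dll|exe|vbs|bat)\b", value, re.I):
            findings.append(f"{key}: menu label '{value}' mimics a Windows verb")
    if findings and entries.get("shell\\open\\default") == "1":
        findings.append("shell\\open\\default=1 makes the hijacked verb the double-click action")
    return findings
```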

Hi!

My right click menu is correct already! ;D yey!

I did what you told me with the autorun for HP digital imaging. Apparently, it wasn’t an autorun for jamesgo so I didn’t delete it. :slight_smile:

I attached the main.txt file. :slight_smile:

Thanks so much! ;D

That’s the nice thing about using a removal tool rather than just deleting, you can always get an “oops” back. :smiley:

Everything looks good here, but let’s do a search for jamesgo.dll. I should have done so the last time.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

c:\jamesgo.dll /s
D:\jamesgo.dll /s
F:\jamesgo.dll /s

Return to OTMoveIt2, right click in the “Paste List Of Files/Patterns To Search For and Move” window (under the yellow bar) and choose Paste.

Click the red Moveit! button.

Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

When you are done post back and we’ll clean up.

Hi!

This is it. :slight_smile:

[Custom Input]
< c:\jamesgo.dll /s >
File/Folder c:\jamesgo.dll not found.
< D:\jamesgo.dll /s >
File/Folder D:\jamesgo.dll not found.
< F:\jamesgo.dll /s >
File/Folder F:\jamesgo.dll not found.

OTMoveIt2 v1.0.19 log created on 01282008_231417

Perfect!!

Now for the best part, clean up time.

  1. Open OTMOVEIT2 then click the Clean Up button. You may get prompted by your firewall that OTMoveIt wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.

  2. Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point , click create

Remove old restore points

  • Go to Start - All Programs - Accessories - system tools. Launch the Disk Cleanup tool and let it run. When it finishes a box with tabs will appear, select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.
  3. Open an Internet Explorer (only) window and go to http://java.sun.com/javase/downloads/index.jsp > Scroll down to “Java Runtime Environment (JRE) 6 Update 4…allows end-users to run Java applications”.

Click the download button on the right.

If Information Bar pop-ups up, right-click on it and say it’s OK to display the blocked content.

You do not have to install the Java Web Start ActiveX Control

Accept the license agreement > Click on Windows (XP, Vista, etc.) Offline Installation, Multi-language and Save the file jre-6u4-windows-i586-p.exe to your desktop; do not Run it.

When the download is complete, Open Control Panel > Add/Remove Programs:

Uninstall anything that says Sun Java, Java JRE, or similar.

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <=this folder, if found. Delete any subfolders it may contain.

Do NOT delete C:\Program Files\JavaVM <=this folder, if found!

Reboot your computer.

Double-click on the saved file to install the update.

Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.

  4. Download and run this clean up utility. You can use it regularly. When it’s first run, it is in demo mode to show you what it will remove. Review it and then rerun in real mode. It is configurable.

CleanUp

  5. If you are using windows firewall, please note that it doesn’t provide outbound protection. A third party firewall will.

A discussion on free firewalls can be found here.

http://forum.avast.com/index.php?topic=30808.0

And here’s something to help prevent future autorun infections.

To help prevent future autorun infections.

Download this program, Flash Drive Disinfector by sUBs from

http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe

Plug in your usb hd

Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

This utility will do a couple of things. First it will remove any autorun.inf it finds. There shouldn’t be one on a fixed HD anyway. There is no need for such a file on any removable storage device – iPod, USB flash drive, cell phone, etc. – as you can open these drives manually.

It will create a SYSTEM protected, read-only, and perfectly harmless Autorun.inf file on any hard drive or removable storage device it finds when run. This file will not only help prevent future autorun infections, it will also deny any current Autorun infection the ability to restart.

You can do this with all of your usb devices.

Take care and keep safe.

Thank you so much for your help!! :-* ;D

You’re very welcome. You were right, there isn’t much on the complete removal of this on the internet. Now we have a solution.

Yeah. :slight_smile: Good thing, you guys are around. ;D