[FONT=Arial]I am posting this info at this site as I have just spent 3 days recovering from a Google Redirect malware infection. I believe it was related to the files described below, as the redirect problem stopped whenever they were absent.[/FONT]
[FONT=Arial]Hitman Pro 3.6 helped me narrow down the problem, but Hitman Pro didn't recognize the file - just knew it was suspicious.[/FONT]
[FONT=Arial]I did online searches on the names of the suspicious file and folder found, and there were no matches via either a Google or Bing search, done on an uninfected computer. The name of the suspicious file, which Hitman Pro found in two folders, was:[/FONT]
[FONT=Arial]uuyysai.dll[/FONT]
[FONT=Arial]I will copy one of the scan logs below which contains the locations where the file was found. It was in Windows Live VirtualStore AND in a temp folder named nsu4C0A.tmp. Here is the Hitman Pro scan log:[/FONT]
[FONT=Arial]
<?xml version="1.0"?>
<Log filesProcessed="377166" timeSpentInSecs="1060" date="2012-05-14T10:46:00" version="3.6.0.156" scan="Normal" computer="JEN-PC">
  <Item status="None" score="22.0" type="Suspicious">
    <File hash="7A2D997E10D9BBFAE89EB8AFFD757D0DF4749AD0D5F2912D79CDF1BCEDD9E6BA" path="C:\Users\Jen\AppData\Local\Temp\nsu4C0A.tmp\uuyysai.dll"/>
  </Item>
  <Item status="None" score="29.0" type="Suspicious">
    <File hash="7A2D997E10D9BBFAE89EB8AFFD757D0DF4749AD0D5F2912D79CDF1BCEDD9E6BA" path="C:\Users\Jen\AppData\Local\Windows Live\VirtualStore\uuyysai.dll"/>
    <Startup>
      <Key path="HKU\S-1-5-21-1781462666-3220004715-4167305010-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VirtualStore"/>
    </Startup>
  </Item>
  <Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Jen\AppData\Roaming\Microsoft\Windows\Cookies\0370FHZ6.txt"/></Item>
  <Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Jen\AppData\Roaming\Microsoft\Windows\Cookies\0CVUJ6QO.txt"/></Item>
  <Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Jen\AppData\Roaming\Microsoft\Windows\Cookies\13BXN38B.txt"/></Item>
  <Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Jen\AppData\Roaming\Microsoft\Windows\Cookies\29CE9FYY.txt"/></Item>
  <Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Jen\AppData\Roaming\Microsoft\Windows\Cookies\3MB800FP.txt"/></Item>
  <Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Jen\AppData\Roaming\Microsoft\Windows\Cookies\53UJEO3B.txt"/></Item>
  <Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Jen\AppData\Roaming\Microsoft\Windows\Cookies\93IWGQ33.txt"/></Item>
  <Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Jen\AppData\Roaming\Microsoft\Windows\Cookies\J4OP1WHU.txt"/></Item>
  <Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Jen\AppData\Roaming\Microsoft\Windows\Cookies\KG3ZZIF3.txt"/></Item>
  <Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Jen\AppData\Roaming\Microsoft\Windows\Cookies\KX62SWD8.txt"/></Item>
  <Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Jen\AppData\Roaming\Microsoft\Windows\Cookies\L6DVXWE8.txt"/></Item>
  <Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Jen\AppData\Roaming\Microsoft\Windows\Cookies\P2SZCBBH.txt"/></Item>
  <Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Jen\AppData\Roaming\Microsoft\Windows\Cookies\S7TPQ07V.txt"/></Item>
  <Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Jen\AppData\Roaming\Microsoft\Windows\Cookies\W6BH29DX.txt"/></Item>
</Log>[/FONT]
[FONT=Arial]After Hitman Pro deleted the files, they kept coming back when I rebooted. It is important to note that even when I turned on hidden files, a search of the C: drive did not show either the uuyysai.dll file or the nsu4C0A.tmp folder when searched for by name.[/FONT]
[FONT=Arial]Opening IE, I would experience the Google redirect problem, run Hitman Pro, and find and delete the files again.[/FONT]
[FONT=Arial]After the second time I ran Hitman Pro and deleted the uuyysai.dll file, I discovered when I rebooted that the Hitman Pro software had been uninstalled. This happened two more times (I downloaded it again each time). I didn’t uninstall it.[/FONT]
[FONT=Arial]Finally, I disconnected from the internet and did a system restore to a point before the Google redirect problem started. I then combed the file directories manually, while still offline, just looking for things that seemed odd. I am not tech smart, so I don’t know that I found everything, but here is what I did find:[/FONT]
[FONT=Arial]1. The folder at this file path was empty:[/FONT]
[FONT=Arial]C:\Users\Jen\AppData\Local\Windows Live\VirtualStore\[/FONT]
[FONT=Arial]It didn’t have the uuyysai.dll file in it.[/FONT]
[FONT=Arial]2. This folder and the file in question were present, however:[/FONT]
[FONT=Arial]C:\Users\Jen\AppData\Local\Temp\nsu4C0A.tmp\uuyysai.dll[/FONT]
[FONT=Arial](Again, this was after Hitman Pro deleted the file at this location 5 times – and three times, Hitman Pro itself was then uninstalled by something.)[/FONT]
[FONT=Arial]Although neither the folder nor the file showed up in a search including hidden files, they were there. The folder had 565 MB of file data in it. I had already backed up my important files, so I just went ahead and deleted nsu4C0A.tmp entirely. Nothing bad happened.[/FONT]
[FONT=Arial]Since deleting that folder, I have been able to keep Hitman Pro installed through three reboots, and two scans have verified that the suspicious file is not present on my computer. Google is clean as a whistle. No redirect problem.[/FONT]
[FONT=Arial]I am posting these adventures with uuyysai.dll in such detail because I don’t see that it is mentioned anywhere else on the web. My Google redirect problem did NOT appear to come from one of the standard malware types, like TDSS. I went through the manual instructions at the website A Tech Journey and did not find any trace whatsoever of a TDSS file. The problem appears to have been related to the uuyysai.dll file, and whatever else was in the nsu4C0A.tmp folder.[/FONT]
[FONT=Arial]Maybe this will be useful to others who may be infected with these files. Apologies if I haven’t adhered to posting conventions exactly – my first time.[/FONT]
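As an added example (not code from the original post and not part of Hitman Pro), here is a small Python triage script for a Hitman Pro XML log like the one posted above. It parses the log, groups the Suspicious items by file hash so that one binary seen at several paths (as uuyysai.dll was) shows up as a single indicator, pulls out the Run key the second item was tied to, and can check a recovered file against the logged hash. The embedded log is a constructed excerpt that reproduces the post's two Suspicious items and one cookie Repair item; treating the 64-hex-character hash as SHA-256 is an assumption based on its length, since the log does not name the algorithm.

```python
"""Triage a Hitman Pro 3.x XML scan log: list the Suspicious items, group them by
file hash and pull out any startup (persistence) keys tied to them.

Added example: this is not code from the original post and not part of Hitman
Pro. SAMPLE_LOG is a constructed excerpt that keeps the two Suspicious items
from the post's log (same hash, paths and Run key) plus one of the cookie
Repair items. The 64-hex-digit hash is assumed to be SHA-256; that is what its
length is consistent with, not something the log states.
"""
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_LOG = r"""<?xml version="1.0"?>
<Log filesProcessed="377166" timeSpentInSecs="1060" date="2012-05-14T10:46:00" version="3.6.0.156" scan="Normal" computer="JEN-PC">
  <Item status="None" score="22.0" type="Suspicious">
    <File hash="7A2D997E10D9BBFAE89EB8AFFD757D0DF4749AD0D5F2912D79CDF1BCEDD9E6BA" path="C:\Users\Jen\AppData\Local\Temp\nsu4C0A.tmp\uuyysai.dll"/>
  </Item>
  <Item status="None" score="29.0" type="Suspicious">
    <File hash="7A2D997E10D9BBFAE89EB8AFFD757D0DF4749AD0D5F2912D79CDF1BCEDD9E6BA" path="C:\Users\Jen\AppData\Local\Windows Live\VirtualStore\uuyysai.dll"/>
    <Startup>
      <Key path="HKU\S-1-5-21-1781462666-3220004715-4167305010-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VirtualStore"/>
    </Startup>
  </Item>
  <Item status="Deleted" score="0.0" type="Repair">
    <File path="C:\Users\Jen\AppData\Roaming\Microsoft\Windows\Cookies\0370FHZ6.txt"/>
  </Item>
</Log>
"""

IOC_HASH = "7A2D997E10D9BBFAE89EB8AFFD757D0DF4749AD0D5F2912D79CDF1BCEDD9E6BA"

# Digest length -> hashlib name. A heuristic only; the log does not name its algorithm.
HASH_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}


def hash_algorithm(hexdigest):
    """Guess the hash algorithm from the hex digest length ("unknown" if none fits)."""
    return HASH_BY_LENGTH.get(len(hexdigest), "unknown")


def parse_log(xml_text):
    """Return (scan metadata, items). Each item carries its File and Startup/Key children."""
    root = ET.fromstring(xml_text)
    items = []
    for item in root.findall("Item"):
        items.append({
            "type": item.get("type"),
            "status": item.get("status"),
            "score": float(item.get("score", "0")),
            "files": [dict(f.attrib) for f in item.findall("File")],
            "startup_keys": [k.get("path") for k in item.findall("Startup/Key")],
        })
    return dict(root.attrib), items


def suspicious_by_hash(items):
    """Group Suspicious items by file hash, so one binary dropped in several
    places shows up as one indicator with several paths (as uuyysai.dll does)."""
    groups = defaultdict(lambda: {"paths": [], "startup_keys": [], "max_score": 0.0})
    for it in items:
        if it["type"] != "Suspicious":
            continue
        for f in it["files"]:
            h = f.get("hash", "").upper()
            if not h:
                continue
            g = groups[h]
            g["paths"].append(f["path"])
            g["startup_keys"].extend(it["startup_keys"])
            g["max_score"] = max(g["max_score"], it["score"])
    return dict(groups)


def run_key_entries(groups):
    r"""Return (Run value name, hash) for every startup key under a
    ...\CurrentVersion\Run key. In this log format the last path component is
    the value name (here "VirtualStore")."""
    hits = []
    for h, g in groups.items():
        for key in g["startup_keys"]:
            parts = key.split("\\")
            lowered = [p.lower() for p in parts]
            if "currentversion" in lowered and "run" in lowered:
                hits.append((parts[-1], h))
    return hits


def verify_file_hash(data, expected_hex):
    """True if `data` hashes to `expected_hex` under the algorithm its length implies.
    Use it to check whether a recovered sample is the same binary the log reported."""
    algo = hash_algorithm(expected_hex)
    if algo == "unknown":
        raise ValueError("unrecognised digest length: %d" % len(expected_hex))
    return hashlib.new(algo, data).hexdigest().upper() == expected_hex.upper()


if __name__ == "__main__":
    meta, items = parse_log(SAMPLE_LOG)
    groups = suspicious_by_hash(items)
    print("scan of %s on %s, %s files" % (meta["computer"], meta["date"], meta["filesProcessed"]))
    for h, g in groups.items():
        print("%s (%s, max score %.1f)" % (h, hash_algorithm(h), g["max_score"]))
        for p in g["paths"]:
            print("  path:", p)
        for name, _ in run_key_entries({h: g}):
            print("  persists via Run value:", name)
    # Constructed bytes, not the real DLL: demonstrates a hash mismatch.
    print("fake sample matches IOC:", verify_file_hash(b"not the real dll", IOC_HASH))
```

Point the script at a real log with `parse_log(open(path).read())`; the grouping step is what makes the two-paths, one-hash pattern in the posted log stand out immediately, and the Run value name it reports is the registry entry to look at when a deleted file keeps coming back after a reboot.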