[A] Google Redirect Malware - Undocumented?

By DyerJE
May 16, 2012
  1. I am posting this info at this site as I have just spent 3 days recovering from a Google Redirect malware infection. I believe it was related to the files described below, as the redirect problem stopped whenever they were absent.

    Hitman Pro 3.6 helped me narrow down the problem, but Hitman Pro didn't recognize the file - just knew it was suspicious.

    I did online searches on the names of the suspicious file and folder found, and there were no matches via either a Google or Bing search, done on an uninfected computer. The name of the suspicious file, which Hitman Pro found in two folders, was:


    I will copy one of the scan logs below which contains the locations where the file was found. It was in Windows Live VirtualStore AND in a temp folder named nsu4C0A.tmp. Here is the Hitman Pro scan log:

    <?xml version="1.0"?>
    -<Log filesProcessed="377166" timeSpentInSecs="1060" date="2012-05-14T10:46:00" version="" scan="Normal" computer="JEN-PC">-<Item status="None" score="22.0" type="Suspicious"><File hash="7A2D997E10D9BBFAE89EB8AFFD757D0DF4749AD0D5F2912D79CDF1BCEDD9E6BA" path="C:\Users\Jen\AppData\Local\Temp\nsu4C0A.tmp\uuyysai.dll"/></Item>-<Item status="None" score="29.0" type="Suspicious"><File hash="7A2D997E10D9BBFAE89EB8AFFD757D0DF4749AD0D5F2912D79CDF1BCEDD9E6BA" path="C:\Users\Jen\AppData\Local\Windows Live\VirtualStore\uuyysai.dll"/>-<Startup><Key path="HKU\S-1-5-21-1781462666-3220004715-4167305010-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VirtualStore"/></Startup></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Jen\AppData\Roaming\Microsoft\Windows\Cookies\0370FHZ6.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Jen\AppData\Roaming\Microsoft\Windows\Cookies\0CVUJ6QO.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Jen\AppData\Roaming\Microsoft\Windows\Cookies\13BXN38B.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Jen\AppData\Roaming\Microsoft\Windows\Cookies\29CE9FYY.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Jen\AppData\Roaming\Microsoft\Windows\Cookies\3MB800FP.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Jen\AppData\Roaming\Microsoft\Windows\Cookies\53UJEO3B.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Jen\AppData\Roaming\Microsoft\Windows\Cookies\93IWGQ33.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Jen\AppData\Roaming\Microsoft\Windows\Cookies\J4OP1WHU.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Jen\AppData\Roaming\Microsoft\Windows\Cookies\KG3ZZIF3.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Jen\AppData\Roaming\Microsoft\Windows\Cookies\KX62SWD8.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Jen\AppData\Roaming\Microsoft\Windows\Cookies\L6DVXWE8.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Jen\AppData\Roaming\Microsoft\Windows\Cookies\P2SZCBBH.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Jen\AppData\Roaming\Microsoft\Windows\Cookies\S7TPQ07V.txt"/></Item>-<Item status="Deleted" score="0.0" type="Repair"><File path="C:\Users\Jen\AppData\Roaming\Microsoft\Windows\Cookies\W6BH29DX.txt"/></Item></Log>

    After Hitman Pro deleted the files, they kept coming back when I rebooted. It is important to note that even when I turned on hidden files, a search of the C: drive did not show either the uuyysai.dll file or the nsu4C0A.tmp folder when searched for by name.

    Opening IE, I would experience the Google redirect problem, run Hitman Pro, and find and delete the files again.

    After the second time I ran Hitman Pro and deleted the uuyysai.dll file, I discovered when I rebooted that the Hitman Pro software had been uninstalled. This happened two more times (I downloaded it again each time). I didn’t uninstall it.

    Finally, I disconnected from the internet and did a system restore to a point before the Google redirect problem started. I then combed the file directories manually, while still offline, just looking for things that seemed odd. I am not tech smart, so I don’t know that I found everything, but here is what I did find:

    1. The folder at this file path was empty:

    C:\Users\Jen\AppData\Local\Windows Live\VirtualStore\

    It didn’t have the uuyysai.dll file in it.

    2. This folder and the file in question were present, however:


    (Again, this was after Hitman Pro deleted the file at this location 5 times – and three times, Hitman Pro itself was then uninstalled by something.)

    Although neither the folder nor the file showed up in a search including hidden files, they were there. The folder had 565 meg of file data in it. I had already backed up my important files, so I just went ahead and deleted nsu4C0A.tmp entirely. Nothing bad happened.

    Since deleting that folder, I have been able to keep Hitman Pro installed through three reboots, and two scans have verified that the suspicious file is not present on my computer. Google is clean as a whistle. No redirect problem.

    I am posting these adventures with uuyysai.dll in such detail because I don’t see that it is mentioned anywhere else on the web. My Google redirect problem did NOT appear to come from one of the standard malware types, like TDSS. I went through the manual instructions at the website A Tech Journey and did not find any trace whatsoever of a TDSS file. The problem appears to have been related to the uuyysai.dll file, and whatever else was in the nsu4C0A.tmp folder.

    Maybe this will be useful to others who may be infected with these files. Apologies if I haven’t adhered to posting conventions exactly – my first time.
  2. Broni

    Broni Malware Annihilator Posts: 54,258   +383

    Welcome aboard [​IMG]

    Please, complete all steps listed here: http://www.suggestafix.com/index.php?showtopic=35466

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
Topic Status:
Not open for further replies.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...