Need help with jamesgo.dll

[ryxzie]

Hello!

I have this worm from my USB flash drive which is the "jamesgo.dll". Basically, what it does is when you double-click your drive, it opens a new explorer window and MS Word.  I deleted the malicious files such as autorun.inf, test.reg, test.bat, and test.vbs in my flash drive and formatted it, but I didn't notice that my laptop was infected.  I recently updated my avast! anti-virus but it cannot detect it.  I tried the different ways that I found on the internet on removing it but still, my drive has the "Open(jamesgo.dll)" on it. :'(

I know this jamesgo.dll is not harmful, but it's really annoying. Does anyone know how to fix this problem?

Thank you very much!

[oldman]

Hi, let's see if we can find the missing files.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

• Close all other windows before proceeding.
• Double-click on dss.exe and follow the prompts.
  
• When it has finished, dss will open two Notepads main.txt and extra.txt  -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

.
You can attach the logs by using the additional options button on the reply page.

[ryxzie]

Hello! 

I attached the files that you told me.  I hope we can solve this thing. 

Thank you so much!

[oldman]

Hi, I'm off to work, but let's start with this and I will look to see if there is more to do later.

Download and run ERUNT http://www.larshederer.homepage.t-online.de/erunt/

(the download link is server1 or server2, or server3)

Start ERUNT, confirm the Welcome message.

Type in the name of a restore folder where the backed up registry
files should be saved, or click "..." to browse your computer's drives
and select a folder. You can also simply leave the default, which is a
folder named ERDNT inside your Windows folder, the advantage being
that you have access to this folder from the Windows Recovery Console
in case Windows does not boot anymore.


Next, select the backup options:

- System registry:

- Current user registy: .

- Other open user registries:

Click "OK" and wait until the backup process is complete. (Note that
depending on your system configuration this may take some time, and
that the first bar is NOT a progress bar, just an indicator that the
program is still running.) The ERDNT program for later restoration of
the registry is automatically copied to the restore folder.



REGISTRY FIX

REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c8037fc3-1da7-11dc-b2fe-806d6172696f}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c8037fc4-1da7-11dc-b2fe-806d6172696f}]

Next you will need to create the repair registry fix to do that copy and paste ALL of the above in the quote box to a notepad file.  Ensure there is no space above the REGEDIT4.
Then in notepad click FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Then in the FILE NAME box type fix.reg
make sure the box at the top is set to save in Desktop

This will create a fix.reg file on your desktop

To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.

[ryxzie]

Hi.

I did everything you said. It went well. But "jamesgo" is still there.  :'(

Thank you so much for your time. I hope I'm not bothering you that much.

[oldman]

Run DSS again, but this time have your flash drive inserted first.

From this site download querymountpoints

http://cid-32d8666f4048075b.skydrive.live.com/browse.aspx/Malware%20files

Run it with the flashdrive inserted also.

[oldman]

After you finish the above, do this. It will give us an idea of the reg keys involved.

b]1.[/b] Launch Notepad, and copy/paste the contents of the quote box below into a new Notepad file. Save it with file name options.txt and save as file type: all files to your desktop. 
 

RegSearch Options File 
 
[Search] 

jamesgo.dll


[Exclude] 
 

[Options] 
Filter=KVDLUI

 

2. Download Registry Search to your desktop.

• Right click on the compressed RegSearch folder, and choose "Extract All". In the box that pops open, click "Next", then "Next" again, and then "Finish". You now have another RegSearch folder on your desktop.
• Open the new folder, and double click on regsearch.exe
  
• Click "Import" in the lower left corner and browse to the options.txt file that you just saved on your desktop. Do not choose the one in the RegSearch folder itself.
  
• Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
• Please reply here with the entire contents of the Notepad file from RegSearch.

[ryxzie]

Hello!

I attached the regsearch file. 

Thanks!

[oldman]

That showed only one key, in search assistant, which shouldn't be a problem.

Let's treat this as if you where still infected and start at the beginning. I found what may be a sample of the test.reg so it will give us a starting point.


Open task manager and check to see if this is running, if it is use end task to stop it.

WScript.exe

Open windows explorer

At the top of windows explorer, click tools, folder options, click the
view tab

 check Show hidden files and folders
 uncheck "Hide extensions for known file types" box
 uncheck "Hide protecting operating system files" box

Click apply.

Close the box, wait about a half a minute and reopen it to make sure the settings remained as you set them.

Plug in your flash drive


Please download
 OTMoveIt2 by OldTimer.

Save it to your desktop.

Please double-click OTMoveIt2.exe to run it.


Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


c:\autorun.*
D:\autorun.*
F:\autorun.*
c:\windows\test.* /s
c:\windows\autorun.* /s
D:\test.*
F:\test.*
D:\autorun.* /s



Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.


Click the red Moveit! button.

Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

NOTE: If OTMOVEITE reboots, before you can get the ruslts they can be found here
 C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")

[ryxzie]

Hi!

These are the contents of the Results window:

[Custom Input]
< c:\autorun.* >
c:\autorun.ico moved successfully.
c:\autorun.inf moved successfully.
< D:\autorun.* >
D:\autorun.ico moved successfully.
D:\autorun.inf moved successfully.
< F:\autorun.* >
File/Folder F:\autorun.* not found.
< c:\windows\test.* /s >
File/Folder c:\windows\test.* not found.
< c:\windows\autorun.* /s >
c:\windows\system32\autorun.ico moved successfully.
c:\windows\system32\autorun.inf moved successfully.
< D:\test.* >
File/Folder D:\test.* not found.
< F:\test.* >
File/Folder F:\test.* not found.
< D:\autorun.* /s  >
D:\Program Files\HP\Digital Imaging\{A9F5421F-DA70-4C77-BB97-8D77EC33ED5E}\autorun.inf moved successfully.
 
OTMoveIt2 v1.0.19 log created on 01282008_225653

Thanks!

[jasonago]

My father's name is jamesgo....

 

[ryxzie]

Really? I think, the "jamesgo" guy here is from Iloilo, Philippines.  Just read it from some internet source. 

[oldman]

OTMOVEIT2 found the autoruns, we may have to replace one though. But first tell me if, your right click menu is correct now.

Open OTmoveit2, click the restore button, a box will appear. Thers should be 1 heading in it. Similar to c:\_OTMoveIt\MovedFiles with some numbers behind it. Click on it and a list of files should appear. Locate D:\Program Files\HP\Digital Imaging\{A9F5421F-DA70-4C77-BB97-8D77EC33ED5E}\autorun.inf , place a checkmark by it and click the RestoreIt button. DO NOT CHECKMARK ANY OTHERS Close OTMOVEIT2.

This will restore the file. In windows explorer navigate to the restored file and open the autorun.inf with notepad. Please review the contents, if it looks like this then delete the file

open=
shell\open=Open(jamesgo.dll)
shell\open\Command=WScript.exe .\test.vbs
shell\open\Default=1
shell\explore=explore(jamesgo.dll)
shell\explore\Command=WScript.exe .\test.vbs
icon = autorun.ico


Also please run DSS again and post that log so we can check the mount points. There will only be a main this time.

Thanks, there may be just a bit to do yet.

[ryxzie]

Hi!

My right click menu is correct already! yey!

I did what you told me with the autorun for HP digital imaging. Apparently, it wasn't an autorun for jamesgo so I didn't delete it.

I attached the main.txt file. 

Thanks so much!

[oldman]

That's the nice thing about using a removal tool rather than just deleying, you can always get a "oops" back. 

Everything looks good here, but let's do a search for jamesgo.dll. I should have done so the last time.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

c:\jamesgo.dll /s
D:\jamesgo.dll /s
F:\jamesgo.dll /s

Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.


Click the red Moveit! button.

Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

When you are done post back and we'll clean up.