Solved

hijacked internet explorer: .dll file only appears in windows explorer, does not exist with command prompt

Posted on 2004-04-18
5
191 Views
Last Modified: 2010-04-13
This is TREMENDOUSLY annoying.  My IE start page is normally set to blank.  Around the end of march, I got infected somehow and now I get this "search page" coming up.   In the source appears something like "res://" followed by a %-escaped ascii (as in how %20 is space) URL which i have not bothered to figure out as yet.  

I ran CWSshredder (http://www.spywareinfo.com/~merijn/cwschronicles.html) which picked up 6 changes to IE pages or something like that.  But that does not fix the IE start page until I delete this  randomly lettered dll that keeps appearing in c:\WINNT\system32.   It does not pick up anything else.   After I run the shredder and then delete this file (via the command prompt since it seems to be loaded with any exlporer shell) things are fine for about a day.  Then, randomnly, the dll changes and the start page gets hijacked again.  I don't even have to be running IE (I normally use mozilla).   Run throught the CWSshredder/dll delete ritual and all is fine until the next time the start page gets hijacked.

Now here is the crucially annoying thing.  When I look at my system32 folder in windows explorer, I see a dll called "d3djfjm.dll" of 21KB.  I cannot see this file in either the command prompt or any file listbox from any other application.  And when I try and delete it from explorer, it cannot be deleted because it is being "used by windows".   I even tried opening it up in a text editor and when I do, the editor comes up blank with an indication that it is "editing a new file".  

WTF??!?!

I see not option beyond a format and re-install and I really want to avoid doing that.  

Two questions:
How do I get rid of this damn thing without reinstalling?

What do I have to patch to keep it from happening again?  (CWSShredder suggests that it is the "byte-verifier bug" in the JVM but I can neither download the patch from microsoft due to it not being available, nor can I disable the JVM since all the methods I've found do not seem to work)

0
Comment
Question by:mcdunna77
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
5 Comments
 
LVL 16

Accepted Solution

by:
JamesDS earned 500 total points
ID: 10857083
mcdunna77

Thereason you can't delete the file is beacuse there is a nasty little process running that is keeping the file open and unavailable for removal. If you find and stop the process you will be able to delete the file, but it will then be re-downloaded the next time you start explorer or logon

Nice!

Try this little lot to solve it permanently (courtesy of LucF):

SpyBot-S&D
http://www.webattack.com/download/dlspybot.shtml

Ad-aware
http://www.webattack.com/download/dladaware.shtml

HijackThis
http://www.webattack.com/download/dlhijackthis.shtml

Keylogger Hunter
http://www.webattack.com/download/dlklhunter.shtml

KL-Detector
http://www.webattack.com/download/dlkldetector.shtml

X-Cleaner Free
http://www.webattack.com/download/dlxcleaner.shtml

SpywareBlaster
http://www.webattack.com/download/dlspywareblaster.shtml

SpywareGuard
http://www.webattack.com/download/dlspywareguard.shtml

SpySites
http://www.webattack.com/download/dlspysites.shtml 


Cheers

JamesDS
0
 

Author Comment

by:mcdunna77
ID: 10857212
I was too lazy to post all of those before, but I already tried every single one of them.

 And, although obviously there is a process using that dll, that does not explain why the dll is only visible in explorer and not at the cmd prompt.  Even if i boot into safe mode it is not there.  

When I use "process explorer" (http://www.sysinternals.com/ntw2k/freeware/procexp.shtml), the invisible dll does not come up as being used. So I would not know what process to kill anyway.  This invisible dll may not even be the issue, but it seems mightly suspicious to me, especially since its creation date is about when this problem started to happen.  (When the other dll magically appears, that one is being used by explorer)

thanks anyway!

0
 
LVL 8

Expert Comment

by:RevelationCS
ID: 10862412
have you run any virus scans lately on your computer with the lates virus definitions? I would recommend doing that. Also, try downloading AdAware and Spybot S&D and see if they bring up anything else that CSShredder did not.
0
 

Author Comment

by:mcdunna77
ID: 10865574
the damn thing has come back again.  Here is the source of the page hijacking my ie start page (which should be blank)  (snipped out some of the repetitive stuff in the middle)

<base href="res://%43%3a%5c%57%49%4e%4e%54%5c%73%79%73%74%65%6d%33%32%5c%68%65%67%68%2e%64%6c%6c/"><HTML>

** misc HTML  snipped**

<script>
function $Bx(){
 s=escape(formWeb.ww.value);
 if(s==""){
  alert("Please specify something to search for!");
  return;
 }
 formWeb.submit();
}
function go(text) { formWeb.ww.value=text; $Bx(); }
function box(text)
{
 document.write('<tr><td width="123" class="x" align="left" height="12" bgcolor="#EEEEEE" valign="top"><p style="margin-left:5;margin-right:5"><a class="splink" href=\'javascript:go("'+text+'")\' target="_top">'+text+'</a></p></td></tr>');
}
** misc HTML  snipped**

box('Air Travel');
box('Auto Insurance');
box('Betting');
box('Black Jack');
box('Books');
*** more "box(...)" stuff snipped ***

** misc HTML  snipped**

<form id=formWeb style="FLOAT: left" action="http://searchx.cc/search.php" method="get">
<input type=hidden name="pin" value="2">
** misc formatting snipped**

 &nbsp;<input onclick="$Bx();return null;" type="image" SRC="go.gif"

** misc HTML  snipped**

 <A href="javascript:go('art')"><font class=head>Art</font></A><br>
 <A href="javascript:go('books')">Books</A><BR>
 <A href="javascript:go('directv')">DirecTV</A><BR>
 <A href="javascript:go('ebooks')">EBooks</A><BR>
 <A href="javascript:go('fine art')">Fine Art</A><BR>
 <A href="javascript:go('movies')">Movies</A><BR>
 <A href="javascript:go('music')">Music</A><BR>

****** bunch of similiar links snipped******

** misc HTML  snipped**
0
 

Author Comment

by:mcdunna77
ID: 10865719
found the answer!  I still do not know how that damn dll was made invisible.  CWSshredder did not work, but the creator gave instructions on how to remove this particular beastie:

http://www.spywareinfo.com/~merijn/cwschronicles.html#realyellowpage

what a lot of jumping through hoops, but at least that damn magic dll is gone.

0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
This article discusses how to implement server side field validation and display customized error messages to the client.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question