hijacked internet explorer: .dll file only appears in windows explorer, does not exist with command prompt

Posted on 2004-04-18
Medium Priority
Last Modified: 2010-04-13
This is TREMENDOUSLY annoying.  My IE start page is normally set to blank.  Around the end of march, I got infected somehow and now I get this "search page" coming up.   In the source appears something like "res://" followed by a %-escaped ascii (as in how %20 is space) URL which i have not bothered to figure out as yet.  

I ran CWSshredder (http://www.spywareinfo.com/~merijn/cwschronicles.html) which picked up 6 changes to IE pages or something like that.  But that does not fix the IE start page until I delete this  randomly lettered dll that keeps appearing in c:\WINNT\system32.   It does not pick up anything else.   After I run the shredder and then delete this file (via the command prompt since it seems to be loaded with any exlporer shell) things are fine for about a day.  Then, randomnly, the dll changes and the start page gets hijacked again.  I don't even have to be running IE (I normally use mozilla).   Run throught the CWSshredder/dll delete ritual and all is fine until the next time the start page gets hijacked.

Now here is the crucially annoying thing.  When I look at my system32 folder in windows explorer, I see a dll called "d3djfjm.dll" of 21KB.  I cannot see this file in either the command prompt or any file listbox from any other application.  And when I try and delete it from explorer, it cannot be deleted because it is being "used by windows".   I even tried opening it up in a text editor and when I do, the editor comes up blank with an indication that it is "editing a new file".  


I see not option beyond a format and re-install and I really want to avoid doing that.  

Two questions:
How do I get rid of this damn thing without reinstalling?

What do I have to patch to keep it from happening again?  (CWSShredder suggests that it is the "byte-verifier bug" in the JVM but I can neither download the patch from microsoft due to it not being available, nor can I disable the JVM since all the methods I've found do not seem to work)

Question by:mcdunna77
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
LVL 16

Accepted Solution

JamesDS earned 1000 total points
ID: 10857083

Thereason you can't delete the file is beacuse there is a nasty little process running that is keeping the file open and unavailable for removal. If you find and stop the process you will be able to delete the file, but it will then be re-downloaded the next time you start explorer or logon


Try this little lot to solve it permanently (courtesy of LucF):




Keylogger Hunter


X-Cleaner Free






Author Comment

ID: 10857212
I was too lazy to post all of those before, but I already tried every single one of them.

 And, although obviously there is a process using that dll, that does not explain why the dll is only visible in explorer and not at the cmd prompt.  Even if i boot into safe mode it is not there.  

When I use "process explorer" (http://www.sysinternals.com/ntw2k/freeware/procexp.shtml), the invisible dll does not come up as being used. So I would not know what process to kill anyway.  This invisible dll may not even be the issue, but it seems mightly suspicious to me, especially since its creation date is about when this problem started to happen.  (When the other dll magically appears, that one is being used by explorer)

thanks anyway!


Expert Comment

ID: 10862412
have you run any virus scans lately on your computer with the lates virus definitions? I would recommend doing that. Also, try downloading AdAware and Spybot S&D and see if they bring up anything else that CSShredder did not.

Author Comment

ID: 10865574
the damn thing has come back again.  Here is the source of the page hijacking my ie start page (which should be blank)  (snipped out some of the repetitive stuff in the middle)

<base href="res://%43%3a%5c%57%49%4e%4e%54%5c%73%79%73%74%65%6d%33%32%5c%68%65%67%68%2e%64%6c%6c/"><HTML>

** misc HTML  snipped**

function $Bx(){
  alert("Please specify something to search for!");
function go(text) { formWeb.ww.value=text; $Bx(); }
function box(text)
 document.write('<tr><td width="123" class="x" align="left" height="12" bgcolor="#EEEEEE" valign="top"><p style="margin-left:5;margin-right:5"><a class="splink" href=\'javascript:go("'+text+'")\' target="_top">'+text+'</a></p></td></tr>');
** misc HTML  snipped**

box('Air Travel');
box('Auto Insurance');
box('Black Jack');
*** more "box(...)" stuff snipped ***

** misc HTML  snipped**

<form id=formWeb style="FLOAT: left" action="http://searchx.cc/search.php" method="get">
<input type=hidden name="pin" value="2">
** misc formatting snipped**

 &nbsp;<input onclick="$Bx();return null;" type="image" SRC="go.gif"

** misc HTML  snipped**

 <A href="javascript:go('art')"><font class=head>Art</font></A><br>
 <A href="javascript:go('books')">Books</A><BR>
 <A href="javascript:go('directv')">DirecTV</A><BR>
 <A href="javascript:go('ebooks')">EBooks</A><BR>
 <A href="javascript:go('fine art')">Fine Art</A><BR>
 <A href="javascript:go('movies')">Movies</A><BR>
 <A href="javascript:go('music')">Music</A><BR>

****** bunch of similiar links snipped******

** misc HTML  snipped**

Author Comment

ID: 10865719
found the answer!  I still do not know how that damn dll was made invisible.  CWSshredder did not work, but the creator gave instructions on how to remove this particular beastie:


what a lot of jumping through hoops, but at least that damn magic dll is gone.


Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
This month, Experts Exchange’s free Course of the Month is focused on CompTIA IT Fundamentals.
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question