hijacked internet explorer: .dll file only appears in windows explorer, does not exist with command prompt

Posted on 2004-04-18
Last Modified: 2010-04-13
This is TREMENDOUSLY annoying.  My IE start page is normally set to blank.  Around the end of march, I got infected somehow and now I get this "search page" coming up.   In the source appears something like "res://" followed by a %-escaped ascii (as in how %20 is space) URL which i have not bothered to figure out as yet.  

I ran CWSshredder ( which picked up 6 changes to IE pages or something like that.  But that does not fix the IE start page until I delete this  randomly lettered dll that keeps appearing in c:\WINNT\system32.   It does not pick up anything else.   After I run the shredder and then delete this file (via the command prompt since it seems to be loaded with any exlporer shell) things are fine for about a day.  Then, randomnly, the dll changes and the start page gets hijacked again.  I don't even have to be running IE (I normally use mozilla).   Run throught the CWSshredder/dll delete ritual and all is fine until the next time the start page gets hijacked.

Now here is the crucially annoying thing.  When I look at my system32 folder in windows explorer, I see a dll called "d3djfjm.dll" of 21KB.  I cannot see this file in either the command prompt or any file listbox from any other application.  And when I try and delete it from explorer, it cannot be deleted because it is being "used by windows".   I even tried opening it up in a text editor and when I do, the editor comes up blank with an indication that it is "editing a new file".  


I see not option beyond a format and re-install and I really want to avoid doing that.  

Two questions:
How do I get rid of this damn thing without reinstalling?

What do I have to patch to keep it from happening again?  (CWSShredder suggests that it is the "byte-verifier bug" in the JVM but I can neither download the patch from microsoft due to it not being available, nor can I disable the JVM since all the methods I've found do not seem to work)

Question by:mcdunna77
  • 3
LVL 16

Accepted Solution

JamesDS earned 500 total points
ID: 10857083

Thereason you can't delete the file is beacuse there is a nasty little process running that is keeping the file open and unavailable for removal. If you find and stop the process you will be able to delete the file, but it will then be re-downloaded the next time you start explorer or logon


Try this little lot to solve it permanently (courtesy of LucF):




Keylogger Hunter


X-Cleaner Free






Author Comment

ID: 10857212
I was too lazy to post all of those before, but I already tried every single one of them.

 And, although obviously there is a process using that dll, that does not explain why the dll is only visible in explorer and not at the cmd prompt.  Even if i boot into safe mode it is not there.  

When I use "process explorer" (, the invisible dll does not come up as being used. So I would not know what process to kill anyway.  This invisible dll may not even be the issue, but it seems mightly suspicious to me, especially since its creation date is about when this problem started to happen.  (When the other dll magically appears, that one is being used by explorer)

thanks anyway!


Expert Comment

ID: 10862412
have you run any virus scans lately on your computer with the lates virus definitions? I would recommend doing that. Also, try downloading AdAware and Spybot S&D and see if they bring up anything else that CSShredder did not.

Author Comment

ID: 10865574
the damn thing has come back again.  Here is the source of the page hijacking my ie start page (which should be blank)  (snipped out some of the repetitive stuff in the middle)

<base href="res://%43%3a%5c%57%49%4e%4e%54%5c%73%79%73%74%65%6d%33%32%5c%68%65%67%68%2e%64%6c%6c/"><HTML>

** misc HTML  snipped**

function $Bx(){
  alert("Please specify something to search for!");
function go(text) { formWeb.ww.value=text; $Bx(); }
function box(text)
 document.write('<tr><td width="123" class="x" align="left" height="12" bgcolor="#EEEEEE" valign="top"><p style="margin-left:5;margin-right:5"><a class="splink" href=\'javascript:go("'+text+'")\' target="_top">'+text+'</a></p></td></tr>');
** misc HTML  snipped**

box('Air Travel');
box('Auto Insurance');
box('Black Jack');
*** more "box(...)" stuff snipped ***

** misc HTML  snipped**

<form id=formWeb style="FLOAT: left" action="" method="get">
<input type=hidden name="pin" value="2">
** misc formatting snipped**

 &nbsp;<input onclick="$Bx();return null;" type="image" SRC="go.gif"

** misc HTML  snipped**

 <A href="javascript:go('art')"><font class=head>Art</font></A><br>
 <A href="javascript:go('books')">Books</A><BR>
 <A href="javascript:go('directv')">DirecTV</A><BR>
 <A href="javascript:go('ebooks')">EBooks</A><BR>
 <A href="javascript:go('fine art')">Fine Art</A><BR>
 <A href="javascript:go('movies')">Movies</A><BR>
 <A href="javascript:go('music')">Music</A><BR>

****** bunch of similiar links snipped******

** misc HTML  snipped**

Author Comment

ID: 10865719
found the answer!  I still do not know how that damn dll was made invisible.  CWSshredder did not work, but the creator gave instructions on how to remove this particular beastie:

what a lot of jumping through hoops, but at least that damn magic dll is gone.


Featured Post

Courses: Start Training Online With Pros, Today

Brush up on the basics or master the advanced techniques required to earn essential industry certifications, with Courses. Enroll in a course and start learning today. Training topics range from Android App Dev to the Xen Virtualization Platform.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Preparing an email is something we should all take special care with – especially when the email is for somebody you may not know very well. The pressures of everyday working life stacked with a hectic office environment can make this a real challen…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now