Solved

hijacked internet explorer: .dll file only appears in windows explorer, does not exist with command prompt

Posted on 2004-04-18
5
180 Views
Last Modified: 2010-04-13
This is TREMENDOUSLY annoying.  My IE start page is normally set to blank.  Around the end of march, I got infected somehow and now I get this "search page" coming up.   In the source appears something like "res://" followed by a %-escaped ascii (as in how %20 is space) URL which i have not bothered to figure out as yet.  

I ran CWSshredder (http://www.spywareinfo.com/~merijn/cwschronicles.html) which picked up 6 changes to IE pages or something like that.  But that does not fix the IE start page until I delete this  randomly lettered dll that keeps appearing in c:\WINNT\system32.   It does not pick up anything else.   After I run the shredder and then delete this file (via the command prompt since it seems to be loaded with any exlporer shell) things are fine for about a day.  Then, randomnly, the dll changes and the start page gets hijacked again.  I don't even have to be running IE (I normally use mozilla).   Run throught the CWSshredder/dll delete ritual and all is fine until the next time the start page gets hijacked.

Now here is the crucially annoying thing.  When I look at my system32 folder in windows explorer, I see a dll called "d3djfjm.dll" of 21KB.  I cannot see this file in either the command prompt or any file listbox from any other application.  And when I try and delete it from explorer, it cannot be deleted because it is being "used by windows".   I even tried opening it up in a text editor and when I do, the editor comes up blank with an indication that it is "editing a new file".  

WTF??!?!

I see not option beyond a format and re-install and I really want to avoid doing that.  

Two questions:
How do I get rid of this damn thing without reinstalling?

What do I have to patch to keep it from happening again?  (CWSShredder suggests that it is the "byte-verifier bug" in the JVM but I can neither download the patch from microsoft due to it not being available, nor can I disable the JVM since all the methods I've found do not seem to work)

0
Comment
Question by:mcdunna77
  • 3
5 Comments
 
LVL 16

Accepted Solution

by:
JamesDS earned 500 total points
ID: 10857083
mcdunna77

Thereason you can't delete the file is beacuse there is a nasty little process running that is keeping the file open and unavailable for removal. If you find and stop the process you will be able to delete the file, but it will then be re-downloaded the next time you start explorer or logon

Nice!

Try this little lot to solve it permanently (courtesy of LucF):

SpyBot-S&D
http://www.webattack.com/download/dlspybot.shtml

Ad-aware
http://www.webattack.com/download/dladaware.shtml

HijackThis
http://www.webattack.com/download/dlhijackthis.shtml

Keylogger Hunter
http://www.webattack.com/download/dlklhunter.shtml

KL-Detector
http://www.webattack.com/download/dlkldetector.shtml

X-Cleaner Free
http://www.webattack.com/download/dlxcleaner.shtml

SpywareBlaster
http://www.webattack.com/download/dlspywareblaster.shtml

SpywareGuard
http://www.webattack.com/download/dlspywareguard.shtml

SpySites
http://www.webattack.com/download/dlspysites.shtml


Cheers

JamesDS
0
 

Author Comment

by:mcdunna77
ID: 10857212
I was too lazy to post all of those before, but I already tried every single one of them.

 And, although obviously there is a process using that dll, that does not explain why the dll is only visible in explorer and not at the cmd prompt.  Even if i boot into safe mode it is not there.  

When I use "process explorer" (http://www.sysinternals.com/ntw2k/freeware/procexp.shtml), the invisible dll does not come up as being used. So I would not know what process to kill anyway.  This invisible dll may not even be the issue, but it seems mightly suspicious to me, especially since its creation date is about when this problem started to happen.  (When the other dll magically appears, that one is being used by explorer)

thanks anyway!

0
 
LVL 8

Expert Comment

by:RevelationCS
ID: 10862412
have you run any virus scans lately on your computer with the lates virus definitions? I would recommend doing that. Also, try downloading AdAware and Spybot S&D and see if they bring up anything else that CSShredder did not.
0
 

Author Comment

by:mcdunna77
ID: 10865574
the damn thing has come back again.  Here is the source of the page hijacking my ie start page (which should be blank)  (snipped out some of the repetitive stuff in the middle)

<base href="res://%43%3a%5c%57%49%4e%4e%54%5c%73%79%73%74%65%6d%33%32%5c%68%65%67%68%2e%64%6c%6c/"><HTML>

** misc HTML  snipped**

<script>
function $Bx(){
 s=escape(formWeb.ww.value);
 if(s==""){
  alert("Please specify something to search for!");
  return;
 }
 formWeb.submit();
}
function go(text) { formWeb.ww.value=text; $Bx(); }
function box(text)
{
 document.write('<tr><td width="123" class="x" align="left" height="12" bgcolor="#EEEEEE" valign="top"><p style="margin-left:5;margin-right:5"><a class="splink" href=\'javascript:go("'+text+'")\' target="_top">'+text+'</a></p></td></tr>');
}
** misc HTML  snipped**

box('Air Travel');
box('Auto Insurance');
box('Betting');
box('Black Jack');
box('Books');
*** more "box(...)" stuff snipped ***

** misc HTML  snipped**

<form id=formWeb style="FLOAT: left" action="http://searchx.cc/search.php" method="get">
<input type=hidden name="pin" value="2">
** misc formatting snipped**

 &nbsp;<input onclick="$Bx();return null;" type="image" SRC="go.gif"

** misc HTML  snipped**

 <A href="javascript:go('art')"><font class=head>Art</font></A><br>
 <A href="javascript:go('books')">Books</A><BR>
 <A href="javascript:go('directv')">DirecTV</A><BR>
 <A href="javascript:go('ebooks')">EBooks</A><BR>
 <A href="javascript:go('fine art')">Fine Art</A><BR>
 <A href="javascript:go('movies')">Movies</A><BR>
 <A href="javascript:go('music')">Music</A><BR>

****** bunch of similiar links snipped******

** misc HTML  snipped**
0
 

Author Comment

by:mcdunna77
ID: 10865719
found the answer!  I still do not know how that damn dll was made invisible.  CWSshredder did not work, but the creator gave instructions on how to remove this particular beastie:

http://www.spywareinfo.com/~merijn/cwschronicles.html#realyellowpage

what a lot of jumping through hoops, but at least that damn magic dll is gone.

0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
In this article, I will show you HOW TO: Perform a Physical to Virtual (P2V) Conversion the easy way from a computer backup (image).
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now