Solved

hijacked internet explorer: .dll file only appears in windows explorer, does not exist with command prompt

Posted on 2004-04-18
5
196 Views
Last Modified: 2010-04-13
This is TREMENDOUSLY annoying.  My IE start page is normally set to blank.  Around the end of March, I got infected somehow and now I get this "search page" coming up.   In the source appears something like "res://" followed by a %-escaped ASCII (as in how %20 is space) URL which I have not bothered to figure out as yet.  

I ran CWSshredder (http://www.spywareinfo.com/~merijn/cwschronicles.html) which picked up 6 changes to IE pages or something like that.  But that does not fix the IE start page until I delete this randomly lettered dll that keeps appearing in c:\WINNT\system32.   It does not pick up anything else.   After I run the shredder and then delete this file (via the command prompt since it seems to be loaded with any explorer shell) things are fine for about a day.  Then, randomly, the dll changes and the start page gets hijacked again.  I don't even have to be running IE (I normally use Mozilla).   Run through the CWSshredder/dll delete ritual and all is fine until the next time the start page gets hijacked.

Now here is the crucially annoying thing.  When I look at my system32 folder in windows explorer, I see a dll called "d3djfjm.dll" of 21KB.  I cannot see this file in either the command prompt or any file listbox from any other application.  And when I try and delete it from explorer, it cannot be deleted because it is being "used by windows".   I even tried opening it up in a text editor and when I do, the editor comes up blank with an indication that it is "editing a new file".  

WTF??!?!

I see no option beyond a format and re-install and I really want to avoid doing that.  

Two questions:
How do I get rid of this damn thing without reinstalling?

What do I have to patch to keep it from happening again?  (CWSShredder suggests that it is the "byte-verifier bug" in the JVM but I can neither download the patch from microsoft due to it not being available, nor can I disable the JVM since all the methods I've found do not seem to work)

0
Question by:mcdunna77
5 Comments
 
LVL 16

Accepted Solution

by:
JamesDS earned 500 total points
ID: 10857083
mcdunna77

The reason you can't delete the file is because there is a nasty little process running that is keeping the file open and unavailable for removal. If you find and stop the process you will be able to delete the file, but it will then be re-downloaded the next time you start explorer or logon

Nice!

Try this little lot to solve it permanently (courtesy of LucF):

SpyBot-S&D
http://www.webattack.com/download/dlspybot.shtml

Ad-aware
http://www.webattack.com/download/dladaware.shtml

HijackThis
http://www.webattack.com/download/dlhijackthis.shtml

Keylogger Hunter
http://www.webattack.com/download/dlklhunter.shtml

KL-Detector
http://www.webattack.com/download/dlkldetector.shtml

X-Cleaner Free
http://www.webattack.com/download/dlxcleaner.shtml

SpywareBlaster
http://www.webattack.com/download/dlspywareblaster.shtml

SpywareGuard
http://www.webattack.com/download/dlspywareguard.shtml

SpySites
http://www.webattack.com/download/dlspysites.shtml 


Cheers

JamesDS
0
 

Author Comment

by:mcdunna77
ID: 10857212
I was too lazy to post all of those before, but I already tried every single one of them.

And, although obviously there is a process using that dll, that does not explain why the dll is only visible in explorer and not at the cmd prompt.  Even if I boot into safe mode it is not there.  

When I use "process explorer" (http://www.sysinternals.com/ntw2k/freeware/procexp.shtml), the invisible dll does not come up as being used. So I would not know what process to kill anyway.  This invisible dll may not even be the issue, but it seems mighty suspicious to me, especially since its creation date is about when this problem started to happen.  (When the other dll magically appears, that one is being used by explorer)

thanks anyway!

0
 
LVL 8

Expert Comment

by:RevelationCS
ID: 10862412
Have you run any virus scans lately on your computer with the latest virus definitions? I would recommend doing that. Also, try downloading AdAware and Spybot S&D and see if they bring up anything else that CWSShredder did not.
0
 

Author Comment

by:mcdunna77
ID: 10865574
the damn thing has come back again.  Here is the source of the page hijacking my ie start page (which should be blank)  (snipped out some of the repetitive stuff in the middle)

<base href="res://%43%3a%5c%57%49%4e%4e%54%5c%73%79%73%74%65%6d%33%32%5c%68%65%67%68%2e%64%6c%6c/"><HTML>

** misc HTML  snipped**

<script>
function $Bx(){
 s=escape(formWeb.ww.value);
 if(s==""){
  alert("Please specify something to search for!");
  return;
 }
 formWeb.submit();
}
function go(text) { formWeb.ww.value=text; $Bx(); }
function box(text)
{
 document.write('<tr><td width="123" class="x" align="left" height="12" bgcolor="#EEEEEE" valign="top"><p style="margin-left:5;margin-right:5"><a class="splink" href=\'javascript:go("'+text+'")\' target="_top">'+text+'</a></p></td></tr>');
}
** misc HTML  snipped**

box('Air Travel');
box('Auto Insurance');
box('Betting');
box('Black Jack');
box('Books');
*** more "box(...)" stuff snipped ***

** misc HTML  snipped**

<form id=formWeb style="FLOAT: left" action="http://searchx.cc/search.php" method="get">
<input type=hidden name="pin" value="2">
** misc formatting snipped**

 &nbsp;<input onclick="$Bx();return null;" type="image" SRC="go.gif"

** misc HTML  snipped**

 <A href="javascript:go('art')"><font class=head>Art</font></A><br>
 <A href="javascript:go('books')">Books</A><BR>
 <A href="javascript:go('directv')">DirecTV</A><BR>
 <A href="javascript:go('ebooks')">EBooks</A><BR>
 <A href="javascript:go('fine art')">Fine Art</A><BR>
 <A href="javascript:go('movies')">Movies</A><BR>
 <A href="javascript:go('music')">Music</A><BR>

****** bunch of similiar links snipped******

** misc HTML  snipped**
0
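The opening question mentions a "res://" URL made of %-escaped ASCII that was never decoded, and the pasted page source above shows it. As an added example (not from the thread or from CWSShredder), here is a small Python triage helper that pulls every res:// href out of a captured start-page source, percent-decodes it to reveal the local DLL path the hijacker loads its HTML from, and lists the hosts the page's search forms submit to. The sample source is constructed from the base href and form tag quoted above, with the snipped HTML left out.

```python
import re
from urllib.parse import unquote, urlparse

# Constructed sample: the base href and form tag pasted in the comment above;
# everything the poster marked "snipped" is simply omitted here.
SAMPLE_SOURCE = (
    '<base href="res://%43%3a%5c%57%49%4e%4e%54%5c%73%79%73%74%65%6d%33%32'
    '%5c%68%65%67%68%2e%64%6c%6c/"><HTML>'
    '<form id=formWeb style="FLOAT: left" '
    'action="http://searchx.cc/search.php" method="get">'
)

# Any href whose scheme is res:// (case-insensitive); captures up to the quote.
RES_HREF = re.compile(r'href\s*=\s*["\']res://([^"\']+)', re.IGNORECASE)
# Every form action attribute on the page.
FORM_ACTION = re.compile(r'action\s*=\s*["\']([^"\']+)', re.IGNORECASE)


def decode_res_hrefs(source: str) -> list[str]:
    """Return the percent-decoded file path behind each res:// href.

    A res:// URL addresses a resource inside a local PE file; the segment
    before the first '/' is the file path. Hijackers percent-escape that
    path so it does not show up in a plain text search of the page source.
    """
    paths = []
    for raw in RES_HREF.findall(source):
        escaped_path = raw.split("/", 1)[0]
        paths.append(unquote(escaped_path))
    return paths


def search_hosts(source: str) -> list[str]:
    """Hosts that the page's search forms send typed queries to."""
    hosts = []
    for action in FORM_ACTION.findall(source):
        host = urlparse(action).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def triage(source: str) -> dict:
    """Summarise the indicators worth checking: DLL paths and search hosts."""
    return {"dll_paths": decode_res_hrefs(source),
            "search_hosts": search_hosts(source)}


if __name__ == "__main__":
    for key, values in triage(SAMPLE_SOURCE).items():
        print(f"{key}: {values}")
```

Run against a saved copy of the hijacked page, the decoded path tells you which file under system32 to look for (and compare against what the command prompt and Explorer each report), and the form host tells you which domain to block or watch for in proxy logs.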
 

Author Comment

by:mcdunna77
ID: 10865719
found the answer!  I still do not know how that damn dll was made invisible.  CWSshredder did not work, but the creator gave instructions on how to remove this particular beastie:

http://www.spywareinfo.com/~merijn/cwschronicles.html#realyellowpage

what a lot of jumping through hoops, but at least that damn magic dll is gone.

0
