This is TREMENDOUSLY annoying. My IE start page is normally set to blank. Around the end of march, I got infected somehow and now I get this "search page" coming up. In the source appears something like "res://" followed by a %-escaped ascii (as in how %20 is space) URL which i have not bothered to figure out as yet.
I ran CWSshredder (http://www.spywareinfo.com/~merijn/cwschronicles.html
) which picked up 6 changes to IE pages or something like that. But that does not fix the IE start page until I delete this randomly lettered dll that keeps appearing in c:\WINNT\system32. It does not pick up anything else. After I run the shredder and then delete this file (via the command prompt since it seems to be loaded with any exlporer shell) things are fine for about a day. Then, randomnly, the dll changes and the start page gets hijacked again. I don't even have to be running IE (I normally use mozilla). Run throught the CWSshredder/dll delete ritual and all is fine until the next time the start page gets hijacked.
Now here is the crucially annoying thing. When I look at my system32 folder in windows explorer, I see a dll called "d3djfjm.dll" of 21KB. I cannot see this file in either the command prompt or any file listbox from any other application. And when I try and delete it from explorer, it cannot be deleted because it is being "used by windows". I even tried opening it up in a text editor and when I do, the editor comes up blank with an indication that it is "editing a new file".
I see not option beyond a format and re-install and I really want to avoid doing that.
How do I get rid of this damn thing without reinstalling?
What do I have to patch to keep it from happening again? (CWSShredder suggests that it is the "byte-verifier bug" in the JVM but I can neither download the patch from microsoft due to it not being available, nor can I disable the JVM since all the methods I've found do not seem to work)