This is for Windows ME only. The fix may work similarly for other Windows OS.
Here are the steps (some may be overkill, but I think overkill is a good thing):
1. Most users have lost notepad. You can get back notepad by renaming c:\windows\notepad.exe.bak to c:\windows\notepad.exe. Note the date and time on notepad.exe.bak because that will be the same time as the offending .dll file. I also lost Microsoft Windows Media Player. You can get that back by renaming wmplayer.exe.bak to wmplayer.exe.
2. Go to the MS-DOS prompt from Start -> Programs -> Accessories -> MS-DOS Prompt. At the C:\WINDOWS prompt, type "cd system" (omit quotes), then type "dir *.dll |more" (omit quotes). Look for files that have 57,344 bytes (there are lots of them) but that were entered recently (in my case and in ideaphorian's case there was just one entered on 6/11/04 and 6/18/04 respectively). Mine was called com.dll and ideaphorian's was called kbdfnj.dll. I suspect that the file name might be random. Note that the date and time will be the same as the date and time for notepad.exe.bak. Write the file name down and exit the MS-DOS Prompt. To verify the file is the one, open My Computer -> C:\ -> Windows -> System and look for the file. If you can't find it, it is very likely that it is the culprit.
3. Take your computer offline by unplugging your modem, DSL or cable connection. Note -- make sure you have the most recent versions of CWShredder, Ad-Aware, Spybot S&D and HijackThis (see below for links) downloaded before going offline.
4. Run the latest version of CWShredder. Find Here. If you have already loaded the latest version of CWShredder, make sure it is updated.
5. Run the latest version of Ad-Aware. Find Here. If you have already loaded Ad-Aware, make sure it is updated. Click on SCAN NOW. Make sure ACTIVATE IN DEPTH SCAN is checked. Select the radiobar for USE CUSTOM SCANNING OPTIONS. Click on CUSTOMIZE. Make sure that SCAN WITHIN ARCHIVES is checked and that the two "skip" boxes are not checked. Make sure that all the boxes under MEMORY AND REGISTRY are checked. Click on the link to SELECT DRIVES AND FOLDERS. Make sure that all the drives under c:\ are checked. Run Ad-Aware and delete anything it finds. I would also delete any quarantined files.
6. Run Spybot S&D. Find Here. Fix anything it finds. Set the MODE to ADVANCED. Select TOOLS and then BROWSER PAGES. Reset any browser pages that are set to "about:blank" or "sp.html" to yahoo.com or google.com.
7. Delete the sp.html file from your Windows/Temp directory if it is there.
8. Run HijackThis and delete any entries (if they are still there) that reference C:\WINDOWS\TEMP\sp.html or HomeOldSP = about:blank.
9. Create a Windows ME startup disk, then boot up ME using the startup disk. Eventually it allows you to get to a DOS prompt. Find the .dll file that you previously identified and rename it from abcd.dll to abcd.bob (the abcd part represents the file name, which may be random; the .bob is in honor of BobO who figured this beast out). The DOS command is "ren abcd.dll abcd.bob" (omit quotes).
10. Re-boot your system (I just used the "reset" button on the front of the computer) after renaming the offending file. The computer will complain that it can't find the .dll file you renamed, but click OK and keep going.
11. Run Ad-Aware again. It will identify the renamed file (abcd.bob in our example) as CWS. Ad-Aware also found two other files, which I don't know whether they are related:
12. Delete and remove the quarantine files for anything that Ad-Aware finds.
13. Run CWShredder and Spybot for good measure.
14. Go into START -> SETTINGS -> CONTROL PANEL -> INTERNET OPTIONS -> GENERAL and delete all cookies and all files (this step is optional).
15. From CONTROL PANEL select SYSTEM, click on the PERFORMANCE tab, click on the FILE SYSTEM button and then the TROUBLESHOOTING tab. Check DISABLE SYSTEM RESTORE and then click on APPLY. Then uncheck DISABLE SYSTEM RESTORE and then click on APPLY. Click on OK and then OK again. You will be asked if you want to reboot your system now. Click on OK. Don't be concerned if the DISABLE SYSTEM RESTORE box is checked. I think that the hijacker does that to prevent you from restoring your system to a point prior to the hijacking. If the box is already checked, just uncheck the box and reboot.
Hopefully you are free of the beast!!!
Good Luck. Please post a response if it works for you so this will keep being bumped and eventually pinned.
Edited by The Fist, 01 July 2004 - 12:04 PM.