Anyone experience hijack attempts when going to Java cool site?

Discussion in 'SpywareBlaster & Other Forum' started by foderboder, Jun 25, 2004.

Thread Status:
Not open for further replies.
  1. foderboder

    foderboder Registered Member

    Jun 25, 2004
    Each time I have gone to, I get attempts to hijack my browser setting by a search page.

    The hijack installs in the registry the line:

    Search Page: res://C:\Windows\bdgmy.dll/sp.html#20635

    It took me 1 hour to figure out how to get rid of it. Even after running Ad-aware 6.0, which looks like it deletes everything, when you reboot the hijack is still present. This is because the .dll file is still activating the hijack each time.

    I was able to track it down to (windows xp home edition) windows/system32/bgdmy.dll. I renamed the .dll file bgdmydll.copy, reran Ad-aware. Then deleted the entry in the Windows registry for IE. Rebooted and was OK.

    Anyone else notice this?
  2. LowWaterMark

    LowWaterMark Administrator

    Aug 10, 2002
    New England
    Hi foderboder,

    We've actually been researching this since you first posted. So far, we've found nothing wrong at the main website or any of the download servers, but we didn't expect to either. The hijacker you are describing is one of the most current and most powerful ones out there. Once you get it on your system, it strikes at odd times, especially when you are trying to remove it.

    There's a technical posting that only just scratches the surface of this one. It's posted here (post #26):

    (Note that the dll name can vary with these infections and still be the same spyware module.) The experts are looking at better detection and prevention techniques. If you find any additional information on this, please reply and post it here. Thanks!
  3. dvk01

    dvk01 Global Moderator

    Oct 9, 2003
    Loughton, Essex. UK
    is a Japanese/Korean website with what appears to be some dodgy JavaScript embedded in it & it's distinctly possible that you might have picked up the CWS hijack from there

    As far as can be worked out, the latest versions of CWS, which you appear to have, get installed via undocumented security holes in Windows that M$ are working to fix.

    If you were trying to update SpywareBlaster or SpywareGuard to protect yourself against hijacking, then you should be going to

    Unfortunately, neither we on these forums nor Javacool Software have any control over the domain name of which sounds like it might be one of the places that is causing the infection

    All the CWS hijacks originate in Russia, but because a lot of money is involved, many previously innocent websites have unwittingly installed the code on their sites, thinking that they will be paid affiliate fees & earn a few $
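Added example, not part of any post in this thread: since the DLL name can vary between infections, this Python sketch finds `res://` browser settings by their structure and groups them by the module they load, so the file to inspect on disk is clear. It assumes report lines in the "Setting: value" form quoted in the first post; every sample line except that one is constructed, and the function names are hypothetical.

```python
import ntpath
import re

# Matches "Setting name: res://..." or "Setting name = res://..." report lines.
LINE_RE = re.compile(
    r"^\s*(?P<setting>[^:]+?)\s*[:=]\s*(?P<url>res://\S.*?)\s*$", re.IGNORECASE
)


def parse_res_url(url):
    """Split res://<module>/<resource>#<fragment>; return None if malformed."""
    if not url.lower().startswith("res://"):
        return None
    body, _, fragment = url[len("res://"):].partition("#")
    # Windows paths use backslashes, so the first forward slash ends the module.
    module, slash, resource = body.partition("/")
    if not slash or not module:
        return None
    return module, resource, fragment


def find_res_modules(lines):
    """Map each referenced module (case-normalised) to the settings that load it."""
    found = {}
    for line in lines:
        m = LINE_RE.match(line)
        parsed = parse_res_url(m.group("url")) if m else None
        if parsed is None:
            continue
        # Windows paths are case-insensitive: fold case so one DLL is one entry.
        key = ntpath.normcase(ntpath.normpath(parsed[0]))
        found.setdefault(key, []).append(m.group("setting"))
    return found


SAMPLE = [
    r"Search Page: res://C:\Windows\bdgmy.dll/sp.html#20635",  # from the first post
    r"Start Page: http://example.test/",                       # constructed, benign
    r"Search Bar: res://C:\WINDOWS\BDGMY.DLL/sp.html#20635",   # constructed
    r"Default_Search_URL = res://C:\Windows\System32\example0.dll/sp.html#1",  # constructed
]

if __name__ == "__main__":
    for module, settings in find_res_modules(SAMPLE).items():
        print(f"{ntpath.basename(module)}  ({module})  <- {', '.join(settings)}")
```

The basename is printed separately because the first post found the file in a different directory from the one named in the registry value.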