Since June 10, someone has been distributing a browser hijack that spawns an offscreen pop up window which opens a page at datanotary.com.
The hijack is accomplished by inserting JavaScript into a Cascading Style Sheet (CSS) file, then hijacking Internet Explorer's accessibility options to force it to use that style sheet. When activated, the JavaScript makes use of an obscure and proprietary Microsoft CSS extension to create the pop up window.
The pop up windows are hidden, since the JavaScript opens them at a position 5,000 pixels from the top and 5,000 pixels from the right of the screen (most monitors display only 768 pixels from top to bottom). It is unclear whether the window was intentionally placed offscreen, or if the malware author simply made a typo.
The extension is invoked, and the pop up window created, when the victim begins to type into a form on a web page. Creating the window offscreen slows the computer down quite visibly. This is, in fact, how the hijack was discovered: hundreds of people were posting questions on message boards around the world asking for help with a mysterious slowdown while typing.
A user at the SWI support forums noticed that his browser was set to use a custom stylesheet. After resetting that option to not use the style sheet, his slow typing problem disappeared.
Examination of the file found a JavaScript expression where CSS should have been. Converting the expression into human-readable text revealed a script that opens a hidden pop up window to datanotary.com.
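The kind of check described above can be automated. The following is an added example, not code from the original article: it flags script-bearing constructs in a style sheet, assuming the proprietary extension is Internet Explorer's expression() dynamic-property syntax and that keywords may be hidden with CSS comments or backslash escapes. The sample style sheets and the placeholderCall name are constructed for illustration.

```python
import re
import sys

# Constructs that let a style sheet run script in old Internet Explorer.
# Assumption: the extension in question is IE's expression() syntax.
SCRIPT_PATTERNS = {
    "css-expression": re.compile(r"expression\s*\(", re.I),
    "script-url": re.compile(r"(?:java|vb)script\s*:", re.I),
}

def normalize_css(text):
    """Undo two cheap ways of hiding a keyword: comments and escapes."""
    # Replace each comment with its own newlines so line numbers survive.
    text = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group().count("\n"),
                  text, flags=re.S)

    def unescape(m):
        if m.group(1):  # hex escape such as \78 (one optional space follows)
            cp = int(m.group(1), 16)
            return chr(cp) if 0 < cp <= 0x10FFFF else "\ufffd"
        return m.group(2)  # any other escaped character stands for itself

    return re.sub(r"\\(?:([0-9a-fA-F]{1,6})\s?|(.))", unescape, text,
                  flags=re.S)

def scan_stylesheet(text):
    """Return sorted (line, kind) pairs for every script construct found."""
    clean = normalize_css(text)
    findings = []
    for kind, pattern in SCRIPT_PATTERNS.items():
        for m in pattern.finditer(clean):
            findings.append((clean.count("\n", 0, m.start()) + 1, kind))
    return sorted(findings)

# Constructed samples (not the file from the incident).
SAMPLE_BENIGN = "body { font-size: 14pt; color: #000; }\n"
SAMPLE_HIJACK = (
    "/* constructed sample */\n"
    "input {\n"
    "  width: e\\78 pre/**/ssion(placeholderCall());\n"
    "  background: url(\"JavaScript:placeholderCall()\");\n"
    "}\n"
)

if __name__ == "__main__":
    # Usage: pass the path of the style sheet named in the accessibility dialog.
    for path in sys.argv[1:]:
        with open(path, encoding="latin-1") as fh:
            for line, kind in scan_stylesheet(fh.read()):
                print(f"{path}:{line}: {kind}")
```

A legitimate accessibility style sheet contains only ordinary declarations, so any finding in the configured file is worth a manual look.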
Removal Instructions
Click Tools
Click Internet Options
Click Accessibility
Uncheck "Format documents using my style sheet"
If this is checked, look at the path of the *.css file before you uncheck it. It was my.css in one case, system.css in another.
Click OK twice
Now go to the c:\Windows directory where the file is located and delete that *.css.
Reboot
This information is located at
http://www.spywareinfo.com/articles/datanotary/