CWS About:Blank & Now RESDJO.dll Trojan. Help?



#1 Black_Ice (Full Member, 6 posts)

Posted 19 July 2004 - 03:58 PM

Hey, I'm new to the community, but I've been reading the posts in this forum and it has helped but not resolved my problems. As with almost everyone else here, I've done everything to remove the CWS Trojan/Browser Hijack, but I just keep getting nailed every time I restart. So after doing everything short of giving up and re-installing, I'll see if the community here can pull together and get rid of this problem once and for all.

First off: I'm no noob, and I'm also no uber coder either.
I have a system with Win XP Pro: fully updated.
I have Norton AV 2003, patched & scanning once a day.
I have Ad-Aware 6 Build 1.81, fully updated.
I have Spybot Search & Destroy, fully updated.
I have CWShredder & HijackThis, the latest versions.
I have Filemon/Regmon/Procmon to do real-time monitoring of system events.
I use the latest version of Netscape 7.1 for my main browser, but use IE for all Windows updates and MSN checking.
I use the CyberScrub file delete tool to clean my Cookies/Temp Files/Index.dat files permanently from my system with the DOD erase setting. This prevents Norton from restoring the files.
I have the latest version of about:buster from Ducky.

My Story:
About 1-2 months ago I was browsing some websites and my Norton AV gave me a warning when I opened a web page that several "Trojan.ByteVerify" things had been downloaded from a web site. According to all the logs for Norton AV these were deleted. I made sure I deleted them out of quarantine as well. That's when the problem started. One day I fired up IE and to my surprise I saw the CWS HTML page. However, my browser still said about:blank, which is what I always have it set to. I don't like to open to any web sites. I knew this was not good and it didn't look legit. So I closed down and fired up Ad-Aware... realized I didn't have build 1.81 so I went and got that... Did a scan [in depth, like recommended from this forum] and found a ton of CWS Browser Hijack and Tracking Cookies.... Deleted all the items it found, then restarted and did it again. Thought it was gone, but then bam, it came right back. This is the version that uses "SP.html" from a random XXXXXX.dll file to load the page. Started looking around, used HijackThis & CWShredder to try and eliminate it.

Note: when running CWShredder it picks it up as "CWS.Searchx", but when it removes them they simply come back on the next reboot. Even after cleaning, starting in safe mode [virus scan, Ad-Aware scan, CWShredder] and then doing a normal boot. Still came back.....

This is when I downloaded Spybot S&D as well as other software for removing ad-ware / malware. Ran it, found the DSO Exploit... You know, the one with the W=100!=3 or something like that. Started using TeaTimer with Spybot S&D to see when the registry items were being run. The upsetting thing to me, and I know several other people, is that when I remove all this stuff and re-boot it simply comes back after 1 or 2 times. I did this several times, using CyberScrub to completely erase the suspicious XXXXX.dll files, and I also almost killed Windows because I got rid of the most suspicious files in my "system32" directory that had been created within the last 3 hrs of startup, using the tool to delete them for good in safe mode. This eliminated the problem for a while. But like all the variants it just comes right back. Finally, after running an assortment of tools, I got rid of the about:blank res://xxxx.dll/sp.html problem..... But now after this weekend it seems the latest version of Norton AV is picking up something and I cannot get rid of it.

So my about:blank problem is gone (I think), but there is still something writing an "App_Init" key to my HKLM/..../WinNT/...Windows registry key. I'll post screen shots & HijackThis logs in a new reply below.

One more thing: Panda AV software shows the exact exploit as "Startpage.FH", and I know that's what I had because I had the exact browser page, and all my pop-ups of malware & bugs humping were just as in the picture. Also, Panda's ActiveScan did not delete the problem. It just came back.

#2 Black_Ice (Full Member, 6 posts)

Posted 19 July 2004 - 04:14 PM

Ok, that's just the beginning. But before we start: Windows is fully patched, also I'm running Sun Microsystems Java & have removed the Microsoft Java VM from the system long ago.

Now when I boot up, Norton AV pops up and says I have a Trojan.Backdoor virus, "C:\Windows\System32\resdjo.dll". However, it cannot delete, copy or quarantine the file. In fact, if you browse for it under Windows you will not find it, even with show hidden & system files checked. The only way I could ever see this file was in normal mode from the command prompt. I have several screen shots. Norton AV keeps popping up with the same message and I have to click the OK or X button several times and go through the fact that it cannot delete, quarantine or copy to file. Also, I cannot delete the file in any way. It doesn't appear in Safe Mode and I cannot hook it to delete it before the system starts up like I can with the Index.dat files.

Here are the Norton AV messages:
[Three screenshots of the Norton AV alerts; images not preserved]

When searching for the file you will not find it in Windows search, but you will from the command line.

[Screenshot of the command-line listing; image not preserved]

After searching the registry I find it in the key that is not supposed to exist. I can delete this key, but it keeps coming back even without rebooting. Every process or program that is started executes this file, and Norton goes nuts. I cannot even use my PC unless I disable "Norton Auto Protect"..... hmmm, not going to do that though.

Here is the key in the registry that is the culprit; I have found no successful way to eliminate this.
[Screenshot of the registry key; image not preserved]

I do notice something: when I try to use my Cydoor or Norton Wipe program to hook the file for deletion on system reboot, it does not show it as a file but as a file within a file. I put in the path "C:\Windows\System32\resdjo.dll" and it shows the location as "C:\Windows\System32\rundll32.exe", or maybe even "C:\Windows\System32\rundll32.dll", I'm not sure which one.

I can remove the registry entry, but it comes back. Every process that starts also initiates the resdjo.dll file. I can see this from my Filemon logs.

Please Help... My HijackThis and Startup Logs will be below.

Edited by Black_Ice, 19 July 2004 - 04:16 PM.


#3 Black_Ice (Full Member, 6 posts)

Posted 19 July 2004 - 04:17 PM

Logfile of HijackThis v1.98.0
Scan saved at 8:27:49 AM, on 7/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Spybot\TeaTimer.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Documents and Settings\Michael\My Documents\My Received Files\HijackThis.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Messenger\msmsgs.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\3x4hcerl.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\3x4hcerl.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - D:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX5200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX5200" /O6 "USB001" /M "Stylus CX5200"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - D:\Program Files\Microsoft Money\System\mnyside.dll
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/ActiveX/FileXfer.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) - 
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F5F7A10-49EB-4848-AE2C-5EE3FD4BE73E}: NameServer = 205.152.132.235,205.152.144.235
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: pcl - {182D0C85-206F-4103-B4FA-DCC1FB0A0A44} - E:\Program Files\Autodesk\Inventor Professional 8\bin\HSPCLPRO10.dll

My System Startup Log File
StartupList report, 7/19/2004, 8:29:26 AM
StartupList version: 1.52
Started from : C:\Documents and Settings\Michael\My Documents\My Received Files\StartupList.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Spybot\TeaTimer.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Michael\My Documents\My Received Files\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

UpdReg = C:\WINDOWS\Updreg.exe
Jet Detection = C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
Advanced Tools Check = C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
EPSON Stylus CX5200 = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX5200" /O6 "USB001" /M "Stylus CX5200"
Logitech Utility = Logi_MwX.Exe
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
SpybotSD TeaTimer = D:\Program Files\Spybot\TeaTimer.exe


#4 Black_Ice (Full Member, 6 posts)

Posted 19 July 2004 - 05:53 PM

Update to my earlier post....

See below the image I have of my CyberScrub... It finds the Resdjo.dll as shell32.dll.
[Screenshot of CyberScrub; image not preserved]

Anyone have any ideas of what to do... Is shell32.dll a critical file... I know shell32.exe is.....

#5 Black_Ice (Full Member, 6 posts)

Posted 20 July 2004 - 01:23 AM

OMG..... I've got it fixed..... Let's hope for good this time....

This is, and I repeat, the FIX for removing the Backdoor Trojan / CWS SP.html random xxxx.dll problem.

Thanks to many in this forum, even though no one has replied to this post, for putting up the information on how to delete the impossible-to-delete file.

Information: Even though in my case my "Trojan.Backdoor" virus was identified as "RESDJO.dll", this name is randomly generated by some unknown version of CWS. It is different for many others. I saw in a post the following command:

"cacls [yourtrojan].dll /p Administrator:F"

In fact, at least on my system, which is XP:
1) You do need the space between [yourtrojan].dll & /p.
2) Make sure Administrator is spelled correctly.
3) Run this command while in normal mode, where the virus constantly makes Norton pop up information about a "Backdoor.Trojan" .dll file that cannot be quarantined, deleted or copied.

Here are the specific steps for removal and a screen shot of the actual file removal:
1) Delete any App_Init entries in your registry using regedit (maybe possible from HijackThis, but it was not in my case). Doing a search in your registry (Ctrl+F) for the [yourtrojan].dll file should bring up any keys referring to this file.... DELETE them ALL.
2) Since this .dll file cannot be seen by normal Windows search means, you need to run a special command on the file. In normal mode, NOT Safe Mode, run the following command; if this is not done specifically here YOU WILL NOT SEE THE FILE IN SAFE MODE.
Start Menu --> Run --> type "CMD" and press Enter.
Navigate to your System32 directory. In my case I simply type:
C:\Documents & Settings\Your Name>cd C:\windows\system32 <-- Press Enter
C:\Windows\System32>cacls [yourtrojan].dll /p Administrator:F <--- No quotes, and the appropriate .dll name
You should see:
Are You Sure (Y/N) Y <--- Press Y or Enter; this will change the file properties. If you do not see this you have not run the command correctly.
3) Make sure your AV & spyware detection software has the latest updates. Then immediately restart the computer into Safe Mode using the F8 key during startup.
4) Open up your CMD line editor again and navigate to C:\windows\system32 again like above.
5) Use this step to verify you can see & delete the file. In the prompt window:
c:\windows\system32>dir [yourtrojan].dll
You should be able to see your file... If you do, then type this command:
c:\windows\system32>del [yourtrojan].dll
You should simply come back to the "c:\windows\system32>" line.
6) Verify that the file is actually gone:
c:\windows\system32>dir [yourtrojan].dll
should find no file; you can even look through your whole directory, paging down as you go:
c:\windows\system32>dir /p
Press Enter and pay attention as you get close to the name of your file... You should not see it.
Here is a screen shot of my Safe Mode removal:

[Screenshot of the Safe Mode command prompt; image not preserved]

This worked for me. I did a full AV scan & ran Spybot S&D as well as Ad-Aware 6.
Booted up 2 times to verify, and so far it's been great: no SP.html and no [yourtrojan].dll detected by Norton...... I really hope this is gone. However, I do still have one thing popping up in my Spybot S&D even with fully patched Win XP:
"DSO Exploit" <--- See image below, because I think this is one of the security hacks that allow it to come back, and even after checking items and removing them they still come back.
[Screenshot of the Spybot S&D result; image not preserved]

This is what worked for me; however, I have been down a long road of trying my best to defeat this. I DISABLED all unnecessary services. I even renamed Windows Messenger "MSMMGS.exe" to another name because the process kept restarting and it's not in my SU lists anywhere; I think Windows uses this, but I know for a fact it will work for now without it. I think this Trojan used the "MSMGS" Windows Messenger service to try and talk. I disabled all Remote Connection ability as well as all Telephony Services. I saw several instances in my Event Log where certain {XXXXX8777XXXX-XXXsiis88888}-like extensions tried to start some of those disabled services.

My computer is in no way completely fixed; however, I feel that following the steps I have will wound it enough to render it no longer able to hack your system.
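The procedure above removes a DLL that every process was loading through the AppInit_DLLs value (the "App_Init" key the poster keeps finding rewritten). As an added example that is not part of this thread, the PowerShell script below audits that load point on a current Windows build: for each DLL the value names it reports whether the file is visible, its Authenticode signature and its ACL, which are the attributes the cacls and del steps act on. It assumes PowerShell is available (it was not on the poster's 2004 XP system) and that the LoadAppInit_DLLs switch exists only on Vista and later.

```powershell
# Added example: audit the AppInit_DLLs load point and report on each DLL it names.
# Values are read live from this machine; nothing is modified.

$key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$props = Get-ItemProperty -Path $key

# Vista and later only honour AppInit_DLLs when LoadAppInit_DLLs is 1.
# Windows XP (the poster's OS) has no switch, so a missing value means "loaded".
$enabled = if ($null -ne $props.LoadAppInit_DLLs) { $props.LoadAppInit_DLLs -ne 0 } else { $true }
Write-Host "AppInit_DLLs raw value : '$($props.AppInit_DLLs)'"
Write-Host "Load switch present    : $($null -ne $props.LoadAppInit_DLLs) (effective: $enabled)"

if ([string]::IsNullOrWhiteSpace($props.AppInit_DLLs)) {
    Write-Host 'No AppInit_DLLs entries: nothing is being injected through this key.'
}
else {
    # Entries are separated by spaces or commas; bare file names are resolved
    # relative to System32, which is where the poster's resdjo.dll lived.
    $entries = $props.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ }
    foreach ($entry in $entries) {
        $path = if ([IO.Path]::IsPathRooted($entry)) { $entry }
                else { Join-Path $env:SystemRoot "System32\$entry" }
        Write-Host "`n== $entry -> $path"

        if (-not (Test-Path -LiteralPath $path)) {
            # The poster could not see his file from Explorer but could from cmd.
            # A failed Test-Path proves only that this API cannot see it, not absence.
            Write-Host '   not visible to PowerShell (missing, hidden, or access denied)'
            continue
        }

        $item = Get-Item -LiteralPath $path -Force
        Write-Host ("   size {0} bytes, modified {1}" -f $item.Length, $item.LastWriteTime)

        # Legitimate system DLLs are signed; an unsigned DLL in this key deserves a look.
        $sig = Get-AuthenticodeSignature -FilePath $path
        Write-Host "   signature: $($sig.Status) $($sig.SignerCertificate.Subject)"

        # 'cacls file /p Administrator:F' in the post replaced the file's ACL outright;
        # listing the current ACL shows what blocks (or permits) deletion before you act.
        $acl = Get-Acl -LiteralPath $path
        Write-Host "   owner    : $($acl.Owner)"
        foreach ($ace in $acl.Access) {
            Write-Host ("   {0,-6} {1,-35} {2}" -f $ace.AccessControlType,
                        $ace.IdentityReference, $ace.FileSystemRights)
        }
    }
}
```

Run it from an elevated prompt before and after cleanup; an entry that reappears after you clear the value, as the poster describes, points at a process still running that rewrites it.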

#6 Black_Ice (Full Member, 6 posts)

Posted 21 July 2004 - 01:29 PM

Can someone from the community please take a look at my posts? I have got no reply and it's been about a week.

I have only blown the legs and arms off of the CWS culprit. When I restart, the App_Init is still getting written to the registry from somewhere, but not picked up by my Spybot TeaTimer.exe. CWS does not come back because I have deleted the almost-impossible-to-delete .dll file using the cacls.exe cmd line tool. However, there are still some remnants that I'm sure use the DSO exploit, because it keeps coming back in my Spybot S&D logs even after fixing.

My browsers run fine and for now SP.html does not come back.....

I think the community should come together and class-action lawsuit the CWS domain managers..... Think of all the lost time/money trying to rid this from my system.

#7 drunken_snowman (Full Member, 12 posts)

Posted 21 July 2004 - 05:54 PM

PGPhantom - Deleted incorrect advice.

Edited by PGPhantom, 21 July 2004 - 06:00 PM.


#8 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)

Posted 21 July 2004 - 05:57 PM

Please do not delete that key, under any circumstances. It is a valid registry key for the Windows help system. Drunken snowman, please check your PMs.
