This post is the continuation of my previous post DNS Hijack SearchAtHand.com Browser Result Removal but deserves its own topic.

This trojan, not new but something that's been going around the web for few years, seems to be quite strong and hard to get rid of. The reason is that it randomly changes its full file name when a weak anti-spyware attempts to remove it improperly.

I have been using Spybot Search & Destroy and Norton Anti-Virus Corporate Edition for many years and have never seen such a resilient torjan. Recently I have tried AVG Anti-Spyware but it too could not get rid of the following torjan/spyware:

Spybot Search & Destory reported as pipas.A
AVG Anti-Spyware reported as Downloader.Agent.Uj

Multiple attempts to remove this using provided programs only rendered failures. As my frustration grew larger and larger I decided to manually remove these files using REGEDIT (*note: REGEDIT should be used by those who are comfortable editing Windows Registry)

And I found something very interesting during my search. Under HKLM my Tcpip had defined NameServer to some weird IP address: 85.255.112.26. This cannot be happening, I thought. For the past 3 years I had someone's IP address as my NameServer. And who knows what's been going on while I was connecting to internet and sending information back and forth. Luckly, all my important typing/information data were on a secure connection but to think that someone had compromised my computer while I was running all these anti-programs and still my computer was infected! I wasn't too worried since I was behind 3 firewalls but still...

Anyway, so I performed registry search for "NameServer" and deleted anything that contained data with the value 85.225.*.* I then search the web for this IP address and found I wasn't the only one.

The first program to get rid of this was rmdlagentuj.exe (I would recommend this first before you do any REGEDIT). And ran another removal tool called FixWareout.exe. My reference article can be found here: http://www.webuser.co.uk/forums/showflat.p...540/an/0/page/0 I based my searches and finding to this article as my guide.

Another observation I noticed is that when rmdlagentuj.exe (stands for Remove Download Agent Uj) removed Download.Agent.Uj a trojan called Trojan.Small.fb showed up in AVG Anti-Spyware. This wasn't present in all previous scans. To remove Torjan.Small.fb I used FixWareout.exe.

These above mentioned removal programs are easy to use. You simply follow the instruction and you should be very good.

So to summarize my steps:
1) run REGEDIT to see if you have registry values that says "NameServer 85.255.*.*"
2) download and run rmdlagentuj.exe
3) download and run FixWareout.exe
4) run 2 searches and look for "cs*.exe" and "dm*.exe"
5) delete ONLY you know that it should not be existing in your computer. These are the mutating files which infected my computer. They mutate to something like csrte.exe to csren.exe each and everytime anti-spyware tried to remove it. That goes the same for dmumt.exe to dmdxg.exe (note that they start with two letters followed by random three letters as their file names) They seem to be reside currently only under WINDOWS\System32
6) empty out your recycle bin
7) run anti-spyware again
8) check your settings, such as DNS to be obtained automatically, registry is free from all known infection and searching your hard drive for any mutating files.

Hopefully you are not infected. But if you are you can post "report.txt" from running FixWareout.exe and see if we can identify which file(s) to remove.

For your convinence
download rmdlagentuj.exe http://fileserver.ewido.net/public.cgi?id=20845
download FixWareout.exe http://downloads.subratam.org/Fixwareout.exe

Damn, i guess i better do a full scan when i get home and check my registry just in case. Are A/V systems able to detect this file as a threat or is it much harder to detect because of the changing filename? (im not sure exactly how A/V's work wether its by name or file contents)

This is very scary! Thanks for the heads up. I just checked my registry and no signs of this virus exist, so I'm relieved, but I'm definately gonna make sure people know about this. This link is going into my new signature!


This post has been edited by gameratheart: Nov 30 2006, 09:07 AM

My Symantec Anti-Virus Corporate Edition versions 10.0.1, 10.0.2 and 10.1 were not able to pick up the presence of trojans in my computer.


I am not exactly sure either. But the way the virus scan is to look "into" the file(s) itself and note the pattern or the program of certains "commands" that are either known to cause malicious behavior or may cause in the future. Some are just picked up using location/filename for lesser threatening virus.

Sounds pretty scary that you walked arround with such a trojan on your computer, anyway have you ever tried the program HiJackThis? It works really well in finding these kind of NameServers in your registry, but watch out, this tool is for advanced computer users only! The program basicly checks the entire registry for bad entry's and you have to manualy pick the files which should be deleted.

The fact AV applications have a problem finding it (atleast those you mentioned) is a pain. But its good to know that they look for the code of the virus rather than a specific name etc...atleast this way the code should stay pretty much the same and therefore be easier to find.

I'll scan my registry too to make sure. thanks for the warning

Thanks, I just recently got rid of a trojan on my computer a while back. But this seems like it is a lot easier. Will have to check for another one.

I've ran Hijackthis multiple times in the past and about a week before I performed my original post task...but still found nothing under the report.

Either my computer was blocked from "reporting" the trojan found or I may have serious computer issue than I think.

Maybe it's time for complete wipe out, reformat and complete fresh install, again.

Well, if you have the virus, could you send it to me? I want to try because i am an expect.