This post is the continuation of my previous post DNS Hijack SearchAtHand.com Browser Result Removal but deserves its own topic.

This trojan, not new but something that's been going around the web for few years, seems to be quite strong and hard to get rid of. The reason is that it randomly changes its full file name when a weak anti-spyware attempts to remove it improperly.

I have been using Spybot Search & Destroy and Norton Anti-Virus Corporate Edition for many years and have never seen such a resilient torjan. Recently I have tried AVG Anti-Spyware but it too could not get rid of the following torjan/spyware:

Spybot Search & Destory reported as pipas.A
AVG Anti-Spyware reported as Downloader.Agent.Uj

Multiple attempts to remove this using provided programs only rendered failures. As my frustration grew larger and larger I decided to manually remove these files using REGEDIT (*note: REGEDIT should be used by those who are comfortable editing Windows Registry)

And I found something very interesting during my search. Under HKLM my Tcpip had defined NameServer to some weird IP address: 85.255.112.26. This cannot be happening, I thought. For the past 3 years I had someone's IP address as my NameServer. And who knows what's been going on while I was connecting to internet and sending information back and forth. Luckly, all my important typing/information data were on a secure connection but to think that someone had compromised my computer while I was running all these anti-programs and still my computer was infected! I wasn't too worried since I was behind 3 firewalls but still...

Anyway, so I performed registry search for "NameServer" and deleted anything that contained data with the value 85.225.*.* I then search the web for this IP address and found I wasn't the only one.

The first program to get rid of this was rmdlagentuj.exe (I would recommend this first before you do any REGEDIT). And ran another removal tool called FixWareout.exe. My reference article can be found here: http://www.webuser.co.uk/forums/showflat.p...540/an/0/page/0 I based my searches and finding to this article as my guide.

Another observation I noticed is that when rmdlagentuj.exe (stands for Remove Download Agent Uj) removed Download.Agent.Uj a trojan called Trojan.Small.fb showed up in AVG Anti-Spyware. This wasn't present in all previous scans. To remove Torjan.Small.fb I used FixWareout.exe.

These above mentioned removal programs are easy to use. You simply follow the instruction and you should be very good.

So to summarize my steps:
1) run REGEDIT to see if you have registry values that says "NameServer 85.255.*.*"
2) download and run rmdlagentuj.exe
3) download and run FixWareout.exe
4) run 2 searches and look for "cs*.exe" and "dm*.exe"
5) delete ONLY you know that it should not be existing in your computer. These are the mutating files which infected my computer. They mutate to something like csrte.exe to csren.exe each and everytime anti-spyware tried to remove it. That goes the same for dmumt.exe to dmdxg.exe (note that they start with two letters followed by random three letters as their file names) They seem to be reside currently only under WINDOWS\System32
6) empty out your recycle bin
7) run anti-spyware again
8) check your settings, such as DNS to be obtained automatically, registry is free from all known infection and searching your hard drive for any mutating files.

Hopefully you are not infected. But if you are you can post "report.txt" from running FixWareout.exe and see if we can identify which file(s) to remove.

For your convinence
download rmdlagentuj.exe http://fileserver.ewido.net/public.cgi?id=20845
download FixWareout.exe http://downloads.subratam.org/Fixwareout.exe

 

 

 

Reply

Damn, i guess i better do a full scan when i get home and check my registry just in case. Are A/V systems able to detect this file as a threat or is it much harder to detect because of the changing filename? (im not sure exactly how A/V's work wether its by name or file contents)

Reply

This is very scary! Thanks for the heads up. I just checked my registry and no signs of this virus exist, so I'm relieved, but I'm definately gonna make sure people know about this. This link is going into my new signature!

Reply

My Symantec Anti-Virus Corporate Edition versions 10.0.1, 10.0.2 and 10.1 were not able to pick up the presence of trojans in my computer.


I am not exactly sure either. But the way the virus scan is to look "into" the file(s) itself and note the pattern or the program of certains "commands" that are either known to cause malicious behavior or may cause in the future. Some are just picked up using location/filename for lesser threatening virus.

Reply

Sounds pretty scary that you walked arround with such a trojan on your computer, anyway have you ever tried the program HiJackThis? It works really well in finding these kind of NameServers in your registry, but watch out, this tool is for advanced computer users only! The program basicly checks the entire registry for bad entry's and you have to manualy pick the files which should be deleted.

Reply

The fact AV applications have a problem finding it (atleast those you mentioned) is a pain. But its good to know that they look for the code of the virus rather than a specific name etc...atleast this way the code should stay pretty much the same and therefore be easier to find.

I'll scan my registry too to make sure. thanks for the warning

Reply

Thanks, I just recently got rid of a trojan on my computer a while back. But this seems like it is a lot easier. Will have to check for another one.

Reply

I've ran Hijackthis multiple times in the past and about a week before I performed my original post task...but still found nothing under the report.

Either my computer was blocked from "reporting" the trojan found or I may have serious computer issue than I think.

Maybe it's time for complete wipe out, reformat and complete fresh install, again.

Reply

Well, if you have the virus, could you send it to me? I want to try because i am an expect.

Reply

Wow. Nice topic revival.

From what I understand, a Trojan simply serves as a backdoor into your system, in which an attacker has to exploit. (The Trojan Horse probably wouldn't have been as effective without any soldiers in it. ) If no one exploits this backdoor, what's the point of freaking out over a Trojan, especially if you have nothing to hide? If someone actually had their specific Trojan infect your computer, then had your computer's IP address to directly-connect with you remotely, then had an INCENTIVE to actually do anything, I can see why people would panic. However, as an everyday Joe Schmoe type of person, I don't see any immediate threat to a Trojan horse other than the annoyance/initial panic of having found one with your anti-virus/anti-malware software.

Now, I'm sure that Trojans nowadays are either more advance in design or are coupled with other pieces of malicious code to perform other automated tasks, such as log keystrokes and send this data to a pre-designated server that would always be on. However, I know with Norton Antivirus 2007, this activity is monitored and if an unknown program without permissions attempts to send out data through a port, Norton or even Windows Firewall will let you know.

So what's the deal?

I think that the best way to deal with malicious code of any form is a simple backup and wiping (or even 0-writing, if you're that paranoid of recurring malicious code) of the medium that is infected. Most of the time, executables are more common as targets than actual information or document files that we hold more dear (pictures, music, text, spreadsheets, databases), and we can always replace programs. In my opinion, the only people, or should I say client machines, that should be worried about Trojans are the ones belonging to companies or any computer holding confidential or financial data. Consumers should worry more about annoying spyware, adware, and possibly the growing uncommon occurrence of viruses that actually destroy data.

 

 

 

Reply