Could You Be Infected With Hidden Trojan? continuation of DNS hijack

[BuffaloHelp 24]

This post is the continuation of my previous post DNS Hijack SearchAtHand.com Browser Result Removal but deserves its own topic.

This trojan, not new but something that's been going around the web for few years, seems to be quite strong and hard to get rid of. The reason is that it randomly changes its full file name when a weak anti-spyware attempts to remove it improperly.

I have been using Spybot Search & Destroy and Norton Anti-Virus Corporate Edition for many years and have never seen such a resilient torjan. Recently I have tried AVG Anti-Spyware but it too could not get rid of the following torjan/spyware:

Spybot Search & Destory reported as pipas.A
AVG Anti-Spyware reported as Downloader.Agent.Uj

Multiple attempts to remove this using provided programs only rendered failures. As my frustration grew larger and larger I decided to manually remove these files using REGEDIT (*note: REGEDIT should be used by those who are comfortable editing Windows Registry)

And I found something very interesting during my search. Under HKLM my Tcpip had defined NameServer to some weird IP address: 85.255.112.26. This cannot be happening, I thought. For the past 3 years I had someone's IP address as my NameServer. And who knows what's been going on while I was connecting to internet and sending information back and forth. Luckly, all my important typing/information data were on a secure connection but to think that someone had compromised my computer while I was running all these anti-programs and still my computer was infected! I wasn't too worried since I was behind 3 firewalls but still...

Anyway, so I performed registry search for "NameServer" and deleted anything that contained data with the value 85.225.*.* I then search the web for this IP address and found I wasn't the only one.

The first program to get rid of this was rmdlagentuj.exe (I would recommend this first before you do any REGEDIT). And ran another removal tool called FixWareout.exe. My reference article can be found here: http://forums.xisto.com/no_longer_exists/ I based my searches and finding to this article as my guide.

Another observation I noticed is that when rmdlagentuj.exe (stands for Remove Download Agent Uj) removed Download.Agent.Uj a trojan called Trojan.Small.fb showed up in AVG Anti-Spyware. This wasn't present in all previous scans. To remove Torjan.Small.fb I used FixWareout.exe.

These above mentioned removal programs are easy to use. You simply follow the instruction and you should be very good.

So to summarize my steps:
1) run REGEDIT to see if you have registry values that says "NameServer 85.255.*.*"
2) download and run rmdlagentuj.exe
3) download and run FixWareout.exe
4) run 2 searches and look for "cs*.exe" and "dm*.exe"
5) delete ONLY you know that it should not be existing in your computer. These are the mutating files which infected my computer. They mutate to something like csrte.exe to csren.exe each and everytime anti-spyware tried to remove it. That goes the same for dmumt.exe to dmdxg.exe (note that they start with two letters followed by random three letters as their file names) They seem to be reside currently only under WINDOWS\System32
6) empty out your recycle bin
7) run anti-spyware again
8) check your settings, such as DNS to be obtained automatically, registry is free from all known infection and searching your hard drive for any mutating files.

Hopefully you are not infected. But if you are you can post "report.txt" from running FixWareout.exe and see if we can identify which file(s) to remove.

For your convinence
download rmdlagentuj.exe http://forums.xisto.com/no_longer_exists/
download FixWareout.exe http://forums.xisto.com/no_longer_exists/

[shadowx 0]

Damn, i guess i better do a full scan when i get home and check my registry just in case. Are A/V systems able to detect this file as a threat or is it much harder to detect because of the changing filename? (im not sure exactly how A/V's work wether its by name or file contents)

[gameratheart 0]

This is very scary! Thanks for the heads up. I just checked my registry and no signs of this virus exist, so I'm relieved, but I'm definately gonna make sure people know about this. This link is going into my new signature!

Edited November 30, 2006 by gameratheart (see edit history)

[BuffaloHelp 24]

Are A/V systems able to detect this file as a threat

My Symantec Anti-Virus Corporate Edition versions 10.0.1, 10.0.2 and 10.1 were not able to pick up the presence of trojans in my computer.

or is it much harder to detect because of the changing filename? (im not sure exactly how A/V's work wether its by name or file contents)

I am not exactly sure either. But the way the virus scan is to look "into" the file(s) itself and note the pattern or the program of certains "commands" that are either known to cause malicious behavior or may cause in the future. Some are just picked up using location/filename for lesser threatening virus.

[Florisjuh 0]

Sounds pretty scary that you walked arround with such a trojan on your computer, anyway have you ever tried the program HiJackThis? It works really well in finding these kind of NameServers in your registry, but watch out, this tool is for advanced computer users only! The program basicly checks the entire registry for bad entry's and you have to manualy pick the files which should be deleted.

[shadowx 0]

The fact AV applications have a problem finding it (atleast those you mentioned) is a pain. But its good to know that they look for the code of the virus rather than a specific name etc...atleast this way the code should stay pretty much the same and therefore be easier to find. I'll scan my registry too to make sure. thanks for the warning

[Unregistered 012 0]

Thanks, I just recently got rid of a trojan on my computer a while back. But this seems like it is a lot easier. Will have to check for another one.

[BuffaloHelp 24]

have you ever tried the program HiJackThis?

I've ran Hijackthis multiple times in the past and about a week before I performed my original post task...but still found nothing under the report.
Either my computer was blocked from "reporting" the trojan found or I may have serious computer issue than I think.

Maybe it's time for complete wipe out, reformat and complete fresh install, again.

[lailai 0]

Well, if you have the virus, could you send it to me? I want to try because i am an expect.

[rayzoredge 2]

Wow. Nice topic revival. From what I understand, a Trojan simply serves as a backdoor into your system, in which an attacker has to exploit. (The Trojan Horse probably wouldn't have been as effective without any soldiers in it. ) If no one exploits this backdoor, what's the point of freaking out over a Trojan, especially if you have nothing to hide? If someone actually had their specific Trojan infect your computer, then had your computer's IP address to directly-connect with you remotely, then had an INCENTIVE to actually do anything, I can see why people would panic. However, as an everyday Joe Schmoe type of person, I don't see any immediate threat to a Trojan horse other than the annoyance/initial panic of having found one with your anti-virus/anti-malware software.Now, I'm sure that Trojans nowadays are either more advance in design or are coupled with other pieces of malicious code to perform other automated tasks, such as log keystrokes and send this data to a pre-designated server that would always be on. However, I know with Norton Antivirus 2007, this activity is monitored and if an unknown program without permissions attempts to send out data through a port, Norton or even Windows Firewall will let you know.So what's the deal?I think that the best way to deal with malicious code of any form is a simple backup and wiping (or even 0-writing, if you're that paranoid of recurring malicious code) of the medium that is infected. Most of the time, executables are more common as targets than actual information or document files that we hold more dear (pictures, music, text, spreadsheets, databases), and we can always replace programs. In my opinion, the only people, or should I say client machines, that should be worried about Trojans are the ones belonging to companies or any computer holding confidential or financial data. Consumers should worry more about annoying spyware, adware, and possibly the growing uncommon occurrence of viruses that actually destroy data.

[iGuest 3]

DNS Trojan still there after new install and reformat.Could You Be Infected With Hidden Trojan?Can anyone speak to how they were actually infected with the trojan in the first place?Also, a testament to how rilient the dns trojan is.My system was infected. Windows Update page was redirected to goole/english.Now my system has 2 drives. One with just XP/OS and a few installed games, and all of myData on a seperate drive.So, feeling the need to do a fresh install.I used and booted from the OEM CD with XP.DELETED the C Partition during the XP install, and Reformated NTFS.Finsihed the rest of the install.Booted.Went to Windows Update, so I could install SP-3...And (insert drum roll...)DENIED! back to GOOGLE. Say WHAT???No THATS! a trojan. No sure how that is possible and I am NO newbie to OS installs.So thanks to article like this I downloaded the trojan remover, It detected in as being bound toMy network cards, and removed it.Still feeling icky...I started the install OVER again, also deleted Partition and Formated NTFS again.Now my PC is minty clean :)Just thought I'd share.-reply by D. Niteshade

 

[iGuest 3]

Symantec Corporate doesnCould You Be Infected With Hidden Trojan?

I work in an environment where every computer has Symantec Corporate Edition Firewall/AV on it, and I can say from firsthand experience that the application doesn't do ANYTHING to protect against malware, trojans, spyware, keyloggers, etc.  All it does seemingly is slow down the computer's startup, give warnings every few days (5) when its definitions haven't been updated (or touched), and the firewall can't be seen by Windows on some setups causing the Security Center to warn you that there's no firewall, but testing confirms it's there.  (What good it's doing is still questionable.)

 Symantec used to make good disk utilities... Now they seem to be built to work with Windows rather than do anything on their own.  They made a good AV program at one time, too.  When my lasst subscription ran out, however, I decided not to renew.  It's not worth the money when there are cheapware/freeware solutions that do a better job.

 Sorry, Symantec, but  you lost my vote... Maybe if I were still using FAT32, or your software were better able to recover NTFS data... I'm hoping Symantec comes back as a great software company... TheyNever did me wrong, but their programs of late have been almost fancySkins for the Windows programs.  (Norton Disk Doctor, for example, runsThe EXACT same scan, takes the EXACT same time, and gives the EXACTSame output, as running the disk test from drive properties.)

 My current choices are AVG, MalwareBytes (which I'm wavering on purchasing a license for real-time protection), Spybot (although they've lost their touch), and a little program called Unlocker which allows you to delete, rename, move, etc.  files that are "in use" such as your index.Dat files. 

Hopefully this helps someone out indetermining where they want to put their money...

-reply by Jeff