Skip Links

Malwarebytes finds pesky Trojan

By , Network World
January 07, 2009 12:54 PM ET
Gibbs

Network World - In the last Gearhead column of 2008 I discussed the weird behavior of one of my desktop machines.

This machine, running Windows XP Professional SP2, insisted on launching a windowless instance of Internet Explorer 7 that was, in turn, loading Flash content that I could hear but not see. The obvious conclusion was that some kind of malware was responsible, but what was it?

I had tried a few antimalware products (PrevX CSI, AVG Anti-Spyware, and AdAware) as well as attempted to pick the system apart using SysInternals Process Explorer to find the source of the weirdness, but all to no avail.

I asked for suggestions and, wow, did y'all come through! One of the first suggestions was from reader Mike Wolfe, who wrote, "There was a really nasty virus (actually five) on a friend's computer and I was almost down to doing a complete re-image when I finally went to Microsoft Online Malware Scanning, which helped me clear the problems."

This sounded promising so I went to the Microsoft site and, of course, the service won't work with Firefox. OK, so I ran up Explorer 7, allowed it to download the scanner control and let it run . . . for hours. I came back the next morning, the PC had crashed. So I reran the Microsoft scanner, again for hours. And the next morning the PC had crashed again. I'm thinking that this particular Microsoft technology isn't ready for prime time.

The most recommended approach was to use Malwarebytes' Anti-Malware. Reader Joel Dunn was the first to suggest this tool and described it as "a silver bullet."

So, with high hopes, I started Anti-Malware just over three and half hours ago. So far it has examined 358,320 files and found nothing. It's late so I'll leave it running and we'll see if it has found anything in the morning.

Ta-da! It's bright and early and Anti-Malware has finished its run. The full scan took 4 hours, 8 minutes, 16 seconds to examine 483,040 objects (in memory processes as well as DLLs and other disk files) and it found one infected memory process, one infected registry data item and two infected files.

The culprit was something identified by Anti-Malware as Trojan.Agent, but here's the odd thing -- I can't find a good description of what this thing actually does. Malwarebytes doesn't provide any useful details, and other companies seem to disagree on what the Trojan does and how it works. Of course, there's no guarantee that these various antimalware vendors are referring to the same piece of code as there is no identification method or naming scheme that all antimalware vendors agree on.

According to the Malwarebytes Anti-Malware log, the "infected" files were both in C:\WINDOWS\system32\. In fact the files -- taskmagr.exe, which I had already spotted, and wmdmpmsvc.dll -- were both files that had been added to the system rather than subverted and, as far as I can tell, appear to have contained the actual Trojan code.

I allowed Anti-Malware to quarantine the "infections" and, after a reboot, the system is running much faster, even though my old problem with unusually high processor utilization caused by deferred procedure calls is back, this time running at around 15%.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News