Malwarebytes finds pesky Trojan

The last Gearhead column wherein Gibbs discovered that his Windows XP machine was acting weirdly generated a huge amount of reader feedback and one recommendation -- using Malwarebytes Anti-Malware -- worked where many others hadn't.

In the last Gearhead column of 2008 I discussed the weird behavior of one of my desktop machines.

This machine, running Windows XP Professional SP2, insisted on launching a windowless instance of Internet Explorer 7 that was, in turn, loading Flash content that I could hear but not see. The obvious conclusion was that some kind of malware was responsible, but what was it?

I had tried a few antimalware products (PrevX CSI, AVG Anti-Spyware, and AdAware) as well as attempted to pick the system apart using SysInternals Process Explorer to find the source of the weirdness, but all to no avail.

I asked for suggestions and, wow, did y'all come through! One of the first suggestions was from reader Mike Wolfe, who wrote, "There was a really nasty virus (actually five) on a friend's computer and I was almost down to doing a complete re-image when I finally went to Microsoft Online Malware Scanning, which helped me clear the problems."

This sounded promising so I went to the Microsoft site and, of course, the service won't work with Firefox. OK, so I ran up Explorer 7, allowed it to download the scanner control and let it run . . . for hours. When I came back the next morning, the PC had crashed. So I reran the Microsoft scanner, again for hours. And the next morning the PC had crashed again. I'm thinking that this particular Microsoft technology isn't ready for prime time.

The most recommended approach was to use Malwarebytes' Anti-Malware. Reader Joel Dunn was the first to suggest this tool and described it as "a silver bullet."

So, with high hopes, I started Anti-Malware just over three and a half hours ago. So far it has examined 358,320 files and found nothing. It's late so I'll leave it running and we'll see if it has found anything in the morning.

Ta-da! It's bright and early and Anti-Malware has finished its run. The full scan took 4 hours, 8 minutes, 16 seconds to examine 483,040 objects (in memory processes as well as DLLs and other disk files) and it found one infected memory process, one infected registry data item and two infected files.

The culprit was something identified by Anti-Malware as Trojan.Agent, but here's the odd thing -- I can't find a good description of what this thing actually does. Malwarebytes doesn't provide any useful details, and other companies seem to disagree on what the Trojan does and how it works. Of course, there's no guarantee that these various antimalware vendors are referring to the same piece of code as there is no identification method or naming scheme that all antimalware vendors agree on.

According to the Malwarebytes Anti-Malware log, the "infected" files were both in C:\WINDOWS\system32\. In fact the files -- taskmagr.exe, which I had already spotted, and wmdmpmsvc.dll -- were both files that had been added to the system rather than subverted and, as far as I can tell, appear to have contained the actual Trojan code.
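As an added illustration (not part of the column or of Malwarebytes' product), here is a small Python check for the pattern just described: the Trojan's files were new additions to system32, one of them under a name one letter away from a legitimate Windows file. The baseline set and directory listing below are constructed samples; a real baseline would be generated from a clean install of the same Windows version and service pack.

```python
"""Flag files in a system directory that are not in a known-good baseline,
and point out any whose name is a near-miss of a legitimate file name
(e.g. taskmagr.exe vs taskmgr.exe). Added example, not the column's code."""
import os


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (single-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_suspect_files(listing, baseline, max_distance=1):
    """Return {unexpected_name: closest_legit_name_or_None}.

    A file absent from the baseline is always reported; if its name is within
    max_distance edits of a baseline name, that look-alike is reported too.
    """
    known = {n.lower() for n in baseline}
    suspects = {}
    for name in listing:
        lname = name.lower()
        if lname in known:
            continue
        best = min(known, key=lambda legit: edit_distance(lname, legit))
        suspects[name] = best if edit_distance(lname, best) <= max_distance else None
    return suspects


# Constructed baseline: a few genuine system32 file names, not a full inventory.
BASELINE = {"taskmgr.exe", "kernel32.dll", "user32.dll", "cmd.exe", "svchost.exe"}

# Constructed directory listing containing the two file names the scan reported.
SAMPLE_LISTING = ["taskmgr.exe", "taskmagr.exe", "kernel32.dll", "wmdmpmsvc.dll", "cmd.exe"]


def scan_directory(path, baseline=BASELINE):
    """Run the same check against a real directory, e.g. C:\\WINDOWS\\system32."""
    return find_suspect_files(os.listdir(path), baseline)


if __name__ == "__main__":
    for name, twin in find_suspect_files(SAMPLE_LISTING, BASELINE).items():
        note = f"looks like {twin}" if twin else "no baseline match"
        print(f"{name}: not in baseline ({note})")
```

The look-alike check is a triage aid only; an unexpected file with no near-miss name (like wmdmpmsvc.dll here) still needs to be investigated on its own merits.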

I allowed Anti-Malware to quarantine the "infections" and, after a reboot, the system is running much faster, even though my old problem with unusually high processor utilization caused by deferred procedure calls is back, this time running at around 15%.

I find it astounding that after all this time and with all the suggestions I've received and diagnostics I've run, the DPC issue is still unresolved. Now I'm thinking that it may never be resolved and a rebuild of the system is the only choice left.

Anyway, the bottom line is that Malwarebytes Anti-Malware looks like the answer. The tool is free but a "full" version with real-time protection, scheduled scanning and scheduled updating is available for $24.95. I'll give Anti-Malware 4 out of 5. It does the job and only the lack of a detailed explanation of what it has found stops it from getting 5 out of 5. Highly recommended all the same.


Copyright © 2009 IDG Communications, Inc.