Giving in to malware

By Mark Gibbs, Network World | Security, botnet, malware

In Gearhead last week, you could read about my attempts to get rid of some malware that had taken up residence in one of my Windows XP systems.
Following the advice of some two dozen readers who recommended I try Malwarebytes' Anti-Malware product, I was able to find and remove a Trojan, and things seemed good. The PC ran faster, a choir of angels sang when I rebooted, and cherubs cast rose petals o'er my keyboard. Alas, it was all too good to be true.

Not 24 hours after that column was submitted, my PC suddenly launched Firefox and displayed an advert. I have no idea what the ad was about. It featured a scantily clad Chinese lady and a lot of Chinese ideograms. I clicked on a link and got even more Chinese script.

Then two minutes later another window was launched. More girls, more ideograms. Then another window opened apparently selling a computer game. Then more girls. This wasn't porn, but what it was I have no idea. Altogether weird.

Prior to trying Anti-Malware I had noticed an instance of Internet Explorer was running but no browser window was open. After cleaning with Anti-Malware I suspended the IE instance and Firefox stopped opening windows. Ah-ha! Some process was getting launched in or with IE and was, in turn, requesting URLs be loaded. As my default browser is Firefox, that's where the pages appeared. Why the removal of whatever it was that Anti-Malware got rid of should make whatever malware was left run better is a complete mystery.

I ran Anti-Malware again after the system was deemed clean and then again after rebooting. I also ran it again after the popups appeared and . . . nothing. According to Anti-Malware my system is as clean as a new pin (which, I am led to believe, is pretty dang clean), but my system was still compromised.

I couldn't just give in and rebuild the PC, so I started asking around for ideas on a list I belong to. Some really clever people are on this list and, much to my surprise, almost everyone suggested I wipe the system and start again, or at the very least go back to a previous clean checkpoint (the latter assumes that the malware, which I can't find, would be absent at a previous checkpoint, but how would I know?).

Sure I could nuke and rebuild, but this was not what I wanted (enquiring minds and all of that). Alas, the majority opinion was that Windows is so complex and malware so fiendishly clever that I had little chance of finding out what was going on.

One list member, Alan Wexelblat, wrote, "The problem, in a nutshell, is that you've been owned. PWNd. Taken to the cleaners. This PC no longer belongs to you, and the fact that it sits in your house is only coincidental. It might as well be sitting in a server room in Beijing."

Another member said Windows is "full of undocumented and even deliberately obfuscated components" and legions of highly motivated "malguys" are guaranteed to find ways to compromise it. "There are just too many places to attack, and too many bits of legitimate software (often doing their own weird, undocumented, not-necessarily-safe things) to emulate."

So let me sum up where we're at: We have a world full of PCs running an operating system that can be compromised in relatively easy ways that are hard to detect, and there is no reliable way to unwind changes made by malware if we do find out we've been PWNd. It's no wonder we have botnet armies out there that have millions of "recruits" each! And the obvious conclusion is that things are going to get a lot worse.

And when things do get a lot worse we're going to see some major market changes that I plan to prognosticate upon next week. In the meantime let me know what changes you foresee.
