
ASP.NET Weblogs

Carl Franklin

.NET Wonk

Why I hired a genius

So yesterday I was feeling a little too confident over the health of my system, and wouldn't you know - I got some spyware from some website. Did I have Microsoft Anti-Spyware installed? No. Why? I'm an idiot, that's why.

All of a sudden I get a message on the desktop as an HTML document that I had been infected with spyware and that I should run PSGuard, which has already been conveniently installed for me. Turns out that PSGuard IS the spyware, and acting as a spyware removal tool, totally screws up your system.

Not only was shit popping up left and right but I couldn't remove the helpful message from my desktop. The desktop tab in the Display Property window was frickin GONE. That's right. Gone!

Recognizing the smell of the wool being pulled over my eyes, I found this website which directed me to install XsoftSpy to remove it. After a bit of online research I came to the conclusion that this was a safe tool to install, so I did. Turns out it will tell you EXACTLY what's wrong with your system, but if you want to REMOVE the malware you have to register. So I paid them their money and it worked... Sort of.

I will say that SpyBot did not find this bad boy. AntiSpyware didn't find it either. XsoftSpy actually worked.

Everything returned to normal except that outgoing SMTP and POP3 connections didn't work. So, Outlook was broken. I tried connecting with Telnet to my mail server on ports 110 and 25 with no luck. Outlook reported that it could not connect.

No TCP Filtering on the network connection, and turning the firewall off didn't do squat. I was stumped.

So I called in my resident genius who I have on staff for just these kinds of issues. He's painfully shy so I won't tell you who he is, but suffice it to say, he figured it out.

Rich Pendleton, who runs Interbridge, my ISP across the hall, said he thought it might be that the TCP stack itself had been stubbed. So I told the Genius this and he suggested I run WinsockFix, a free utility that restores your Winsock stack to its original state.

So after this, something strange happened. Telnet to the mail server at port 110 connected but I got a blank screen and pressing any key killed the connection. Outlook was reporting that the connection was Interrupted. Interesting.

So, I immediately thought that this was a double-whammy. Not only did the spyware write over the TCP stack but it also had some accomplice blocking the port. That's the way it looked anyway.

So boy genius says to boot up in Safe Mode with networking support. Sure enough, I could connect. Genius says to download and run HijackThis, which generates a log file of all startup activity. I ran it in safe mode and emailed the log file to him.

We went through all of the exes and dlls that load up at bootup and nothing seemed out of place. All of a sudden he says, go ahead and disable all the Symantec Antivirus services and reboot. I got what he was thinking, that antivirus software is an easy target of spyware, and I didn't think of that. That's why I hired him.

Of course, that's what it was. I don't know what it was doing, but for some reason, it was blocking my outgoing SMTP and POP3 connection.

Thanks, Einstein.
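An added illustration of the "telnet connects but the screen stays blank" clue above (example code written for this page, not a tool Carl used): a healthy POP3 server greets with +OK and an SMTP server with 220 right after the TCP handshake, so a connection that opens but never shows a greeting points at something local accepting the socket instead of the real server, which is a different failure from a refused or filtered connection. The script distinguishes the three cases; the servers it talks to are constructed local stand-ins, not a real mail host.

```python
import socket
import threading

# Greeting each protocol sends right after the TCP handshake (RFC 5321 SMTP, RFC 1939 POP3).
GREETING = {"smtp": b"220", "pop3": b"+OK"}

def check_mail_port(host: str, port: int, proto: str, timeout: float = 5.0) -> str:
    """Connect and wait for the greeting. Returns 'refused' (connect rejected),
    'filtered' (connect timed out), 'no_banner' (connected but nothing arrived: the
    'blank screen' symptom, something local accepted the socket without relaying the
    real server's greeting), 'ok' (expected greeting) or 'unexpected' (other data)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(512)
            except socket.timeout:
                return "no_banner"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "refused"
    if not data:
        return "no_banner"
    return "ok" if data.startswith(GREETING[proto]) else "unexpected"

def start_fake_server(banner: bytes = b"", hold: float = 1.0) -> int:
    """Constructed stand-in: a mail server (banner given) or a local interceptor that
    accepts but never relays (empty banner). Serves one connection; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_one():
        conn, _ = srv.accept()
        if banner:
            conn.sendall(banner)
        threading.Event().wait(hold)  # keep the socket open, as the interceptor did
        conn.close()
        srv.close()

    threading.Thread(target=serve_one, daemon=True).start()
    return port

def closed_port() -> int:
    """A local port with nothing listening, to show the 'refused' result."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Against a real host, compare the result from a normal boot with the one from Safe Mode with networking: "no_banner" only in the normal boot means a locally loaded component is in the path, which is what the HijackThis walk-through above was narrowing down.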

Comments

 

Collin said:

I can't count the number of times antivirus programs doubling as a software firewall have been the hidden source of my pain.

Some day we will live in a world where the only software that gets installed is what we actually WANT to have installed! It's a shame that Spybot missed this one; I have always had great faith in Patrick Kolla and his trusty volunteers to keep SpyBot on whooping spyware. Do you have any information that might help them update their software to catch this spyware?

August 27, 2005 3:59 AM
 

Carl said:

> Do you have any information that might help them update their software to catch this spyware?

It's pretty much all here in this post.
August 27, 2005 4:03 AM
 

Eugene said:

I had the same problem, also ran all those anti-spyware programs and it also did not work. Thanks for sharing the solution.
August 27, 2005 3:20 PM
 

Francisco Lopez said:

Information asymmetry; that's what justifies IT's outrageous - not mine - salaries.

Imo, it is the base for successful capitalism.

Still, I do not like it when the plumber tells me it is going to be $150 just for the privilege of having him over.
August 29, 2005 4:43 PM
 

Anonymouse said:

That's why I use Firefox now.
August 29, 2005 7:43 PM
 

Anon(R) said:

Great post and thanks for sharing the solution and tools used therein. Does the Genius have a blog too ;) ?

This brings up a thought I've had after viewing Grok Talks, listening to every episode of DNR/Mondays, and subscribing to Hanselman's blog among others. With all the experience that you have along with the information that you get from your guests in your inevitable final question to them, please post a page off of DNR listing these great tools (maybe categorized (sys, admin, dev, etc) or maybe not; your call).

Possibly WIKI style to allow your loyal listeners submit tools that we've found invaluable to our everyday functions.

After listening to Palermo's interview, I finally started using SlickRun [I hesitated just a little after watching the 10tools-10minutes grok talk] but your last interview sealed it. BTW, creating a parameterized SlickRun MagicWord is great to help keep up with Richard during Toy Boy as the Shrinkster URLs are flying.

Many thanks!
August 30, 2005 3:16 PM
 

Mark Mehelis said:

Carl -

Were you running as an Admin again?

RunAs is a great tool - saves a lot of repetitive head whacking into a brick wall (and doesn't leave a mark, mostly).
August 30, 2005 5:13 PM
 

Free PC Security Tips said:

Looking for even more good content on internet security and identity theft prevention tips then have a look here

July 19, 2008 3:28 PM
