Carl Franklin

.NET Wonk

Why I hired a genius

So yesterday I was feeling a little too confident over the health of my system, and wouldn't you know - I got some spyware from some website. Did I have Microsoft Anti-Spyware installed? No. Why? I'm an idiot, that's why.

All of a sudden I get a message on the desktop as an HTML document that I had been infected with spyware and that I should run PSGuard, which has already been conveniently installed for me. Turns out that PSGuard IS the spyware, and acting as a spyware removal tool, totally screws up your system.

Not only was shit popping up left and right but I couldn't remove the helpful message from my desktop. The desktop tab in the Display Property window was frickin GONE. That's right. Gone!

Recognizing the smell of the wool being pulled over my eyes, I found this website which directed me to install XsoftSpy to remove it. After a bit of online research I came to the conclusion that this was a safe tool to install, so I did. Turns out it will tell you EXACTLY what's wrong with your system, but if you want to REMOVE the malware you have to register. So I paid them their money and it worked... sort of.

I will say that SpyBot did not find this bad boy. AntiSpyware didn't find it either. XsoftSpy actually worked.

Everything returned to normal except that outgoing SMTP and POP3 connections didn't work. So, Outlook was broken. I tried connecting with Telnet to my mail server on ports 110 and 25 with no luck. Outlook reported that it could not connect.

No TCP Filtering on the network connection, and turning the firewall off didn't do squat. I was stumped.

So I called in my resident genius who I have on staff for just these kinds of issues. He's painfully shy so I won't tell you who he is, but suffice it to say, he figured it out.

Rich Pendleton, who runs Interbridge, my ISP across the hall, said he thought it might be that the TCP stack itself had been stubbed. So I told the Genius this and he suggested I run WinsockFix, a free utility that restores your Winsock stack to its original state.

So after this, something strange happened. Telnet to the mail server at port 110 connected but I got a blank screen and pressing any key killed the connection. Outlook was reporting that the connection was Interrupted. Interesting.
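The two Telnet results above are actually different diagnoses: "no luck" on ports 110 and 25 (nothing answers, or the connection is refused) points at the local stack or a blocked SYN, while "connected, blank screen, any key kills it" means something accepted the TCP handshake and then dropped the session before the mail server's greeting (a healthy POP3 server sends `+OK ...`, SMTP sends `220 ...`). The following is an added example, not code from this post, that automates that triage: it connects to a host and port, waits for a banner, and classifies the outcome. The fake servers it spins up on localhost are constructed test fixtures so the script runs offline; to check a real mailbox you would call `probe_service` with your own mail host and ports 110 and 25.

```python
"""Classify how a TCP mail port responds: refused, silent, interrupted, or greeting.

Added example for the troubleshooting described in the post; the fake servers
below are constructed fixtures, not real mail servers.
"""
import socket
import threading
import time


def probe_service(host, port, timeout=2.0):
    """Connect to host:port and classify what happens.

    Returns a (state, banner) tuple where state is one of:
      "refused"     - nothing listening, or a filter rejecting the SYN
      "timeout"     - no answer at all within the timeout
      "silent"      - connected, but no greeting arrived
      "interrupted" - connected, then the peer closed before sending anything
                      (the 'blank screen, any key kills it' symptom)
      "banner"      - a greeting was received; banner holds its text
      "error"       - some other socket error; banner holds the message
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(512)
            except socket.timeout:
                return ("silent", "")
            except ConnectionResetError:
                return ("interrupted", "")
            if not data:
                return ("interrupted", "")  # peer sent FIN with no greeting
            return ("banner", data.decode("ascii", "replace").strip())
    except ConnectionRefusedError:
        return ("refused", "")
    except socket.timeout:
        return ("timeout", "")
    except OSError as exc:
        return ("error", str(exc))


def start_fake_server(behaviour):
    """One-shot localhost listener mimicking a mail port (constructed fixture).

    behaviour "banner": greets like a healthy POP3 server.
    behaviour "drop":   accepts the connection and closes it without a word,
                        which is what a filter swallowing the session looks like.
    Returns the port the listener was given by the OS.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        with conn:
            if behaviour == "banner":
                conn.sendall(b"+OK POP3 server ready\r\n")
                time.sleep(0.2)  # let the client read before we close
        listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port():
    """Reserve and release a port so nothing listens on it (refused path)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Run the probe against the three constructed scenarios."""
    return {
        "healthy": probe_service("127.0.0.1", start_fake_server("banner")),
        "filtered": probe_service("127.0.0.1", start_fake_server("drop")),
        "closed": probe_service("127.0.0.1", unused_port()),
    }


if __name__ == "__main__":
    for name, (state, banner) in demo().items():
        print(f"{name:9s} -> {state}" + (f" ({banner})" if banner else ""))
```

Reading the result: "refused" or "timeout" on every port, including from Safe Mode, is a stack- or network-level problem; "interrupted" or "silent" only in a normal boot, with a clean "banner" from Safe Mode with Networking, points at something loaded at startup sitting between Outlook and the wire, which is exactly the comparison the next steps of the post make by hand.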

So, I immediately thought that this was a double-whammy. Not only did the spyware write over the TCP stack but it also had some accomplice blocking the port. That's the way it looked anyway.

So boy genius says to boot up in Safe Mode with networking support. Sure enough, I could connect. Genius says to download and run HijackThis, which generates a log file of all startup activity. I ran it in safe mode and emailed the log file to him.

We went through all of the exes and dlls that load up at bootup and nothing seemed out of place. All of a sudden he says: go ahead and disable all the Symantec Antivirus services and reboot. I got what he was thinking, that antivirus software is an easy target of spyware, and I didn't think of that. That's why I hired him.

Of course, that's what it was. I don't know what it was doing, but for some reason, it was blocking my outgoing SMTP and POP3 connection.

Thanks, Einstein.

Comments

Collin said:

I can't count the number of times antivirus programs doubling as a software firewall has been the hidden source of my pain.

Some day we will live in a world where the only software that gets installed is what we actually WANT to have installed! It's a shame that Spybot missed this one; I have always had great faith in Patrick Kolla and his trusty volunteers to keep SpyBot whooping spyware. Do you have any information that might help them update their software to catch this spyware?

# August 27, 2005 3:59 AM

Carl said:

> Do you have any information that might help them update their software to catch this spyware?

It's pretty much all here in this post.
# August 27, 2005 4:03 AM

Eugene said:

I had the same problem, also ran all those anti-spyware programs and it also did not work. Thanks for sharing the solution.
# August 27, 2005 3:20 PM

Francisco Lopez said:

Information asymmetry; that's what justifies IT's outrageous - not mine - salaries.

Imo, it is the base for successful capitalism.

Still, I do not like it when the plumber tells me it is going to be $150 just for the privilege of having him over.
# August 29, 2005 4:43 PM

Anonymouse said:

That's why I use Firefox now.
# August 29, 2005 7:43 PM

Anon(R) said:

Great post and thanks for sharing the solution and tools used therein. Does the Genius have a blog too ;) ?

This brings up a thought I've had after viewing Grok Talks, listening to every episode of DNR/Mondays, and subscribing to Hanselman's blog among others. With all the experience that you have along with the information that you get from your guests in your inevitable final question to them, please post a page off of DNR listing these great tools (maybe categorized (sys, admin, dev, etc) or maybe not; your call).

Possibly WIKI style to allow your loyal listeners submit tools that we've found invaluable to our everyday functions.

After listening to Palermo's interview, I finally started using SlickRun [I hesitated just a little after watching the 10tools-10minutes grok talk] but your last interview sealed it. BTW, creating a parameterized SlickRun MagicWord is great to help keep up with Richard during Toy Boy as the Shrinkster URLs are flying.

Many thanks!
# August 30, 2005 3:16 PM

Mark Mehelis said:

Carl -

Were you running as an Admin again?

RunAs is a great tool - saves a lot of repetitive head whacking into a brick wall (and doesn't leave a mark, mostly).
# August 30, 2005 5:13 PM
