ID:276596
 
Well, on my other, better computer today, when I logged on I noticed there was another account called ASP.net, which was suspicious. When I actually logged in I noticed my Spybot software had been deleted and also some other files were gone. I decided to delete this new account right away, then I searched for ASP. I came up with a few strange files, including 2 JavaScript files and a URL file named SmartNav, all in a folder. The 2 JavaScript files were named SmartNav.js and WebUIValidation.js. There was also a text file named ASPNETSetup.log. Here are its contents:

********************************************************************************
**** Starting ASP.NET Setup at: 2005-11-18 18:37:12
**** Registering ASP.NET isapi: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
********************************************************************************

2005-11-18 18:37:12 Starting Querying status of a service: iisadmin
2005-11-18 18:37:12 Starting Connecting to Service Manager
2005-11-18 18:37:12 Success Connecting to Service Manager
2005-11-18 18:37:12 Starting Opening Service handle
2005-11-18 18:37:12 Success Opening Service handle
2005-11-18 18:37:12 Success Querying status of a service: iisadmin
2005-11-18 18:37:12 Starting Check the status of IIS
2005-11-18 18:37:12 Success Check the status of IIS
2005-11-18 18:37:12 Starting Querying status of a service: w3svc
2005-11-18 18:37:12 Starting Connecting to Service Manager
2005-11-18 18:37:12 Success Connecting to Service Manager
2005-11-18 18:37:12 Starting Opening Service handle
2005-11-18 18:37:12 Success Opening Service handle
2005-11-18 18:37:12 Success Querying status of a service: w3svc
2005-11-18 18:37:12 Starting Determining if current ASP.NET isapi has the highest version
2005-11-18 18:37:12 Success Determining if current ASP.NET isapi has the highest version
2005-11-18 18:37:12 Starting Stopping service: aspnet_state
2005-11-18 18:37:13 Starting Connecting to Service Manager
2005-11-18 18:37:13 Success Connecting to Service Manager
2005-11-18 18:37:13 Starting Opening Service handle
2005-11-18 18:37:13 Success Opening Service handle
2005-11-18 18:37:13 Success Stopping service: aspnet_state
2005-11-18 18:37:13 Starting Pre Registration cleanup
2005-11-18 18:37:13 Starting Cleaning up registry
2005-11-18 18:37:13 Failure Cleaning up registry: CleanupRegistryfailed with HRESULT80070002: 'The system cannot find the file specified. '
2005-11-18 18:37:13 Starting Uninstalling performance counters
2005-11-18 18:37:13 Success Uninstalling performance counters
2005-11-18 18:37:13 Starting Executing inf section: XSP.UninstallPerVer
2005-11-18 18:37:13 Success Executing inf section: XSP.UninstallPerVer
2005-11-18 18:37:13 Success Pre Registration cleanup
2005-11-18 18:37:13 Starting Executing inf section: XSP.InstallPerVer
2005-11-18 18:37:13 Success Executing inf section: XSP.InstallPerVer
2005-11-18 18:37:13 Starting Determining if we are running on a domain controller
2005-11-18 18:37:13 Success Determining if we are running on a domain controller
2005-11-18 18:37:13 Starting Generating password
2005-11-18 18:37:13 Success Generating password
2005-11-18 18:37:13 Starting Creating ASPNET account
2005-11-18 18:37:15 Starting Unchecking "Allow logon to terminal server".
2005-11-18 18:37:16 Success Unchecked "Allow logon to terminal server".
2005-11-18 18:37:16 Success Creating ASPNET account
2005-11-18 18:37:16 Starting Storing ASPNET account password in LSA
2005-11-18 18:37:16 Success Storing ASPNET account password in LSA
2005-11-18 18:37:16 Starting Getting IIS6 specific SID
2005-11-18 18:37:16 Failure Getting IIS6 specific SID: GetPrincipalSIDfailed with HRESULT80070534: 'No mapping between account names and security IDs was done. '
2005-11-18 18:37:16 Starting Getting IIS6 specific SID
2005-11-18 18:37:16 Success Getting IIS6 specific SID
2005-11-18 18:37:16 Starting Getting IIS6 specific SID
2005-11-18 18:37:16 Success Getting IIS6 specific SID
2005-11-18 18:37:16 Starting Setting ACLs for the ASPNET account
2005-11-18 18:37:16 Starting Getting location of Temporary ASP.Net directory
2005-11-18 18:37:16 Success Getting location of Temporary ASP.Net directory
2005-11-18 18:37:16 Starting Setting ACLs on Temporary ASP.Net directory
2005-11-18 18:37:16 Success Setting ACLs on Temporary ASP.Net directory
2005-11-18 18:37:16 Starting Setting ACLs on install root directory
2005-11-18 18:37:17 Success Setting ACLs on install root directory
2005-11-18 18:37:17 Starting Setting ACLs on config directory
2005-11-18 18:37:17 Success Setting ACLs on config directory
2005-11-18 18:37:17 Success Setting ACLs for the ASPNET account
2005-11-18 18:37:17 Starting Setting ACLs for a IIS6 account
2005-11-18 18:37:17 Starting Getting location of Temporary ASP.Net directory
2005-11-18 18:37:17 Success Getting location of Temporary ASP.Net directory
2005-11-18 18:37:17 Starting Setting ACLs on Temporary ASP.Net directory
2005-11-18 18:37:17 Success Setting ACLs on Temporary ASP.Net directory
2005-11-18 18:37:17 Starting Setting ACLs on install root directory
2005-11-18 18:37:17 Success Setting ACLs on install root directory
2005-11-18 18:37:17 Starting Setting ACLs on config directory
2005-11-18 18:37:17 Success Setting ACLs on config directory
2005-11-18 18:37:17 Success Setting ACLs for a IIS6 account
2005-11-18 18:37:17 Starting Setting ACLs for a IIS6 account
2005-11-18 18:37:17 Starting Getting location of Temporary ASP.Net directory
2005-11-18 18:37:17 Success Getting location of Temporary ASP.Net directory
2005-11-18 18:37:17 Starting Setting ACLs on Temporary ASP.Net directory
2005-11-18 18:37:17 Success Setting ACLs on Temporary ASP.Net directory
2005-11-18 18:37:17 Starting Setting ACLs on install root directory
2005-11-18 18:37:18 Success Setting ACLs on install root directory
2005-11-18 18:37:18 Starting Setting ACLs on config directory
2005-11-18 18:37:18 Success Setting ACLs on config directory
2005-11-18 18:37:18 Success Setting ACLs for a IIS6 account
2005-11-18 18:37:18 Starting Adding account name to registry
2005-11-18 18:37:18 Success Adding account name to registry
2005-11-18 18:37:18 Starting Install the ASP.NET State Service
2005-11-18 18:37:18 Starting Executing inf section: StateService.Uninstall
2005-11-18 18:37:18 Success Executing inf section: StateService.Uninstall
2005-11-18 18:37:18 Starting Executing inf section: StateService.Install
2005-11-18 18:37:19 Success Executing inf section: StateService.Install
2005-11-18 18:37:19 Starting Getting credentials for state service account
2005-11-18 18:37:19 Success Getting credentials for state service account
2005-11-18 18:37:19 Starting Connecting to Service Manager
2005-11-18 18:37:19 Success Connecting to Service Manager
2005-11-18 18:37:19 Starting Locking service database
2005-11-18 18:37:19 Success Locking service database
2005-11-18 18:37:19 Starting Opening Service handle
2005-11-18 18:37:19 Success Opening Service handle
2005-11-18 18:37:19 Starting Changing service configuration
2005-11-18 18:37:19 Success Changing service configuration
2005-11-18 18:37:19 Success Install the ASP.NET State Service
2005-11-18 18:37:19 Starting Install the ASP.NET Perfomanace counters
2005-11-18 18:37:20 Success Install the ASP.NET Perfomanace counters
2005-11-18 18:37:20 Starting Install common performance counters
2005-11-18 18:37:20 Success Install common performance counters
2005-11-18 18:37:20 Starting Starting service: aspnet_state
2005-11-18 18:37:20 Success Starting service: aspnet_state

Anyone know what this is?
Someone installed ASP.NET 1.1 (a webserver program-running-thingy) on your computer. The installation found a copy of IIS6 (Microsoft's web server) that it's now installed with.

They may have installed other things too.
Somebody's stuck a backdoor on your computer and broken into it. They're probably going to use it to send spam or something like that.

Here's a hint - Don't just download stuff off random websites.
Another one - Don't use Internet Explorer. Use something like Opera, or Firefox, something that's actually secure.
A third - If you can cope, upgrade to Linux.
In response to Jp
OK. Well, I deleted the account and am now going to delete all the files in that account. I think, though I'm not sure, Windows Firewall may be off. I'll check. Thanks.
In response to ADT_CLONE
Sorry, your computer is compromised beyond simply deleting some files; it's time to back up what you need and do a complete reinstall.

After you have it up and running "internet unplugged from the wall", start up Windows Firewall, then plug in the internet. Install AV software and update Windows.
In response to ADT_CLONE
Malware has a habit of remaining even once you've deleted (or think you've deleted) all of its files. I'd recommend doing what I did: back up important files on your computer, and then re-format it if you can. Hopefully, your computer has some System Recovery drive that's holding the initial manufacturer settings. Then you could just recover from that and start fresh.

Hiead
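
Added example, not part of any post in this thread: a small Python triage script for an ASPNETSetup.log like the one posted above. It extracts the setup time window, the account-related steps that succeeded and any failed steps with their HRESULT codes, so the timestamps can be compared with other install activity on the machine. The sample lines are copied from the posted log; the function names and the `ACCOUNT_WORDS` keyword list are assumptions of this example.

```python
import re
from datetime import datetime

# Lines copied from the ASPNETSetup.log posted in this thread (excerpt).
SAMPLE = """\
**** Starting ASP.NET Setup at: 2005-11-18 18:37:12
2005-11-18 18:37:13 Starting Cleaning up registry
2005-11-18 18:37:13 Failure Cleaning up registry: CleanupRegistryfailed with HRESULT80070002: 'The system cannot find the file specified. '
2005-11-18 18:37:13 Starting Creating ASPNET account
2005-11-18 18:37:16 Success Creating ASPNET account
2005-11-18 18:37:16 Success Storing ASPNET account password in LSA
2005-11-18 18:37:16 Failure Getting IIS6 specific SID: GetPrincipalSIDfailed with HRESULT80070534: 'No mapping between account names and security IDs was done. '
2005-11-18 18:37:20 Success Starting service: aspnet_state
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(Starting|Success|Failure)\s+(.+?)\s*$")
HRESULT = re.compile(r"HRESULT\s*([0-9A-Fa-f]{8})")
ACCOUNT_WORDS = ("account", "password", "acl")  # assumption: what counts as account-related


def parse_events(text):
    """Return (timestamp, status, step) for each step line; banner lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events


def summarize(events):
    """Setup time window, failed steps with HRESULT, and account steps that succeeded."""
    failures, account_steps = [], []
    for ts, status, step in events:
        if status == "Failure":
            code = HRESULT.search(step)
            failures.append((ts, step.split(":")[0], code.group(1) if code else None))
        elif status == "Success" and any(w in step.lower() for w in ACCOUNT_WORDS):
            account_steps.append((ts, step))
    window = (events[0][0], events[-1][0]) if events else None
    return {"window": window, "failures": failures, "account_steps": account_steps}


if __name__ == "__main__":
    report = summarize(parse_events(SAMPLE))
    print("setup ran:", report["window"])
    for ts, step, code in report["failures"]:
        print("FAILED ", ts, step, code)
    for ts, step in report["account_steps"]:
        print("ACCOUNT", ts, step)
```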