If my PC is left idle for a couple of hours, the miner creates an exe called aspnet.exe inside C:\Windows\Microsoft.NET\Framework\v4.0.30319. I can delete it but it will recreate itself the next time. Uses around 70 - 90% CPU. This is taken from within the exe when viewed with HexEdit. I looked up the Twitter handle: https://twitter.com/yvg1900?lang=en...ootkit Malwarebytes Anti-Malware AdwCleaner
You can try to create aspnet.exe yourself (copy some existing exe like cmd.exe) and put as many restrictions on it as you can (security ones, read-only, hidden). Not a solution but a possible workaround. Btw, have you disabled UAC?
I just set the file to read-only, took control of it, disabled inherited permissions, and created a new rule in Windows Firewall set to block both inbound and outbound. I found this in regedit: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet.exe.FriendlyAppName. It's located pretty deep inside HKEY_LOCAL_MACHINE in a folder called MuiCache.
Have you tried scanning the disks from a bootable rescue disk? There is a difference between scanning a running instance of Windows and scanning the Windows files from another running OS.
Safe mode, delete all temp (user and Windows), disable startup items.
Check here:
C:\ProgramData
C:\Users\xxxxx\AppData\Local
C:\Users\xxxxx\AppData\Roaming
Check registry for suspicious entries in:
HKEY_LOCAL_MACHINE\SOFTWARE
HKEY_CURRENT_USER\SOFTWARE
Suspicious startup items in:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Delete them.
Normal mode boot: Hitman Pro, Spybot, HijackThis.
Install Avast free > schedule a boot time scan so it can remove items before they have started with Windows.
Will give all the above a go, will report back soon. Ty in advance. Edit: Quick update - HitMan Pro detected the aspnet.exe as malware when everything else I tried listed in the OP did not.
Like mbk1969 just suggested, scanning drives via some bootable AV tool is a nice workaround to fight tough malware: that way the malware can't defend itself, because it's deeply integrated into the infected OS but not into the bootable OS. At least you would cripple that malware a bit if not completely, enough to finish it off completely with some other anti-virus, anti-spyware, anti-malware tool... High recommendation for Kaspersky Rescue Disk 10 from my side, great and completely free tool. Extraordinary's suggestions are also good. Just to add a few more from my side... If you are on Win7/8 (not on Win8.1/10) a nice tool to cripple malware is Combofix, run it in Windows Safe Mode with Networking. After the removal procedure remove Combofix via CMD: Combofix /uninstall. Another great tool for crippling/removing all kinds of malware is AdwCleaner: first run in Safe Mode with Networking, another run in Windows Normal mode.
I think I might have got rid of it using RegRun or UnHackMe, both from http://greatis.com/ I think what was making the crap come back was a hijack of Chrome's home page, which pointed to something like "whitesmoke.com" or something like that. If it ever comes back I'll try HitMan Pro.
I wish I knew. I don't normally use any antivirus products and I think the last time a virus played hard to get out like this must have been over ten years ago. I normally get them out manually via task manager, RegEdit, and AutoRuns and ProcMon from SysInternals, but this one didn't want to go away. Hope it has now. So yeah, I have some idea of what might get me infected but this time I just don't know.
Oh, by the way, if you want more info, you can go to the task manager and in the Details tab enable the "Command line" column and in the arguments for the "aspnet.exe" process you will see some URL I don't recall now. If you browse to that URL it just shows some message saying something like "miner service active".
Ok, so it seems I may have addressed the issue, though one still remains. I used HitManPro (free) and then deleted files manually.
Other software used for additional detection and clean up: AdwCleaner, HijackThis, TDSSKiller, Spybot - did not work for me. Would not update properly, thus preventing me from being able to start a scan.
I created an exe in the path "C:\Windows\Microsoft.NET\Framework\v4.0.30319" using right-click New Text File and named it aspnet.exe. I then created inbound and outbound rules for this exe using Windows Firewall's advanced settings. I set the aspnet.exe file to read-only and set the security of the file so everything under Effective Access - View Effective Access displays a red X for Admin and Users. So far this seems to have stopped the problem. But I'm going to leave my PC on again overnight to check.
The only issue I have now is that if my PC is left on overnight, at 04:30am Windows Defender switches off automatically and requires me to End Task, and after I'd ended that initial instance with Task Manager, I then need to take ownership (using a right-click context menu addon/bat) of the Windows Defender folder located in "C:\ProgramData\Microsoft\Windows Defender", otherwise I get an error stating WD cannot be started. Adjusting settings via gpedit.msc and enabling the rule for WD to always be active does not work. Something overrides it.
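The containment steps in the post above (placeholder file at the drop path, read-only, deny ACLs, firewall block in both directions) can be scripted. The script below is an added example and not something posted in this thread; it assumes an elevated PowerShell on Windows 8 or later (the NetSecurity module's New-NetFirewallRule). It is containment only: it stops a dropper from writing to that one path and stops anything at that path from talking to the network, it does not remove the infection, and a dropper that chooses another name or folder is unaffected.

```powershell
# Added example: scripted version of the thread's placeholder + deny-ACL + firewall-block workaround.
# Assumptions: elevated PowerShell, Windows 8+/Server 2012+. Path is the one named in the thread.

$Target = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet.exe'

# 1. Occupy the path with an empty placeholder so the dropper cannot write its binary there.
#    If a real (malicious) file is already there, it is kept as-is and only locked down; hash it first.
if (-not (Test-Path -LiteralPath $Target)) {
    New-Item -ItemType File -Path $Target -Force | Out-Null
}
(Get-Item -LiteralPath $Target).IsReadOnly = $true

# 2. Take ownership, strip inherited ACEs, then deny Everyone full control.
#    Deny ACEs are evaluated before allow ACEs, so this also blocks Administrators and SYSTEM
#    from replacing or executing the file. The owner keeps the implicit right to change the DACL,
#    which is what lets you undo this later (see usage note).
takeown /F $Target | Out-Null
icacls $Target /inheritance:r | Out-Null
icacls $Target /deny 'Everyone:(F)' | Out-Null

# 3. Firewall rules: refuse connections by a program at this path, inbound and outbound, all profiles.
foreach ($dir in 'Inbound', 'Outbound') {
    New-NetFirewallRule -DisplayName "Block aspnet.exe miner ($dir)" `
        -Program $Target -Direction $dir -Action Block -Profile Any -Enabled True | Out-Null
}

# 4. Print the resulting ACL and rules so the change can be reviewed.
icacls $Target
Get-NetFirewallRule -DisplayName 'Block aspnet.exe miner*' |
    Select-Object DisplayName, Direction, Action, Enabled
```

To reverse it once the machine is clean: `icacls <path> /remove:d Everyone` (run as the owner), clear the read-only attribute, delete the placeholder, and `Remove-NetFirewallRule -DisplayName 'Block aspnet.exe miner*'`. Using `Everyone` rather than individual Admin and Users entries matches what the post describes (a red X for both under Effective Access) in a single ACE.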
Well, no, the f*cker's back. Here's the command line I was talking about before. c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet.exe -t 4 -M stratum+tcp://48QejKHMsLseVMovuVK2rBPruraYBrZK8YAZSH6ds2YgH7PtH78PiL21dNjLWjddF1gmhkGE1YCbFXQUQUvQf5cC1mCRYGm:x@pool.minexmr.com:4444/xmr I did try Kaspersky, Avast, Avira, Baidu, ViRobot, AVG, NOD32, TrendMicro, MalwareBytes, McAfee, RegRun, UnHackMe, HitmanPro... you name it. Any other suggestions? EDIT: WTF, there's a glitch in the forum software it appears. In my post's source code there's no space between the N and the E in "aspnet.exe", or between those 7 and 8 later on, or the two letter O from "pool" near the end.
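The indicators scattered through this thread (the drop path, the FriendlyAppName entry under MuiCache, the Run keys, and a command line containing a stratum+tcp:// pool URL as in the post above) can be checked in one pass instead of by hand in Task Manager and regedit. The script below is an added example, not code from anyone in this thread; it assumes an elevated PowerShell on Windows 8 or later (Get-CimInstance, Get-ScheduledTask). It only reports, it deletes nothing. The scheduled-task check is my addition: the thread only says the miner comes back after the PC has been idle, and an idle-triggered task is one plausible mechanism for that, not something the thread established.

```powershell
# Added example: triage checks for the aspnet.exe miner described in this thread. Read-only; prints findings.
# Assumptions: elevated PowerShell, Windows 8+/Server 2012+. Registry paths for MuiCache vary by Windows
# version, so several candidates are tried and missing keys are skipped.

$SuspectPath = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet.exe'

# 1. Is the dropped binary present right now? Record size, timestamps, signature state and hash.
if (Test-Path -LiteralPath $SuspectPath) {
    $f = Get-Item -LiteralPath $SuspectPath
    "[file] $($f.FullName) size=$($f.Length) created=$($f.CreationTime) modified=$($f.LastWriteTime)"
    $sig = Get-AuthenticodeSignature -LiteralPath $SuspectPath
    "[file] Authenticode status: $($sig.Status)"   # genuine Microsoft binaries in this folder are signed
    "[file] SHA256: $((Get-FileHash -LiteralPath $SuspectPath -Algorithm SHA256).Hash)"
} else {
    "[file] $SuspectPath not present at the moment (the thread notes it reappears after idle periods)"
}

# 2. Running processes whose command line names a mining pool, or that run from the suspect path.
#    This is the same information as the Task Manager 'Command line' column mentioned in the thread.
Get-CimInstance Win32_Process |
    Where-Object { $_.CommandLine -match 'stratum\+tcp://' -or $_.ExecutablePath -eq $SuspectPath } |
    ForEach-Object {
        "[proc] PID=$($_.ProcessId) PPID=$($_.ParentProcessId) exe=$($_.ExecutablePath)"
        "[proc]   cmdline: $($_.CommandLine)"
    }

# 3. Autostart Run keys named in the thread: list every value for manual review.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the registry provider's own PSPath etc. properties
        "[run] $key\$($p.Name) = $($p.Value)"
    }
}

# 4. MuiCache: the shell records a FriendlyAppName for executables it has displayed or launched.
#    An aspnet.exe entry here is the artefact one poster found; it shows the binary ran, even if it is gone now.
$MuiPaths = @(
    'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache',
    'HKCU:\Software\Microsoft\Windows\ShellNoRoam\MUICache',
    'HKLM:\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache'   # assumption: poster said HKLM
)
foreach ($mui in $MuiPaths) {
    if (-not (Test-Path $mui)) { continue }
    (Get-ItemProperty -Path $mui).PSObject.Properties |
        Where-Object { $_.Name -like '*aspnet.exe*' } |
        ForEach-Object { "[muicache] $mui : $($_.Name) = $($_.Value)" }
}

# 5. Scheduled tasks whose action points at the suspect path (assumed relaunch mechanism, see lead-in).
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $task.Actions | Where-Object { $_.Execute -like '*aspnet.exe*' } | ForEach-Object {
        "[task] $($task.TaskPath)$($task.TaskName) -> $($_.Execute) $($_.Arguments)"
    }
}
```

Run it once while the miner is active (when CPU is pegged) and once after cleanup; the `[proc]` lines should disappear, and any `[run]`, `[muicache]` or `[task]` line that references the path tells you where the relaunch is coming from. The SHA256 from step 1 is what to submit to a scanner or compare against a second infected machine.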
Tried Kaspersky. It's a stark reminder why I don't use such AV software. It's bloatware. Slowed my system right down to a crawl just having it active. The thing seems to be Google-proof. There's nothing out there about it other than forum posts from a few years back, and most relating to a KB file that MS released to address it or something similar. Did you try what I posted above? Creating a .exe file and calling it aspnet.exe, setting security and read-only, and also creating new outbound/inbound rules in Win Firewall Advanced Settings to block it. I'm pretty sure this miner came in a crack or standalone patch that I've downloaded. But it's strange that it uses the CPU instead of the GPU. Edit: Try RogueKiller and start a scan. My result so far: WindowsUpdate, C:\Windows\lsa.exe. I've not seen that before. So maybe RK will help you.