Infected with aspnet.exe BitCoin Miner. How to remove?

Discussion in 'Operating Systems' started by (.)(.), Sep 25, 2016.

  1. (.)(.)

    (.)(.) Banned

    Messages:
    9,089
    Likes Received:
    0
    GPU:
    GTX 970
    If my PC is left idle for a couple of hours, the miner creates an exe called aspnet.exe inside C:\Windows\Microsoft.NET\Framework\v4.0.30319. I can delete it but it will recreate itself the next time.

    Uses around 70 - 90% CPU.

    This is taken from within the exe when viewed with HexEdit.
    I looked up the Twitter handle: https://twitter.com/yvg1900?lang=en...ootkit Malwarebytes Anti-Malware AdwCleaner
     
    Last edited: Sep 25, 2016
  2. mbk1969

    mbk1969 Ancient Guru

    Messages:
    15,505
    Likes Received:
    13,526
    GPU:
    GF RTX 4070
    You can try to create aspnet.exe yourself (copy some existing exe like cmd.exe) and put as many restrictions on it as you can (security ones, read-only, hidden).
    Not a solution but a possible workaround.
    Btw, have you disabled UAC?
     
  3. (.)(.)

    (.)(.) Banned

    Messages:
    9,089
    Likes Received:
    0
    GPU:
    GTX 970
    I just set the file to read-only, took control of it, disabled inherited permissions, and created a new rule in Windows Firewall set to block both inbound and outbound.

    I found this in regedit:
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet.exe.FriendlyAppName

    It's located pretty deep inside HKEY_LOCAL_MACHINE in a folder called MuiCache
     
    Last edited: Sep 25, 2016
  4. mbk1969

    mbk1969 Ancient Guru

    Messages:
    15,505
    Likes Received:
    13,526
    GPU:
    GF RTX 4070
    Have you tried to scan the disks from a bootable rescue disk? There is a difference between scanning a working instance of Windows and scanning Windows' files from another working OS.
     

  5. Extraordinary

    Extraordinary Guest

    Messages:
    19,558
    Likes Received:
    1,636
    GPU:
    ROG Strix 1080 OC
    Safe mode, delete all temp (user and Windows), disable startup items

    Check here
    C:\ProgramData
    C:\Users\xxxxx\AppData\Local
    C:\Users\xxxxx\AppData\Roaming

    Check the registry for suspicious entries in

    HKEY_LOCAL_MACHINE\SOFTWARE
    HKEY_CURRENT_USER\SOFTWARE

    Suspicious startup items in

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    Delete them

    Normal mode boot

    Hitman Pro
    Spybot
    Hijack This

    Install Avast free > schedule a boot time scan so it can remove items before they have started with Windows
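One way to do the startup and registry check from the post above without clicking through regedit by hand. This is an added example written for this thread, not something Extraordinary posted: it walks the Run/RunOnce keys named above (plus their WOW6432Node and RunOnce siblings) and the scheduled task library, and flags entries whose target file is missing, lives in a user-writable folder such as ProgramData or AppData, sits in the .NET Framework folder the thread's aspnet.exe uses, or carries no valid Authenticode signature. The flag names and the set of folders it treats as suspicious are my own choices; it deletes nothing, and it assumes an elevated PowerShell 3.0 or newer prompt on Windows 8 or later (for `Get-ScheduledTask`).

```powershell
# Added example (not from the thread): audit Run keys and scheduled tasks.
# Run from an elevated PowerShell prompt. Nothing is deleted; review the
# output and remove entries yourself.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the executable path out of a Run value such as
#   "C:\Program Files\Vendor\app.exe" /silent   or   C:\tools\app.exe --flag
# Unquoted paths containing spaces are not handled; they end up flagged
# as file-missing, which still gets them looked at.
function Get-ExecutableFromCommand {
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^(\S+?\.(exe|com|bat|cmd|vbs|js|ps1))') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

# Reasons an entry deserves a second look. None of them alone proves
# infection; legitimate software also lives in AppData and ships unsigned.
function Get-SuspicionFlags {
    param([string]$Exe)
    $flags = @()
    if (-not (Test-Path -LiteralPath $Exe)) { return @('file-missing') }
    if ($Exe -match '\\(ProgramData|AppData\\(Local|Roaming)|Temp)\\') { $flags += 'user-writable-dir' }
    if ($Exe -match '\\Microsoft\.NET\\Framework(64)?\\') { $flags += 'dotnet-framework-dir' }
    $sig = Get-AuthenticodeSignature -FilePath $Exe
    if ($sig.Status -ne 'Valid') { $flags += "signature-$($sig.Status)" }
    return $flags
}

$findings = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        # Skip the provider metadata Get-ItemProperty adds to every object.
        if ($prop.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
        $exe = Get-ExecutableFromCommand ([string]$prop.Value)
        [PSCustomObject]@{
            Source  = "$key\$($prop.Name)"
            Command = $prop.Value
            Flags   = (Get-SuspicionFlags $exe) -join ','
        }
    }
})

# Scheduled tasks are the other common place a dropper re-launches from;
# report every task whose action runs something that trips the same flags.
$findings += @(foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
        $exe   = Get-ExecutableFromCommand $action.Execute
        $flags = Get-SuspicionFlags $exe
        if ($flags.Count -eq 0) { continue }
        [PSCustomObject]@{
            Source  = "Task $($task.TaskPath)$($task.TaskName)"
            Command = "$($action.Execute) $($action.Arguments)".Trim()
            Flags   = $flags -join ','
        }
    }
})

$findings | Where-Object { $_.Flags } | Sort-Object Source | Format-Table -AutoSize -Wrap
```

Anything with `file-missing` is either a leftover from an uninstall or a dropper whose payload is not on disk at the moment (the thread's miner only appears after hours of idle time, so look at the task list output for that case). The `dotnet-framework-dir` flag exists only because of the path this thread is about; a real entry there is unusual, since the Framework folder is not a normal auto-start location.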
     
  6. (.)(.)

    (.)(.) Banned

    Messages:
    9,089
    Likes Received:
    0
    GPU:
    GTX 970
    Will give all the above a go, will report back soon.

    Ty in advance.

    Edit: Quick update - HitMan Pro detected the aspnet.exe as malware when everything else I tried listed in the OP did not.
     
    Last edited: Sep 27, 2016
  7. CrazY_Milojko

    CrazY_Milojko Ancient Guru

    Messages:
    2,683
    Likes Received:
    1,611
    GPU:
    Asus STRIX 1070 OC
    Like mbk1969 just suggested, scanning drives via some bootable AV tool is a nice workaround to fight tough malware; that way the malware can't defend itself, because it's deeply integrated into the infected OS but not into the bootable OS. At least you would cripple that malware a bit if not completely, enough to finish it off completely with some other anti-virus, anti-spyware, anti-malware tool... High recommendation for Kaspersky Rescue Disk 10 from my side, great and completely free tool.

    Extraordinary's suggestions are also good.

    Just to add few more from my side...

    If you are on Win7/8 (not on Win8.1/10) nice tool to cripple malware is Combofix, run it in Windows Safe mode with Networking. After removal procedure remove Combofix via CMD: Combofix /uninstall

    Great tool for crippling/removing all kinds of malware is also AdwCleaner, first run in Safe Mode with Networking, another run in Windows Normal mode.
     
  8. uKER

    uKER Master Guru

    Messages:
    206
    Likes Received:
    234
    GPU:
    RTX 3070 Ti
    I also have this crapware and haven't been able to get rid of it.
     
  9. jbmcmillan

    jbmcmillan Guest

    Messages:
    2,760
    Likes Received:
    277
    GPU:
    Gigabyte G1 GTX970
    Have you tried the above suggestions?
     
  10. uKER

    uKER Master Guru

    Messages:
    206
    Likes Received:
    234
    GPU:
    RTX 3070 Ti
    I think I might have got rid of it using RegRun or UnHackMe, both from http://greatis.com/
    I think what was making the crap come back was a hijack in Chrome's home page, which pointed to something like "whitesmoke.com" or something like that.

    If it ever comes back I'll try HitMan Pro.
     

  11. -Tj-

    -Tj- Ancient Guru

    Messages:
    18,095
    Likes Received:
    2,601
    GPU:
    3080TI iChill Black
    What did you do to get infected in the first place?
     
  12. uKER

    uKER Master Guru

    Messages:
    206
    Likes Received:
    234
    GPU:
    RTX 3070 Ti
    I wish I knew.
    I don't normally use any antivirus products and I think the last time a virus played hard to get out like this must have been over ten years ago.
    I normally get them out manually via task manager, RegEdit, and AutoRuns and ProcMon from SysInternals, but this one didn't want to go away.
    Hope it has now.
    So yeah, I have some idea of what might get me infected but this time I just don't know.
     
  13. -Tj-

    -Tj- Ancient Guru

    Messages:
    18,095
    Likes Received:
    2,601
    GPU:
    3080TI iChill Black
    Ah so you had the same aspnet.exe infected issue as (.)(.)?
     
  14. uKER

    uKER Master Guru

    Messages:
    206
    Likes Received:
    234
    GPU:
    RTX 3070 Ti
    Yeah.
     
  15. uKER

    uKER Master Guru

    Messages:
    206
    Likes Received:
    234
    GPU:
    RTX 3070 Ti
    Oh, by the way, if you want more info, you can go to the task manager and in the Details tab enable the "Command line" column and in the arguments for the "aspnet.exe" process you will see some URL I don't recall now.
    If you browse to that URL it just shows some message saying something like "miner service active".
     

  16. (.)(.)

    (.)(.) Banned

    Messages:
    9,089
    Likes Received:
    0
    GPU:
    GTX 970
    Ok, so it seems I may have addressed the issue, though one still remains.

    I used HitManPro (free) and then deleted files manually. Other software used for additional detection and clean up:
    • adwcleaner
    • HiJackthis
    • tdsskiller
    • spybot - Did not work for me. Would not update properly, thus preventing me from being able to start a scan.

    I created an exe in the path "C:\Windows\Microsoft.NET\Framework\v4.0.30319" using right-click New Text file and named it aspnet.exe.

    I then created inbound and outbound rules for this exe using Windows Firewall's Advanced Settings.

    I set the aspnet.exe file to read only and set security of the file so everything under Effective Access - View Effective Access displays a red X for Admin and Users.

    So far this seems to have stopped the problem. But I'm going to leave my PC on again overnight to check.

    The only issue I have now is that if my PC is left on overnight, at 04:30 am, Windows Defender switches off automatically and requires me to End Task, and after I'd ended that initial instance with Task Manager, I then need to take ownership (using right-click context menu addon/bat) of the Windows Defender folder located in "C:\ProgramData\Microsoft\Windows Defender", otherwise I get an error stating WD cannot be started.

    Adjusting settings via gpedit.msc and enabling the rule for WD to always be active does not work. Something overrides it.
     
    Last edited: Sep 27, 2016
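The placeholder-file workaround from the post above, scripted with cmdlets instead of the Explorer dialogs. This is an added example written for this thread, not the poster's own commands; it reproduces the three steps described (empty file under the miner's name, read-only plus an access-control list that shows a red X for everyone, inbound and outbound firewall block rules) and assumes an elevated PowerShell prompt on Windows 8 or later, where `New-NetFirewallRule` is available. The rule display names are my own.

```powershell
# Added example (not from the thread): deny the dropper its file name and
# block that file's network access. This contains the symptom; it does not
# remove whatever keeps recreating aspnet.exe.

$target = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet.exe'

# 1. Empty placeholder under the same name, marked read-only. If the real
#    miner binary is present and locked, end its process first.
if (Test-Path -LiteralPath $target) { Remove-Item -LiteralPath $target -Force }
New-Item -Path $target -ItemType File | Out-Null
Set-ItemProperty -LiteralPath $target -Name IsReadOnly -Value $true

# 2. Stop inheriting from the Framework folder, drop every explicit entry,
#    then deny all access to Everyone. That covers Users and Administrators
#    alike, matching the "red X" in Effective Access the post describes.
$acl = Get-Acl -LiteralPath $target
$acl.SetAccessRuleProtection($true, $false)          # protect DACL, discard inherited ACEs
foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
$deny = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                   -ArgumentList 'Everyone', 'FullControl', 'Deny'
$acl.AddAccessRule($deny)
Set-Acl -LiteralPath $target -AclObject $acl

# 3. Firewall: block the program in both directions on every profile.
foreach ($dir in 'Inbound', 'Outbound') {
    New-NetFirewallRule -DisplayName "Block aspnet.exe placeholder ($dir)" `
        -Direction $dir -Program $target -Action Block -Profile Any -Enabled True | Out-Null
}

# Verify: the ACL should show a single Deny ACE and two enabled Block rules.
(Get-Acl -LiteralPath $target).Access | Format-Table IdentityReference, AccessControlType, FileSystemRights
Get-NetFirewallRule -DisplayName 'Block aspnet.exe placeholder*' | Format-Table DisplayName, Direction, Action, Enabled
```

Two caveats a practitioner should know before relying on this. The owner of a file keeps the right to rewrite its DACL regardless of any Deny entry, and a process holding SeTakeOwnershipPrivilege or SeRestorePrivilege (anything running as SYSTEM) can take ownership or write past the ACL, so a dropper with that level of access can simply replace the placeholder; the thread's earlier comment that this is "not a solution but a possible workaround" is the right way to read it. Second, the Deny-Everyone entry locks out administrators too, so to change or delete the placeholder later you must take ownership first, the same step the post describes for the Windows Defender folder.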
  17. Angrycrab

    Angrycrab Guest

    Messages:
    276
    Likes Received:
    0
    GPU:
    Titan XP EVGA Hybrid Kit
    Have you tried removing It with Kaspersky?
     
  18. (.)(.)

    (.)(.) Banned

    Messages:
    9,089
    Likes Received:
    0
    GPU:
    GTX 970
    Me?

    I'll give it a go after dinner and report back.
     
  19. uKER

    uKER Master Guru

    Messages:
    206
    Likes Received:
    234
    GPU:
    RTX 3070 Ti
    Well, no, the f*cker's back.
    Here's the command line I was talking about before.

    c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet.exe -t 4 -M stratum+tcp://48QejKHMsLseVMovuVK2rBPruraYBrZK8YAZSH6ds2YgH7PtH78PiL21dNjLWjddF1gmhkGE1YCbFXQUQUvQf5cC1mCRYGm:x@pool.minexmr.com:4444/xmr

    I did try Kaspersky, Avast, Avira, Baidu, ViRobot, AVG, NOD32, TrendMicro, MalwareBytes, McAfee, RegRun, UnHackMe, HitmanPro... you name it.

    Any other suggestions?

    EDIT: WTF, there's a glitch in the forum software it appears. In my post's source code there's no space between the N and the E in "aspnet.exe", or between those 7 and 8 later on, or the two letter O from "pool" near the end.
     
    Last edited: Sep 27, 2016
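A scripted version of the Task Manager "Command line" column check uKER describes, applied to the command line pasted above. This is an added example, not code from anyone in the thread: it lists running processes whose command line carries a mining-pool URL (the `stratum+tcp://` prefix and the pool host from the post are the indicators it uses; the wallet string and port will differ from case to case) or that are simply named aspnet.exe, and for each one shows the owner, the parent process that launched it, and whether the binary is signed. The parent column is the useful part for this thread, because it points at whatever keeps recreating the file. It assumes an elevated PowerShell 3.0 or newer prompt so that SYSTEM's and other users' command lines are readable.

```powershell
# Added example (not from the thread): find miner-like processes by command
# line and report who owns them and what started them. Elevated prompt.

# Pool-protocol prefixes are the stable indicator; the host seen in the
# thread is included only as a second hint.
$poolPattern = 'stratum(\+tcp|\+ssl)?://|minexmr\.com'

function Get-MinerSuspects {
    $all  = Get-CimInstance -ClassName Win32_Process
    $byId = @{}
    foreach ($p in $all) { $byId[[int]$p.ProcessId] = $p }

    foreach ($p in $all) {
        $reasons = @()
        if ($p.CommandLine -and $p.CommandLine -match $poolPattern) { $reasons += 'pool URL in command line' }
        if ($p.Name -ieq 'aspnet.exe')                               { $reasons += 'named aspnet.exe' }
        if ($reasons.Count -eq 0) { continue }

        # GetOwner is a WMI method on the process instance, hence Invoke-CimMethod.
        $owner  = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        $parent = $byId[[int]$p.ParentProcessId]
        $parentText = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" }
                      else         { "<exited> ($($p.ParentProcessId))" }
        $sig = if ($p.ExecutablePath -and (Test-Path -LiteralPath $p.ExecutablePath)) {
                   (Get-AuthenticodeSignature -FilePath $p.ExecutablePath).Status
               } else { 'n/a' }

        [PSCustomObject]@{
            ProcessId   = $p.ProcessId
            Name        = $p.Name
            Owner       = "$($owner.Domain)\$($owner.User)"
            Parent      = $parentText
            Signature   = $sig
            Reasons     = $reasons -join '; '
            CommandLine = $p.CommandLine
        }
    }
}

Get-MinerSuspects | Format-List
```

If the parent shows as `<exited>`, the launcher ran and quit, which is typical of a scheduled task or a one-shot service; the Run-key and task audit earlier in this thread's suggestions is where to look next. A `Signature` of `NotSigned` for something living under `C:\Windows\Microsoft.NET\Framework` is itself a strong hint, since the genuine `aspnet_*` tools there are Microsoft-signed.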
  20. (.)(.)

    (.)(.) Banned

    Messages:
    9,089
    Likes Received:
    0
    GPU:
    GTX 970
    Tried Kaspersky.

    It's a stark reminder why I don't use such AV software. It's bloatware. Slowed my system right down to a crawl just having it active.

    The thing seems to be Google-proof. There's nothing out there about it other than forum posts from a few years back, and most relating to a KB file that MS released to address it or something similar.

    Did you try what I posted above?

    Creating a .exe file and calling it aspnet.exe, setting security and read only and also creating new outbound/inbound rules in Win Firewall Advanced Settings to block it.

    I'm pretty sure this miner came in a crack or standalone patch that I've downloaded. But it's strange that it uses the CPU instead of the GPU.

    Edit: Try RogueKiller and start a scan. My result so far:

    WindowsUpdate, C:\Windows\lsa.exe.

    I've not seen that before. So maybe RK will help you.
     
    Last edited: Sep 27, 2016
