Help with aspnet.exe


I need a little help concerning aspnet.exe (NOT aspnet_wp.exe). It automatically starts periodically, and constantly uses exactly 50% of my CPU (I7-4770k). When I notice it and I kill the process it comes back after a while. I'm running Windows 8.1 64 bit.

I already figured out it is part of .NET Framework 4.0, but I can't remove and reinstall 4.0 in Win 8. I can remove 1.1, 2.0, 4.5, but not 4.0 (even if I remove all .net windows components 4.0 still remains). The file itself is located in \Windows\Microsoft.NET\Framework64\v4.0.30319. I deleted it manually after I got really annoyed, but it came back. I'm sure it's not infected with a virus or spyware, because I checked it with at least 5 antivirus/antispyware programs.

How can I find out the reason for the 50% CPU load? Or how can I find out which program or windows service launches it constantly?

yeah that file doesn't seem right to me.. I have a clean 8.1 vm, it's only used for testing, etc. I don't even see that file..

[Attached screenshot: post-14624-0-64731500-1395692347.png]

What does the digital signature say? That file should be signed by MS if it's a valid MS file - but searching for aspnet.exe only shows up viruses; aspnet_wp.exe would be the normal file.
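
An added example, not part of any post in this thread: one way to answer the two open questions (what launches the process, and whether the file is signed) is to subscribe to process-start events, so the binary is inspected while it still exists on disk. It assumes an elevated PowerShell 4.0 or later session; `Get-ProcessTriage` and `AspnetWatch` are hypothetical names.

```powershell
# Added example (not from the thread). Run elevated; stop with Ctrl+C.
$Name = 'aspnet.exe'                       # process name reported in the thread

function Get-ProcessTriage {               # hypothetical helper name
    param([uint32]$ProcessId, [uint32]$ParentId)
    $p = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId"
    if (-not $p) { return }                # process already exited
    if (-not $ParentId) { $ParentId = $p.ParentProcessId }
    # The parent may have exited and its PID been reused: treat it as a lead only.
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $ParentId"
    # If the parent is a service host, list the running services inside it.
    $svc = Get-CimInstance Win32_Service -Filter "ProcessId = $ParentId AND State = 'Running'"
    $sig = $null; $hash = $null
    if ($p.ExecutablePath -and (Test-Path -LiteralPath $p.ExecutablePath)) {
        $sig  = Get-AuthenticodeSignature -LiteralPath $p.ExecutablePath
        $hash = (Get-FileHash -LiteralPath $p.ExecutablePath -Algorithm SHA256).Hash
    }
    [pscustomobject]@{
        Seen           = Get-Date
        Pid            = $p.ProcessId
        Path           = $p.ExecutablePath
        CommandLine    = $p.CommandLine
        SHA256         = $hash
        SignatureState = $sig.Status                     # Valid, NotSigned, HashMismatch, ...
        Signer         = $sig.SignerCertificate.Subject
        ParentPid      = $ParentId
        ParentPath     = $parent.ExecutablePath
        ParentCmdLine  = $parent.CommandLine
        ParentServices = ($svc.Name -join ', ')
    }
}

# 1) Instances that are already running.
Get-CimInstance Win32_Process -Filter "Name = '$Name'" |
    ForEach-Object { Get-ProcessTriage -ProcessId $_.ProcessId } | Format-List

# 2) Wait for the next launch and record it immediately.
Register-CimIndicationEvent -ClassName Win32_ProcessStartTrace -SourceIdentifier AspnetWatch
try {
    while ($true) {
        $e = Wait-Event -SourceIdentifier AspnetWatch
        $n = $e.SourceEventArgs.NewEvent
        Remove-Event -EventIdentifier $e.EventIdentifier
        if ($n.ProcessName -ieq $Name) {
            Get-ProcessTriage -ProcessId $n.ProcessID -ParentId $n.ParentProcessID | Format-List
        }
    }
} finally { Unregister-Event -SourceIdentifier AspnetWatch }
```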

yeah just the simple fact that it recreates/relaunches itself screams virus.

if you don't find the culprit with a boot scanner I'd highly recommend formatting and reinstalling windows fresh as you have no idea what it's doing in the background and wouldn't be too safe to just leave it

Now you made me really suspicious. Especially considering it's not there when it's not running. I haven't noticed that before, because the only time I checked it was when it ran. But now that you mentioned the signature and I tried to check, it's not there. Compared to your screenshot I also have a folder named "1038" there. Eset Smart Security didn't find anything. Neither did Ad-Aware or Malwarebytes Anti Malware. What else should I try?

^try the boot scanner like i mentioned as that doesn't have a chance of being tampered w/ by the virus since windows isn't running

if that still doesn't find anything i'd recommend nuking it from orbit & reinstalling windows as it's better safe than sorry

UnHackMe+Trojan Remover+a third one which name I forgot didn't find anything. It doesn't have a signature, and Process Explorer can't tell me anything about it. I don't want to format...

"I don't want to format..."

Dude you're clearly infected with something.. As already mentioned the only way to be SURE you are clean is Nuke it from Orbit..

I don't get it - there are people that format every other week for no other reason than an icon is out of place on their desktop or it's Tuesday and that's what they do on Tuesday, and there are people that even when there is an actual issue that warrants format they don't want to ;) heheheh

Here is the other thing - just because you found this guy, does not mean there is not 20 others. Or something else that just reinstalls this guy even if you run some tool that gets rid of it, etc.. Like you said you delete it and it comes back.

Ok if it is some low level malware sort of thing that pops up ads or something - hey you can be 99.99 percent sure your tools removed it, etc. Something like this that tools are not even seeing - Nuke IT!! It's the only way to be sure!

In the last two weeks I installed Windows on 5 PCs and 3 laptops, so that's the reason I'm not in the mood :D But I guess I will have to get to it.

Blahhh, reinstalling the OS is supposed to always be the last option. You can always do that. Since I'm an active member/Mod on another forum where we have a "Security" sub-forum, I've seen heavily infected systems successfully cured there (I'm thinking of infections like Sality, Virut, etc...). Yours looks like such a small thing, possible to solve in one hour.

"UnHackMe+Trojan Remover+a third one which name I forgot didn't find anything. It doesn't have a signature, and Process Explorer can't tell me anything about it. I don't want to format..."

you've mentioned all these scanners you've run from in windows but those always have a small chance of being modified by the virus if it's a good enough virus. have you tried the boot scanner i mentioned in my first post? that runs outside of windows so doesn't have a chance of being modified by the virus if it's masking itself

and on the formatting issue. if you really think about it you could have formatted yesterday and already had everything back how you like it by now (maybe when you format next you can create a backup image once you have everything reinstalled so if you ever have to do it again you have something you can restore from)

It's not guaranteed to be a virus though, is it?
I remember back in the days of blackice, I'd keep getting an exe trying to run, and when I moved the mouse it'd disappear. Also a part of a .NET framework install that'd delete the exe when it wasn't running (was something to do with generating optimised framework files if I remember rightly).

"Blahhh, reinstalling the OS is supposed to always be the last option"

Why? If it is the most efficient method then use it.. You mention it should only take an hour to fix this - well clearly the OP has been dealing with it for much longer than that. When if you had your ducks in a row from the get go with backup and images of your systems you could have a clean redo in like 20 minutes. So while I agree you should not be reinstalling at the drop of a hat, when you have exhausted your skill set in fixing a possible infection or issue or time/money are a concern. Would you rather dick with it for hours and hours - maybe you're paying a company to clean it - are they going to charge by the time spent. You might end up spending more money than it would cost to buy a whole new machine ;)

Since none of the tools you have tried find it. And you want to be "sure" it's clean - then install from clean source and you will be sure.

If you do not have a method of easy install of a clean system, the next thing to do after you deal with the problem at hand is looking into how to streamline the process of your reinstall. It is as simple as taking an image at milestones of your OS evolution. You install a major new application, take a new image. After you have installed major updates and validated everything is still working - take a new image, etc.

This way in such a scenario if you have concerns it's only a few minutes to reset your system to a known clean state. Just my 2 cents on the subject.. You need to weigh your options to be sure - but with good backup/DR practices the reinstall of a system can be reduced to only a few key strokes and the time taken to write the files to disk. This is becoming a much more attractive method of dealing with such issues vs spending hours and hours sometimes in trying to "fix" the infection. Depending on the machine, depending on the method, depending on the tool - it can take HOURS to just scan the machine - when you could even just reinstall from scratch and reinstall your software and restore your files in a fraction of that time. So why should it always be last choice?

I gave up and reinstalled. It went away (at least for now). Thx for the help though.

Semtex: it's not guaranteed it was a virus, but even if it wasn't, it was still a major OS error. And those kinds of problems usually can't be solved without a clean install. Maybe it was a software, but I had a lot of those, and uninstalling and reinstalling everything one by one would have taken a lot more time.
