Timeserver.exe

Anyone know what's causing this? I noticed it a few days ago. It seems to be a Windows task; if I delete it (just send to bin) it gives me a 'program has stopped working' error on startup, so I restored it. I have done a virus scan on it and found nothing, a spyware scan doesn't find anything, and Google doesn't give much info on the IP it uses, so what is it?
 
Think I disabled it now. I found this in services with no description; one thing though, it points to time-svc.exe and not timeserver.exe

 
Timeserver.exe is definitely a bitcoin miner virus. Somehow one just managed to get onto my PC and was doing the usual, running the GPU at 100% usage. Stopped the processes and deleted the folder it was in.
 
One of those things which is easier to notice if you have Aida64+ G19 keyboard running with stats from the PC or Rainmeter etc on the go.

Heck it could have been on the go for months!
 
One of those things which is easier to notice if you have Aida64+ G19 keyboard running with stats from the PC or Rainmeter etc on the go.

Heck it could have been on the go for months!

Well, I have a G15 running stats, but the fan speed goes up as well, dead giveaway!
 
Got a new one... posting here to save making new thread, seems like the same kind of thing..



This time it's applaunch.exe. It's always in SYN_SENT, and if I end the task it opens back up, so I can't delete it, but this file seems to be part of the .NET Framework folder: C:\Windows\Microsoft.NET\Framework\v2.0.50727

what should I do?
 
AppLaunch.exe is the Microsoft .NET ClickOnce launch utility, but the strangest thing is the IP address it's communicating with (if that's the correct way to say it) is linked to Virgin Media, although the report also states that 3 other sites use that IP address, so it might be that something is using that process to launch something malicious (but .NET Framework processes can't really be killed, since I couldn't do that with an errant .NET optimising process as it would just restart).
 
Well, I can't delete it under safe mode, not even a DOS delete works..



Avast and Spybot S&D don't find anything, what else could I use to scan it?
 
Verify the authenticity before attempting to delete anything.

I don't think an actively running process can be deleted, and the OP has confirmed (along with my information) that it's an authentic application.

Since it's probably the .NET Framework equivalent of rundll32.exe, what has to be done is to find what that application is tied to, and that would require a more advanced task manager (using HijackThis might help since it lists startup processes and anything that is used by them).

You could just (if it's possible) remove the .NET framework to see if anything throws a hissy fit because a specific application is now missing.
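
As an added example that is not part of the thread: one way to find what a connection such as the SYN_SENT one from AppLaunch.exe is tied to, and to list services that have no description like the one pointing at time-svc.exe. It assumes Windows 8 / Server 2012 or later (for `Get-NetTCPConnection`) and an elevated PowerShell session; the function names `Get-ConnectionOwner` and `Get-UndescribedService` are hypothetical.

```powershell
# Added example (not from the thread). Assumes Windows 8 / Server 2012 or later
# and an elevated session so other users' processes are visible.

function Get-ConnectionOwner {
    param([string[]]$State = @('SynSent', 'Established'))

    # PID -> process, and PID -> names of services hosted in that process
    $procs = @{}; $svcs = @{}
    Get-CimInstance Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }
    Get-CimInstance Win32_Service | Where-Object { $_.ProcessId } |
        ForEach-Object { $svcs[[int]$_.ProcessId] += @($_.Name) }

    Get-NetTCPConnection -State $State -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notin '127.0.0.1', '::1' } |
        ForEach-Object {
            $p      = $procs[[int]$_.OwningProcess]
            # The parent may already have exited; a reused PID can mislead here
            $parent = if ($p) { $procs[[int]$p.ParentProcessId] }
            $sig    = if ($p -and $p.ExecutablePath) {
                          (Get-AuthenticodeSignature -FilePath $p.ExecutablePath).Status
                      } else { 'PathUnavailable' }
            [pscustomobject]@{
                Remote      = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
                State       = $_.State
                ProcessId   = $_.OwningProcess
                Image       = if ($p) { $p.ExecutablePath }
                CommandLine = if ($p) { $p.CommandLine }
                Parent      = if ($parent) { '{0} ({1})' -f $parent.Name, $parent.ProcessId }
                Services    = $svcs[[int]$_.OwningProcess] -join ', '
                Signature   = $sig
            }
        }
}

function Get-UndescribedService {
    # Services with an empty description, with the binary each one points to
    Get-CimInstance Win32_Service |
        Where-Object { [string]::IsNullOrWhiteSpace($_.Description) } |
        Select-Object Name, DisplayName, State, StartMode, PathName
}

Get-ConnectionOwner | Format-List
Get-UndescribedService | Format-Table -AutoSize -Wrap
```

A valid signature only confirms the image on disk is the vendor's file; the command line, parent and hosted services are what show who launched it and why.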
 
I don't think an actively running process can be deleted, and the OP has confirmed (along with my information) that it's an authentic application.

No reason to delete it if it's legit. IP address is legit. OP is probably a tad paranoid.
 


GOT IT! I installed Malwarebytes and did a scan, it didn't flag the applauncher.exe but after removing all from the list the exe has closed and the IP has gone from CMD, so maybe some malware was using applauncher to create a connection?
 
The IP has something to do with Virgin Media DNS.

I would boot to safe mode, update MBAM definitions and perform a full system scan.
 
The IP has something to do with Virgin Media DNS.

Three other websites use that IP address, so it might not be related to them.

I'd also have to guess that it was another bitcoin miner as there are some that require .net framework and was altered to be malicious (I did a quick search through google and some of the top results were for bitcoin miners).
 
Three other websites use that IP address, so it might not be related to them.

Those sites have decided to point an A record at the IP address for whatever reason. The DNS service (advancedsearch.virginmedia.com) kicks in when VM's DNS servers aren't able to resolve a DNS record. Maybe the malware had difficulty phoning home.
 
Hahaha, I just got this timeserver.exe virus.
I have probably had it for weeks and weeks, and I wondered why my system was BSOD 116 on Windows login and also why 1 of my GPUs was running at 99% usage, and this was the cause.
I could never figure out what the hell was going on, as I read some drivers have issues where on bootup 1 GPU would be at 99% :/ Can this bitminer cause the TDR_video_error BSOD 116 driver failure to restart etc. problem? Ever since I disabled it I have booted up with no issues so far, but can that bitminer cause that?

Go figure, my system has also speeded right up, much quicker and more responsive.

DAM ******** that create these want shot in the head.
 