Rkill didn't work on "Acnom.exe and Acnon.exe Monero Miner"

1 reply to this topic

#1 NewsTech


  • Members
  • 2 posts
  • Local time:08:51 PM

Posted 08 December 2017 - 10:23 AM

I have a VPS (Win 2008 R2) that became extremely slow after the host moved the server to a new IP. They disabled the firewall to test it (since I had it set to refuse all IP connections except those coming from my own), and I believe that's when someone managed to install the malware.


Following this page:




The infected VPS has SysData, with control.exe, kill.exe, install.exe, acnon.exe, and acnom.exe.


Task Manager shows Control.exe *32 running.


When I followed that page's instructions and ran Rkill.exe as iExplore.exe, it completed but did not find anything.


I was able to end task on control.exe.


I will try to follow that page's instructions on running Emsisoft Anti-Malware, AdwCleaner, and Hitman Pro, in that order. But I'm not sure if it's going to work since Rkill didn't work.


(Incidentally I have Windows Defender running and that's not detecting it either.)


Here are the CRC32s I have, and rkill.txt; however, if there's a rootkit involved, who knows what's actually going on.

acnom.exe    725C0F4D
acnon.exe    0AD4006B
control.exe  A327A885
install.exe  1B5A5AC2
kill.exe     FC19BFBC


Rkill 2.9.1 by Lawrence Abrams (Grinler)
Copyright 2008-2017 BleepingComputer.com
More Information about Rkill can be found at this link:

Program started at: 12/08/2017 09:34:32 AM in x64 mode.
Windows Version: Windows Server 2008 R2 Standard Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Searching for Missing Digital Signatures: 

 * No issues found.

Checking HOSTS File: 

 * HOSTS file entries found:	www.007guard.com	007guard.com	008i.com	www.008k.com	008k.com	www.00hq.com	00hq.com	010402.com	www.032439.com	032439.com	www.0scan.com	0scan.com	1000gratisproben.com	www.1000gratisproben.com	1001namen.com	www.1001namen.com	100888290cs.com	www.100888290cs.com	www.100sexlinks.com	100sexlinks.com

  20 out of 15633 HOSTS entries shown.
  Please review HOSTS file for further entries.

Program finished at: 12/08/2017 09:48:19 AM
Execution time: 0 hours(s), 13 minute(s), and 47 seconds(s)

(All of the HOSTS entries are from Spybot's Inoculate.)




#2 JohnC_21


  • Members
  • 24,625 posts
  • Gender:Male
  • Local time:08:51 PM

Posted 08 December 2017 - 11:03 AM

Don't know if it will work but can you kill the processes with Process Explorer?




