트로이 목마 바이러스

Cryptomining Virus on Windows PC

How Do I Get Rid of This Cryptomining Virus?

Okay, so about a few days ago I noticed that exactly at the beginning of every hour, I would get a command prompt console open. Sometimes it would open for a second and then minimize into the background, but sometimes it would stay open and I would see it mining DAG or something from my GPU.

I went into Task Manager and found the app running it (called User.exe) opened its file location (AppData/Local) and deleted two files named User.exe and another named Profile.exe.
I went into Task Scheduler and deleted the schedule that Profile.exe (which is used to launch the command prompt, User.exe) launches every hour.

Should be fine and gone, right? Nope. While I was using my PC, it came back. Re-adds the schedule, and readds the app to AppData/Local.

I download procexp and find User.exe, and see that it uses a launch command (that I couldn’t see in properties or anywhere else) that connects user.exe to 2miners.com, using KAWPOW, uses asia-rvn.2miners.com specifically.
I downloaded Kaspersky, then MalwareBytes, and then used Windows Security when each one did nothing. Kaspersky was the only one that Identified it as a virus, both skipped it and said something about it being ‘impossible’.
I booted Windows in safe mode multiple times and deep scanned the PC, and nothing happened.
I used VirusTotal to search for it, it and give me a 0/48, when I used procexp for it, it gave me 18/48.
I searched through the registry for something but did not find anything.
I see a lot of online solutions basically saying, fresh install, nothing would help, but i can’t. I have TBs of information all integrated into this Windows system, all years old and I have no clue where I got them from, but most of them are for my editing software, for my music production, and for my small coding attempts, so reinstalling Windows is not an option for me.

What do I do? It’s so annoying having to shut it down every hour.Reddit User

If you’re dealing with a persistent cryptomining virus that reappears despite your efforts to remove it, you’re facing a challenging but solvable problem. This guide provides a step-by-step approach to thoroughly remove cryptomining malware from your system and prevent its recurrence without a full Windows reinstall.

Cryptomining Virus at Virustotal

Cryptomining Virus at Virustotal

  1. Isolate Your System: Disconnect from the internet to prevent the malware from communicating with its command server.
  2. Identify Malicious Processes: Use tools like Process Explorer to continuously monitor and note down any suspicious processes that initiate at the top of the hour.

Cryptomining Virus Removal

  1. Use Advanced Malware Removal Tools: Since standard antivirus tools have failed, consider using Gridinsoft Anti-Malware, which is designed to target and eliminate tough malware infections. Perform a deep scan and follow the prompts to remove any detected threats.
  2. Manually Remove Residual Files: Go back to AppData/Local and ensure that all files related to the User.exe and Profile.exe are permanently deleted.
  3. Modify Hosts File: Prevent connections to known malicious sites by adding their URLs to your hosts file:
    • Navigate to C:\Windows\System32\drivers\etc\
    • Edit the hosts file to redirect the domains associated with the malware to 127.0.0.1.
  4. Secure Task Scheduler: Revisit Task Scheduler and delete any unrecognized tasks that could be used to relaunch the malware. Secure it by setting permissions to prevent unauthorized changes.
  5. Examine and Edit the Registry: Use the Registry Editor with extreme caution to search for and remove any entries related to the malware. Be sure to back up the registry before making changes.
  6. Lock Down Firewall Rules: Set strict outbound rules on your firewall to block unrecognized applications from accessing the internet.

Remove Cryptomining Virus with Gridinsoft Anti-Malware

We have also been using this software on our systems ever since, and it has always been successful in detecting viruses. It has blocked the most common Malware as shown from our tests with the software, and we assure you that it can remove Cryptomining Virus as well as other malware hiding on your computer.

Gridinsoft Anti-Malware - Main Screen

To use Gridinsoft for remove malicious threats, follow the steps below:

1. Begin by downloading Gridinsoft Anti-Malware, accessible via the blue button below or directly from the official website gridinsoft.com.

2.Once the Gridinsoft setup file (setup-gridinsoft-fix.exe) is downloaded, execute it by clicking on the file. Follow the installation setup wizard's instructions diligently.

Gridinsoft Setup Wizard

3. Access the "Scan Tab" on the application's start screen and launch a comprehensive "Full Scan" to examine your entire computer. This inclusive scan encompasses the memory, startup items, the registry, services, drivers, and all files, ensuring that it detects malware hidden in all possible locations.

Scan for Cryptomining Virus Malware

Be patient, as the scan duration depends on the number of files and your computer's hardware capabilities. Use this time to relax or attend to other tasks.

4. Upon completion, Anti-Malware will present a detailed report containing all the detected malicious items and threats on your PC.

The Cryptomining Virus was Found

5. Select all the identified items from the report and confidently click the "Clean Now" button. This action will safely remove the malicious files from your computer, transferring them to the secure quarantine zone of the anti-malware program to prevent any further harmful actions.

The Cryptomining Virus has been removed

6. If prompted, restart your computer to finalize the full system scan procedure. This step is crucial to ensure thorough removal of any remaining threats. After the restart, Gridinsoft Anti-Malware will open and display a message confirming the completion of the scan.

Remember Gridinsoft offers a 6-day free trial. This means you can take advantage of the trial period at no cost to experience the full benefits of the software and prevent any future malware infections on your system. Embrace this opportunity to fortify your computer's security without any financial commitment.

Preventive Measures

  • Regularly update your operating system and all applications to close security vulnerabilities.
  • Review and limit administrative privileges on your system to essential users only.
  • Continuously monitor and review installed programs and running processes for any unusual activity.
  • Maintain regular backups of important data to external drives or cloud storage, separate from your main system.
GridinSoft Anti-Malware Review
It is better to prevent, than repair and repent!
When we talk about the intrusion of unfamiliar programs into your computer’s work, the proverb “Forewarned is forearmed” describes the situation as accurately as possible. Gridinsoft Anti-Malware is exactly the tool that is always useful to have in your armory: fast, efficient, up-to-date. It is appropriate to use it as an emergency help at the slightest suspicion of infection.
Gridinsoft Anti-Malware 6-day trial available.
EULA | 개인 정보 정책 | 10% Off Coupon

While removing a persistent cryptomining virus can be complex, following these detailed steps will help you clean your system effectively and maintain its integrity. If the problem persists, consider consulting with a professional cybersecurity expert.

About the author

브렌든 스미스

I'm Brendan Smith, a passionate journalist, researcher, and web content developer. With a keen interest in computer technology and security, I specialize in delivering high-quality content that educates and empowers readers to navigate the digital landscape.

Focused on computer technology and security, I am committed to sharing my knowledge and insights to help individuals and organizations protect themselves in the digital age. My expertise in cybersecurity principles, data privacy, and best practices enables me to provide practical tips and advice that readers can implement to enhance their online security.

Leave a Comment