How Do I Get Rid of This Cryptomining Virus?
Okay, so about a few days ago I noticed that exactly at the beginning of every hour, I would get a command prompt console open. Sometimes it would open for a second and then minimize into the background, but sometimes it would stay open and I would see it mining DAG or something from my GPU.
I went into Task Manager and found the app running it (called User.exe) opened its file location (AppData/Local) and deleted two files named User.exe and another named Profile.exe.
I went into Task Scheduler and deleted the schedule that Profile.exe (which is used to launch the command prompt, User.exe) launches every hour.
Should be fine and gone, right? Nope. While I was using my PC, it came back. Re-adds the schedule, and readds the app to AppData/Local.
I download procexp and find User.exe, and see that it uses a launch command (that I couldn’t see in properties or anywhere else) that connects user.exe to 2miners.com, using KAWPOW, uses asia-rvn.2miners.com specifically.
I downloaded Kaspersky, then MalwareBytes, and then used Windows Security when each one did nothing. Kaspersky was the only one that Identified it as a virus, both skipped it and said something about it being ‘impossible’.
I booted Windows in safe mode multiple times and deep scanned the PC, and nothing happened.
I used VirusTotal to search for it, it and give me a 0/48, when I used procexp for it, it gave me 18/48.
I searched through the registry for something but did not find anything.
I see a lot of online solutions basically saying, fresh install, nothing would help, but i can’t. I have TBs of information all integrated into this Windows system, all years old and I have no clue where I got them from, but most of them are for my editing software, for my music production, and for my small coding attempts, so reinstalling Windows is not an option for me.
What do I do? It’s so annoying having to shut it down every hour.Reddit 사용자
If you’re dealing with a persistent cryptomining virus that reappears despite your efforts to remove it, you’re facing a challenging but solvable problem. This guide provides a step-by-step approach to thoroughly remove cryptomining malware from your system and prevent its recurrence without a full Windows reinstall.
Cryptomining Virus at Virustotal
- Isolate Your System: Disconnect from the internet to prevent the malware from communicating with its command server.
- Identify Malicious Processes: Use tools like Process Explorer to continuously monitor and note down any suspicious processes that initiate at the top of the hour.
Cryptomining Virus Removal
- Use Advanced Malware Removal Tools: Since standard antivirus tools have failed, consider using Gridinsoft Anti-Malware, which is designed to target and eliminate tough malware infections. Perform a deep scan and follow the prompts to remove any detected threats.
- Manually Remove Residual Files: Go back to AppData/Local and ensure that all files related to the User.exe and Profile.exe are permanently deleted.
- Modify Hosts File: Prevent connections to known malicious sites by adding their URLs to your hosts file:
- Navigate to
C:\Windows\System32\drivers\etc\ - Edit the hosts file to redirect the domains associated with the malware to
127.0.0.1.
- Navigate to
- Secure Task Scheduler: Revisit Task Scheduler and delete any unrecognized tasks that could be used to relaunch the malware. Secure it by setting permissions to prevent unauthorized changes.
- Examine and Edit the Registry: Use the Registry Editor with extreme caution to search for and remove any entries related to the malware. Be sure to back up the registry before making changes.
- Lock Down Firewall Rules: Set strict outbound rules on your firewall to block unrecognized applications from accessing the internet.
Remove Cryptomining Virus with Gridinsoft Anti-Malware
우리는 또한이 소프트웨어 에서이 소프트웨어를 우리 시스템에서 사용하고 있습니다., 그리고 그것은 항상 바이러스를 감지하는 데 성공했습니다. It has blocked the most common Malware as 우리의 테스트에서 보여 주었다 소프트웨어와 함께, and we assure you that it can remove Cryptomining Virus as well as other malware hiding on your computer.
악의적 인 위협을 제거하기 위해 Gridinsoft를 사용합니다, 아래 단계를 따르십시오:
1. Gridinsoft anti-malware를 다운로드하여 시작하십시오, 아래 또는 공식 웹 사이트에서 직접 파란색 버튼을 통해 액세스 할 수 있습니다. gridinsoft.com.
2.GridInsoft 설정 파일이되면 (Setup-gridinsoft-fix.exe) 다운로드됩니다, 파일을 클릭하여 실행하십시오. Follow the installation setup wizard's instructions diligently.
3. 액세스 "스캔 탭" on the application's start screen and launch a comprehensive "전체 스캔" 전체 컴퓨터를 검사합니다. 이 포괄적 인 스캔은 메모리를 포함합니다, 스타트 업 항목, 레지스트리, 서비스, 드라이버, 그리고 모든 파일, 가능한 모든 위치에 숨겨진 맬웨어를 감지하는지 확인.
인내하십시오, as the scan duration depends on the number of files and your computer's hardware capabilities. 이 시간을 사용하여 휴식을 취하거나 다른 작업에 참석하십시오..
4. 완료되면, 방지 방지는 PC에 감지 된 모든 악성 품목 및 위협이 포함 된 자세한 보고서를 제시합니다..
5. 보고서에서 식별 된 모든 항목을 선택하고 자신있게 "지금 청소" 단추. 이 작업은 컴퓨터에서 악의적 인 파일을 안전하게 제거합니다., 더 이상의 유해한 행동을 방지하기 위해 말장 방지 프로그램의 안전한 검역 구역으로 전송.
6. 프롬프트가있는 경우, 전체 시스템 스캔 절차를 마무리하려면 컴퓨터를 다시 시작하십시오.. 이 단계는 남은 위협을 철저히 제거하는 데 중요합니다.. 재시작 후, Gridinsoft anti-malware가 열리고 메시지를 표시합니다. 스캔 완료.
Gridinsoft는 6 일 무료 평가판을 제공합니다. 즉, 소프트웨어의 모든 이점을 경험하고 시스템의 향후 악성 코드 감염을 예방하기 위해 무료로 시험 기간을 이용할 수 있습니다.. Embrace this opportunity to fortify your computer's security without any financial commitment.
Preventive Measures
- Regularly update your operating system and all applications to close security vulnerabilities.
- Review and limit administrative privileges on your system to essential users only.
- Continuously monitor and review installed programs and running processes for any unusual activity.
- Maintain regular backups of important data to external drives or cloud storage, separate from your main system.
While removing a persistent cryptomining virus can be complex, following these detailed steps will help you clean your system effectively and maintain its integrity. If the problem persists, consider consulting with a professional cybersecurity expert.
의견을 남겨주세요