How Do I Get Rid of This Cryptomining Virus?
Okay, so about a few days ago I noticed that exactly at the beginning of every hour, I would get a command prompt console open. Sometimes it would open for a second and then minimize into the background, but sometimes it would stay open and I would see it mining DAG or something from my GPU.
I went into Task Manager and found the app running it (called User.exe) opened its file location (AppData/Local) and deleted two files named User.exe and another named Profile.exe.
I went into Task Scheduler and deleted the schedule that Profile.exe (which is used to launch the command prompt, User.exe) launches every hour.
Should be fine and gone, right? Nope. While I was using my PC, it came back. Re-adds the schedule, and readds the app to AppData/Local.
I download procexp and find User.exe, and see that it uses a launch command (that I couldn’t see in properties or anywhere else) that connects user.exe to 2miners.com, using KAWPOW, uses asia-rvn.2miners.com specifically.
I downloaded Kaspersky, then MalwareBytes, and then used Windows Security when each one did nothing. Kaspersky was the only one that Identified it as a virus, both skipped it and said something about it being ‘impossible’.
I booted Windows in safe mode multiple times and deep scanned the PC, and nothing happened.
I used VirusTotal to search for it, it and give me a 0/48, when I used procexp for it, it gave me 18/48.
I searched through the registry for something but did not find anything.
I see a lot of online solutions basically saying, fresh install, nothing would help, but i can’t. I have TBs of information all integrated into this Windows system, all years old and I have no clue where I got them from, but most of them are for my editing software, for my music production, and for my small coding attempts, so reinstalling Windows is not an option for me.
What do I do? It’s so annoying having to shut it down every hour.Reddit User
If you’re dealing with a persistent cryptomining virus that reappears despite your efforts to remove it, you’re facing a challenging but solvable problem. This guide provides a step-by-step approach to thoroughly remove cryptomining malware from your system and prevent its recurrence without a full Windows reinstall.
Cryptomining Virus at Virustotal
- Isolate Your System: Disconnect from the internet to prevent the malware from communicating with its command server.
- Identify Malicious Processes: Use tools like Process Explorer to continuously monitor and note down any suspicious processes that initiate at the top of the hour.
Cryptomining Virus Removal
- Use Advanced Malware Removal Tools: Since standard antivirus tools have failed, consider using Gridinsoft Anti-Malware, which is designed to target and eliminate tough malware infections. Perform a deep scan and follow the prompts to remove any detected threats.
- Manually Remove Residual Files: Go back to AppData/Local and ensure that all files related to the User.exe and Profile.exe are permanently deleted.
- Modify Hosts File: Prevent connections to known malicious sites by adding their URLs to your hosts file:
- Navigate to
C:\Windows\System32\drivers\etc\ - Edit the hosts file to redirect the domains associated with the malware to
127.0.0.1.
- Navigate to
- Secure Task Scheduler: Revisit Task Scheduler and delete any unrecognized tasks that could be used to relaunch the malware. Secure it by setting permissions to prevent unauthorized changes.
- Examine and Edit the Registry: Use the Registry Editor with extreme caution to search for and remove any entries related to the malware. Be sure to back up the registry before making changes.
- Lock Down Firewall Rules: Set strict outbound rules on your firewall to block unrecognized applications from accessing the internet.
Remove Cryptomining Virus with Gridinsoft Anti-Malware
從那時起我們就一直在我們的系統上使用這個軟體, 而且在檢測病毒方面一直很成功. It has blocked the most common Malware as 從我們的測試中可以看出 與軟體, and we assure you that it can remove Cryptomining Virus as well as other malware hiding on your computer.
使用 Gridinsoft 刪除惡意威脅, 請依照以下步驟操作:
1. 首先下載 Gridinsoft Anti-Malware, 透過下面的藍色按鈕或直接從官方網站訪問 網格軟體.
2.一旦 Gridinsoft 安裝文件 (安裝-gridinsoft-fix.exe) 已下載, 透過點擊該檔案來執行它. Follow the installation setup wizard's instructions diligently.
3. 訪問 "掃描選項卡" on the application's start screen and launch a comprehensive "全碟掃描" 檢查您的整台計算機. 這種包容性掃描涵蓋了內存, 啟動項, 註冊表, 服務, 司機, 和所有文件, 確保它檢測到隱藏在所有可能位置的惡意軟體.
要有耐心, as the scan duration depends on the number of files and your computer's hardware capabilities. 利用這段時間放鬆或處理其他任務.
4. 完成後, 反惡意軟體將提供一份詳細報告,其中包含您 PC 上偵測到的所有惡意專案和威脅.
5. 從報告中選擇所有已識別的項目,然後放心地單擊 "立即清潔" 按鈕. 此操作將從您的電腦中安全地刪除惡意文件, 將它們轉移到反惡意軟體程式的安全隔離區,以防止任何進一步的有害行為.
6. 如果出現提示, 重新啟動電腦以完成完整的系統掃描過程. 此步驟對於確保徹底消除任何剩餘威脅至關重要. 重啟後, Gridinsoft Anti-Malware 將會開啟並顯示一則訊息,確認 掃描完成.
請記住 Gridinsoft 提供 6 天免費試用. 這意味著您可以免費利用試用期體驗軟體的全部優勢,並防止您的系統將來受到任何惡意軟體感染. Embrace this opportunity to fortify your computer's security without any financial commitment.
Preventive Measures
- Regularly update your operating system and all applications to close security vulnerabilities.
- Review and limit administrative privileges on your system to essential users only.
- Continuously monitor and review installed programs and running processes for any unusual activity.
- Maintain regular backups of important data to external drives or cloud storage, separate from your main system.
While removing a persistent cryptomining virus can be complex, following these detailed steps will help you clean your system effectively and maintain its integrity. If the problem persists, consider consulting with a professional cybersecurity expert.
Leave a Comment