Severity scale: 44/100

XMRig Miner. How to remove? (Uninstall guide)

Removal guide by Lucia Danes | Type: Malware

XMRig is a crypto-mining Trojan that abuses CPU resources to mine fractions of Monero

XMRig Miner Trojan processes

XMRig is a Monero miner,[1] or Monero (XMR) CPU miner, that belongs to the group of Trojan horses. It seeks to infect PCs unnoticed and continuously run the xmrig.exe process, which exploits the system's CPU resources to mine Monero cryptocurrency. The current version of this Trojan was rewritten from scratch in C++. According to experts, it is only 4 MB in size, which is why it is extremely portable.

Name: XMRig
Type: Trojan
Sub-type: CPU miner
Related malware: Wise XMRig
Danger level: Medium (can overheat hardware and end in a severe system crash)
Distribution: Freeware, malicious websites, Rig Exploit Kit
Symptoms: High CPU consumption, slow PC, unresponsive apps, random freezes, crashes, overheated hardware
Removal options: Automatic. Install Reimage and run a full scan to detect and eliminate all files related to the XMRig CPU miner.

According to Check Point,[2] it is distributed via a Rig Exploit Kit campaign dubbed Slots. Unlike other malvertising campaigns, this one misuses secure HTTPS traffic for the connection between Slots and the Rig Exploit Kit. Alternatively, the XMRig Trojan can slip onto PCs through drive-by downloads, malicious websites or fake software updates.

Although the idea of digital currency miners is not malicious in itself, most of them are classified as malware, Trojans or viruses because of the high risk of severe system freezes and crashes. Long-lasting, unhampered operation of the XMRig miner can result in hardware failure or render the PC useless.

Once installed, the XMRig virus registers itself, using administrative privileges, under Windows startup. Afterward, each system boot is followed by multiple xmrig.exe processes appearing in Windows Task Manager. This crypto-miner applies no CPU consumption limit on systems it has infected without authorization. Consequently, CPU consumption may continuously reach 90-100%, with only short periods of reduction.

Most professional anti-virus programs detect the XMRig Monero miner and block it before it enters the system. However, its developers keep updating the Trojan so that it can evade anti-virus detection and removal. That is why updating anti-virus definitions is a crucial part of system protection. The following are the most common detection names for the XMRig Trojan:

Trojan.Generic.22707634
Generic.Application.CoinMiner.1.B154D33D
Gen:Variant.Ursu.11451
Trojan:Win32/Coinminer!bit
Tool.BtcMine.1143
Win64/BitCoin.Miner.CS
Trojan.BitMiner

NOTE: The XMRig Monero mining Trojan can also be used to distribute other cyber infections. Hackers can misuse it to undermine the system's security and increase its vulnerability. German cybersecurity experts from Dieviren.de[3] warn that the XMRig malware can spread in conjunction with rootkits or spyware. The Trojan is closely related to the following files:

Qt5Network.dll
cudart64_60.dll
d.bat
dhide.vbs
esso.bat
example32.cmd
libcrypto-1.0.0.dll
msvcr110.dll
qt5core.dll
qwindows.dll
start64.exe
system.exe

Probably the main symptom of an XMRig attack is unusual system sluggishness. Programs stop responding or freeze randomly or frequently, downloads crawl, and so on. In this case, open Task Manager and check whether any process is consuming excessive CPU resources. If CPU consumption exceeds 40%, it is advisable to scan the system with professional anti-malware, such as Reimage, Malwarebytes, Combo Cleaner or Plumbytes Anti-Malware.
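The Task Manager check above, the startup persistence described earlier and the file list in the note can all be inspected from an elevated PowerShell prompt. The script below is an added triage example, not code from the original guide or from any vendor named on the page: it reports processes at or above the article's 40% CPU threshold, enumerates the usual Windows startup locations (Run/RunOnce keys, Startup folders, scheduled tasks, services) and searches for the file names the article lists. The 40% threshold, process names and file names come from the article; the extra search roots (%LOCALAPPDATA%, %TEMP%) and the CPU sampling window are assumptions. It reads and reports only, changing nothing on the system.

```powershell
# Added triage example (not part of the original guide). Read-only.
$CpuThresholdPercent = 40                     # article: "scan if CPU exceeds 40%"
$MinerProcessNames   = @('xmrig', 'start64')  # process names from the article
# 'System' (PID 4) is the legitimate kernel process, so system.exe is only
# looked for as a file, never matched by process name.
$MinerFileNames = @('Qt5Network.dll', 'cudart64_60.dll', 'd.bat', 'dhide.vbs',
    'esso.bat', 'example32.cmd', 'libcrypto-1.0.0.dll', 'msvcr110.dll',
    'qt5core.dll', 'qwindows.dll', 'start64.exe', 'system.exe')   # from the article

function Get-ProcessCpuPercent {
    # Task Manager shows a percentage; Get-Process only exposes cumulative CPU
    # seconds, so sample twice and convert the delta into a share of all cores.
    param([int]$SampleSeconds = 5)              # sampling window is an assumption
    $cores  = [Environment]::ProcessorCount
    $before = @{}
    foreach ($p in Get-Process) { $before[$p.Id] = $p.CPU }
    Start-Sleep -Seconds $SampleSeconds
    foreach ($p in Get-Process) {
        # CPU is $null for processes we are not allowed to query; skip those.
        if ($before.ContainsKey($p.Id) -and $null -ne $p.CPU -and $null -ne $before[$p.Id]) {
            $delta = $p.CPU - $before[$p.Id]
            [pscustomobject]@{
                Name       = $p.ProcessName
                Id         = $p.Id
                Path       = $p.Path
                CpuPercent = [math]::Round(100 * $delta / ($SampleSeconds * $cores), 1)
            }
        }
    }
}

function Get-StartupEntries {
    # Locations where an auto-starting miner is typically registered.
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |      # drop provider metadata
            ForEach-Object { [pscustomobject]@{ Source = $key; Name = $_.Name; Command = $_.Value } }
    }
    foreach ($folder in @("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                          "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")) {
        Get-ChildItem -Path $folder -File -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Source = 'StartupFolder'; Name = $_.Name; Command = $_.FullName } }
    }
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if ($a.Execute) {
                [pscustomobject]@{ Source = 'ScheduledTask'; Name = $task.TaskName; Command = "$($a.Execute) $($a.Arguments)" }
            }
        }
    }
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Command = $_.PathName }
    }
}

function Find-MinerFiles {
    # The article names %Windows% and %appdata%; LOCALAPPDATA and TEMP are added
    # here as common drop locations (assumption). Some of the names (msvcr110.dll,
    # qt5core.dll, libcrypto-1.0.0.dll) are legitimate runtime libraries, so a hit
    # matters only when it sits beside a miner executable or in a user-writable path.
    $roots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:windir)
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $MinerFileNames -contains $_.Name } |   # -contains is case-insensitive
            ForEach-Object {
                [pscustomobject]@{
                    Path   = $_.FullName
                    Size   = $_.Length
                    SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                }
            }
    }
}

# --- Report ------------------------------------------------------------------
Write-Host "== Processes at or above $CpuThresholdPercent% CPU, or named like the miner =="
Get-ProcessCpuPercent |
    Where-Object { $_.CpuPercent -ge $CpuThresholdPercent -or $MinerProcessNames -contains $_.Name } |
    Sort-Object CpuPercent -Descending | Format-Table -AutoSize

Write-Host "== Startup entries whose command mentions one of the listed names =="
Get-StartupEntries |
    Where-Object { $cmd = "$($_.Command)"; $MinerFileNames | Where-Object { $cmd -like "*$_*" } } |
    Format-Table -AutoSize

Write-Host "== Files matching the names listed in the article (with SHA-256 for your AV vendor) =="
Find-MinerFiles | Format-Table -AutoSize
```

A process that stays near the threshold across repeated runs, a Run key or scheduled task pointing into %APPDATA% or %TEMP%, and a copy of start64.exe or system.exe outside the Windows directory are the combination worth submitting to your anti-virus vendor together with the SHA-256 values; the report is evidence for the scan the guide recommends, not a substitute for it.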

Do not let hackers connect your PC to a Monero mining botnet and leave you with the bill. By keeping a crypto-mining Trojan on your PC you will not earn the smallest fraction of a Monero coin, but the hackers will. To fix your PC's slowdowns and similar abnormal behavior, scan the system and remove XMRig as soon as possible.

Monero seekers employ multiple strategies to spread mining Trojans

By far the most common approach used to spread Monero and other cryptocurrency miners is freeware bundling. Hackers may append a crypto-miner to any random application distributed through both legitimate and illegal sources. Sometimes the anti-virus warns the user about an attempt to install a miner, but an outdated security tool might fail to recognize it.

You can also get infected with a high-performance Monero miner when visiting websites injected with malicious JavaScript code. Such websites may warn you about various system infections, errors, and risks of data leakage. Similar phishing scams may greet you with false claims that you are a lucky visitor and ask you to take part in a survey to claim valuable prizes. Do not fall for this trick. Once your web browser lands on a potentially harmful website, close the website or the browser and scan the system with anti-virus software.

Last but not least, this particular Monero miner can be injected into victims' PCs with the help of the Rig Exploit Kit campaign “Slots.” Rig EK misuses the HTTPS protocol to spread the Smoke Loader malware, which in turn delivers the XMR miner.

Learn how to get rid of XMRig CPU Miner from Windows easily

Manual XMRig removal is hardly possible. Although the malicious processes can be found in Task Manager, manually ending them will fail, or the processes will keep reactivating themselves.

Usually, crypto-mining malware keeps its files in the %Windows% or %appdata%\ directories. However, these directories contain a multitude of legitimate files that must not be removed. Thus, to save your time and prevent system damage, eliminate the XMRig miner with the help of Reimage or another security tool. If you cannot launch your anti-virus, here are the steps that you should follow:


To remove XMRig Miner, follow these steps:

Remove XMRig Miner using Safe Mode with Networking

If you cannot delete the CPU mining Trojan from your PC because it blocks your anti-virus, do not panic. Try booting the system into Safe Mode with Networking and running the security software in that safe environment.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove XMRig Miner

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the miner to complete XMRig Miner removal.

If the miner is blocking Safe Mode with Networking, try the next method.

Remove XMRig Miner using System Restore

If the previous method did not work, try the alternative method:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that is prior to the infiltration of XMRig Miner. After doing that, click Next.
    4. Now click Yes to start System Restore.
    Once you have restored your system to a previous date, download Reimage, scan your computer with it and make sure that XMRig Miner removal has been performed successfully.

Finally, you should always think about protection against crypto-miners and similar malware. To protect your computer from XMRig Miner and other threats, use reputable anti-spyware, such as Reimage, Malwarebytes, Combo Cleaner or Plumbytes Anti-Malware.

About the author

Lucia Danes - Virus researcher
