XMRig Miner Trojan - How to remove

XMRig (WaterMiner) Miner Trojan refers to a high performance Monero (XMR) miner with the official full Windows support. Currently, more and more miners are being created. One of the most recent ones is Crypto-Loot miner. The XMRig miner itself is created by respectable developers and people can start using it after obtaining the necessary binary and git tree from GitHub.

WaterMiner is a malware infection which functions as a modified version of a legitimate miner XMRig. These discoveries surfaced after a mod of a popular game of Grand Theft Auto (GTA) was noticed to include a miner (Modified video games on Russian forum tainted with WaterMiner crypto miner). The malware was allegedly implanted by a Russian hacker who distributed this creation in forums of his native language. The person responsible is presumably hiding behind a nickname of Martin Opc0d3r.

Legitimate and virus versions of XMRIG Miner

If you antivirus engine detects XMRig Miner virus it is important to decide if it is legitimate version or not.

The Monero is the currency that this miner mines. It is interesting because of 2 reasons. The first one is that it provides more anonymity than more popular Bitcoin or Ethereum. The second reason is that is can be mined on PC effectively and does not require investment in special hardware. This is very profitable if you don’t have to pay for electricity and hardware yourself, as the PC is owned by someone else like it is in cases of infection.

Basically, Antiviruses are lazy when talking about crypto mining. It is much simpler to detect various crypto algorithms, including XMRIG, than to detect malware that distributes them. And the code that mines Monero is the same in both.

Thus, If you computer is used for mining Monero, you can ignore your antivirus detection. However, if you don’t know what is crypto coin mining, you can be sure that your PC is infected and you should scan with antivirus.

XMRig Miner Trojan is more evasive and stealthy

The malicious XMRig Miner or WaterMiner are created so they would be more difficult to detect. The Trojan looks for running Windows Task Manager (or a similar service) which shows the current usage of CPU resources. The clever hacker designed this malware to shut down as soon as Task Manager is launched. Modification complicates the situation that infected users will find themselves in.

XMRig Miner Trojan

The appearance of XMRig Miner can be indicated as clear evidence that crypto-mining is becoming a topic that has to be discussed and learned. With this evasive Trojan, we are convinced that similar threats will be even more stealthy in the future. If users are not using specific AdBlockers or other tricks to prevent crypto-mining, their operating systems could become infected automatically (as soon as tainted websites are visited).

The XMRig Miner malware was transmitted via GTA mod called “Arbuz” which was shaped as a RAR archive file. It was available on a popular Russian service called Yandex.Disk. Once the rogue mod was downloaded, it functioned as a downloader for the actual WaterMiner Trojan.

This open source software can be utilized by almost anyone that wishes to mine cryptocurrencies through their computers. In some cases, website-owners implant codes of crypto-miners into their domains for the purpose of replacing annoying online adverts. Then, visitors’ CPU resources mine cryptocurrencies for website owners. CoinHive miner is also exploited by hackers that attempt to secretively spread mining-Trojans into operating systems and generate crypto-currencies without the computer owners’ permissions.

If your operating system is currently infected with a WaterMiner Trojan (#), the CPU processing power should reach very high percentage numbers.

XMRIG miner

Therefore, computer devices will function very slow, programs will take longer to launch and you will notice very frequent freezes. The miner should be delivered in a AudioHD.exe or Zmrig32.exe files which will mine crypto-currency of Monero while using the resources of the infected computers.

How is it possible to get rid of XMRig Miner Trojan?

You won’t be able to find out about the presence of WaterMiner by looking at the CPU resourcesr. Therefore, you have to look for possible indications. For instance, in Windows Registry you should find and remove Wise entry. In addition to this, please open Task Manager and look for processes like AudioHD.exe and other ones that might be related to XMRig. Winserv.exe process should also be concluded.

Prevention of malware

If you are worried about your operating system and would like to have it secured from crypto-miners, we would suggest you to use AdBlockers to prevent these Trojans from being automatically inserted into your operating system. To have the best security possible, we hope you will consider getting Spyhunter which will allow you to run regular scans and determine whether your OS is influenced by more than one malicious parasite. If you notice that your operating system is acting bizarre without any explanation, it would be best to check whether it has not become influenced by potentially unwanted programs (PUPs) or malware infections.

Update 2018.02.03

The increase of XMRig And related miner trojans was related to Google Chrome store infection with fake browser extensions that either had run mining in browser or tracked full user behavior on the sites. These extensions got removed on the end of this week from the chrome store but they might return again.

Automatic Malware removal tools

Download Spyhunter for Malware detection
(Win)

Note: Spyhunter trial provides detection of parasites and assists in their removal for free. limited trial available, Terms of use, Privacy Policy, Uninstall Instructions,

Download Combo Cleaner for Malware detection
(Mac)

Note: Combo Cleaner trial provides detection of parasites and assists in their removal for free. limited trial available, Terms of use, Privacy Policy, Uninstall Instructions, Refund Policy ,

Removal guides in other languages

Leave a Reply

Your email address will not be published. Required fields are marked *