Coin miner trojans. Horses that ride your back

A coin miner trojan is malicious software that exploits your computer’s hardware to mine cryptocurrencies. That process is extremely demanding on your CPU and GPU, so your system will likely become unusable. Coin miners are sometimes disguised as legitimate apps by taking their names in the Task Manager.

How does cryptocurrency mining work?

While the currency itself is protected by encryption, the transactions are processed and validated by people known as miners. Miners obtain the necessary data from transactions on the internet and use computing power to find new, unspent transactions. They combine that data into a “block” and use it to verify the first transaction. The verification process keeps a chain of blocks (the blockchain) in chronological order. It is those blocks that allow miners to find new transactions, which they then add to their chain and process for their own profit [1].

Image: a cryptocurrency mining farm. This is what a cryptomining farm looks like.

Note that although miners collect rewards (mined coins) for their work, very often they do so with the aim of making more money by selling those coins at a higher price on the various cryptocurrency exchanges.

Why does mining take so much PC power?

Cryptocurrency mining requires a lot of computing power because it relies on solving very complex mathematical equations in order to be rewarded with the mined coins. When a CPU or GPU is used to solve these equations, it also generates heat. That heat will eventually overwhelm the cooling system, rendering the PC or GPU unusable, or it will start damaging the motherboard.
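To make the “complex equations” concrete, here is a toy proof-of-work in PowerShell. It is an added example, not code from the article and not any real coin’s algorithm: the block header, the SHA-256 puzzle and the difficulty values are constructed for the demo. A miner has to keep hashing until it finds a nonce whose hash starts with enough zero bits; every extra bit of difficulty doubles the expected number of hashes, which is why the search pins every core at 100%, while checking someone else’s answer costs a single hash.

```powershell
# Added example (not from the article): toy proof-of-work to show why mining is CPU-bound.
# Block format, difficulty and nonce search are simplifications constructed for this demo.

function Get-LeadingZeroBits {
    param([byte[]]$Hash)
    $bits = 0
    foreach ($b in $Hash) {
        if ($b -eq 0) { $bits += 8; continue }
        $mask = 0x80
        while (($b -band $mask) -eq 0) { $bits++; $mask = $mask -shr 1 }
        break
    }
    return $bits
}

function Test-ProofOfWork {
    # Verification is cheap: one hash, no matter how long the search took
    param([string]$BlockData, [long]$Nonce, [int]$DifficultyBits)
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes("$BlockData|$Nonce"))
    return (Get-LeadingZeroBits $hash) -ge $DifficultyBits
}

function Find-ProofOfWork {
    # The miner's job: try nonces until the hash has $DifficultyBits leading zero bits
    param([string]$BlockData, [int]$DifficultyBits = 12)
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $sw    = [System.Diagnostics.Stopwatch]::StartNew()
    $nonce = 0L
    while ($true) {
        $hash = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes("$BlockData|$nonce"))
        if ((Get-LeadingZeroBits $hash) -ge $DifficultyBits) { break }
        $nonce++
    }
    $sw.Stop()
    [pscustomobject]@{
        DifficultyBits = $DifficultyBits
        Nonce          = $nonce
        HashesTried    = $nonce + 1
        ExpectedHashes = [math]::Pow(2, $DifficultyBits)   # average work grows as 2^bits
        Seconds        = [math]::Round($sw.Elapsed.TotalSeconds, 2)
        Hash           = -join ($hash | ForEach-Object { $_.ToString('x2') })
    }
}

# Constructed block header for the demo (not real transaction data)
$block = 'prev=0000abcd;txs=alice->bob:1.5,bob->carol:0.2'

# Each step of 4 bits makes the search about 16 times longer
foreach ($d in 8, 12, 16) { Find-ProofOfWork -BlockData $block -DifficultyBits $d }

# Anyone can confirm a found nonce with a single hash
$r = Find-ProofOfWork -BlockData $block -DifficultyBits 12
"Nonce $($r.Nonce) verified: $(Test-ProofOfWork -BlockData $block -Nonce $r.Nonce -DifficultyBits 12)"
```

The 16-bit run takes a few seconds in PowerShell; real networks demand on the order of 70 leading zero bits, which is the gap that dedicated mining farms exist to close.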

Image: a coin miner virus in the Task Manager, showing 100% CPU usage.

It’s not unusual for gamers to play over 100 hours a week on their PC, and you are probably not too surprised by how overworked their PCs are if you have seen them. Adding cryptocurrency mining will result in the same. By the time you sit down to your evening gaming session, your system will have already spent most of the day mining, drawing electricity and wearing down the CPU, GPU, and motherboard.
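The Task Manager screenshot above shows the symptom; the script below turns it into a repeatable check. It is an added example, not code from the article: it measures each process’s real CPU share over a short window (a miner keeps every core busy) and flags processes that borrow a Windows system-process name but run from outside the Windows folder, or that run from a user-writable folder, which is how the disguise mentioned at the start of the article usually looks on disk. The list of borrowed names, the folder list and the 50% threshold are assumptions chosen for this demo; treat the output as leads, not verdicts.

```powershell
# Added example (not from the article): heuristics for spotting a process that behaves
# like a coin miner. Process names, folders and the CPU threshold are assumptions.

# Names miners like to borrow; the real binaries live under $env:windir
$WindowsProcessNames = @('svchost.exe', 'csrss.exe', 'lsass.exe', 'winlogon.exe', 'services.exe',
                         'explorer.exe', 'dwm.exe', 'taskhostw.exe', 'conhost.exe', 'RuntimeBroker.exe')
# Folders a normal user can write to, a common drop location for trojans
$UserWritableRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:PUBLIC) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Get-CpuSnapshot {
    # PID -> total CPU milliseconds used so far; protected processes we cannot read are skipped
    $snap = @{}
    foreach ($p in Get-Process) {
        if ($p.Id -eq 0) { continue }   # System Idle Process would otherwise "use" all spare CPU
        try { $snap[$p.Id] = $p.TotalProcessorTime.TotalMilliseconds } catch { }
    }
    return $snap
}

function Get-PathReason {
    param([string]$Name, [string]$Path)
    if (-not $Path) { return $null }
    if (($WindowsProcessNames -contains $Name) -and ($Path -notlike "$env:windir\*")) {
        return "system process name but image outside $env:windir"
    }
    foreach ($root in $UserWritableRoots) {
        if ($Path -like "$root\*") { return "image in user-writable folder $root" }
    }
    return $null
}

function Get-SuspiciousProcess {
    param([int]$CpuThresholdPercent = 50, [int]$SampleSeconds = 5)
    # Two snapshots give real CPU use over the window, the same idea as Task Manager's column
    $before = Get-CpuSnapshot
    Start-Sleep -Seconds $SampleSeconds
    $after  = Get-CpuSnapshot
    # CPU time available to the whole machine in the window (ms), all cores together
    $budgetMs = $SampleSeconds * 1000.0 * [Environment]::ProcessorCount

    $findings = @()
    foreach ($p in Get-Process) {
        if (-not ($before.ContainsKey($p.Id) -and $after.ContainsKey($p.Id))) { continue }
        $cpuPct = [math]::Round(($after[$p.Id] - $before[$p.Id]) / $budgetMs * 100, 1)
        $path = $null
        try { $path = $p.Path } catch { }
        $name = "$($p.ProcessName).exe"

        $reasons = @()
        if ($cpuPct -ge $CpuThresholdPercent) { $reasons += "sustained CPU $cpuPct %" }
        $pathReason = Get-PathReason -Name $name -Path $path
        if ($pathReason) { $reasons += $pathReason }

        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{
                PID = $p.Id; Name = $name; CpuPercent = $cpuPct; Path = $path; Reasons = ($reasons -join '; ')
            }
        }
    }
    return $findings | Sort-Object CpuPercent -Descending
}

Get-SuspiciousProcess | Format-Table -AutoSize -Wrap
```

A legitimate game or video encoder will also show sustained CPU, so the path reasons matter more than the percentage alone: a “svchost.exe” living in AppData is the kind of hit worth acting on.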

How do fraudsters make money on coin miner trojans?

You have probably heard about cryptocurrency mining farms. They consist of tens or hundreds of systems with specific software on board. The configuration of these computers is also unusual: the main emphasis is on the GPU. Since solving the equations mentioned above is a pretty hard job that requires heavy multithreading, graphics cards are better than CPUs at it.

Cybercriminals who create and distribute coin miners act differently. They build their farm from “normal” computers that their owners keep using in the regular way. PCs infected with the coin miner virus are connected to a “mining farm” consisting of other infected computers. Because not every system has a dedicated GPU (especially laptops), mining on the infected system is conducted on the CPU [2]. Sure, that makes the process slower and adds the risk of receiving nothing because the equation was not solved in time. That is exactly why crooks prefer Monero and DarkCoin to Ethereum or Bitcoin: the former are simply easier to mine.

How did I get the coin miner virus on my computer?

Legitimate software that openly runs cryptocurrency mining alongside its main function would not count as an infection. Still, stay alert whenever you download a program: free software is one of the most beloved disguises for mining viruses. That is exactly why coin mining malware is classified as a trojan virus: it rarely acts without a disguise.

The trojans can modify a legitimate program so that it mines cryptocurrency without raising any suspicion. Sometimes the malware includes software designed to adjust your operating system’s clock, timing functions, and display settings to suit cryptocurrency mining. Over the last 6 months, there have been many cases of coin miner viruses embedded in browser extensions.

Image: correlation graph of Monero price and coin miner detections. The strict correlation between the Monero (XMR) price and the number of coin miner detections.

Be wary of any program that asks you to install update files or driver updates; it may well carry a coin miner on board. Banners on the Internet are also a hazard: it is very easy to embed a link that downloads a miner virus into one. Indeed, the extremely high activity of adware is one of the reasons why coin miners in browser plugins became so widespread. Such a virus is pretty hard to catch; fortunately, its removal is pretty easy. Your anti-malware software may also detect malware that is attempting to inject cryptocurrency miners into your system.

How to remove a coin miner from my PC?

A coin miner trojan makes a lot of changes to your operating system. Networking settings, power management configuration, user profile privileges: all of these are often touched by coin miners. Manually, you can only delete the virus itself. However, system recovery is not only about malware removal. To get your system really cleaned up, you need a proper anti-malware program. GridinSoft Anti-Malware is exactly the one that will both clean your system up and make it work well [3].
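Whatever tool does the cleanup, it helps to know where to look afterwards. The script below is an added example, not code from the article or from GridinSoft: it lists the autorun registry keys and non-Microsoft scheduled tasks a coin miner typically uses to come back after a reboot, marks entries whose command does not resolve into the Windows or Program Files folders, and prints the active power plan and its sleep timeout, one of the power settings a miner may change so the PC never stops working for it. The “trusted folder” heuristic is an assumption for this demo, not a rule.

```powershell
# Added example (not from the article): after removal, list common persistence spots and
# power settings a coin miner touches. Folder heuristic is an assumption for this demo.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties Get-ItemProperty adds for its own bookkeeping, not real autorun values
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-AutorunEntry {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($ProviderProps -contains $p.Name) { continue }
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
}

function Get-NonMicrosoftTask {
    # Tasks outside the \Microsoft\ tree and not authored by Microsoft
    Get-ScheduledTask |
        Where-Object { $_.TaskPath -notlike '\Microsoft\*' -and $_.Author -notlike 'Microsoft*' } |
        ForEach-Object {
            $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join ' ; '
            [pscustomobject]@{ Source = "Task $($_.TaskPath)$($_.TaskName)"; Name = $_.TaskName; Command = $actions }
        }
}

function Test-TrustedCommand {
    param([string]$Command)
    # Heuristic (assumption): commands pointing into Windows or Program Files are expected
    $trusted = @($env:windir, ${env:ProgramFiles}, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($root in $trusted) { if ($Command -like "*$root\*") { return $true } }
    return $false
}

function Get-PersistenceReport {
    $entries = @(Get-AutorunEntry) + @(Get-NonMicrosoftTask)
    $entries | ForEach-Object {
        $_ | Add-Member -NotePropertyName Trusted -NotePropertyValue (Test-TrustedCommand $_.Command) -PassThru
    } | Sort-Object Trusted   # untrusted (False) entries come first
}

Get-PersistenceReport | Format-Table Trusted, Name, Command, Source -AutoSize -Wrap

# Power settings: a miner may disable sleep so the PC keeps mining around the clock.
# A STANDBYIDLE value of 0 means "never sleep".
powercfg /getactivescheme
powercfg /query SCHEME_CURRENT SUB_SLEEP STANDBYIDLE
```

Run it once before cleanup and once after: entries that disappear were the miner’s; untrusted entries that remain deserve a closer look, and the sleep timeout can be restored with `powercfg /change standby-timeout-ac <minutes>` if it was zeroed.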

Nonetheless, any antivirus software will struggle to work properly while the CPU is overloaded. To let the security tool operate correctly, you need to reboot your system into Safe Mode with Networking. In this mode no startup apps launch in the background, and the coin miner virus is no exception.

Reboot your Windows in Safe Mode with Networking

Don’t be afraid of its name; it is just a specific Windows mode [4]. In this mode, your system does not launch its startup apps, nor the vast majority of services. Hence, the coin miner will not be able to stop your attempts to remove it. Press the Start button, then Power, and choose Restart while holding the Shift key on your keyboard. That will bring up the Troubleshooting mode.

Screenshot: rebooting the PC into Safe Mode.

After booting into the Troubleshooting screen, pick Troubleshoot -> Advanced options -> Startup Settings. There, press the key on your keyboard that corresponds to the number of the Safe Mode with Networking option. It differs from one Windows version to another, so I cannot predict which one it will be in your case.
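Because the key number in Startup Settings varies between Windows versions, the same reboot can be scripted instead. The functions below are an added example, not part of the article or of Microsoft’s guide: they set the boot loader’s safeboot flag with bcdedit (which must be run from an elevated PowerShell), restart, and after the reboot confirm from inside Windows that you really are in Safe Mode with Networking before starting the scan. The flag must be removed afterwards, or the PC will keep booting into Safe Mode.

```powershell
# Added example (not from the article): scripted Safe Mode with Networking, plus a check.
# Run from an elevated PowerShell; bcdedit needs administrator rights.

function Enter-SafeModeWithNetworking {
    # Make the next boot of the current OS entry a Safe Mode with Networking boot.
    # '{current}' is quoted because PowerShell would otherwise parse the braces as a script block.
    bcdedit /set '{current}' safeboot network | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'bcdedit failed: is this an elevated PowerShell?' }
    Restart-Computer -Force
}

function Exit-SafeMode {
    # Remove the flag again; without this the PC keeps booting into Safe Mode
    bcdedit /deletevalue '{current}' safeboot | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'bcdedit failed: is this an elevated PowerShell?' }
    Restart-Computer -Force
}

function Test-SafeModeWithNetworking {
    # Windows sets SAFEBOOT_OPTION only in Safe Mode ('Minimal' or 'Network');
    # Win32_ComputerSystem.BootupState reports 'Fail-safe with network boot' in the same case.
    $state = (Get-CimInstance Win32_ComputerSystem).BootupState
    [pscustomobject]@{
        SafeBootOption           = $env:SAFEBOOT_OPTION
        BootupState              = $state
        IsSafeModeWithNetworking = ($env:SAFEBOOT_OPTION -eq 'Network')
    }
}

# Before the reboot:   Enter-SafeModeWithNetworking
# After the reboot, confirm the mode, then run the scan:
Test-SafeModeWithNetworking
# When the cleanup is done:   Exit-SafeMode
```

The Shift + Restart route from the article reaches the same Startup Settings menu; `shutdown /r /o /t 0` from an elevated prompt does the same thing from the command line. Whichever way you get there, run Test-SafeModeWithNetworking once before the scan: if SafeBootOption is empty, you are still in a normal boot with the miner running.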

Screenshot: rebooting into Safe Mode with Networking.

Remove the coin miner virus with GridinSoft Anti-Malware

Now that the computer is running without any malware in the background, you are ready to download the removal tool. My choice for coin miner removal is GridinSoft Anti-Malware [5]. That anti-virus tool is able to deal with such malware in less than 10 minutes and recover the system elements that the malware changed during its activity.

Download and install GridinSoft Anti-Malware. After the installation, you can activate a free 6-day trial period, during which all functions of the licensed program are available to you. Specify your email and check it for the activation key.

Once you have activated the free trial, launch the Full scan. It will check every corner of your system, so the miner will not be able to hide.

Screenshot: scanning with GridinSoft Anti-Malware.

When the scan is finished, click the Clean Up button to remove the virus from your PC. It will take less than 10 seconds.

Screenshot: the Clean Now button in GridinSoft Anti-Malware.

[1] More detailed information about crypto mining and cryptocurrencies on Investopedia.
[2] Detailed information on how coin mining viruses exploit infected systems.
[3] Our review of GridinSoft Anti-Malware.
[4] Official Microsoft guide to booting into Safe Mode.
[5] Our review of GridinSoft Anti-Malware.