How to remove Miner malware


What is Miner virus

A miner is a program that performs the calculations used to generate bitcoins or other cryptocurrencies. The technology itself is legitimate. Scammers, however, do not run it on their own computers but on the workstations of unsuspecting users. Among all the varieties of malicious software, miner viruses are gaining popularity. Unlike other types of viruses, BitcoinMiner (also known as Bitcoin Mining or Miner) does not attempt to damage operating system files or take control of the system, and it is neither a file encryptor nor a trojan. A miner uses the victim's personal computer as a means of extracting cryptocurrency: the attackers obtain bitcoins through cryptographic calculations performed on the infected computers. Over time, viruses of this type have evolved considerably, and noticing their presence in the system is becoming harder and harder. In rare cases, the virus simply blocks access to the system and demands a ransom in bitcoins from the user, as happened at one of the medical centers in the US, where a miner virus blocked all of the institution's main computers. The processes of the virus's executable files are hidden in the system and have names similar to operating system processes, which makes them difficult to identify. Cases of infection are recorded around the world, including in Russia, where it reached about 25-30% of the country's users. However, leading anti-virus software companies, such as Kaspersky Lab, deny that this type of virus poses a significant threat.


The main feature of a miner is that it consumes system resources for its calculations. As a result, the computer's power consumption and heat output also grow, and the system is sometimes loaded to the maximum. Recent miners are programmed to limit their consumption of computer resources so that there is no noticeable drop in overall performance, or are built to use only the power of the video card. In either case, the presence of a miner can be spotted while the system is idle. You can check this in Task Manager on the Performance tab. It is better, however, to use Process Explorer, since many viruses can hide themselves when Task Manager starts. You can download Process Explorer from the official Microsoft website. The virus can also be scheduled to work at a certain time, when the user is away from the computer.


The current generation of miners is based on two types of viruses: Vnlgp Miner and CPU Miner, which are programmed to use the graphics processor of the video card and the CPU, respectively. In some cases they also include additional routines that allow the miner to download other types of viruses on its own.

Methods of infection with the miner virus

As in most other cases, a virus of this type is distributed through links and notifications that the user clicks inadvertently. All sorts of pop-up ads, unclear notices, and tempting offers of products or services can be the starting point of an infection. Another source of infection is repacked games or programs from little-known authors on torrent trackers.


There is also such a thing as a "zero-day vulnerability" ("0day" or "zero day"). This is a loophole in the operating system that the developers have not yet eliminated. Hackers constantly look for such loopholes, which allow them to embed malicious code while bypassing the firewall, antivirus software and other security systems. For example, some types of viruses are disguised as updates to Flash Player, operating system drivers, or the operating system itself. Operating system developers work constantly to find such vulnerabilities.


Quite unexpectedly, symptoms of a miner also appeared in the uTorrent torrent client, which recently started shipping with software called EpicScale. The developer claims that this application is associated with charity and is quite harmless. A detailed study showed that uTorrent began to consume much more system resources and to conduct suspicious activity in the background. Moreover, removing EpicScale completely is not simple: after uninstalling, some of the program's files still remain on the hard disk.

Symptoms of infection by Bitcoin Miner

Increased power consumption and performance degradation are not the only possible symptoms. Task Manager may also show processes such as sgminer.exe, SGM.exe, or Engine.exe that load the processor significantly. It is also worth checking for the folders Ethash, hodl, and ETH on the system drive under Users - AppData - Local. These folders can occupy more than one gigabyte when the miner is actively using the computer.

How to remove Miner virus

Powerful antispyware programs, such as Plumbytes Anti-Malware, Kaspersky Virus Removal Tool and SpyHunter, are no exception this time and will cope with the task perfectly. If you need to remove the malicious program manually, the following instructions will help. If you decide to use an antivirus utility, try any of the above.

Restore the system from the backups

The classic way of removing a virus, through the System Restore Center, can help in this case. Rolling back to the state that preceded the infection is highly applicable. All you need to do is open the System Recovery Center and select the desired restore point.

  • Click Start
  • Click Control Panel

  • Click System and Security

  • Select Backup and Restore

  • Select Restore files from backup
  • Select checkpoint to restore


Scan the system in the Safe mode

The next option is to remove the virus using third-party utilities in Safe Mode. To do this, boot into Safe Mode with network driver support. Once booted into this mode, start any browser and download an antivirus program. Then update the antivirus database and run the scan.

  • Press Start
  • Type Msconfig and press Enter

  • Select Boot tab

  • Select Safe boot and press Ok

More information about Safe mode: What is Safe Mode and how to boot computer in Safe Mode


Additional Removal Methods

In some cases it is also possible to delete the virus processes manually. Often these are AppDatabtc.exe and Systemminer.exe. Start with the registry: you can launch the Registry Editor from the command line by typing regedit.exe. Go to HKEY_CURRENT_USER - Software - Microsoft - Windows - CurrentVersion - Run and delete the value % AppData% btc.exe in the btc section, then delete the virus's executable files AppDatabtc.exe and Systemminer.exe. Before that, you need to show hidden files and folders by following these instructions:

  • Press Start
  • Click on Control Panel

  • Select Appearance and Personalization

  • Click on Folder Options
  • Select View tab
  • Select Show hidden files, folders and drives

  • Press Ok
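
The process names, AppData folders and Run-key entry named in this guide can be collected in one read-only pass before anything is deleted. The PowerShell script below is an added example, not part of the original article; its function names and the `btc\.exe|miner\.exe` match pattern are assumptions built from the file names the article gives.

```powershell
# Read-only triage for the indicators this article lists. Nothing is deleted.
# The names come from the article and are weak indicators on their own
# (Engine.exe, for instance, is a common name), so review each hit before acting.

$processNames = 'sgminer', 'SGM', 'Engine'      # Get-Process takes names without .exe
$folderNames  = 'Ethash', 'hodl', 'ETH'         # looked up under %LOCALAPPDATA%
$runKey       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runPattern   = 'btc\.exe|miner\.exe'           # assumption: covers the article's file names

function Get-MinerProcessHits {
    # CPU (seconds of processor time) helps separate a busy miner from a namesake
    Get-Process -Name $processNames -ErrorAction SilentlyContinue |
        Select-Object Name, Id, CPU, Path
}

function Get-MinerFolderHits {
    foreach ($name in $folderNames) {
        $path = Join-Path $env:LOCALAPPDATA $name
        if (Test-Path -LiteralPath $path) {
            # -Force includes hidden files, so Explorer settings do not matter here
            $bytes = (Get-ChildItem -LiteralPath $path -Recurse -File -Force -ErrorAction SilentlyContinue |
                      Measure-Object -Property Length -Sum).Sum
            [pscustomobject]@{ Path = $path; SizeMB = [math]::Round($bytes / 1MB, 1) }
        }
    }
}

function Get-MinerRunKeyHits {
    $key = Get-Item -LiteralPath $runKey -ErrorAction SilentlyContinue
    if (-not $key) { return }
    foreach ($valueName in $key.GetValueNames()) {
        $data = [string]$key.GetValue($valueName)
        # Flag the "btc" entry the article mentions, or any autorun pointing at the named files
        if ($valueName -eq 'btc' -or $data -match $runPattern) {
            [pscustomobject]@{ Key = $runKey; Name = $valueName; Data = $data }
        }
    }
}

'--- Processes ---'; Get-MinerProcessHits | Format-Table -AutoSize
'--- Folders ---';   Get-MinerFolderHits  | Format-Table -AutoSize
'--- Run key ---';   Get-MinerRunKeyHits  | Format-Table -AutoSize
```

An empty section means that indicator was not found for the current user; the Run key and AppData checks are per-user, so repeat them for each account on the machine.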


Online web miners

Miners do not exist only in the classic form of a program on the user's computer. Further development of this type of virus led to the appearance of a site that is a complete service for mining bitcoins directly through the browsers of its victims. Pop-up ads from Coin-hive are nothing more than JavaScript that is built into a site and acts as the link between the victim's computer and the miner site. Thus Coin-hive, having such scripts on websites, extracts cryptocurrency with the help of everyone who visits those sites. A striking example of such a scheme was the famous torrent tracker Pirate Bay, which, instead of earning on advertising, began to use this clever method of enrichment at the expense of others. The symptoms are the same: a drop in performance when you visit the site, excessive load on the processor, and pages that take a long time to open.

Scammers also often repackage the installers of well-known programs into their own installers. At first launch you are offered a "normal" installation or a manual installation. The first and seemingly innocuous "normal" option hides a hacker program or utility, and by simply selecting this option the user gives permission to install it.


Fortunately, you can now easily protect yourself from Coin-hive by installing the Adblock extension for your browser. It also never hurts to check for suspicious programs in the "Add or Remove Programs" section, and to check the browser's list of extensions for unnecessary and questionable ones. Typically, the extension or program associated with this malware has a similar name: Coin-hive. Anti-malware programs will also help find Coin-hive; SpyHunter will cope with it perfectly. You can read more about online scanners, and Coin-hive in particular, in this article: Coin hive removal.



As with most warnings about this virus, it pays to be careful about following unknown links and using questionable programs. An attractive advertisement or picture can conceal the danger of infection with very dangerous malicious programs. Be careful!




Written by KateRealta


