Removing the cryptocurrency mining malware
I once observed my CPU performing better when Task Manager or Resource Monitor was active. A discussion was started, and it was advised that the issue might stem from background processes. However, I remained concerned due to unusually high power usage. Someone recommended using Process Lasso, which confirmed the malware wasn’t detected or closing properly—something was consuming about 30% CPU in cmd.exe. HWiNFO and other tools displayed 32% CPU usage, with full utilization on the first ten cores of both processors. When I opened resmon or Task Manager, the load vanished instantly. Within ten seconds, the CPU returned to around 30%. I’ve tried Defender, Malwarebytes, Avast Free, Kaspersky, and Bitdefender—none found anything. Removing cmd.exe wouldn’t be feasible, as it’s essential for system functions. I’m considering a full Windows reinstall, but there are many drives and network shares involved. I can’t simply wipe everything off. Without any antivirus alerts, it seems the malware is quite stealthy. It appears this behavior spreads easily across devices on the same network. I’m at my limits—please offer guidance. Windows 10 x64, latest update needed.
You need a Sysrescuecd image, boot into Linux, then execute ClamAV and RKHunter. Install them if necessary. Verify their signature files before scanning. Stay offline after removing the malware, repeat on all other devices in your network. After clearing all traces, make it a routine to run these tools. [edit] RKHunter appears outdated; consider checking https://github.com/rfxn/linux-malware-detect. No guarantees provided!
Does it display the command-line parameters? That would essentially reveal its origin. As usual, I suggest using Autoruns to examine startup items.
It avoids showing up in process explorer and exits after opening. Further investigation suggests it matches the same malware found at the provided Microsoft link. Removing it using the suggested tools and creating a custom patch file are being considered.
I’d run a command to list processes since malware often exploits CMD. That way, it won’t terminate itself. You’ve already discovered the solution—great job!
I've tested several antivirus and antimalware solutions. Malwarebytes has been reliable for years, identifying crypto-mining threats on multiple machines, especially when other programs missed them. If you haven't tried it, give it a go. Otherwise, if it doesn’t detect anything, consider backing up important files and performing a clean install after wiping the drives to ensure complete removal.
So far, I think I've located the malware. I've been waiting a long time for the offline scan to complete before I can return to Windows and eliminate it.
The documents were hidden in C:/ProgramData/Coresys64, pretending to be ordinary Windows files. A tool named DoesNotBelong (Furtivex) relocated them to a quarantine folder under the root directory and let me remove all of them. This was the sole antivirus that successfully located and deleted the miner; none of the popular ones worked. It also scanned the registry and C: drive, removing unwanted items. I strongly suggest using it for anyone facing this problem in the future.
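An added defender-side example, not written by anyone in this thread, of the "list processes from a command rather than Task Manager" approach suggested above, applied to the location named in the last post: it parses an exported process list and flags cmd.exe acting as a launcher, binaries running from ProgramData, and Windows-named binaries living outside C:\Windows, then prints each hit's parent chain. The PowerShell export command is a real cmdlet; the sample rows, the directory list and the binary-name list are constructed assumptions.

```python
import csv
import io

# Constructed rows in the column layout of this PowerShell export (the cmdlet is
# real, the rows are invented; Coresys64 is the directory named in the thread):
#   Get-CimInstance Win32_Process | Select-Object ProcessId,ParentProcessId,Name,
#     ExecutablePath,CommandLine | Export-Csv -NoTypeInformation procs.csv
SAMPLE_CSV = r"""ProcessId,ParentProcessId,Name,ExecutablePath,CommandLine
4,0,System,,
812,4,explorer.exe,C:\Windows\explorer.exe,C:\Windows\Explorer.EXE
2240,812,cmd.exe,C:\Windows\System32\cmd.exe,"cmd.exe /c ""C:\ProgramData\Coresys64\svchost.exe"" --config C:\ProgramData\Coresys64\cfg.json"
3100,2240,svchost.exe,C:\ProgramData\Coresys64\svchost.exe,C:\ProgramData\Coresys64\svchost.exe --config C:\ProgramData\Coresys64\cfg.json
4020,812,cmd.exe,C:\Windows\System32\cmd.exe,C:\Windows\system32\cmd.exe
"""
# Assumed: user-writable data directories worth flagging, and Windows binary names malware borrows.
DATA_DIRS = ("c:\\programdata\\", "c:\\users\\public\\")
SYSTEM_NAMES = {"svchost.exe", "cmd.exe", "conhost.exe", "dllhost.exe", "explorer.exe"}

def load_processes(text):
    """Parse the exported CSV into {pid: row}, with pid/ppid converted to ints."""
    procs = {}
    for row in csv.DictReader(io.StringIO(text)):
        row["pid"], row["ppid"] = int(row["ProcessId"]), int(row["ParentProcessId"])
        procs[row["pid"]] = row
    return procs

def ancestry(procs, pid):
    """Process name followed by its parents' names; stops at an unknown parent or a cycle."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["Name"])
        pid = procs[pid]["ppid"]
    return chain

def find_suspicious(procs):
    """Return {pid: [reasons]} for processes matching the patterns described in the thread."""
    hits = {}
    for pid, p in procs.items():
        name, reasons = p["Name"].lower(), []
        path, cmd = (p["ExecutablePath"] or "").lower(), (p["CommandLine"] or "").lower()
        if path.startswith(DATA_DIRS):
            reasons.append("image runs from a user-writable data directory")
        if name in SYSTEM_NAMES and path and not path.startswith("c:\\windows\\"):
            reasons.append("Windows system binary name running outside C:\\Windows")
        if name == "cmd.exe" and any(d in cmd for d in DATA_DIRS):
            reasons.append("cmd.exe acting as launcher for a data-directory binary")
        if reasons:
            hits[pid] = reasons
    return hits
```

On a live machine, run the export from a scheduled task or a loop rather than interactively and feed the file to load_processes; print each hit alongside ancestry(procs, pid) to see which cmd.exe is the launcher.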