How to remove XMRig virus
Written by Tomas Meskauskas on (updated)
What is "XMRig"?
XMRig is a legitimate open-source application that allows utilization of system CPU resources to mine cryptocurrency. Cyber criminals often misuse these tools to generate revenue in malicious ways. Here, we look at malware that combines a backdoor-tool called EmPyre with XMRig and allows cyber criminals to exploit infected systems to mine cryptocurrency.
More about the malicious campaign
This malware claims to be Adobe Zii, a tool used to 'crack' Adobe software and bypass activation. Once opened, this malware executes a shell script designed to download another script written in the Python programming language. The Python script is named "sample.app" in an attempt to give the impression that it is the genuine Adobe Zii tool.
Once excecuted, "sample.app" performs a number of actions. Firstly, it checks whether the Little Snitch application (firewall) is installed. If so, the script terminates itself and the infection stops. If present, Little Snitch would block the connection of the first shell script and the "sample.app" would not have been downloaded in the first place.
Therefore, this check is somewhat redundant. Injection of the EmPyre backdoor follows - this allows execution of various commands remotely. Once the backdoor is opened, a command that downloads and runs XMRig miner is executed, however, this may not be the only problem you face.
As mentioned, EmPyre performs many actions on the infected system. Therefore, criminals might infiltrate other viruses into the system, thus putting your data and privacy at risk.
As mentioned above, XMRig employs system CPUs to mine cryptocurrency. This is essentially a process by which computers solve various mathematical problems. For each problem solved, a reward (a fraction of Monero coin) is given. The more powerful the hardware, the more revenue is generated.
Therefore, the mining process is costly, since powerful hardware is expensive. To address this, cyber criminals employ the computers of regular users. An average home computer is a bad choice for cryptomining, since the electricity cost is equivalent or higher than any revenue generated.
Nevertheless, when thousands of computers are connected free of charge, the income becomes high. Cryptomining poses risks and problems for regular users. It can utilize up to 100% of hardware resources, making the system virtually unusable or causing it to crash (which can lead to permanent data loss [due to unsaved documents, and so on]).
Furthermore, fully-loaded hardware generates excessive heat. Therefore, within certain circumstances (high room temperatures, bad cooling systems, etc.) the hardware might overheat, leading to significant financial loss. Furthermore, these actions are taken without users' consent and all revenue is received by cyber criminals, whilst victims receive nothing in return.
If you have recently tried to crack Adobe software using the Adobe Zii tool and have noticed a significant reduction in system performance, you should immediately scan it with a reputable anti-virus/anti-spyware suite and eliminate all detected threats.
We also strongly recommend that you never take part in software piracy, since, not only is this illegal, but you are also putting yourself at risk of various threats. Most "tools" that supposedly help to bypass software activation are malicious and harmful to the system - using them can lead to high-risk system infections and serious privacy issues.
Name | XMRig CPU Miner |
Threat Type | Mac malware, Mac virus |
Symptoms | Your Mac became slower than normal, you see unwanted pop-up ads, you get redirected to shady websites. |
Distribution methods | Deceptive pop-up ads, free software installers (bundling), fake flash player installers, torrent file downloads. |
Damage | Internet browsing tracking (potential privacy issues), displaying of unwanted ads, redirects to shady websites, loss of private information. |
Malware Removal (Mac) | To eliminate possible malware infections, scan your Mac with legitimate antivirus software. Our security researchers recommend using Combo Cleaner. |
Examples of other miners
There are many viruses that misuse the XMRig tool to mine cryptocurrency without users' consent. For example, KingMiner, Winstar, and so on. The developers are different and the viruses might also differ slightly differ, however, all have the same purpose and cause identical problems. Therefore, you should eliminate them immediately.
How did unwanted applications install on my computer?
As mentioned above, problems begin with malware that claims to be an Adobe Zii crack. Therefore, users who attempt software privacy are at risk of this system infection. Disguised malware opens a EmPyre backdoor, which is used to infiltrate XMRig into the system. Disguising viruses is a popular malware distribution method.
Cyber criminals often proliferate these disguised viruses using spam email campaigns and various unofficial software download sources. Spam campaigns deliver deceptive email messages encouraging users to open attachments that are presented as legitimate. In fact, once opened, these files (e.g., MS Office documents, PDF files, and similar) download and install malware.
Peer-to-peer (P2P) networks (e.g., torrents, eMule, etc.), freeware download websites, free file hosting sites, and similar third party download sources are used to present malicious programs as legitimate software. This often tricks users into downloading and installing malware. Lack of knowledge of these threats and careless behavior are the main reasons for computer infections.
How to avoid installation of unwanted applications?
Caution is the key to computer safety. Therefore, pay attention when browsing the internet and downloading/installing software. Think twice before opening email attachments. Files that seem irrelevant and those received from suspicious/unrecognizable email addresses should never be opened.
Furthermore, download software from official sources only, using direct download links. Third party downloaders/installers often include rogue apps, and thus these tools should never be used.
Have a reputable anti-virus/anti-spyware suite installed and running - these tools can detect and eliminate malware before it harms the system. If your computer is already infected with rogue apps, we recommend running a scan with Combo Cleaner Antivirus for macOS to automatically eliminate them.
Fake Adobe Zii tool downloading the malicious Python script:
Pop-up asking for permission to execute shell commands:
Malicious processes ("xmrig", "ScriptMonitor", "Adobe Zii") in Mac Activity Monitor:
Update 24 February 2023: Cybercriminals employ a malicious version of Final Cut Pro, which is spread via torrents to mine cryptocurrencies on compromised devices. Most antivirus software fails to detect this version.
Nevertheless, it is crucial to note that this malware cannot override the Gatekeeper safeguards. Therefore, it does not present an unrestricted hazard to macOS users.
Instant automatic Mac malware removal:
Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of Mac malware. Download it by clicking the button below:
▼ DOWNLOAD Combo Cleaner for Mac
By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Combo Cleaner. Limited seven days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.
Quick menu:
- What is "XMRig"?
- STEP 1. Remove PUA related files and folders from OSX.
- STEP 2. Remove rogue extensions from Safari.
- STEP 3. Remove rogue add-ons from Google Chrome.
- STEP 4. Remove potentially unwanted plug-ins from Mozilla Firefox.
Video showing how to remove XMRig virus using Combo Cleaner:
Potentially unwanted applications removal:
Remove potentially unwanted applications from your "Applications" folder:
Click the Finder icon. In the Finder window, select "Applications". In the applications folder, look for "MPlayerX","NicePlayer", or other suspicious applications and drag them to the Trash. After removing the potentially unwanted application(s) that cause online ads, scan your Mac for any remaining unwanted components.
Remove adware-related files and folders
Click the Finder icon, from the menu bar. Choose Go, and click Go to Folder...
Check for adware generated files in the /Library/LaunchAgents/ folder:
In the Go to Folder... bar, type: /Library/LaunchAgents/
In the "LaunchAgents" folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware - "installmac.AppRemoval.plist", "myppes.download.plist", "mykotlerino.ltvbit.plist", "kuklorest.update.plist", etc. Adware commonly installs several files with the exact same string.
Check for adware generated files in the ~/Library/Application Support/ folder:
In the Go to Folder... bar, type: ~/Library/Application Support/
In the "Application Support" folder, look for any recently-added suspicious folders. For example, "MplayerX" or "NicePlayer", and move these folders to the Trash.
Check for adware generated files in the ~/Library/LaunchAgents/ folder:
In the Go to Folder... bar, type: ~/Library/LaunchAgents/
In the "LaunchAgents" folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware - "installmac.AppRemoval.plist", "myppes.download.plist", "mykotlerino.ltvbit.plist", "kuklorest.update.plist", etc. Adware commonly installs several files with the exact same string.
Check for adware generated files in the /Library/LaunchDaemons/ folder:
In the "Go to Folder..." bar, type: /Library/LaunchDaemons/
In the "LaunchDaemons" folder, look for recently-added suspicious files. For example "com.aoudad.net-preferences.plist", "com.myppes.net-preferences.plist", "com.kuklorest.net-preferences.plist", "com.avickUpd.plist", etc., and move them to the Trash.
Scan your Mac with Combo Cleaner:
If you have followed all the steps correctly, your Mac should be clean of infections. To ensure your system is not infected, run a scan with Combo Cleaner Antivirus. Download it HERE. After downloading the file, double click combocleaner.dmg installer. In the opened window, drag and drop the Combo Cleaner icon on top of the Applications icon. Now open your launchpad and click on the Combo Cleaner icon. Wait until Combo Cleaner updates its virus definition database and click the "Start Combo Scan" button.
Combo Cleaner will scan your Mac for malware infections. If the antivirus scan displays "no threats found" - this means that you can continue with the removal guide; otherwise, it's recommended to remove any found infections before continuing.
After removing files and folders generated by the adware, continue to remove rogue extensions from your Internet browsers.
Remove malicious extensions from Internet browsers
Remove malicious Safari extensions:
Open the Safari browser, from the menu bar, select "Safari" and click "Preferences...".
In the preferences window, select "Extensions" and look for any recently-installed suspicious extensions. When located, click the "Uninstall" button next to it/them. Note that you can safely uninstall all extensions from your Safari browser - none are crucial for regular browser operation.
- If you continue to have problems with browser redirects and unwanted advertisements - Reset Safari.
Remove malicious extensions from Google Chrome:
Click the Chrome menu icon (at the top right corner of Google Chrome), select "More Tools" and click "Extensions". Locate all recently-installed suspicious extensions, select these entries and click "Remove".
- If you continue to have problems with browser redirects and unwanted advertisements - Reset Google Chrome.
Remove malicious extensions from Mozilla Firefox:
Click the Firefox menu (at the top right corner of the main window) and select "Add-ons and themes". Click "Extensions", in the opened window locate all recently-installed suspicious extensions, click on the three dots and then click "Remove".
- If you continue to have problems with browser redirects and unwanted advertisements - Reset Mozilla Firefox.
Frequently Asked Questions (FAQ)
My computer is infected with malware, should I format my storage device to get rid of it?
Formatting your storage device will erase all data, including the malware that may be present on your computer. However, formatting should not be the first step in removing malware from your computer. Install and run a reputable antivirus or anti-malware program to scan your system and remove the malware.
What are the biggest issues that malware can cause?
Malware can cause issues such as data theft, slow computer performance, identity theft, data, and monetary loss, system crashes, additional infections, and more.
What is the purpose of crypto-mining malware?
The purpose of crypto-mining malware is to use the processing power of infected computers or devices to mine cryptocurrency, such as Bitcoin, Ethereum, or Monero, without the user's knowledge or consent.
How did a malware infiltrate my computer?
Malware can infiltrate your computer in a variety of ways. Some common methods include email attachments, phishing scams, and downloading software or files from untrusted sources. Malware can also be spread through infected websites, social media, or instant messaging applications.
Will Combo Cleaner protect me from malware?
Combo Cleaner has the capability to detect and eliminate almost all known malware infections. However, it's important to note that sophisticated malware often hides deep within the system, so running a full system scan is necessary to ensure complete removal.
▼ Show Discussion