XMRig Virus (Mac)

Also Known As: XMRig CPU Miner
Type: Mac Virus
Distribution: Low
Damage level: Severe

How to remove "XMRig" from Mac?

What is "XMRig"?

XMRig is a legitimate open-source application that allows utilization of system CPU resources to mine cryptocurrency. Cyber criminals often misuse these tools to generate revenue in malicious ways. Here, we look at malware that combines a backdoor-tool called EmPyre with XMRig and allows cyber criminals to exploit infected systems to mine cryptocurrency.

Malicious Python script used to open EmPyre backdoor

This malware claims to be Adobe Zii, a tool used to 'crack' Adobe software and bypass activation. Once opened, this malware executes a shell script designed to download another script written in the Python programming language. The Python script is named "sample.app" in an attempt to give the impression that it is the genuine Adobe Zii tool. Once excecuted, "sample.app" performs a number of actions. Firstly, it checks whether the Little Snitch application (firewall) is installed. If so, the script terminates itself and the infection stops. If present, Little Snitch would block the connection of the first shell script and the "sample.app" would not have been downloaded in the first place. Therefore, this check is somewhat redundant. Injection of the EmPyre backdoor follows - this allows execution of various commands remotely. Once the backdoor is opened, a command that downloads and runs XMRig miner is executed, however, this may not be the only problem you face. As mentioned, EmPyre performs many actions on the infected system. Therefore, criminals might infiltrate other viruses into the system, thus putting your data and privacy at risk.

As mentioned above, XMRig employs system CPUs to mine cryptocurrency. This is essentially a process by which computers solve various mathematical problems. For each problem solved, a reward (a fraction of Monero coin) is given. The more powerful the hardware, the more revenue is generated. Therefore, the mining process is costly, since powerful hardware is expensive. To address this, cyber criminals employ the computers of regular users. An average home computer is a bad choice for cryptomining, since the electricity cost is equivalent or higher than any revenue generated. Nevertheless, when thousands of computers are connected free of charge, the income becomes high. Cryptomining poses risks and problems for regular users. It can utilize up to 100% of hardware resources, making the system virtually unusable or causing it to crash (which can lead to permanent data loss [due to unsaved documents, and so on]). Furthermore, fully-loaded hardware generates excessive heat. Therefore, within certain circumstances (high room temperatures, bad cooling systems, etc.) the hardware might overheat, leading to significant financial loss. Furthermore, these actions are taken without users' consent and all revenue is received by cyber criminals, whilst victims receive nothing in return. If you have recently tried to crack Adobe software using the Adobe Zii tool and have noticed a significant reduction in system performance, you should immediately scan it with a reputable anti-virus/anti-spyware suite and eliminate all detected threats. We also strongly recommend that you never take part in software piracy, since, not only is this illegal, but you are also putting yourself at risk of various threats. Most "tools" that supposedly help to bypass software activation are malicious and harmful to the system - using them can lead to high-risk system infections and serious privacy issues.

There are many viruses that misuse the XMRig tool to mine cryptocurrency without users' consent. For example, KingMiner, Winstar, and so on. The developers are different and the viruses might also differ slightly differ, however, all have the same purpose and cause identical problems. Therefore, you should eliminate them immediately.

How did potentially unwanted applications install on my computer?

As mentioned above, problems begin with malware that claims to be an Adobe Zii crack. Therefore, users who attempt software privacy are at risk of this system infection. Disguised malware opens a EmPyre backdoor, which is used to infiltrate XMRig into the system. Disguising viruses is a popular malware distribution method. Cyber criminals often proliferate these disguised viruses using spam email campaigns and various unofficial software download sources. Spam campaigns deliver deceptive email messages encouraging users to open attachments that are presented as legitimate. In fact, once opened, these files (e.g., MS Office documents, PDF files, and similar) download and install malware. Peer-to-peer (P2P) networks (e.g., torrents, eMule, etc.), freeware download websites, free file hosting sites, and similar third party download sources are used to present malicious programs as legitimate software. This often tricks users into downloading and installing malware. Lack of knowledge of these threats and careless behavior are the main reasons for computer infections.

How to avoid installation of potentially unwanted applications?

Caution is the key to computer safety. Therefore, pay attention when browsing the internet and downloading/installing software. Think twice before opening email attachments. Files that seem irrelevant and those received from suspicious/unrecognizable email addresses should never be opened. Furthermore, download software from official sources only, using direct download links. Third party downloaders/installers often include rogue apps, and thus these tools should never be used. Have a reputable anti-virus/anti-spyware suite installed and running - these tools can detect and eliminate malware before it harms the system. If your computer is already infected with PUAs, we recommend running a scan with Spyhunter for Windows to automatically eliminate them.

Fake Adobe Zii tool downloading the malicious Python script:

Fake Adobe Zii downloading python script

Pop-up asking for permission to execute shell commands:

Pop-up asking for a permission to execute shell commands

Malicious processes ("xmrig", "ScriptMonitor", "Adobe Zii") in Mac Activity Monitor:

XMRig miner processes in Activity Monitor

Instant automatic removal of XMRig CPU Miner: Manual threat removal might be a lengthy and complicated process that requires advanced computer skills. Spyhunter is a professional automatic malware removal tool that is recommended to get rid of XMRig CPU Miner. Download it by clicking the button below:
▼ DOWNLOAD Spyhunter By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. Free scanner checks if your computer is infected. To remove malware, you have to purchase the full version of Spyhunter.

Quick menu:

Video showing how to remove XMRig virus using Combo Cleaner:

Potentially unwanted applications removal:

Remove potentially unwanted applications from your "Applications" folder:

mac browser hijacker removal from applications folder

Click the Finder icon. In the Finder window, select "Applications". In the applications folder, look for "MPlayerX","NicePlayer", or other suspicious applications and drag them to the Trash. After removing the potentially unwanted application(s) that cause online ads, scan your Mac for any remaining unwanted components.

Remove xmrig cpu miner related files and folders:

Finder go to folder command

Click the Finder icon, from the menu bar. Choose Go, and click Go to Folder...

step1Check for adware-generated files in the /Library/LaunchAgents folder:

removing adware from launch agents folder step 1

In the Go to Folder... bar, type: /Library/LaunchAgents

removing adware from launch agents folder step 2
In the “LaunchAgents” folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware - “installmac.AppRemoval.plist”, “myppes.download.plist”, “mykotlerino.ltvbit.plist”, “kuklorest.update.plist”, etc. Adware commonly installs several files with the same string.

step2Check for adware generated files in the /Library/Application Support folder:

removing adware from application support folder step 1

In the Go to Folder... bar, type: /Library/Application Support

removing adware from application support folder step 2
In the “Application Support” folder, look for any recently-added suspicious folders. For example, “MplayerX” or “NicePlayer”, and move these folders to the Trash.

step3Check for adware-generated files in the ~/Library/LaunchAgents folder:

removing adware from ~launch agents folder step 1


In the Go to Folder bar, type: ~/Library/LaunchAgents

removing adware from ~launch agents folder step 2

In the “LaunchAgents” folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware - “installmac.AppRemoval.plist”, “myppes.download.plist”, “mykotlerino.ltvbit.plist”, “kuklorest.update.plist”, etc. Adware commonly installs several files with the same string.

step4Check for adware-generated files in the /Library/LaunchDaemons folder:

removing adware from launch daemons folder step 1
In the Go to Folder... bar, type: /Library/LaunchDaemons

removing adware from launch daemons folder step 2
In the “LaunchDaemons” folder, look for recently-added suspicious files. For example “com.aoudad.net-preferences.plist”, “com.myppes.net-preferences.plist”, "com.kuklorest.net-preferences.plist”, “com.avickUpd.plist”, etc., and move them to the Trash.

step 5 Scan your Mac with Combo Cleaner:

If you have followed all the steps in the correct order you Mac should be clean of infections. To be sure your system is not infected run a scan with Combo Cleaner Antivirus. Download it HERE. After downloading the file double click combocleaner.dmg installer, in the opened window drag and drop Combo Cleaner icon on top of the Applications icon. Now open your launchpad and click on the Combo Cleaner icon. Wait until Combo Cleaner updates it's virus definition database and click "Start Combo Scan" button.

scan-with-combo-cleaner-1

Combo Cleaner will scan your Mac for malware infections. If the antivirus scan displays "no threats found" - this means that you can continue with the removal guide, otherwise it's recommended to remove any found infections before continuing.

scan-with-combo-cleaner-2

After removing files and folders generated by the adware, continue to remove rogue extensions from your Internet browsers.

XMRig CPU Miner removal from Internet browsers:

safari browser iconRemove malicious extensions from Safari:

Remove xmrig cpu miner related Safari extensions:

safari browser preferences

Open Safari browser, from the menu bar, select "Safari" and click "Preferences...".

safari extensions window

In the preferences window, select "Extensions" and look for any recently-installed suspicious extensions. When located, click the "Uninstall" button next to it/them. Note that you can safely uninstall all extensions from your Safari browser - none are crucial for normal browser operation.

  • If you continue to have problems with browser redirects and unwanted advertisements - Reset Safari.

firefox browser iconRemove malicious plug-ins from Mozilla Firefox:

Remove xmrig cpu miner related Mozilla Firefox add-ons:

accessing mozilla firefox add-ons

Open your Mozilla Firefox browser. At the top right corner of the screen, click the "Open Menu" (three horizontal lines) button. From the opened menu, choose "Add-ons".

removing malicious add-ons from mozilla firefox

Choose the "Extensions" tab and look for any recently-installed suspicious add-ons. When located, click the "Remove" button next to it/them. Note that you can safely uninstall all extensions from your Mozilla Firefox browser - none are crucial for normal browser operation.

  • If you continue to have problems with browser redirects and unwanted advertisements - Reset Mozilla Firefox.

chrome-browser-iconRemove malicious extensions from Google Chrome:

Remove xmrig cpu miner related Google Chrome add-ons:

removing malicious google chrome extensions step 1

Open Google Chrome and click the "Chrome menu" (three horizontal lines) button located in the top-right corner of the browser window. From the drop-down menu, choose "More Tools" and select "Extensions".

removing malicious Google Chrome extensions step 2

In the "Extensions" window, look for any recently-installed suspicious add-ons. When located, click the "Trash" button next to it/them. Note that you can safely uninstall all extensions from your Google Chrome browser - none are crucial for normal browser operation.

  • If you continue to have problems with browser redirects and unwanted advertisements - Reset Google Chrome.