SicurezzaVirus news

Remove the Cortana.exe Miner Trojan

The Cortana.exe Miner is a Trojan that uses your computer to mine for the Monero digital currency without your permission. It is not known how this particular miner Trojan is being installed, but it could be through adware bundles or other malware that downloads and installs other malware onto a computer.

When installed, the C:\Windows\servicing\chksum.exe file will be created and configured to start automatically when you login to Windows. Once launched, it will execute a PoweShell command that launches the C:\Windows\servicing\wsus.exe malware program and then continuously checks to see if the C:\Windows\servicing\starter.exe program is running. If it is not running, it will automatically start the infection as shown below.

Launch Starter.exe

The starter.exe program will then issue another PowerShell command that launches the Cortana.exe executable, which performs the actual mining of the Monero currency.

Launch Miner

The Cortana.exe miner is actually renamed XMRig executable that when started will use the mining pool at and use all of the available CPU power of the computer to mine for Monero. You can see this miner utilizing an infected computer’s CPU below.

  • Cortana.exe Miner running in Task Manager

What is particularly worrisome about this infection is that it will use the entire CPU’s processing power indefinitely. This will cause your CPU to run at very hot temperatures for extended periods of time, which could shorten the life of the CPU.

As there is no outward indication that the program is running, here is a list of symptoms that a user can use to determine if they are infected with the Cortana.exe Miner:

  • You will see the Cortana.exe process with the description Cortana Runtime using 90% or more of the CPU.
  • You will see other processes running called Starter.exe, Chksum.exe, Skype.exe, or wsus.exe running.
  • You will see PowerShell processes running in Task Manager.
  • Programs don’t launch as quickly.
  • General slowness when using the computer.

How was the Cortana.exe Miner installed on a Computer?

It is not currently known how the Cortana.exe Miner package is installed on a computer, but it could be through of malware downloading Trojans or adware bundles. If it installed by adware bundles it is important that you pay close attention to license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed. Furthermore, If the license agreement or installation screens state that they are going to install a toolbar or other unwanted adware, it is advised that you immediately cancel the install and not use the free software.

As you can see, this miner steals your computer’s CPU resources and your electricity and profits from it by mining cryptocurrency. In order to make a computer operate normally again and protect the computer’s hardware, you should use the guide below to remove this Trojan for free.

Your computer should now be free of the Cortana.exe Miner Trojan program. If your current security solution allowed this program on your computer, you may want to consider purchasing the full-featured version of Malwarebytes Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below: