
How to remove the Anubis "Exploit" (Monero Miner)

Posts: 149

Threads: 17

Joined: Jul, 2020

Reputation: 9

Posted

Since everyone mistakes Anubis for a "Bitcoin Miner", I'll state that it mines Monero, not Bitcoin. I reversed this program entirely with one of the other Shadow developers to ensure everything was accurate and removes this program entirely. There were threads explaining to just remove "Service.exe" from "Run", which is definitely a good start and it's included in this thread, but it also runs a driver for some of those running the program.

So here are the informative steps on how to remove this exploit Monero miner. It's very simple and shouldn't take much time at all for any of those who know how to use a computer very well.

- Removing the Registry Value(s) stored from Anubis.

1) Open the "Registry Editor": just type "regedit" in your Windows search bar and it'll pop up.

2) Go to Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and delete the file referencing "Service.exe". Make sure the file leads to "%AppData%\Roaming" before deleting it.

Now since you disabled Anubis from starting up, you should go to your %AppData% folder to delete the stored files and drivers.

- Removing the Executable and (potentially) Driver.

1) Type "run" in your Windows search bar and open the application, then enter "%appdata%" and press the "ok" button. It'll take you to Roaming. You should see the file here; it will be called "Service.exe" or "tempfile.exe". Remove either of these.

(Warning: Only do this if you have a folder called "WinCFG" in your folder that wasn't there before.)

2) Download the file "Process Hacker" on the internet. Once installed and run, go to "Services" and search for "WR64" or "WR64.sys" and disable and delete this. It's a driver that is run in the Monero miner.

3) Once disabled and deleted, go back to your "AppData" folder and delete the "WinCFG" folder.

And now you've successfully removed this disgusting malware from your machine completely. I might make a program to automate this entire process if anyone who ran it can't figure out how to do it via this explanation.

  • 0
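A read-only PowerShell check for the artifacts listed in the post above, added here as an example; it is not part of the original thread or the poster's own tooling. It reports what it finds and deletes nothing. The Run key, file, folder and driver names come from the post, while the variable names and output layout are assumptions.

```powershell
# Read-only audit for the artifacts named in the post. Reports only; deletes nothing.
$appData  = $env:APPDATA      # C:\Users\<user>\AppData\Roaming
$findings = @()

# Run-key values that reference Service.exe under the roaming profile
$runKey = Get-Item -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($runKey) {
    foreach ($name in $runKey.GetValueNames()) {
        $data = [string]$runKey.GetValue($name)
        $inAppData = $data.IndexOf($appData, [StringComparison]::OrdinalIgnoreCase) -ge 0
        if ($data -match 'Service\.exe' -and $inAppData) {
            $findings += [pscustomobject]@{ Type = 'Run value'; Item = $name; Detail = $data }
        }
    }
}

# Executables the post names, directly under %AppData%
foreach ($file in 'Service.exe', 'tempfile.exe') {
    $path = Join-Path $appData $file
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        # Hash may be empty if the file is locked by a running process
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        $findings += [pscustomobject]@{ Type = 'File'; Item = $path; Detail = "SHA256 $hash" }
    }
}

# WinCFG folder: the post says to touch the driver only if this folder is present
$cfg = Join-Path $appData 'WinCFG'
if (Test-Path -LiteralPath $cfg -PathType Container) {
    $findings += [pscustomobject]@{ Type = 'Folder'; Item = $cfg; Detail = 'present' }
}

# Kernel driver service whose name starts with WR64 (covers "WR64" and "WR64.sys")
$drivers = @(Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name LIKE 'WR64%'" -ErrorAction SilentlyContinue)
foreach ($d in $drivers) {
    $detail = "State=$($d.State); StartMode=$($d.StartMode); Path=$($d.PathName)"
    $findings += [pscustomobject]@{ Type = 'Driver'; Item = $d.Name; Detail = $detail }
}

if ($findings.Count -eq 0) {
    'No artifacts named in the post were found for this user.'
} else {
    $findings | Format-List
}
```

Run it as the affected user, since both the Run key and %AppData% are per-user locations.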

Posts: 19

Threads: 2

Joined: Feb, 2021

Reputation: 0

Replied

yessssssssirr <3

  • 0

Discord : Fadh#1107

Youtube : Fadh

Learning : C# & Lua

TaxiDriver08

JustMarie

Posts: 1547

Threads: 39

Joined: Dec, 2020

Reputation: 6

Replied

this is why you use trusted exploits like shadow, coco z, krnl and oxygen u

  • 0

JustMarie#0709

 

Posts: 71

Threads: 6

Joined: May, 2019

Reputation: 1

Replied

Thanks Reversed, very cool

  • 0

i own SynX & NoobHaxx(let's commit crash on print)

i do very basic C# trying to learn tho

also do some html ig

Unidentified

nobody do wut i do

Posts: 384

Threads: 11

Joined: Feb, 2021

Reputation: 2

Replied

Good Release. I don't understand kids that mine Monero is worth nothing

  • 0

Learning C++, C#, JavaScript Developer

I develop random stuff

Discord: Unidentified#1091

eb_

Formally known as Shade

vip

Posts: 1045

Threads: 4

Joined: Jun, 2020

Reputation: 47

Replied

Vouch and this will help many users.

  • 0

https://media.discordapp.net/attachments/1010636204225601659/1012865624797610044/sKQybOLT.gif
