ComboJack Cryptojacker Removal Guide

Do you know what ComboJack Cryptojacker is?

If the devious ComboJack Cryptojacker finds its way into your operating system, it will lurk silently in the shadows and wait for you to copy anything to the clipboard. Although the infection is not known to record passwords or other sensitive information, we cannot guarantee that it will not be used to collect such data in the future. Right now, this malware focuses on crypto-currency and digital currency wallet addresses. Since they are usually incredibly long and complex – made up of random characters – it is much easier for users to copy and paste them whenever they need to. Unfortunately, cyber criminals have found a way to use this against users. Whenever a wallet address appears in the clipboard, it is automatically switched to the wallet address of the cyber criminals. If you do not notice the deception right away, you might end up transferring large sums of money to cyber crooks without even meaning to. Needless to say, you want to delete ComboJack Cryptojacker in time. Better yet, you want to make sure that it does not slither in at all.

Did you recently receive a strange email message informing you that someone had forgotten their passport at the office and that you need to confirm who it belongs to? In this scenario – and various others could exist – you might be tricked into opening a file named “passport.pdf.” The file, of course, is bogus, and it is simply meant to push you into downloading a malicious RTF file with an embedded HTA file without realizing it. If you are tricked into doing that, PowerShell is used to download ComboJack Cryptojacker onto the computer. Our analysis has shown that the infection is placed in the %TEMP% or %ALLUSERSPROFILE% (alternatively, %ALLUSERSPROFILE%\Application Data\) directory, inside an NVIDIA folder, as NVDisplay.Container.exe. Needless to say, you want to remove this file. If you do not, it checks the clipboard every half second to make sure that it does not miss a wallet address. ComboJack Cryptojacking malware is capable of replacing wallet addresses of the Bitcoin, Monero, Ethereum, Litecoin, Qiwi, WebMoney, and Yandex Money systems. WebMoney and Yandex Money are digital payment systems that are popular in the US and Russia, while the rest are crypto-currency systems.

ComboJack Cryptojacker is very similar to another crypto-jacker, CryptoShuffler, which our research team is also looking into. So far, it is known that this malware uses the same technique to redirect crypto-currency payments by modifying addresses in the clipboard. Once the wallet address is switched, the victim pastes the wrong one, and if the transaction is completed, the money is lost for good. It is not known if the creator of this malware uses spam emails to spread it, but it is likely to rely on an existing Windows vulnerability. The one exploited by ComboJack is known as CVE-2017-8579. This vulnerability has been patched by Microsoft, which means that the infection can slither only into those systems that have not been updated in time. Needless to say, this is a reminder of just how important it is to install security updates as soon as they roll out.
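As an added illustration (not code from the original article or from any vendor), the following Python sketches how a defensive clipboard watchdog could recognise the swap described in the two paragraphs above: it compares what the user copied with what the clipboard holds just before pasting. The wallet-family patterns are format-only assumptions made for this example (they check prefix, alphabet and length, not checksums), and the sample addresses are constructed strings, not real wallets.

```python
import re
from typing import Dict, Optional

# Format-only patterns for several of the wallet families the article names.
# These are simplified assumptions for this example: they check the shape of
# an address (prefix, alphabet, length), not checksums, so a constructed
# string of the right shape is recognised as belonging to that family.
WALLET_PATTERNS = {
    "bitcoin":      re.compile(r"(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})"),
    "ethereum":     re.compile(r"0x[0-9a-fA-F]{40}"),
    "monero":       re.compile(r"4[0-9AB][a-km-zA-HJ-NP-Z1-9]{93}"),
    "litecoin":     re.compile(r"(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[a-z0-9]{39,59})"),
    "webmoney":     re.compile(r"[BDEGKRUXZ]\d{12}"),
    "yandex_money": re.compile(r"4100\d{7,12}"),
}


def classify_wallet(text: str) -> Optional[str]:
    """Return the wallet family a clipboard string looks like, or None."""
    candidate = text.strip()
    for family, pattern in WALLET_PATTERNS.items():
        if pattern.fullmatch(candidate):
            return family
    return None


def check_swap(copied: str, clipboard_now: str) -> Optional[Dict[str, object]]:
    """Compare what the user copied with what the clipboard holds at paste time.

    ComboJack polls the clipboard twice a second and overwrites a recognised
    address with one of its own, so the content at paste time no longer matches
    what the user copied. A swap that keeps the same wallet family is the
    dangerous case: the pasted address still looks plausible to the user.
    Returns a finding when a wallet address was replaced, otherwise None.
    """
    before = classify_wallet(copied)
    if before is None or copied.strip() == clipboard_now.strip():
        return None  # not a wallet address, or clipboard untouched
    return {
        "family": before,
        "expected": copied.strip(),
        "observed": clipboard_now.strip(),
        "same_family": classify_wallet(clipboard_now) == before,
    }


if __name__ == "__main__":
    # Constructed sample addresses: base58-shaped strings, not real wallets.
    copied = "1DefenderCopyTestAddr9uHkVxs2PqRzmn"
    swapped = "1SwappedTestAddrNotYoursXyz7Qzx8mK"
    print(check_swap(copied, swapped))   # same-family swap: reported
    print(check_swap(copied, copied))    # untouched: None
```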

Have you installed all necessary updates? If you have, you should remove ComboJack Cryptojacking malware next. Even though it is possible to erase this infection manually, all victims are advised to install security software. If anti-malware software is installed to protect your operating system, it will automatically delete the crypto-jacker, and you will not need to worry about other malicious infections either. Of course, you still need to avoid spam emails, scams, unreliable downloaders, and other tools that cyber criminals could use to drop malware onto your PC.

Delete ComboJack Cryptojacker

  1. Simultaneously tap Win+E to launch Windows Explorer.
  2. Enter these directories into the bar at the top one by one to check for NVDisplay.Container.exe (if the file is found, right-click it and choose Delete):
    • %TEMP%
    • %ALLUSERSPROFILE%\NVIDIA\
    • %ALLUSERSPROFILE%\Application Data\NVIDIA\
  3. Empty the Recycle Bin and then use a malware scanner once more to inspect the system for leftovers.

In non-techie terms:

The malicious ComboJack Cryptojacker can invade systems that do not have the latest security updates installed. If vulnerabilities exist, malicious files sent using spam emails could be used to drop the infection onto the computer. Once executed, it monitors the clipboard to check when crypto-currency and digital payment wallet addresses are placed in it. If a compatible address is found, the infection immediately replaces it with one of its own so that the user makes a payment to the wrong wallet. This could be very lucrative for cyber criminals, and so users need to protect their systems against this kind of malware. It is essential to install all security updates and a security tool to guard the system against malware. If the infection already exists on your system, you need to decide how you want to remove ComboJack Cryptojacker. If you wish to do it manually, check out the guide above, but if you will install anti-malware software for protection, you might as well use it to erase the existing malware too.