SafeZone - Free Help Forum
This is a simplified, author's version of an article located on the forum.
How to Remove a Miner Disguised as Realtek HD: Malware Overview and Removal Guide
Introduction
A miner is a program that uses a computer's resources to mine cryptocurrency and is often installed as malware without the user's knowledge. It can cause serious damage to the system due to overheating of components, reduce its performance, and increase power consumption.
Description of Malware
The malware consists of a set of logically related files. It makes little effort to hide itself in the system, relying instead on aggressive methods of embedding itself and resisting removal.
Infection Paths
Installation of software, games, activators and free programs downloaded from unreliable sources. The most "beloved" distribution channel is warez and unlicensed games. There have been incidents where the miner was distributed through Fitgirl repacks and/or on well-known torrent trackers. In general, it's a lottery for fans of "free software."
- Disguise: uses files named taskhost.exe and taskhostw.exe, which match the names of legitimate Windows files but are located in other folders.
- Uses a process named Realtek HD, an attempt to hide behind Realtek High Definition Audio, the official free driver package for correct audio playback on Microsoft Windows.
Common Symptoms
- Blocks access to some sites by adding entries to the hosts file that redirect requests for those sites to a nonexistent IP address. The list consists mainly of sites that can help with removing this malware. This is not the only method used to block links. Typical signs: some pages do not open, or the browser closes when you click a link.
- Creates specially configured folders whose names are used by some antivirus and utility programs, and by other software (including competing malware), for their operation.
- Attempts to block Windows Defender by adding registry entries intended to disable the antivirus, and adds the malware's own files to the antivirus exclusion list.
- Uses OS functionality (the DisallowRun policy) to block the launch of programs by filename.
- Applies (if the OS edition allows) AppLocker policies to restrict the execution of certain applications by path or hash.
- Creates a user account named John with administrator rights on the victim's computer, which can be used for remote access to the system.
- Sends detailed data about the victim's computer, including its location (by IP), to the attacker's server.
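The hosts-file symptom above can be checked without any special tool. The following is an added example (not code from the forum article or from AV block remover) that parses hosts-file text, skips the normal localhost entries, and flags every other name that is sinkholed to a loopback, unspecified or reserved address, marking those that look like security-vendor or help-forum domains. The sample hosts content and the keyword list are constructed assumptions.

```python
import ipaddress

# Constructed sample hosts file content (not taken from a real infection);
# the domains are placeholders in the reserved .test TLD.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0   www.example-antivirus.test
0.0.0.0   forum.example-helpsite.test   # constructed entry
127.0.0.1 download.example-scanner.test
192.168.50.10   intranet.example.test
"""

# Keywords typical of security-vendor / help-forum hostnames (assumption:
# extend this list with the vendors and forums relevant to you).
SECURITY_KEYWORDS = ("antivirus", "virus", "malware", "scanner",
                     "helpsite", "safezone", "defender")

def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        if not line:
            continue
        parts = line.split()                  # ip followed by one or more names
        for name in parts[1:]:
            entries.append((parts[0], name.lower()))
    return entries

def is_sinkhole(ip):
    """True if the target address cannot reach a real host (loopback, 0.0.0.0, reserved)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparseable target: treat as suspicious
    return addr.is_loopback or addr.is_unspecified or addr.is_reserved

def suspicious_entries(text):
    """Flag sinkholed non-localhost names; mark the security-related ones."""
    findings = []
    for ip, name in parse_hosts(text):
        if name in ("localhost", "localhost.localdomain"):
            continue  # the only entries a clean Windows hosts file normally has
        if is_sinkhole(ip):
            related = any(k in name for k in SECURITY_KEYWORDS)
            findings.append({"ip": ip, "host": name, "security_related": related})
    return findings
```

On a real system, read C:\Windows\System32\drivers\etc\hosts into `text` and review every flagged line; the private-address intranet entry in the sample is deliberately left unflagged because it is a legitimate use of the file.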
Removing the Miner and Restoring Computer Functionality
If you want to remove this malware and restore your computer's functionality, you can use the specially prepared AV block remover utility. This utility automatically finds and removes files and registry entries associated with this malware.
Description of the AV block remover Utility
AV block remover (AVbr) is a script based on the AVZ antivirus utility that removes a miner which blocks the installation and operation of antivirus software and access to antivirus sites. The script was created to remove this specific miner and is updated daily.
Features of AV block remover
- Removal of files and tasks created by the miner.
- Removing restrictions on running files and blocking websites.
- Restoring the functionality of antivirus products if available.
- Restoring damaged or deleted system settings, including recreating the miner-removed "Volume Shadow Copy Service (Microsoft)" service.
Instructions for Using AV block remover
- Download the utility archive from one of these links: AV block remover or from a mirror.
- Extract the archive to any folder on your computer (the executable file should be in a subfolder with a random name, not on the desktop or in the Downloads folder).
- Rename the AVBR.exe file (for example, to AV_b_r.exe) or use the version with a random filename.
- Run the renamed file as an administrator.
- Wait for the utility to finish; the computer will be automatically restarted.
- In the utility folder, a file named AV_block_remove_date-time.log will be created. If you seek help on the forum, attach it to your post.
After the restart, the blocking of antivirus programs should be gone. You can check this by trying to run any antivirus program or scanner.
Since the malware author actively monitors malware-removal forums and keeps changing their product, we cannot guarantee 100% successful removal. If the symptoms persist (or even if they are gone), we recommend seeking help in the malware removal section of the forum. Don't forget to prepare a log archive for system analysis and attach the AV_block_remove_date-time.log file (or files, if there were multiple runs).