MSASCui.exe Monero Miner Virus – How to Detect and Remove It


This article explains what the MSASCui.exe process is, how to detect the MSASCui.exe miner malware and how to completely remove it from your computer system.

New miner malware that uses the same name as the original Microsoft Security process MSASCui.exe has been detected conducting cryptocurrency mining on victims' computers. The malware primarily uses the video card of the computers it infects to mine the cryptocurrency Monero, but it may also raise the usage of your CPU. All of these activities may result in your computer becoming slow, misbehaving and displaying error messages. If you have the MSASCui.exe process and it is not running under the legitimate administrative accounts, like SYSTEM or LOCAL SERVICE, you should read this article to learn how to detect and remove the MSASCui.exe miner malware from your computer.

Threat Summary

Type: CryptoCurrency Miner
Short Description: Runs a fake Windows Defender process, called MSASCui.exe, in the background of your computer, which begins to mine for anonymous cryptocurrencies.
Symptoms: Slow performance of your computer plus different types of system freezes and insufficient processing memory errors. The cooling fan(s) of your GPU may run at maximum speed.
Distribution Method: Via fake executables or malicious web links spreading infection files.

MSASCui.exe Miner – How Does It Infect Computers

In order for the MSASCui.exe malware to slip past the protection of your computer, it may use various tools that conceal it from conventional antivirus protection. These are often:

  • Malware obfuscation software.
  • Malicious injectors.
  • Trojan.Injectors, Downloaders or Droppers.
  • Malicious macros.
  • The infection file archived in order to obfuscate it.

In addition to software methods, the hackers behind the fake MSASCui.exe process malware may also rely on deception, such as masking the executable as a legitimate file, for example a fake:

  • Setup of software or games.
  • Keygen (Key generator).
  • License activation software.
  • Applications for activating games (crackfixes).
  • Offline patches or updates for software or games.

But this is just the beginning. The MSASCui.exe malware may also come in a variety of other forms that are sent directly to you. Such forms often imitate documents that only seem legitimate but actually initiate the infection process. They are often linked in a spam message sent to you via online chats, like Messenger or Viber for PC. They may include fake web links which trigger the infection when you click on them by automatically downloading and executing the infection script.

Furthermore, you may also become compromised via e-mail, another place where you should be more careful. The virus may arrive as an archived e-mail attachment which mimics a document of some sort. The sender of the e-mail is often masked as a legitimate service, like Dropbox, FedEx, DHL, PayPal, Amazon or eBay. There have also been cases of very well created e-mails that lead to third-party file-sharing sites from which the malicious file is downloaded, in order to avoid being blocked by e-mail vendors.

MSASCui.exe – Capability and Activity

The MSASCui.exe process, if legitimate, is the process responsible for Windows Defender’s user interface. Its original location is:

→ C:\Program Files\Windows Defender\

However, malware authors believe that when they mask their malware by executing a fake process with the same name, MSASCui.exe, they will be safe, since Windows Defender cannot blacklist its own process. Judging by the infection rate so far, the virus has successfully infected several computers already. One Reddit user has complained that the malware created the fake file in a fake Windows Defender folder, deeply concealed within the game TheBannerSaga2, downloaded from a third-party torrent website. The location of the file is reported to be the following:

→ C:\Users\{USERNAME}\AppData\Roaming\TheBannerSaga2\Windows Defender

In addition to this, the MSASCui.exe virus is also reported to create a scheduled task in Windows Task Scheduler, called “Winodws Defneder User Interface”, with the Monero address of the program as a parameter set directly in the task.

The main purpose of the MSASCui.exe process when it is run on the victim’s computer is to connect your computer to a Monero mining pool of many miners who have combined their efforts. Your computer becomes one of the PCs infected with MSASCui.exe, and the mining profits made at your GPU’s expense go to the cryptocurrency wallet of the cyber-criminal who is behind the MSASCui.exe virus. And since the malware may stay hidden for long periods of time, this may result in several negative outcomes for your GPU and CPU: they may break due to overheating, or your GPU may begin to display artefacts and may lag during gaming or other activities.

In addition to its main purpose, the MSASCui.exe miner malware may also create registry entries to automatically run a copy of itself once you delete the original one and also to elevate its privileges. The malware may create registry entries in the following Windows registry sub-keys:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

The main purpose of this virus however is to run as a task that is not authorized either by the local service of Windows or by SYSTEM. It can be detected in the Task Manager running from your account or without a Username, similar to what the image below displays:

In addition to lacking the original process username, the task may also lack a description, so if you see those symptoms, you should immediately stop and remove it. First check its location by right-clicking on it and choosing Open File Location, then right-click on it again and choose End Process. If this does not work, try End Process Tree. After ending it, simply remove the file.

But this may not remove the MSASCui.exe miner completely, since this virus may also perform other activities on your computer system, such as:

  • Steal credentials, like passwords and IDs for logins of different online services.
  • Obtain financial information.
  • Log the keystrokes you type.
  • Update itself to remain hidden on your computer.
  • Copy itself to other folders.
  • Spread on other computers on your network.

This is why you should focus on removing this malware completely and fully securing your computer system.
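The indicators described in this section (a MSASCui.exe running from outside C:\Program Files\Windows Defender\, a scheduled task launching it, and an entry in the Run key) can be checked together with the read-only PowerShell script below. It is an added example, not part of the original article, and assumes an elevated PowerShell session on Windows 8 or later, where Get-ScheduledTask is available.

```powershell
# Added example: read-only triage for the indicators this article describes.
# Assumption: the genuine file is %ProgramFiles%\Windows Defender\MSASCui.exe.
# Run from an elevated prompt so process paths and owners are readable.
$name     = 'MSASCui.exe'
$legitDir = Join-Path $env:ProgramFiles 'Windows Defender'

function Test-Suspect([string]$CommandLine) {
    # Suspect = not the genuine Defender path; an unreadable (empty) path is flagged too.
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine)
    return $expanded -notlike "*$legitDir\$name*"
}

# 1. Running processes with that name: path and owning account
$procs = Get-CimInstance Win32_Process -Filter "Name = '$name'" | ForEach-Object {
    $o = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
    [pscustomobject]@{
        Check   = 'Process'
        Item    = "PID $($_.ProcessId)"
        Owner   = if ($o.ReturnValue -eq 0) { "$($o.Domain)\$($o.User)" } else { '<unknown>' }
        Command = $_.ExecutablePath
        Suspect = Test-Suspect $_.ExecutablePath
    }
}

# 2. Scheduled tasks whose action launches a file with that name
$tasks = foreach ($t in Get-ScheduledTask) {
    foreach ($a in $t.Actions) {
        if ("$($a.Execute)" -like "*$name*") {
            [pscustomobject]@{
                Check   = 'Task'
                Item    = "$($t.TaskPath)$($t.TaskName)"
                Owner   = $t.Principal.UserId
                Command = "$($a.Execute) $($a.Arguments)"   # arguments expose any parameter set in the task
                Suspect = Test-Suspect $a.Execute
            }
        }
    }
}

# 3. Values in the Run key named in the article
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = (Get-ItemProperty -Path $runKey).PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -like "*$name*" } |
    ForEach-Object {
        [pscustomobject]@{ Check = 'RunKey'; Item = $_.Name; Owner = 'n/a'
                           Command = $_.Value; Suspect = Test-Suspect $_.Value }
    }

@($procs) + @($tasks) + @($run) | Format-Table -AutoSize -Wrap
```

Rows with Suspect set to True point at a file outside the genuine Windows Defender folder; the script changes nothing, so each hit still has to be reviewed and removed as described in this article.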

How to Remove the MSASCui.exe Miner Malware from Your PC

In order to delete this miner malware completely from your computer system, you should follow the removal instructions below, after isolating the virus by stopping its process and deleting it, as described above. The instructions for full removal of all the malicious files related to this malware are divided into manual and automatic removal steps. If you lack the experience or feel unsure while performing the manual removal, experts advise using an advanced anti-malware tool in order to remove all of the malicious files, related and non-related to the MSASCui.exe miner, from your computer. Such software will also make sure that your computer stays protected from programs of this type and other threats that may intrude on your computer via different methods.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
