How to Fix: Remove JSCoinMiner Browser Malware (Step By Step)

Dennis Faas's picture

Infopackets Reader Bob S. writes:

" Dear Dennis,

Thanks for the article on Browser Cryptomining scams. I have a related problem. I use Firefox browser and Norton keeps telling me that I'm infected with 'JSCoinminer' for every single web page I visit - for example, eBay.com, Amazon.com and even Infopackets.com! I have tried to remove the infection using Norton, Malwarebytes and also Norton's 'Power Eraser' but the infection persists. The error message reads:

Norton blocked an attack by: Web Attack: JSCoinminer Website / An intrusion attempt by thrillingos.herokuapp.com was blocked ... Web Attack: JSCoinminer Website ... Network traffic from thrillingos.herokuapp.com matches the signature of a known attack. The attack was resulted from \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE.

Can you please help? "

My response:

Since browser infections like this can be tricky, I asked Bob if he would like me to connect with him using my remote desktop support service. He agreed.

After launching Firefox, I tried opening a new web page and every time, Norton would alert of the JSCoinminer infection. This type of infection is similar to what we described in the "Cryptomining scams" article last week.

If you did not read the article, essentially what happens is that the browser will attempt to mine for bitcoins (or some other cryptocurrency) using mathematical expressions, which then causes the computer's central processing unit (CPU) to go into overdrive. As a result, the computer slows down to a crawl, making it near impossible to do anything. Rebooting the PC would fix the issue temporarily but as soon as you load the browser again, the CPU revs back up to 100% usage and everything is as slow as molasses.

Normally this behavior would happen only if you visit an infected web page, however in this case the malware was able to embed itself into the browser for any page visited. This is very crafty indeed!

How to Fix: Remove JSCoinMiner Browser Malware (Step By Step)

When you have a browser infection such as this and antivirus or antimalware can't get rid of it, the solution here is to either uninstall and reinstall the browser and/or reset the browser. There are a few things to note here. If you uninstall and reinstall, your user profile data will be retained (including bookmarks, cookies, etc).

In this case I believe that the browser infection is coming from a cached file within the browser. Therefore, simply uninstalling and reinstalling does not work. For the record I have also tried "resetting" browsers before, only to have similar browser infection come back. The only permanent fix was to manually delete the user profile directory as well as the program installation folder after uninstalling the browser.

In Bob's case I backed up his bookmarks, uninstalled Firefox, then manually deleted the user profile directory as well as the program folder. This ensured that when I reinstalled Firefox that none of the old data could re-infect the browser. Below I'll describe the steps I took to reset Firefox (manually).

  1. First, export your bookmarks. In Firefox, click "Bookmarks" -> "Show All Bookmarks"; the "Library" window will appear. Click "Import and Backup" from the top menu, then select "Backup" and save the bookmarks.json file to the desktop.
     
  2. Next, uninstall Firefox. Click "Start", then type in "Control Panel", then click "Uninstall Programs" or "Programs and Features", then select "Firefox" and uninstall.
     
  3. Now it's time to manually delete the program file directory. Click "Start" then type in "This PC" (for Windows 8 and 10) or click "My Computer" (for Windows 7, Vista, XP, etc). Next, double click the "C" drive and navigate to "C:\Program Files". Locate "Mozilla Firefox" folder and press DEL on your keyboard to delete it. This will delete your Mozilla firefox executable files.
     
  4. Now it's time to manually delete the user profile folder. This can be a bit tricky because some of the files may be in use due to the infection. In this case you may need to log out and sign back in, or sign in as another user. To delete the profile folder, go to "C:\Users\YOUR-USER-NAME\AppData\Roaming". Locate the "Mozilla" folder and double click it, then select the "Firefox" folder and press DEL on your keyboard. If you get an "access denied" you will have to log out and sign back in or sign in as another user to delete the folder.
     
  5. Once the user program files folder and the profile folder have been deleted, you can reinstall Firefox by downloading it from the web. To re-import your bookmarks, go to "Bookmarks" -> "Show All Bookmarks" -> "Import and Backup" -> and select "Import". Navigate to the bookmarks.json file on your desktop and select it. Your bookmarks should be restored.

I hope that helps.

Additional 1-on-1 Support: From Dennis

If all of this is over your head and you are infected with the JSCoinminer malware, I can help using my remote desktop support service. Simply contact me, briefly describing the issue and I will get back to you as soon as possible.

Got a Computer Question or Problem? Ask Dennis!

I need more computer questions. If you have a computer question - or even a computer problem that needs fixing - please email me with your question so that I can write more articles like this one. I can't promise I'll respond to all the messages I receive (depending on the volume), but I'll do my best.

About the author: Dennis Faas is the owner and operator of Infopackets.com. With over 30 years of computing experience, Dennis' areas of expertise are a broad range and include PC hardware, Microsoft Windows, Linux, network administration, and virtualization. Dennis holds a Bachelors degree in Computer Science (1999) and has authored 6 books on the topics of MS Windows and PC Security. If you like the advice you received on this page, please up-vote / Like this page and share it with friends. For technical support inquiries, Dennis can be reached via Live chat online this site using the Zopim Chat service (currently located at the bottom left of the screen); optionally, you can contact Dennis through the website contact form.

Rate this article: 
Average: 5 (6 votes)