PCASTLE Removal Guide

Do you know what PCASTLE is?

PCASTLE is a file-less infection that relies entirely on PowerShell scripts to carry out its malicious activity. According to malware experts, vulnerable Windows operating systems in China are the most likely targets of this dangerous infection, but Windows users everywhere need to be aware of it. Hopefully, you still have time to secure your operating system and ensure protection in the future; however, if you are already fighting this malware, we are here to help. In this report, you will find tips on how to delete PCASTLE and the additional infections it can execute, as well as how to protect your operating system against attacks by similar and different kinds of malware in the future. If you are curious, please continue reading.

Is your operating system updated? Do you have reliable security software running? Are you cautious when online? These are the questions you need to answer for yourself when thinking about your virtual security. According to our team, PCASTLE exploits EternalBlue and PowerShell, and it is most likely to use vulnerable Flash plugins to initiate its attacks. Once a website with such a plugin is visited, a malicious PowerShell script is downloaded and executed immediately. During our tests, the scripts were downloaded to %LocalAppData% (as .LOG files) and %WINDIR%\System32\Config\SystemProfile\AppData\Roaming\Microsoft (as a .PS1 file). Three different PowerShell scripts were used, and the attackers behind PCASTLE were able to gather information and execute a crypto-currency miner, which was also file-less. The miner was Xmrig, and it was employed to mine Monero, one of the most popular crypto-currencies in the world.

Before Xmrig was executed, PCASTLE also collected information about the victim. Based on our findings, it looked at the version of the operating system, the architecture, the user name, the MAC (media access control) address, and the active antivirus products. Once gathered, this information was silently transferred to a C&C server, where the attackers could analyze it and adjust the attack accordingly. While the Trojan itself is unlikely to be noticeable, the miner might exhaust your CPU (central processing unit) with the crypto-mining process. This process should not harm you personally, unless the system crashes from the strain. In that case, physical damage to the hardware could compound the damage to the operating system overall. Hopefully, that does not happen, and you can remove PCASTLE and Xmrig before it does.

Although PCASTLE is a file-less infection, there are components that must be deleted, and you might be able to do it manually using the guide below. Keep in mind that other threats could exist on your operating system, and that the Trojan itself could have evolved. Because of this, we cannot promise that your system will definitely be clean even if you follow the steps diligently. To make sure that your system is clean after manual removal, run a thorough malware scanner. Once you take care of that, you also need to strengthen the security of your operating system, which is not easy to do manually. You can make things easier on yourself by installing anti-malware software that can scan the system, identify the threat, perform removal, and, of course, establish full-time, reliable protection.

Delete PCASTLE

  1. Simultaneously tap the Win+E keys to open Explorer.
  2. Enter %LocalAppData% into the field at the top.
  3. Delete malicious .log files (names should be short and contain letters and numbers).
  4. Enter %WINDIR%\System32\Config\SystemProfile\AppData\Roaming\Microsoft into the field at the top.
  5. Delete the malicious .ps1 file (the name could be random too).
  6. Enter %WINDIR%\System32\Tasks\ into the field at the top and delete unfamiliar tasks.
  7. Enter %WINDIR%\Tasks into the field at the top and delete unfamiliar tasks.
  8. Empty Recycle Bin.
  9. Install and run a trusted malware scanner to check for leftover threats.
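One way to triage a host against the locations listed in steps 2 through 7, as an added example that is not part of the original guide: a PowerShell script that lists the candidate files (with SHA-256 hashes for a scanner lookup) and the scheduled tasks instead of deleting anything. It assumes an elevated prompt on Windows 8 / Server 2012 or later for the ScheduledTasks module; the 30-day window and the "task action launches powershell.exe" filter are my own heuristics, not details from the article.

```powershell
# Added triage script, not from the original article. It only REPORTS the
# artefacts the removal steps point at; review the output, then remove items
# by hand or let a malware scanner handle them.
$Since = (Get-Date).AddDays(-30)   # assumption: only recently written files matter

function Get-PcastleArtefacts {
    # Steps 2-3: short alphanumeric .log names dropped into %LocalAppData%
    $logs = Get-ChildItem -Path $env:LOCALAPPDATA -Filter '*.log' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match '^[A-Za-z0-9]{1,12}$' -and $_.LastWriteTime -gt $Since }

    # Steps 4-5: any .ps1 under the SystemProfile Roaming\Microsoft folder, a
    # location where no user profile should normally be writing scripts
    $psDir = Join-Path $env:WINDIR 'System32\Config\SystemProfile\AppData\Roaming\Microsoft'
    $scripts = Get-ChildItem -Path $psDir -Filter '*.ps1' -File -Recurse -ErrorAction SilentlyContinue

    foreach ($f in @($logs) + @($scripts)) {
        [pscustomobject]@{
            Kind     = 'File'
            Path     = $f.FullName
            Modified = $f.LastWriteTime
            # hash for submitting to a scanner or reputation service
            Detail   = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        }
    }

    # Steps 6-7: scheduled tasks whose action launches PowerShell (heuristic;
    # the article names no task, only the two task folders to inspect)
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        $info = $task | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue
        foreach ($a in $task.Actions) {
            if ($a.Execute -match 'powershell') {
                [pscustomobject]@{
                    Kind     = 'Task'
                    Path     = $task.TaskPath + $task.TaskName
                    Modified = $info.LastRunTime
                    Detail   = ($a.Execute + ' ' + $a.Arguments).Trim()
                }
            }
        }
    }
}

Get-PcastleArtefacts | Format-Table -AutoSize -Wrap
```

Legitimate software also schedules PowerShell tasks, so treat the task list as items to review against their vendor, not as confirmed infections.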

In non-techie terms:

To ensure that your operating system is clean at all times, you need to implement reliable security software. You also need to keep your own habits in check. Visiting unreliable websites, downloading unfamiliar software, or keeping your system out of date could all lead to a malware infection. PCASTLE is a Trojan that relies on vulnerabilities, lack of protection, and stealth to perform malicious actions. It can gather information about you, and it can also execute a miner that uses your system’s resources to make money for the attackers. Without a doubt, this kind of malware must be deleted ASAP. To remove PCASTLE, you can try following the guide above, but we strongly advise employing anti-malware software. It would ensure complete removal of dangerous threats, and you would not need to worry about Windows security afterward. Of course, you still have the option to delete the Trojan manually, but Windows security should be the first thing on your mind afterward.