Click on screenshot to zoom
Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Normal system programs crash immediatelly
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel


When PCASTLE invades operating systems successfully, it has two main tasks. The first one is to gather and transfer information about the victim to a C&C server. The second one is to silently execute a Monero miner that can exploit the computer’s resources to help attackers make crypto-currency. It goes without saying that both the Trojan and the miner must be deleted from the infected operating system as soon as possible. Although this malware does not have a complex structure, eliminating it might not be easy, especially if you are inexperienced or lack basic knowledge about your system. Of course, whether you decide to remove PCASTLE manually or using tools, we are here to help you and answer your questions. First, read the report to get more information about the Trojan and the miner. Then, choose the removal method you are most interested in. Finally, if you have questions, leave a message in the comment section.

According to our malware experts, PCASTLE is spread via sites that have vulnerable flash plugins. Such websites might show videos or offer to play online games. If you are not careful about the sites you visit and the flash plugins you interact with, the Trojan starts its journey into your operating system. First, the malicious PowerShell script is downloaded, and it is executed as a scheduled task within your Windows operating system. The manual removal guide below shows where to find and how to delete scheduled tasks. After this, a secondary script is downloaded, and that is when the attackers receive information about the victim’s system. Our researchers inform that the threat can read the version of the operating system, its architecture, the MAC address, user’s name, domain name, and the list of running antivirus tools. Finally, the third script is downloaded, and that is when additional malware is downloaded. PCASTLE employs EternalBlue exploit and PowerShell to drop a Monero miner called Xmrig. This, of course, is done silently, and if your anti-malware tools do not pick up on this threat, you might remain oblivious for some time.

It appears that, in most cases, PCASTLE is targeted at Windows users living in China, but it does not appear to have very specific targets. At the end of the day, all information is valuable, and systems that belong to individual users are usually easier to attack. Furthermore, miners can work from most systems anyway. Once the Xmrig miner is executed, you are unlikely to notice it. However, soon, you might discover that your system is running slower than usual, that applications are not booting up quickly, or that your computer crashes without a good explanation. If you experience any of this, malware and miners need to be on your mind. First, you can open the Task Manager and check the Performance data to see at which level your CPU is performing. If Windows is idle, the CPU should not go over 10%. If you discover that that is not the case, you might have to delete a miner. This is when you should install and run a legitimate malware scanner. This tool will determine whether or not you need to remove malware. Without a doubt, you want to act fast if you discover that dangerous threats exist.

Our research team has prepared instructions that should help you delete PCASTLE from your operating system. Note that the names of the listed components could be different in your case, and the infection could have been updated by the time you are reading. Due to this, if you decide to proceed with the manual removal of PCASTLE it is a very good idea to implement a malware scanner at the end. If any leftovers exist, you want to eliminate them as soon as possible. Another option is to install an anti-malware program. This tool would automatically eliminate the Trojan, the miner, and other threats that might exist. At the same time, it would reinstate Windows protection to keep new threats from attacking it. It goes without saying that reliable Windows protection is extremely important, as without it, you will remain at risk of facing new and even more dangerous infections.


  1. Launch Windows Explorer by tapping Win+E keys on the keyboard.
  2. Enter %WINDIR%\System32\Config\SystemProfile\AppData\Roaming\Microsoft into the field at the top.
  3. Right-click the malicious file named cred.ps1 and select Delete.
  4. Enter %LocalAppData% into the field at the top.
  5. Right-click and Delete all unfamiliar .log files
  6. Enter %WINDIR%\System32\Tasks\ into the field at the top.
  7. Right-click and Delete all tasks related to the Trojan.
  8. Enter %WINDIR%\Tasks into the field at the top and then repeat step 7.
  9. Empty Recycle Bin and immediately run a system scan to find out if malware remains exist.
Download Spyware Removal Tool to Remove* PCASTLE
  • Quick & tested solution for PCASTLE removal.
  • 100% Free Scan for Windows

Post comment — WE NEED YOUR OPINION!

Please enter security code:
This is a captcha-picture. It is used to prevent mass-access by robots.