How to uninstall the Boinc Malware 

We ran into a bit of a weird situation in our research. A trojan masquerades as a legitimate program. Such a thing isn’t new – security threats do it all the time, especially trojans, which is what’s happening here. What’s new here is that the Boinc Malware (as we will call it) is not malware that presents itself as Boinc – rather, it illegally installs Boinc on a computer and uses it. It’s a strange situation where the only identifier for the infection is a program we can’t really blame.

We want to stress this here. We don’t claim the “real” Boinc is malware. Something else is using it, and that something is malicious.

Below we will give you the removal instructions – we tested that they work.

After the instructions you can read more context on what’s going on with Boinc. Depending on where you look on the internet, you will find only confusing or false information.

SUMMARY:

Name: Boinc (the malware)
Type: Browser Hijacker

Boinc Malware Uninstall Guide

This trojan infects only Windows devices. Here’s a quick rundown of what you’ll need to do. Don’t skip any of the steps presented here. The Boinc malware will return if you do:

  1. You’ll have to go into the Windows Task Scheduler. The Boinc malware has created tasks that run every 15-ish minutes, and there appear to be backups which will restore it.
  2. You’ll have to go into Task Manager and stop any processes related to the tasks. We’ll give you names to look for, but still exercise your own judgement in case there’s something different on your PC.
  3. After that we’ll send you to the folders where the Boinc malware hides and help you delete its files – they may be locked, and you’ll experience difficulties deleting them.
  4. Only after the steps above, you’ll have to perform some checks to make sure everything’s clean. You don’t want to have to start over again.

If the instructions don’t work properly, you missed something that needed deleting. Just saying. Start over and be more careful. If you can’t do it, or all of this is a little bit too much for you, we recommend downloading SpyHunter. It will delete the Boinc malware for you.

But first, create a new Restore Point in Windows just in case. You will be deleting stuff that’s best left untouched under better circumstances. We created these instructions to help you, but we can’t be responsible for any damage.

If you don’t want a restore point, just scroll down a little to the next part.

Hit the Winkey and type Restore —> “Create a restore point”

Choose “Create” in the new window, type a name and click Create. 


Clean the Task Scheduler from the Boinc Malware

The Boinc malware creates tasks in the Task Scheduler that will run automatically and reinstall the virus every 15 minutes. These tasks are designed only to send you notifications, so they are clearly forced on you. First, we’ll have to disable everything that renews them.

  1. Press Winkey + R, type “taskschd.msc” in the “open” field, and click OK.
  2. Look through the tasks in the Task Scheduler Library. Go through them all – right-click each one, go to Properties > Actions, and see what action is performed by the task.
  3. If you see anything that runs from AppData/Roaming, it’s part of the Boinc Malware. Copy the file path it comes from (you’ll need it later), and close the properties. Then right-click the task again, and click Delete.
  4. Important: only delete files/folders that you are sure aren’t from your system!
    The Boinc malware disguises the entries to look like Mozilla/Chrome/Windows security updates, or even just numbers. Again – look if it’s running from AppData/Roaming.
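
The same check can be done in one pass from an elevated PowerShell window. This is an added example, not part of the original guide: it only lists tasks whose action runs from AppData\Roaming and deletes nothing, and it assumes the built-in ScheduledTasks module (Windows 8 / Server 2012 or later).

```powershell
# Added example: read-only audit of scheduled tasks. Nothing is deleted or disabled.
# Run elevated so that tasks registered for other users are visible as well.
$marker = '\AppData\Roaming\'   # the location the guide tells you to look for

Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # Only "start a program" actions have an Execute property; skip the rest.
        if (-not $action.Execute) { continue }

        # Actions may be quoted or use %APPDATA%; normalise before matching.
        # Variables expand for the account running this script, which is
        # enough here because only the \AppData\Roaming\ part is matched.
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
        if ($exe -notlike "*$marker*") { continue }

        [pscustomobject]@{
            Task       = $task.TaskPath + $task.TaskName
            State      = $task.State
            Execute    = $exe
            Arguments  = $action.Arguments
            # ISO 8601 duration; PT15M would be a 15-minute repeat
            Repeat     = ($task.Triggers.Repetition.Interval | Where-Object { $_ }) -join ','
            FileExists = Test-Path -LiteralPath $exe
        }
    }
} | Sort-Object Task | Format-List
```

Legitimate software can also register tasks that run from AppData\Roaming, so review each result in Properties > Actions before deleting it in the Task Scheduler.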

Congratulations, now that you’ve cleaned the Task Scheduler, the malware won’t reappear when you remove its files or end its processes. That was our first priority.

Delete the Boinc Malware’s Files

First, open the Start Menu and type Folder Options.

Open the first result and click on View. Enable the Show Hidden Files, Folders, and Drives option and click OK.

Several copies of BOINC are downloaded to the C:\USERNAME\AppData\Roaming folder. Once there, arrange everything by Date Modified and start looking in the most recently modified folders. Remember, this thing had tasks scheduled every 15 minutes. The names can change, but in subfolders (and in Roaming itself) we saw ‘.exe’, ‘gupdate.exe’, ‘SecurityHealthService.exe’, and ‘trustedinstaller.exe’, so start with these.

Delete anything that’s part of the infection in these folders. You likely can’t do much damage deleting stuff in there.

Stop the Boinc Malware’s Processes in Task Manager 

Open the Task Manager by pressing Ctrl + Shift + Esc, and click the More Details option if you don’t see all processes.

  1. Sort the processes by CPU use and then by Memory use. Look for anything questionable and unfamiliar.
    Note: I repeat, in the last step you had ‘.exe’, ‘gupdate.exe’, ‘SecurityHealthService.exe’, ‘trustedinstaller.exe’. Look for names like that in the processes.
  2. If you spot a fake process with a different name, write it down, then right-click, open its File Location Folder, and delete the file.
  3. In case you are blocked from deleting the file/folder, download and install Lock Hunter (it’s a free tool), then right-click an item you can’t delete —> “What’s locking this file/folder” —> Delete it! in the next window.
  4. Use Lock Hunter to delete all other malware files and folders.
  5. Then return to the Task Manager, right-click the malicious process again, and click End Task to quit it.
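
To find the candidates for this step and for the file clean-up above, the following added example (not from the original guide) lists running processes whose executable sits under AppData\Roaming and shows the version metadata embedded in each file, which is where a renamed installer gives itself away. The list of names is copied from the guide; everything else is an assumption of this example.

```powershell
# Added example: read-only listing. No process is stopped and no file is removed.
# Run elevated, otherwise ExecutablePath is empty for some processes.
$marker   = '\AppData\Roaming\'
# File names the guide reports; a starting point, not a complete list.
$reported = '.exe', 'gupdate.exe', 'SecurityHealthService.exe', 'trustedinstaller.exe'

Get-CimInstance Win32_Process |
    Where-Object { $_.ExecutablePath -like "*$marker*" } |
    ForEach-Object {
        $path   = $_.ExecutablePath
        $onDisk = Split-Path -Leaf $path
        $info   = (Get-Item -LiteralPath $path -ErrorAction SilentlyContinue).VersionInfo

        [pscustomobject]@{
            ProcessId    = $_.ProcessId
            Path         = $path
            NameInGuide  = $reported -contains $onDisk   # case-insensitive match
            ProductName  = $info.ProductName
            OriginalName = $info.OriginalFilename
            # True when the embedded original name differs from the name on disk
            Renamed      = [bool]($info.OriginalFilename -and
                                  $info.OriginalFilename -ne $onDisk)
            Signature    = (Get-AuthenticodeSignature -LiteralPath $path).Status
        }
    } | Sort-Object Path | Format-List
```

A row with Renamed set to True and a ProductName that does not fit the file name deserves a closer look; ordinary applications that live in AppData\Roaming will also appear in the output.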

All of this should be enough to remove the Boinc malware from your PC. There’s no point looking in the Control Panel, since the program isn’t listed there at all. In case the guide didn’t work, we can only recommend downloading the anti-malware program from one of our ads.

Additional information about the Boinc Malware

What we know so far is only that BOINC is loaded onto users’ devices without their consent through a malware payload. Reports don’t seem to point at a single vector, but appear to target public Wi-Fi network vulnerabilities. In most cases users don’t even know they were infected until the popup notifications start.


The installers the malware uses come from the official BOINC installer 8.0.2 and are not fake; the malware simply renames them and uses them for its own purposes.

Frankly, the entire thing is a little bit baffling, because the notifications and the way Boinc is used really don’t look profitable. My 2 cents is someone’s using this either to teach themselves how to install malware better or as a proof of concept for the vulnerabilities of a larger attack. 

As of writing, there are reports that infected devices are in the thousands.


About the author


Nathan Bookshire

1 Comment

  • I have opened a case with EnigmaSoft because their latest version of SpyHunter 5 Pro does not detect and remove Boinc hijacker malware.

    I have followed your directions and was able to manually remove the Boinc components from my Windows 10 PC. But I am also getting multiple IP issues that may be related to the same malware. Perhaps the malware has installed and/or modified task scheduler triggers that are outside the AppData/Roaming directory structure. For example, do you know anything about the Remove_NetIPsecMainModeSA Windows security association (SA) scheduled task that suspiciously (to me) runs every three minutes?
