Shadowsocks Miner Trojan Removal

This article can help you to remove Shadowsocks Virus. The step by step removal works for every version of Microsoft Windows.

When one mentions the term “PC virus,” most of us imagine a Trojan horse. There is a good reason for that. Trojans are stealthy and can cause irreversible damage. Shadowsocks is the name of the latest member of the Trojan family. This dangerous Trojan is programmed to turn its victims’ computers into a crypto coin miners. The Shadowsocks enters your computer in complete silence and modifies your system’s registry and key folders. It roots deep into your OS. A simple system reboot will not stop the infection. Shadowsocks loads together with your operating system. And this is bad, very bad. To carry its malicious processes, the Trojan needs a lot of computer resources. It runs on your CPU and uses an enormous amount of virtual memory. This parasite not only can cause your PC to underperform, it may cause frequent system crashes. This outcome is definitely unwanted. You may lose important data, end up with the Blue Screen of Death or worse — hardware may get damage. The coin mining process is only profitable when you are not using your own resources. This process requires a lot of electricity. It may double, even triple your electricity bills. You paid for the hardware and the electricity. Yet, the crooks are the ones who get the revenue. Is that fair? Of course, it isn’t! They are making a mint at your expense. Do not put up with this situation! Use a powerful anti-virus app and run a full-system scan. We have also provided a detailed manual removal guide. Yet, we recommend you to use an automated solution. Shadowsocks Trojan is a complicated virus. So is its removal. If you miss one of its components, the virus will restore itself. If you delete one wrong file, you will end up with the Blue Screen of Death. The easiest and safest solution your problem is the usage of a trustworthy anti-virus app. Download one you like and clean your machine for good!

remove Shadowsocks

How did I get infected with?

Shadowsocks did not materialize by magic. Neither was your computer hacked. To reach its victims, the Trojan relies on the good old spam emails. Yes, exactly. Spam emails and other instant messages are the most common cause of Trojan infections. A little extra caution, however, can prevent this method from succeeding. Do not open messages from strangers. Check the sender’s contacts first. You can simply enter the questionable address into some search engine. If it was used for shady business, someone must have complained online. Yet, this method is not flawless. New email accounts are created every minute. So, double check the sender. Scammers tend to write on behalf of well-known organizations and companies. If you receive such a message, go to the company’s official website and compare the email addresses listed there with the one you have received a message from. If they don’t match, delete the pretender immediately. Even if you can’t find any information online, open the letter with caution. The crooks would include links and images to their letters. Don’t click on them, they may as well be corrupted. Do not download anything, not unless you are certain that the files are safe. Scan everything with an anti-virus program. Other malware distribution methods include torrents, fake software updates, and freeware bundling.

Why is this dangerous?

Shadowsocks is a nasty Trojan. It has sneaked into your machine unnoticed and took control over it. The virus does whatever it wants with your system and you suffer the consequences. This time, Shadowsocks has turned your machine into a coin miner. And this, as strange as may sound, is not that bad. There could have been far worse outcomes. The Trojan could have used your machine for illegal cyber attacks. This is still possible, by the way. As long as the Trojan remains active, the hackers can manipulate it as they please. They can command the virus to transform your PC into whatever they want. They can even start to spy on you, both physically and online. Or, they may use the Trojan to steal your files and to blackmail you. Currently, the Shadowsocks Trojan is using your computer as coin miner. This process is unpleasant and quite hazardous. It requires a lot of electricity. By using so much electricity, your PC radiates a lot of heat. If your cooling system is not officiant enough, your system will crash, at best. At worst, some component your device will get damaged. Shadowsocks is using your CPU on very hot temperatures. This, undoubtedly, will shorten your the life of your CPU, plus, it slows your PC down. Do not let this to continue any longer. The Shadowsocks virus prevents you from using your machine normally. Take immediate measures against the Trojan. The sooner it is gone, the better!

Manual Shadowsocks Removal Instructions

The Shadowsocks infection is specifically designed to make money to its creators one way or another. The specialists from various antivirus companies like Bitdefender, Kaspersky, Norton, Avast, ESET, etc. advise that there is no harmless virus.

If you perform exactly the steps below you should be able to remove the Shadowsocks infection. Please, follow the procedures in the exact order. Please, consider to print this guide or have another computer at your disposal. You will NOT need any USB sticks or CDs.

STEP 1: Track down Shadowsocks related processes in the computer memory

STEP 2: Locate Shadowsocks startup location

STEP 3: Delete Shadowsocks traces from Chrome, Firefox and Internet Explorer

STEP 4: Undo the damage done by the virus

STEP 1: Track down Shadowsocks related processes in the computer memory

  • Open your Task Manager by pressing CTRL+SHIFT+ESC keys simultaneously
  • Carefully review all processes and stop the suspicious ones.


  • Write down the file location for later reference.

Step 2: Locate Shadowsocks startup location

Reveal Hidden Files

  • Open any folder
  • Click on “Organize” button
  • Choose “Folder and Search Options”
  • Select the “View” tab
  • Select “Show hidden files and folders” option
  • Uncheck “Hide protected operating system files”
  • Click “Apply” and “OK” button

Clean Shadowsocks virus from the windows registry

  • Once the operating system loads press simultaneously the Windows Logo Button and the R key.


  • A dialog box should open. Type “Regedit”


Depending on your OS (x86 or x64) navigate to:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] or

  • and delete the display Name: [RANDOM]

delete backgroundcontainer

  • Then open your explorer and navigate to: %appdata% folder and delete the malicious executable.

Clean your HOSTS file to avoid unwanted browser redirection

Navigate to %windir%/system32/Drivers/etc/host

If you are hacked, there will be foreign IPs addresses connected to you at the bottom. Take a look below:


Step 4: Undo the possible damage done by Shadowsocks

This particular Virus may alter your DNS settings.

Attention! this can break your internet connection. Before you change your DNS settings to use Google Public DNS for Shadowsocks, be sure to write down the current server addresses on a piece of paper.

To fix the damage done by the virus you need to do the following.

  • Click the Windows Start button to open the Start Menu, type control panel in the search box and select Control Panel in the results displayed above.
  • go to Network and Internet
  • then Network and Sharing Center
  • then Change Adapter Settings
  • Right-click on your active internet connection and click properties. Under the Networking tab, find Internet Protocol Version 4 (TCP/IPv4). Left click on it and then click on properties. Both options should be automatic! By default it should be set to “Obtain an IP address automatically” and the second one to “Obtain DNS server address automatically!” If they are not just change them, however if you are part of a domain network you should contact your Domain Administrator to set these settings, otherwise the internet connection will break!!!


  • Check your scheduled tasks to make sure the virus will not download itself again.

How to Permanently Remove Shadowsocks Virus (automatic) Removal Guide

Please, have in mind that once you are infected with a single virus, it compromises your whole system or network and let all doors wide open for many other infections. To make sure manual removal is successful, we recommend to use a free scanner of any professional antimalware program to identify possible virus leftovers or temporary files.

Leave a Comment