PCASTLE Removal Guide

Threat Level:
Rate this Article:
Comments (0)
Article Views: 500
Category: Trojans

PCASTLE is a Trojan infection that infects vulnerable systems and then steals personal data. Rather than being an independent infection, this Trojan might exhibit a variety of behavioral patterns, depending on what commands it receives from the C&C. Like with most Trojan infections, PCASTLE doesn’t have a GUI, so it is hard to know that it is running on your computer. Unless you run regular system scans, you won’t know that your system has been compromised only after something nasty happens. Thus, make sure you scan your PC regularly, so you could remove PCASTLE promptly.

Although spam email attachments are the most common Trojan and ransomware distribution methods, PCASTLE spreads in a slightly different way. This Trojan usually travels through vulnerable flash plug-ins. It clearly shows how important it is to keep all of your plug-ins and extensions up-to-date. Vulnerabilities are usually fixed with the latest updates, and if users fail to apply those updates, hackers who make use of PCASTLE, find how to exploit these vulnerabilities to access target systems.

Malware infections do not recognize national borders, but most of the PCASTLE infection cases have been observed in China so far. The attack downloads a PowerShell script on the target system either through a scheduled task or RunOnce registry key. There are at least three stages of this PowerShell scrip download. Eventually, the target machine is infected with XMRig. This malware is a Monero miner. Monero is a type of cryptocurrency.

Since PCASTLE is mostly used to distribute a cryptocurrency miner, this Trojan cannot steal your personal information. However, we do know that it can gather such data as your operating system version, MAC address, a list of the antivirus products that you have on your machine, the operating system architecture, username, and domain name. All of that is used to optimize your system for cryptocurrency mining.

Can PCASTLE severely damage the infected system? Well, the question is what you consider as “severe damage.” Unlike ransomware, this Trojan cannot destroy or lock up your files. However, if you have a cryptocurrency miner, it will eat all of your system’s resources. It means that your computer will become very slow, and it will take ages to perform the most ordinary tasks. On the other hand, a sudden drop in your system’s performance could be a very good indicator that you have malware programs running.

Is there anything special about XMRig miner though? Actually, yes. Unlike most of the other miners, XMRig uses algorithms that do not require a lot of resources or processing power. It means that PCASTLE and its payload can remain in the target system undetected quite longer than the usual cryptocurrency miners. Users need to look for the exact red flags to notice that something is wrong, and not every single user that tech-savvy to realize that their system has been compromised.

The best way to protect yourself from PCASTLE is to disable PowerShell, macros, and WMI if you are not using them. It would also be a good idea to acquire a program that would manage your system’s vulnerability.

Either way, it is necessary to remove PCASTLE and its payload today. In our removal guide below, we will cover the Trojan’s removal. If manual removal is not your thing, you can always terminate malicious infections with a reliable antispyware tool.

Aside from in a security application, you should also review your web browsing habits, so you could avoid the likes of PCASTLE in the future. Always keep your software up-to-date, and steer clear of suspicious websites that could be associated with malware distribution. When in doubt, do not hesitate to address a professional.

How to Remove PCASTLE

  1. Press Win+R and type %WINDIR%. Click OK.
  2. Go to System32\config\systemprofile\appdata\roaming\microsoft.
  3. Delete the cred.ps1 file and press Win+R again.
  4. Type %LocalAppData% into the Open box. Press OK.
  5. Delete these files:
  6. Run a full system scan with SpyHunter.
Download Remover for PCASTLE *
*SpyHunter scanner, published on this site, is intended to be used only as a detection tool. To use the removal functionality, you will need to purchase the full version of SpyHunter.


Your email address will not be published.


Enter the numbers in the box to the right *