Trojan.Bitcoinminer

Trojan.Bitcoinminer Description

Type: Trojan

Trojan.Bitcoinminer is one of the detection names that have been associated with an executable file named 'indexer.exe' that is used to mine BitCoins and FeatherCoins. Trojan.Bitcoinminer will be installed in a hidden directory inside the AppData directory on the infected computer. Trojan.Bitcoinminer will mine Bitcoins using the infected computer's resources. Cryptocurrency mining can be extremely demanding on a computer's resources, making it overheat, perform poorly and consume more power. While BitCoin mining is a legitimate activity, Trojan.Bitcoinminer is used by con artists to take advantage of a victim's computer to mine BitCoins or another cryptocurrency, keeping the profits generated at the expense of the victim's computer. While mining BitCoins with a single computer is rarely profitable, the people that distribute Trojan.Bitcoinminer and similar Trojans take advantage of the combined resources of numerous infected computers by mining BitCoins and keeping the proceeds. Currently, many Trojan.Bitcoinminer infections have been spotted in Russia, Ukraine and Indonesia.

How Trojan.Bitcoinminer may be Delivered

The most common way in which Trojan.Bitcoinminer may enter a computer is through fake software downloads and updates. Con artists may hide threats like Trojan.Bitcoinminer inside software and media files distributed online. Victims download them from shady websites and then install Trojan.Bitcoinminer on their computers without being aware of it. Trojan.Bitcoinminer does not alert victims that their computers are infected, for example with a notification, and does not announce its presence in any other way. However, Trojan.Bitcoinminer will use up more than three-quarters of the infected computer's processing power for mining cryptocurrency. Victims of the Trojan.Bitcoinminer attack will, therefore, notice that their computers run extremely slowly and frequently become unresponsive or unstable. Additionally, it is not uncommon for threats like Trojan.Bitcoinminer to conflict with other programs on the victim's computer, causing various performance issues and preventing that software from functioning properly.

The Trojan.Bitcoinminer Infection and Its Related Symptoms

There are several symptoms that may indicate that your computer has been infected with Trojan.Bitcoinminer. Computer users have reported that most software, including email clients, will become unresponsive, freeze or crash frequently. Some software, especially Internet browsers, will fail to open at all, and many files will fail to load. When victims attempt to view a video or listen to music on the infected computer, playback frequently stutters, is distorted or stops altogether, never resulting in a usable experience. One typical problem associated with Trojan.Bitcoinminer will happen when typing. Computer users may notice that their keyboard inputs are delayed, especially in word processing programs. This indicates that a large portion of the infected computer's resources is being used. These symptoms would normally be expected only while running a program that requires lots of resources (for example, rendering a high-quality video). In this case, however, it is Trojan.Bitcoinminer that is using up the system's resources to mine cryptocurrency.

General Recommendations Related to Trojan.Bitcoinminer

Victims of Trojan.Bitcoinminer may notice 'indexer.exe' listed in the Task Manager. This is almost always an indicator of a Trojan.Bitcoinminer infection and requires action from the computer user. However, 'indexer.exe' is not the only name used by this BitCoin miner. PC security researchers advise computer users to remain vigilant, since other variants of Trojan.Bitcoinminer with different file names may appear. Malware investigators recommend that computer users use a security program to remove Trojan.Bitcoinminer and other threats. If your computer continues to show symptoms, it is important to use a different anti-virus program to ensure that the Trojan.Bitcoinminer infection or any related threat has been found (in some cases, other components may prevent its removal). The following are other names by which Trojan.Bitcoinminer may be detected:

  • PUP.Optional.Bitminer
  • RDN/Generic.dx!cxt
  • Riskware.Win32.BtcMine.cnywcu
  • Tool.BtcMine.157
  • Trojan ( 0048fd0e1 )
  • Trojan.Win32.Generic!BT
  • Trojan.Win32.S.BitMiner.932352
  • W32/Trojan.PBJZ-2853
  • Win32/BitCoinMiner.AS
  • Win32/Trojan.Multi.daf
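As an added example that is not part of the original article, the following PowerShell script applies the indicators discussed above from a defender's side: it flags a running process that carries the name cited in the article, or that runs from an image under AppData or inside a hidden folder while consuming most of the machine's CPU. The suspect name list, the 75% threshold and the 5-second sampling interval are assumptions drawn from the text, not values from any detection product.

```powershell
# Added example, not taken from the original article: list running processes that fit the
# profile described above (a known miner name, or an image under AppData or a hidden folder
# that is using most of the CPU). Names, threshold and sampling interval are assumptions.
$SuspectNames = @('indexer')          # Get-Process names carry no .exe suffix; extend as needed
$CpuThreshold = 75                    # percent of the whole machine's CPU ("three-quarters")
$Interval     = 5                     # seconds between the two CPU-time samples
$Cores        = [Environment]::ProcessorCount
$AppDataRoots = @(
    [Environment]::GetFolderPath('ApplicationData'),       # %APPDATA%
    [Environment]::GetFolderPath('LocalApplicationData')   # %LOCALAPPDATA%
)
# The AppData folders are hidden by design, so the hidden-folder walk stops at them
$StopDirs = $AppDataRoots + (Join-Path ([Environment]::GetFolderPath('UserProfile')) 'AppData')

function Get-CpuSnapshot {
    # Map process Id -> CPU seconds consumed so far; processes we may not read are skipped
    $snap = @{}
    foreach ($p in Get-Process) {
        try { $snap[$p.Id] = $p.TotalProcessorTime.TotalSeconds } catch { }
    }
    return $snap
}

$before = Get-CpuSnapshot
Start-Sleep -Seconds $Interval
$after  = Get-CpuSnapshot

$findings = foreach ($p in Get-Process) {
    if (-not ($before.ContainsKey($p.Id) -and $after.ContainsKey($p.Id))) { continue }
    # Share of total CPU this process consumed during the interval, as a percentage
    $pct = [math]::Round(($after[$p.Id] - $before[$p.Id]) / ($Interval * $Cores) * 100, 1)

    $path = $null
    try { $path = $p.Path } catch { }    # protected processes refuse to reveal their image
    $inAppData = $false
    $hiddenDir = $false
    if ($path) {
        foreach ($root in $AppDataRoots) {
            if ($path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inAppData = $true }
        }
        # Does any folder between the image and an AppData/drive root carry the Hidden attribute?
        $dir = Split-Path -Parent $path
        while ($dir -and ($StopDirs -notcontains $dir) -and (Split-Path -Parent $dir)) {
            $item = Get-Item -LiteralPath $dir -Force -ErrorAction SilentlyContinue
            if ($item -and ($item.Attributes -band [IO.FileAttributes]::Hidden)) { $hiddenDir = $true; break }
            $dir = Split-Path -Parent $dir
        }
    }
    $nameHit = $SuspectNames -contains $p.Name

    if ($nameHit -or ($pct -ge $CpuThreshold -and ($inAppData -or $hiddenDir))) {
        [pscustomobject]@{
            Id = $p.Id; Name = $p.Name; CpuPercent = $pct; UnderAppData = $inAppData
            HiddenFolder = $hiddenDir; KnownName = $nameHit; Path = $path
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No running process matched the miner profile.' }
```

Run it from an elevated PowerShell prompt so that the image paths of processes in other sessions are readable. Anything it lists is a candidate for the Task Manager check and the security-program scan the article recommends, not proof of infection on its own.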

Technical Information

File System Details

Trojan.Bitcoinminer creates the following file(s):

Registry Details

Trojan.Bitcoinminer creates the following registry entry or registry entries:

Site Disclaimer

Enigmasoftware.com is not associated, affiliated, sponsored or owned by the malware creators or distributors mentioned on this article. This article should NOT be mistaken or confused in being associated in any way with the promotion or endorsement of malware. Our intent is to provide information that will educate computer users on how to detect, and ultimately remove, malware from their computer with the help of SpyHunter and/or manual removal instructions provided on this article.

This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your computer. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.