Trojan.Bitcoinminer

Trojan.Bitcoinminer Description

Trojan.Bitcoinminer is one of the detection names associated with an executable file named 'indexer.exe' that is used to mine Bitcoins and FeatherCoins. Trojan.Bitcoinminer is installed in a hidden directory under the AppData directory on the infected computer and mines Bitcoins using the infected computer's resources. Cryptocurrency mining is extremely demanding on a computer's resources, making it overheat, perform poorly and consume more power. While Bitcoin mining is a legitimate activity, Trojan.Bitcoinminer is used by con artists to take advantage of a victim's computer to mine Bitcoins or another cryptocurrency and keep the profits generated, at the expense of the victim's computer. Mining Bitcoins with a single computer is rarely profitable, so the people who distribute Trojan.Bitcoinminer and similar Trojans pool the combined resources of numerous infected computers and keep the proceeds. Currently, many Trojan.Bitcoinminer infections have been spotted in Russia, Ukraine and Indonesia.

How Trojan.Bitcoinminer may be Delivered

The most common way in which Trojan.Bitcoinminer enters a computer is through fake software downloads and updates. Con artists may hide threats like Trojan.Bitcoinminer inside software and media files distributed online. Victims download them from shady websites and then install Trojan.Bitcoinminer on their computers without being aware of it. Trojan.Bitcoinminer does not alert victims that their computers are infected, for example with a notification, and does not interfere with the computer in any visible way. However, Trojan.Bitcoinminer will use up more than three-quarters of the infected computer's processing power for mining cryptocurrency. Victims of the Trojan.Bitcoinminer attack will, therefore, notice that their computers run extremely slowly and frequently become unresponsive or unstable. Additionally, it is not uncommon for threats like Trojan.Bitcoinminer to conflict with other software on the victim's computer, causing various performance issues and preventing other programs from functioning properly.

The Trojan.Bitcoinminer Infection and Its Related Symptoms

Several symptoms may indicate that your computer has been infected with Trojan.Bitcoinminer. Computer users have reported that most software, including email clients, becomes unresponsive, freezes or crashes frequently. Some software, especially Internet browsers, fails to open at all, and many files fail to load. When victims attempt to use the infected computer to view a video or listen to music, playback frequently stutters, is distorted or stops altogether, so the computer is not usable for media. One typical problem associated with Trojan.Bitcoinminer occurs when typing: computer users may notice that their keyboard input is delayed, especially in word processing programs. This indicates that a large portion of the infected computer's resources is in use. The same symptoms can occur when the user is running a program that legitimately requires a lot of resources (for example, rendering a high-quality video); in the case of an infection, however, it is Trojan.Bitcoinminer that is using up the system's resources to mine cryptocurrency.

General Recommendations Related to Trojan.Bitcoinminer

Victims of Trojan.Bitcoinminer may notice 'indexer.exe' listed in the Task Manager. This is almost always an indicator of a Trojan.Bitcoinminer infection and requires action from the computer user. However, 'indexer.exe' is not the only name used by this Bitcoin miner. PC security researchers advise computer users to remain vigilant, since other variants of Trojan.Bitcoinminer with different file names may appear. Malware investigators recommend that computer users use a security program to remove Trojan.Bitcoinminer and other threats. If your computer continues to show symptoms, it is important to run a different anti-virus program to ensure that the Trojan.Bitcoinminer infection and any related threats have been found (in some cases, other components may prevent its removal). The following are other names by which Trojan.Bitcoinminer may be detected:

  • PUP.Optional.Bitminer
  • RDN/Generic.dx!cxt
  • Riskware.Win32.BtcMine.cnywcu
  • Tool.BtcMine.157
  • Trojan ( 0048fd0e1 )
  • Trojan.Win32.Generic!BT
  • Trojan.Win32.S.BitMiner.932352
  • W32/Trojan.PBJZ-2853
  • Win32/BitCoinMiner.AS
  • Win32/Trojan.Multi.daf
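As an added example (not code from the article or from any security vendor), the following Python script applies the indicators described above to a process snapshot: an image name on the page's list of miner file names ('indexer.exe' and the "File name without path" entries further down), a process holding more than three-quarters of the CPU, and, generalizing from the artifact paths the page lists (svchost.exe under Fonts or Temp, WmiPrvSE.exe under %WINDIR%\wmi), a Windows system binary name running from a directory other than its usual one. The snapshot rows, the expected-directory table and the default C:\Windows install path are constructed assumptions.

```python
# Added example, not from the article: triage a process snapshot with the
# indicators the article describes. Snapshot rows, the expected-directory
# table and the drive letter are constructed assumptions.
import ntpath

# Names the article associates with this miner family ('indexer.exe' plus its
# "File name without path" entries); compared case-insensitively.
KNOWN_MINER_NAMES = {
    "indexer.exe", "32xmrig.exe", "64xmrig.exe", "cpuminer-gw64.exe",
    "cpuminer-sse2.exe", "nbminer.exe", "nheqminer.exe", "nheqminer32.exe",
    "nscpucnminer32.exe", "nscpucnminer64.exe", "nsgpucnminer.exe",
    "xmrig-amd.exe", "xmrig-notls.exe", "xmrig-nvidia.exe",
}

# The article says the miner takes more than three-quarters of the CPU.
CPU_THRESHOLD_PERCENT = 75.0

# Assumed usual locations of Windows binaries whose names appear in the
# artifact list (default C:\Windows install); a copy anywhere else is suspect.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "wmiprvse.exe": {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"},
    "sppsvc.exe": {r"c:\windows\system32"},
    "wininit.exe": {r"c:\windows\system32"},
    "conhost.exe": {r"c:\windows\system32"},
}

# Constructed snapshot: (image name, CPU percent, full image path).
SAMPLE_SNAPSHOT = [
    ("explorer.exe", 1.2, r"C:\Windows\explorer.exe"),
    ("indexer.exe", 88.4, r"C:\Users\alice\AppData\Roaming\msvc\indexer.exe"),
    ("ffmpeg.exe", 91.0, r"C:\Program Files\ffmpeg\bin\ffmpeg.exe"),
    ("svchost.exe", 79.5, r"C:\Users\alice\AppData\Local\Temp\svchost.exe"),
    ("svchost.exe", 0.3, r"C:\Windows\System32\svchost.exe"),
    ("XMRig-NoTLS.exe", 2.0, r"C:\Users\alice\AppData\Roaming\xmrig-notls.exe"),
    ("WmiPrvSE.exe", 77.0, r"C:\Windows\wmi\WmiPrvSE.exe"),
]


def classify(name, cpu_percent, path, cpu_threshold=CPU_THRESHOLD_PERCENT):
    """Return 'miner', 'suspicious', 'high-cpu' or None for one process."""
    lname = name.lower()
    if lname in KNOWN_MINER_NAMES:
        return "miner"            # the article's primary indicator
    expected = EXPECTED_DIRS.get(lname)
    if expected is not None and ntpath.dirname(path).lower() not in expected:
        return "suspicious"       # system binary name in the wrong directory
    if cpu_percent > cpu_threshold:
        return "high-cpu"         # a render job looks the same: verify the image
    return None


def triage(snapshot):
    """Return (name, path, verdict) for every process worth a closer look."""
    findings = []
    for name, cpu_percent, path in snapshot:
        verdict = classify(name, cpu_percent, path)
        if verdict:
            findings.append((name, path, verdict))
    return findings


if __name__ == "__main__":
    for name, path, verdict in triage(SAMPLE_SNAPSHOT):
        print(f"{verdict:<10} {name:<16} {path}")
```

On a live Windows host the snapshot rows can be assembled from Get-Process or psutil. Note that 'high-cpu' on its own is only a prompt to look at the image path, which is the article's point about legitimate rendering jobs; a known miner name or a misplaced system binary is what makes the finding actionable.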

Technical Information

File System Details

Trojan.Bitcoinminer creates the following file(s):
| # | File Name | Size (bytes) | MD5 | Detection Count |
|---|---|---|---|---|
| 1 | %WINDIR%\system32\winrmsrv.exe\winrmsrv.exe | 731,136 | 462ee20e8abbbb559bd1c4f8be87b123 | 21,163 |
| 2 | %WINDIR%\Microsoft.exe\Microsoft.exe | 3,082,128 | 1b40993b7b73f33325de8241e07e1e70 | 2,086 |
| 3 | %SYSTEMDRIVE%\Users\Viih\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SE2TO53W\java13[1].dat\java13[1].dat | 45,861 | 0eac66bb3defaa36ec657e90218a442b | 533 |
| 4 | %ALLUSERSPROFILE%\amd64_microsoft-windows-l..epremiumn.resources_31bf3856ad364e35_6.1.7600.16385_ru-ru_07c6a56c1b829eb8\wlanui.exe\wlanui.exe | 1,429,504 | bd59145b8ecb0b9f25332b0de73a9397 | 261 |
| 5 | C:\Users\TB\AppData\Roaming\m.fjk | 25,289,369 | ddca9459a48f4069b0d501b3c7d04957 | 156 |
| 6 | %ALLUSERSPROFILE%\Mega Tools\ServiceHub.CLR.x64.exe\ServiceHub.CLR.x64.exe | 6,732,800 | 4a8982935d9fd546297141fc7d81bf63 | 151 |
| 7 | %SYSTEMDRIVE%\users\admin\appdata\roaming\x86_microsoft-windows-mfplat.resources\kbdsn1.exe\kbdsn1.exe | 2,378,752 | b2786685ef7d2bd36100a8b68a6ace40 | 109 |
| 8 | c:\program files (x86)\bridlebuddles\bridlebuddlesservice.exe | 9,874,944 | 6ec1aea3abdae65a32e4780bb7eb4f85 | 92 |
| 9 | c:\users\khokon\appdata\local\temp\temp1_windows.zip\credit-qt.exe | 26,787,328 | 9ea39880dfac787d02b3bd7e6aa15697 | 42 |
| 10 | %SYSTEMDRIVE%\Users\user\Desktop\4622292107165696\3f70a0a3669cf11f8e4bff5d61c758bdce53baf22d9244dc0db0fe66262d7a34\3f70a0a3669cf11f8e4bff5d61c758bdce53baf22d9244dc0db0fe66262d7a34 | 18,944 | b5e6b2c92cced7cbe825b5ddfd577291 | 38 |
| 11 | c:\program files (x86)\overidlebuddies\overidlebuddiesservice.exe | 10,753,024 | c7ae8932538274154653bcfbaf2210d0 | 36 |
| 12 | %WINDIR%\System32\29cf036480b6.dll\29cf036480b6.dll | 109,568 | 77ba4a18ef8719c2f218e87dfdcba58f | 26 |
| 13 | f:\cryptocurrency\peercoin\peercoin-qt.exe | 25,915,392 | 6551dbd26cfd7a37039e5af7890e5ae8 | 21 |
| 14 | d:\zcoin\zcoin-qt.exe | 42,525,712 | 20f333c444ebe1d7ecdb744296b4d2ea | 18 |
| 15 | C:\Windows\LiveKernel\SRPolicySvc.exe | 246,272 | 159da1ff5775044ce33a917582a0b3b5 | 17 |
| 16 | C:\WINDOWS\Fonts\sppsvc.exe\sppsvc.exe | 1,438,208 | 8491a3f6c096bd19310d1e899fad94f5 | 17 |
| 17 | %WINDIR%\SysWOW64\TiWorker.exe\TiWorker.exe | 4,597,200 | b63b76e6161f0a8a685a9d53ee365a51 | 16 |
| 18 | c:\users\andrew\appdata\roaming\msil_microsoft.hyperv.powershell.resources_31bf3856ad364e35_10.0.17134.1_ru-ru_2ce9ff82d4fb29f9\kbdir.exe | 2,002,432 | 1572cc29c54dcaf39cd1bcfd25315e00 | 14 |
| 19 | %SYSTEMDRIVE%\users\rasmus\appdata\roaming\wow64_microsoft-windows-n..erclasses.resources_31bf3856ad364e35_10.0.17134.1_ru-ru_ae1f6e3f46031857\messagingdatamodel2.exe\messagingdatamodel2.exe | 1,335,944 | 67e03155971af9b64001aa6cb604efde | 13 |
| 20 | C:\Users\bkmbti\AppData\Local\Temp\RarSFX8\Services.exe | 3,512,360 | d9059794e2cfe43a6db03faee5860bc6 | 13 |
| 21 | C:\kernel\sysconfig.exe | 8,704 | 4152bf9e1aaa428fbbcf91d133f25794 | 12 |
| 22 | %SYSTEMDRIVE%\Users\cadef\AppData\Roaming\osdmnuu_dir\osdmnus.exe\osdmnus.exe | 7,168 | 4caf60213aebb70e4ea983a3141ef5bc | 10 |
| 23 | C:\Users\хач\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XMR Silent Miner by Tigerzplace.exe | 14,211,608 | 4c624ced3b2e239cf9c6b6488c37d97e | 8 |
| 24 | %SYSTEMDRIVE%\Documents and Settings\Owner\Desktop\ONE PLACE\BItcoin Miner Guide\bitcoin miner+guide\install+setup\guiminer-20110501.exe\guiminer-20110501.exe | 7,276,915 | 5c40990dbae70347e37ccdd4ca10081f | 6 |
| 25 | C:\Users\venelina\AppData\Roaming\Kingmaker Rise to the Throne - Collector's. Edition.exe\Kingmaker Rise to the Throne - Collector's. Edition.exe | 987,663 | 4dcc9bf45072c5bbb88dc5f4d55dc7f7 | 6 |
| 26 | C:\Wlndows\system32\Desktop-64.exe | 4,578,304 | 2c9550a1516bcc5590379fb0e968118b | 6 |
| 27 | C:\ist\ja.exe | 271,972,975 | a06f3792c7e517bca2f7b7e519630f07 | 6 |
| 28 | %WINDIR%\system32\config\systemprofile\appdata\roaming\microsoft\cred.ps1 | 3,122,543 | 55f7cc72b8eeb5813b16c23955fed4c4 | 1 |
| 29 | c:\users\wayne\appdata\local\temp\bitfc2e.tmp | 10,749,696 | 69a51616979d7896d8378fe517e571f8 | 1 |
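The table above arrives as one flattened row per line, with file names that may themselves contain spaces, so a plain whitespace split misparses it. The following Python is an added example (not the vendor's own tooling): it parses rows in that layout by anchoring the size, MD5 and detection-count fields at the end of the line, builds an MD5 index, and hashes a file in chunks for lookup. The three rows embedded below are copied from the table; the file hashed by hash_sample_file() is constructed and matches none of them.

```python
# Added example, not from the article: parse the flattened "File System
# Details" rows into records and look an MD5 digest up against them.
# The rows below are copied from the table; the file hashed by
# hash_sample_file() is constructed and matches none of them.
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass

# Row layout: "<#> <path, which may contain spaces> <size> <md5> <count>".
# The three trailing fields are anchored at the end of the line, so the
# lazy path group absorbs any spaces inside the path.
ROW_RE = re.compile(
    r"^(?P<idx>\d+)\s+(?P<path>.+?)\s+(?P<size>[\d,]+)\s+"
    r"(?P<md5>[0-9a-fA-F]{32})\s+(?P<count>[\d,]+)$"
)

SAMPLE_ROWS = r"""
1 %WINDIR%\system32\winrmsrv.exe\winrmsrv.exe 731,136 462ee20e8abbbb559bd1c4f8be87b123 21,163
3 %SYSTEMDRIVE%\Users\Viih\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SE2TO53W\java13[1].dat\java13[1].dat 45,861 0eac66bb3defaa36ec657e90218a442b 533
23 C:\Users\хач\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XMR Silent Miner by Tigerzplace.exe 14,211,608 4c624ced3b2e239cf9c6b6488c37d97e 8
"""


@dataclass(frozen=True)
class FileRecord:
    index: int
    path: str
    size: int        # bytes
    md5: str         # lower-case hex
    detections: int


def parse_rows(text):
    """Parse table rows; raise on a row that does not fit the layout."""
    records = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable row: {line!r}")
        records.append(FileRecord(
            index=int(m["idx"]),
            path=m["path"],
            size=int(m["size"].replace(",", "")),
            md5=m["md5"].lower(),
            detections=int(m["count"].replace(",", "")),
        ))
    return records


def build_index(records):
    """Map lower-case MD5 -> record for constant-time lookups."""
    return {r.md5: r for r in records}


def md5_of_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large samples need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def lookup(index, digest):
    """Return the matching record or None; digests compare case-insensitively."""
    return index.get(digest.lower())


def hash_sample_file():
    """Write a constructed three-byte file, hash it and clean up."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(b"abc")
        return md5_of_file(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    index = build_index(parse_rows(SAMPLE_ROWS))
    hit = lookup(index, "462EE20E8ABBBB559BD1C4F8BE87B123")
    print("known:", hit.path if hit else None)
    sample = hash_sample_file()
    print("sample file:", sample, "->", lookup(index, sample))
```

MD5 is what this table publishes, so it is what the lookup uses; it identifies a specific known sample and nothing more, since any recompiled or repacked miner gets a different digest. The path and size columns are worth keeping alongside the hash for exactly that reason.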

Registry Details

Trojan.Bitcoinminer creates the following registry entries and related artifacts, grouped by type (uninstaller entries, directories, file names, file masks and registry keys):

Uninstaller
bridlebuddles
Id_Buddy
IdBuddy
idle--buddy
IdleBuddy
idledbuddy
idlenessbuddy
IdlingBuddy
overidlebuddies
PQwick
{0854AE3A-3A63-4BC6-BE20-F4185D343B5A}_is1
{4A91D8B3-712F-4815-B29B-E610008C4704}
{4CF9B388-78FA-46C3-B409-196FE2CF5F20}
{BEA0F17A-FD14-4646-8138-30994D87948A}_is1
{C2AA50F8-B1B8-4A40-BC18-E6CAB19DC0ED}_is1
{EC27A18E-53F3-4434-B08D-26C3E751C50F}
{FC44DE72-60F9-4BC1-B098-D2F6B5A06187}

Directory
%ALLUSERSPROFILE%\Application Data\clr_optimization_v4.0.30318_64
%ALLUSERSPROFILE%\Application Data\clr_optimization_v4.0.52760_64
%ALLUSERSPROFILE%\Application Data\wrdjdgyrmg
%ALLUSERSPROFILE%\AudioDriver
%ALLUSERSPROFILE%\clr_optimization_v4.0.30318_64
%ALLUSERSPROFILE%\DirectX11b
%ALLUSERSPROFILE%\eizzbvEmWK
%ALLUSERSPROFILE%\Flashas
%ALLUSERSPROFILE%\Flashe
%ALLUSERSPROFILE%\flashes
%ALLUSERSPROFILE%\flashi
%ALLUSERSPROFILE%\FrameworkHostPro
%ALLUSERSPROFILE%\Guard Tool
%ALLUSERSPROFILE%\Guardm
%ALLUSERSPROFILE%\Haalety
%ALLUSERSPROFILE%\hkrfjnygtg
%ALLUSERSPROFILE%\Intel(R)Usb3.0
%ALLUSERSPROFILE%\IntelD
%ALLUSERSPROFILE%\JetMedia
%ALLUSERSPROFILE%\Logiteh
%ALLUSERSPROFILE%\lpmti
%ALLUSERSPROFILE%\mg32
%ALLUSERSPROFILE%\Micro Foundation 7
%ALLUSERSPROFILE%\MicrosoftCorporation
%ALLUSERSPROFILE%\ModuleGS
%ALLUSERSPROFILE%\PhysicalDeviceAdapter
%ALLUSERSPROFILE%\playersclub
%ALLUSERSPROFILE%\securityhealth
%ALLUSERSPROFILE%\ServiceProfiles
%ALLUSERSPROFILE%\sqlncli11imageres
%ALLUSERSPROFILE%\SRAPO64srrstr
%ALLUSERSPROFILE%\Systema Natives
%ALLUSERSPROFILE%\SystemaRev
%ALLUSERSPROFILE%\Systemfiles
%ALLUSERSPROFILE%\Task.Manager.Helper
%ALLUSERSPROFILE%\taskmnr
%ALLUSERSPROFILE%\UHASecurity
%ALLUSERSPROFILE%\wincss
%ALLUSERSPROFILE%\Windows64
%ALLUSERSPROFILE%\WindowsAppCertification
%ALLUSERSPROFILE%\wintcpautoproxysvc
%ALLUSERSPROFILE%\wrdjdgyrmg
%ALLUSERSPROFILE%\zvmimcgqez
%ALLUSERSPROFILE%\{4FCEED6C-B7D9-405B-A844-C3DBF418BF87}
%ALLUSERSPROFILE%\{CB28D9D3-6B5D-4AFA-BA37-B4AFAABF70B8}
%APPDATA%\8mFuF
%APPDATA%\Adobe32
%APPDATA%\Adobe32x64
%APPDATA%\adobe\nvv8
%APPDATA%\adobe\x64e
%APPDATA%\adobe\x64r
%APPDATA%\adobe\x64rx
%APPDATA%\Alix
%APPDATA%\AMDProcess
%APPDATA%\Aplfone
%appdata%\appcontainer\storage\microsoft.microsoftedge_8wekyb3d8bbwe\children\001\internet settings\cpu
%APPDATA%\AsCDPro
%AppData%\AsToolCD
%APPDATA%\AudioHDriver
%APPDATA%\Auto1Feed
%Appdata%\Avira Antivir
%APPDATA%\brhost
%APPDATA%\bvhost
%AppData%\ClearMe
%APPDATA%\com.flash.WidgetBrowser
%APPDATA%\com_shell
%APPDATA%\Defender
%APPDATA%\Dibifu_9
%APPDATA%\DPTopologyApp
%APPDATA%\Faqelo
%APPDATA%\Fujelo
%APPDATA%\Google\GoogleUpdates
%APPDATA%\IdleProcess
%APPDATA%\Ie1Servise
%APPDATA%\IeMiss2
%APPDATA%\IeServise
%APPDATA%\jetmedia
%APPDATA%\jsonminify
%APPDATA%\jswUpdate
%APPDATA%\Logiteh
%APPDATA%\Maik
%APPDATA%\mercya
%APPDATA%\Microsoft Help\hs_module
%AppData%\Microsoft\Protect\Upd64
%APPDATA%\microsoft\teamviewer
%APPDATA%\Microsoft\Windows\Start Menu\Programs\id_buddy
%APPDATA%\Microsoft\Windows\Start Menu\Programs\idle--buddy
%APPDATA%\Microsoft\Windows\Start Menu\Programs\IdleBuddy
%APPDATA%\Miicrosoft
%AppData%\MineCor
%APPDATA%\MingC
%APPDATA%\myinstall
%APPDATA%\Nanera
%APPDATA%\Olesya
%APPDATA%\OneMisc
%APPDATA%\RarZip
%APPDATA%\rundll32.exe
%APPDATA%\samika
%APPDATA%\shell\0\0\0\0\0\googlerec
%appdata%\silent
%APPDATA%\smoti2
%APPDATA%\Sorsur
%APPDATA%\sppui
%APPDATA%\Svcms
%APPDATA%\svhost
%APPDATA%\Sysfiles
%APPDATA%\System Process
%APPDATA%\Systema Natives
%APPDATA%\SystemaRev
%APPDATA%\systemdata\searcher
%APPDATA%\Taloce
%APPDATA%\TelemetricSys
%APPDATA%\uconhosts
%APPDATA%\Vatico
%APPDATA%\vbhost
%APPDATA%\Versions Watcher
%APPDATA%\vghost
%appdata%\VideoDrivers
%APPDATA%\Vive
%APPDATA%\Windows_x64_nheqminer-5c
%APPDATA%\WindowsFirewall
%APPDATA%\WindowsHelp
%APPDATA%\winrar_tools
%APPDATA%\WinZIP_32
%appdata%\wow64_microsoft-windows-vssproxystub
%APPDATA%\x11
%APPDATA%\xBooster
%APPDATA%\xmlframwork
%APPDATA%\xszman
%appdata%\zgs
%APPDATA%\ZSystemDll
%COMMONPROGRAMFILES%\myinstall
%COMMONPROGRAMFILES(x86)%\myinstall
%homedrive%\0_miner_mondero
%HOMEDRIVE%\Chrome\XMR
%HOMEDRIVE%\dapp
%HOMEDRIVE%\ness\miner
%HOMEDRIVE%\Users\Default\AppData\Roaming\System
%HOMEDRIVE%\XMR
%LOCALAPPDATA%\cypjMERAky
%LOCALAPPDATA%\ESET-NOD32
%LOCALAPPDATA%\Logiteh
%LOCALAPPDATA%\minergate-cli
%LOCALAPPDATA%\Roaming\Cache
%localappdata%\TMeter
%PROGRAMFILES%\bridlebuddles
%PROGRAMFILES%\BRTSvc
%PROGRAMFILES%\ibuddy
%PROGRAMFILES%\id_buddy
%PROGRAMFILES%\IdBuddy
%PROGRAMFILES%\idle--buddy
%PROGRAMFILES%\Idle-Buddy
%PROGRAMFILES%\IdleBuddy
%PROGRAMFILES%\idledbuddy
%PROGRAMFILES%\idlenessbuddy
%PROGRAMFILES%\idlingbuddy
%PROGRAMFILES%\inteldriverpack
%PROGRAMFILES%\Jetmedia
%PROGRAMFILES%\jsstmedia
%PROGRAMFILES%\LaCie Private Public
%PROGRAMFILES%\overidlebuddies
%PROGRAMFILES%\PQwick1.1
%PROGRAMFILES%\System Native\Main Services
%PROGRAMFILES%\Systema Natives\MServices X
%PROGRAMFILES%\SystemaRev
%PROGRAMFILES%\SystemaRev\RevServicesX
%PROGRAMFILES%\SystemNanoPacks
%PROGRAMFILES(x86)%\bridlebuddles
%PROGRAMFILES(x86)%\BRTSvc
%PROGRAMFILES(x86)%\Hardware Driver Management
%PROGRAMFILES(x86)%\ibuddy
%PROGRAMFILES(x86)%\id_buddy
%PROGRAMFILES(x86)%\IdBuddy
%PROGRAMFILES(x86)%\idle--buddy
%PROGRAMFILES(x86)%\Idle-Buddy
%PROGRAMFILES(x86)%\IdleBuddy
%PROGRAMFILES(x86)%\idledbuddy
%PROGRAMFILES(x86)%\idlenessbuddy
%PROGRAMFILES(x86)%\idlingbuddy
%PROGRAMFILES(x86)%\Jetmedia
%PROGRAMFILES(x86)%\jsstmedia
%PROGRAMFILES(x86)%\LaCie Private Public
%PROGRAMFILES(x86)%\overidlebuddies
%PROGRAMFILES(x86)%\PQwick1.1
%PROGRAMFILES(x86)%\System Native\Main Services
%PROGRAMFILES(x86)%\SystemaRev
%Public%\Avast! -Antivirus
%TEMP%\WindowsData1
%TEMP%\WindowsTask
%USERPROFILE%\Documents\TransactionServices Inc
%USERPROFILE%\OneDrive\Documents\SystemServices Inc
%USERPROFILE%\OneDrive\Documents\TransactionServices Inc
%WINDIR%\fonts\cao
%WINDIR%\HashStrem
%WINDIR%\hs_module
%windir%\pcdata
%WINDIR%\speechstracing
%WINDIR%\system32\config\systemprofile\appdata\local\bjihiwsdsu
%WINDIR%\system32\config\systemprofile\Documents\TransactionServices Inc
%WINDIR%\system32\HS\hs_module
%WINDIR%\system32\SecureBootThemes
%WINDIR%\system32\SysprepThemes
%WINDIR%\System32\Tasks\Microsoft\Windows\sysem\ssrec\a
%WINDIR%\syswow64\config\systemprofile\appdata\local\bjihiwsdsu
%WINDIR%\SysWOW64\HS\hs_module
%WINDIR%\SysWOW64\xmr64
%WINDIR%\wdms
%WINDIR%\{DE03ECBA-2A77-438C-8243-0AF592BDBB20}

File name without path
32xmrig.exe
64xmrig.exe
cpuminer-gw64.exe
cpuminer-sse2.exe
DOC001.exe
IdlingBuddy.lnk
IMG001.exe
img002.exe
nbminer.exe
nheqminer.exe
nheqminer32.exe
NsCpuCNMiner32.exe
NsCpuCNMiner64.exe
NsGpuCNMiner.exe
xmrig-amd.exe
xmrig-notls.exe
xmrig-nvidia.exe

Regexp file mask
%ALLUSERSPROFILE%\Application Data\NVIDIA_cure.exe
%ALLUSERSPROFILE%\DriversI\intel.exe
%ALLUSERSPROFILE%\esif.exe
%ALLUSERSPROFILE%\flash\msacuil.exe
%ALLUSERSPROFILE%\Framework\System.exe
%ALLUSERSPROFILE%\GS_Svc.exe
%ALLUSERSPROFILE%\Intel(R) Management\intel[RANDOM CHARACTERS].exe
%ALLUSERSPROFILE%\Intel(R) Management\run.exe
%ALLUSERSPROFILE%\Komar.exe
%ALLUSERSPROFILE%\Mbvhost.exe
%ALLUSERSPROFILE%\Microsoft\Defender\jusched_srv.exe
%ALLUSERSPROFILE%\Microsoft\Security Windows\svshost.exe
%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\DOC001.exe
%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\winhost.exe
%ALLUSERSPROFILE%\MicrosoftCare.exe
%ALLUSERSPROFILE%\NVIDIA_cure.exe
%ALLUSERSPROFILE%\olly.exe
%ALLUSERSPROFILE%\onedrive.exe
%ALLUSERSPROFILE%\Roamer.exe
%ALLUSERSPROFILE%\run[NUMBERS].exe
%ALLUSERSPROFILE%\Skype\chrome.exe
%ALLUSERSPROFILE%\Skype\msacuil.exe
%ALLUSERSPROFILE%\SQLEXPRESS_X64_86.exe
%ALLUSERSPROFILE%\System32\Logs\ShellExperienceHost.exe
%ALLUSERSPROFILE%\VsTelemetry\vshub.exe
%ALLUSERSPROFILE%\windowsservices\helper.vbs
%ALLUSERSPROFILE%\zun.exe
%APPDATA%\1.cmd
%APPDATA%\2.cmd
%APPDATA%\32.exe
%APPDATA%\Adobe\Flash Player\MediaCache\IEMonitor.exe
%APPDATA%\Adobe\Share\AMDshare.exe
%APPDATA%\Adobe\Share\Launcher.exe
%APPDATA%\Adobe\Share\NVIDIAshare.exe
%APPDATA%\Adobe\Share\Share[NUMBERS].exe
%APPDATA%\Adobe\syssl.exe
%APPDATA%\Adobe\Updater6\AdobeService.exe
%APPDATA%\Alxi\Alxi.vbs
%appdata%\appcontainer\storage\microsoft.microsoftedge_8wekyb3d8bbwe\children\001\internet settings\guard.exe
%appdata%\appcontainer\storage\microsoft.microsoftedge_8wekyb3d8bbwe\children\001\internet settings\sysclc.exe
%APPDATA%\appmgr\appmgr.exe
%APPDATA%\Architecture\member\Systemcore.exe
%APPDATA%\coinutil.dll
%APPDATA%\crmsvc.exe
%APPDATA%\DirectX\DirectX.vbs
%APPDATA%\documents\imonitor.exe
%APPDATA%\driver\driver.exe
%APPDATA%\etctool\etc.vbs
%APPDATA%\Filosof\Filosof.vbs
%APPDATA%\FireFox\launcher\Systemcore.exe
%appdata%\google\chrome\user data\spool.exe
%APPDATA%\GoogleUpdater.exe
%APPDATA%\Idle\Idle.exe
%APPDATA%\Images\image.exe
%APPDATA%\Images\images.exe
%APPDATA%\isaa.exe
%APPDATA%\Java\x86-64bits Windows\Config-DefaultMain\SysUtils SDK v2.49\svhcost.exe
%APPDATA%\Launcher_01.exe
%APPDATA%\Launcher_08.exe
%APPDATA%\libraries\MicrosoftRuntimeUpdate.vbe
%APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\SyncCheck.exe
%APPDATA%\Mama\mama.vbs
%APPDATA%\mcrserver.exe
%APPDATA%\MicroMon\curl.exe
%APPDATA%\Microsoft\msconfig.exe
%APPDATA%\Microsoft\office\dllchost.exe
%APPDATA%\Microsoft\Windows Protect\winprotect.exe
%APPDATA%\Microsoft\Windows\CPU\taskhost.exe
%APPDATA%\Microsoft\Windows\Helper.exe
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\AudioDriver.url
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Browge.vbs
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Check for updates.bat
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\fBCjxCDztG.url
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\GoogleCrashHandlerws.vbs
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\IeServise.lnk
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\key.exe
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\miner.exe.url
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\OneMisc.vbs
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\rara.vbs
%APPDATA%\Microsoft\Windows\winhost.exe
%APPDATA%\MicrosoftViewer.exe
%APPDATA%\miner-x64.exe
%APPDATA%\miner.dll
%APPDATA%\rarog.exe
%APPDATA%\Roamer.exe
%APPDATA%\RunSpeed\RunSpeed.vbs
%APPDATA%\Sasha\Sasha.vbs
%APPDATA%\SearchProtocolHosts.exe
%APPDATA%\server\minergate.exe
%APPDATA%\server\runhosts.exe
%APPDATA%\sidebar.exe
%APPDATA%\sidebar.vbs
%APPDATA%\svc\svc.exe
%APPDATA%\System\etp.exe
%APPDATA%\systemcare-ppi-ul5.dll
%APPDATA%\systemcare.exe
%APPDATA%\SystemProcess\SystemProcess.exe
%APPDATA%\taskmg.exe
%APPDATA%\TeleMetric\TeleMetric.exe
%APPDATA%\Temp\DOC001.exe
%APPDATA%\Updater\localversion.txt
%APPDATA%\Updater\Update.cmd
%APPDATA%\Valit\jukov.vbs
%APPDATA%\Valit\lera.vbs
%APPDATA%\Valit\Valit.vbs
%APPDATA%\vfc\ffmpeg\task.exe
%APPDATA%\windows-ppi-ul5.dll
%APPDATA%\WindowsApps\CPU1\intel1.exe
%APPDATA%\WindowsApps\CPU\intel.exe
%APPDATA%\WindowsApps\taskwint.exe
%APPDATA%\WindowsApps\winitex.exe
%APPDATA%\winhost.exe
%APPDATA%\winlog.exe
%APPDATA%\winlog.vbs
%APPDATA%\WinRAR\Precomp\precomp.exe
%APPDATA%\xmrig[NUMBERS].exe
%APPDATA%\Zara\zara.vbs
%COMMONPROGRAMFILES%\System\svchost.exe
%COMMONPROGRAMFILES(x86)%\new.bat
%HOMEDRIVE%\Applications\cmdsrvs.exe
%HOMEDRIVE%\Applications\Service.exe
%HOMEDRIVE%\Applications\websock.exe
%HOMEDRIVE%\ASD\cpuminer-sse2.exe
%HOMEDRIVE%\ASD\nh.exe
%HOMEDRIVE%\backupsys\pow32.bat
%HOMEDRIVE%\backupsys\system.bat
%HOMEDRIVE%\backupsys\taskmgr32.exe
%HOMEDRIVE%\backupsys\window[NUMBERS].vbs
%HOMEDRIVE%\browse\browse.exe
%HOMEDRIVE%\Browse\cmdsrvs.exe
%HOMEDRIVE%\Disk\cmdsvr.exe
%HOMEDRIVE%\Disk\securedisk.exe
%HOMEDRIVE%\Disk\WebService.exe
%HOMEDRIVE%\DOC001.exe
%HOMEDRIVE%\images.scr
%HOMEDRIVE%\intel\setup.vbs
%HOMEDRIVE%\MSOCache\svchost.exe
%HOMEDRIVE%\WindowsData\hostdl.exe
%LOCALAPPDATA%\amd\amd_accelerator.exe
%LOCALAPPDATA%\Explorer Data\msiexec64.exe
%LOCALAPPDATA%\Intel\iaa23.exe
%LOCALAPPDATA%\Intel\iap23.dll
%localappdata%\intel\iii.pl
%localappdata%\intel\iii.zip
%LOCALAPPDATA%\Intel\imgre.exe
%LOCALAPPDATA%\Intel\intelmngr.exe
%LOCALAPPDATA%\Intel\management.db
%localappdata%\intel\red.dll
%LOCALAPPDATA%\isaa.exe
%LOCALAPPDATA%\Optimizer\Optimizer.exe
%LOCALAPPDATA%\Roamer.exe
%LOCALAPPDATA%\smartstats\smassvc.exe
%LOCALAPPDATA%\SQLite\SQLManager.exe
%LOCALAPPDATA%\SQLite\wincpu.exe
%PROGRAMFILES%\SQLite\SQLManager.exe
%PROGRAMFILES(x86)%\SQLite\SQLManager.exe
%PROGRAMFILES(x86)%\SQLite\wincpu.exe
%PUBLIC%\documents\documentsindex.dll
%PUBLIC%\Libraries\wsappx.exe
%TEMP%\DrToolKrl.sys
%TEMP%\hiddengate.exe
%TEMP%\isaa.exe
%TEMP%\Kilence.exe
%TEMP%\Roamer.exe
%TEMP%\wup\wup.exe
%TEMP%\xmrig.exe
%TEMP%\ytmp\t[NUMBERS].[RANDOM CHARACTERS]
%USERPROFILE%\Documents\xmrig.exe
%USERPROFILE%\NVDisplay.exe
%WINDIR%\deftesrg.exe
%WINDIR%\fonts\conhost.exe
%WINDIR%\Fonts\MsEssentialSecurity.exe
%WINDIR%\Fonts\svchost.exe
%WINDIR%\HS_Svc.exe
%WINDIR%\IIS\crss.exe
%WINDIR%\ime\rescv.exe
%WINDIR%\inf\msief.exe
%WINDIR%\installer\patchcach\systemnt.exe
%WINDIR%\jb-JP\spools.exe
%WINDIR%\LiveKernel\SRPolicySvc.exe
%WINDIR%\mcfg\mcfg.exe
%WINDIR%\microsoft.net\framework64\v4.0.30319\gpsrv.exe
%WINDIR%\mscsuscr.exe
%WINDIR%\nv\NvProfileUpdater64.exe
%WINDIR%\nvidia\NvUpdater64.exe
%WINDIR%\scsktsvc.exe
%WINDIR%\servime.exe
%WINDIR%\Sys64\starter.exe
%WINDIR%\Sys\taskmgr.exe
%WINDIR%\System32\config\systemprofile\AppData\Roaming\Microsoft\cred.ps1
%WINDIR%\system32\dllhostex.exe
%WINDIR%\System32\drivers\etc\svchost.exe
%WINDIR%\system32\Easeware.Driver.exe
%WINDIR%\system32\MaintenancesServices.dll
%WINDIR%\System32\mcicda32.dll
%WINDIR%\system32\mcicda64.dll
%WINDIR%\system32\SecUpdateHost.exe
%WINDIR%\system32\Tasks\CPUSpeed
%WINDIR%\system32\Tasks\GPUSpeed
%WINDIR%\System32\Tasks\RestoreRevTask
%WINDIR%\System32\Tasks\UpdaterChromeApp[RANDOM CHARACTERS]
%WINDIR%\system32\TasksHostServices.exe
%WINDIR%\system32\vmichapagentsrv.dll
%WINDIR%\system32\werlfault.exe
%WINDIR%\System32\windfn.exe
%WINDIR%\system32\wmassrv.dll
%WINDIR%\system32\WUDHostServices.exe
%WINDIR%\SysWOW64\HS\Client.exe
%WINDIR%\SysWOW64\HS\HS_Svc.exe
%WINDIR%\TEMP\32x64.exe
%WINDIR%\TEMP\amdxx64.exe
%WINDIR%\TEMP\antspywares.exe
%WINDIR%\TEMP\av64n.exe
%WINDIR%\TEMP\nvi864.exe
%Windir%\temp\y1.bat
%WINDIR%\wdf\wdf.exe
%WINDIR%\window.exe
%WINDIR%\wmi\WmiPrvSE.exe
%WINDIR%\WmiPrvSE.exe
%WINDIR%\wmu2\wininit.exe
%WINDIR%\wolf\minerw{0,1}.exe
%WINDIR%\xmrig[NUMBERS].exe

Registry key
Software\Ashampoo\Ashampoo Gadge It\PQwick
SOFTWARE\IdleBuddy
SOFTWARE\idledbuddy
Software\idlenessbuddy
SOFTWARE\idlingbuddy
SOFTWARE\Jetmedia
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\CPUSpeed
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GPUSpeed
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RestoreRevTask
Software\Microsoft\Windows\CurrentVersion\Run\AVAADA
Software\Microsoft\Windows\CurrentVersion\Run\PQwick
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShellExperienceHost
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vnlgp
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zminer
SOFTWARE\Native System Provider
SOFTWARE\SystemaRev
Software\VideoDrivers
SOFTWARE\Wow6432Node\IdleBuddy
SOFTWARE\Wow6432Node\idledbuddy
SOFTWARE\Wow6432Node\idlenessbuddy
SOFTWARE\Wow6432Node\idlingbuddy
SOFTWARE\Wow6432Node\Jetmedia
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vnlgp
SOFTWARE\Wow6432Node\Native System Provider
SYSTEM\ControlSet001\Services\AdobeFlashPlayerHash
SYSTEM\ControlSet001\Services\DirectX11b
SYSTEM\ControlSet001\Services\MinerGate
SYSTEM\ControlSet001\services\NativeDesktopMediaService
SYSTEM\ControlSet002\Services\AdobeFlashPlayerHash
SYSTEM\ControlSet002\Services\DirectX11b
SYSTEM\ControlSet002\Services\MinerGate
SYSTEM\ControlSet002\services\NativeDesktopMediaService
SYSTEM\CurrentControlSet\Services\AdobeFlashPlayerHash
SYSTEM\CurrentControlSet\Services\DirectX11b
SYSTEM\CurrentControlSet\Services\MinerGate
System\CurrentControlSet\Services\NativeDesktopMediaService
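The "Regexp file mask" entries above mix environment variables, placeholders ([NUMBERS], [RANDOM CHARACTERS]) and, in one case, a bare regular-expression quantifier (minerw{0,1}.exe), so they cannot be compared to paths literally. The following Python is an added example rather than the vendor's own matching code: it expands the environment variables, escapes the literal parts of each mask, and turns the placeholders and quantifiers into a compiled regular expression that candidate paths are matched against. The placeholder meanings, the environment-variable values and the candidate paths are assumptions; the masks themselves are copied from the list.

```python
# Added example, not from the article: compile "Regexp file mask" entries
# into regular expressions and match paths against them. ENV values,
# placeholder meanings and the candidate paths are assumptions.
import re

# Assumed values for the variables the masks use; on a live host take them
# from os.environ (variable names are case-insensitive on Windows).
ENV = {
    "WINDIR": r"C:\Windows",
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
    "ALLUSERSPROFILE": r"C:\ProgramData",
}

# Masks copied from the article's list.
SAMPLE_MASKS = [
    r"%APPDATA%\xmrig[NUMBERS].exe",
    r"%ALLUSERSPROFILE%\Intel(R) Management\intel[RANDOM CHARACTERS].exe",
    r"%TEMP%\ytmp\t[NUMBERS].[RANDOM CHARACTERS]",
    r"%WINDIR%\wolf\minerw{0,1}.exe",
    r"%WINDIR%\Fonts\svchost.exe",
]

# Assumed meaning of the placeholders: digits, and any run of characters that
# does not cross a directory separator.
PLACEHOLDERS = {"[NUMBERS]": r"\d+", "[RANDOM CHARACTERS]": r"[^\\]+"}

# Tokens that are not literal text: the two placeholders and {m,n} quantifiers.
TOKEN_RE = re.compile(r"\[NUMBERS\]|\[RANDOM CHARACTERS\]|\{\d+,\d+\}")


def expand_env(mask, env=ENV):
    """Replace %NAME% with its value; unknown names raise rather than match nothing."""
    def repl(m):
        name = m.group(1).upper()
        if name not in env:
            raise KeyError(f"no value for %{name}%")
        return env[name]
    return re.sub(r"%([^%]+)%", repl, mask)


def compile_mask(mask, env=ENV):
    """Escape literal text, keep placeholders/quantifiers, anchor both ends."""
    expanded = expand_env(mask, env)
    parts, pos = [], 0
    for m in TOKEN_RE.finditer(expanded):
        parts.append(re.escape(expanded[pos:m.start()]))
        tok = m.group(0)
        # A {m,n} quantifier applies to the literal character just before it.
        parts.append(PLACEHOLDERS.get(tok, tok))
        pos = m.end()
    parts.append(re.escape(expanded[pos:]))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def compile_all(masks, env=ENV):
    return [(mask, compile_mask(mask, env)) for mask in masks]


def match_path(compiled, path):
    """Return the first mask that matches `path`, or None."""
    for mask, rx in compiled:
        if rx.match(path):
            return mask
    return None


if __name__ == "__main__":
    compiled = compile_all(SAMPLE_MASKS)
    for candidate in (r"C:\Users\alice\AppData\Roaming\xmrig32.exe",
                      r"C:\Windows\wolf\miner.exe",
                      r"C:\Windows\System32\svchost.exe"):
        print(f"{candidate} -> {match_path(compiled, candidate)}")
```

Escaping the literal segments matters because several masks contain characters that are special in a regular expression, such as the parentheses in "Intel(R) Management" and the dots before extensions; without the escaping a mask like %APPDATA%\xmrig[NUMBERS].exe would also match xmrig1Xexe. The registry keys in the same section are plain strings and need no such treatment; on a Windows host they can be checked with the standard winreg module.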

Site Disclaimer

Enigmasoftware.com is not associated, affiliated, sponsored or owned by the malware creators or distributors mentioned on this article. This article should NOT be mistaken or confused in being associated in any way with the promotion or endorsement of malware. Our intent is to provide information that will educate computer users on how to detect, and ultimately remove, malware from their computer with the help of SpyHunter and/or manual removal instructions provided on this article.

This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your computer. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.
