#en

Prologue

I’m using Microsoft Windows 8.1 as my operating system. Several days ago, I was told by Windows Defender that a malware was detected and removed. I thought it was KMSpico, which can activate my OS and Microsoft Office illegally, that is removed. This kind of things happened a lot before but I didn’t think it would happen again this time because I had add KMSpico to the exception list of Window Defender so that it would be trusted. Then I checked the detected and quarantined item named Trojan:Win32/CoinMner with details that:

Category: Trojan
Description: This program is dangerous and executes commands from an attacker.
Recommended action: Remove this software immediately.
Items:
file:C:\Users\dqwyy\AppData\Local\Temp\nvd\zed.exe
Get more information about this item online.

Detected by Windows Defender

Symptom

This trojan/malware/virus surprises and annoys me a lot and reminds me of the symptom of my computer. Everytime I am away form my laptop and leave it on, the CPU fan will spin very fast and be noisy as if it’s running many programs. I would never realize that my CUP even GPU were used for Bitcoin mining (or other blockchain digital currency) by trojan if it didn’t detected by Windows Defender. And everytime I move my mouse or press any key on keyboard, the CPU fan turns to silent. Here is a thread written in Traditional Chinese about this symptom: zed.exe是什麼東西? (What is zed.exe?)

So we can know that this trojan is very tricky. It begins to use my CUP for Bitcoin mining when I am away but it kills the process immediately when I am back so that I can’t find it at Task Manager. In order to prove the conjecture, I ran such a bat file and left my laptop alone and waited.

1
2
3
4
5
6
7
title zed.exe and alpha.exe Process Monitor
:loop
echo %TIME% >> MonitorLog.txt
tasklist /FI "IMAGENAME eq zed.exe" >> MonitorLog.txt
tasklist /FI "IMAGENAME eq alpha.exe" >> MonitorLog.txt
choice /T 60 /D Y
goto loop

About ten minutes later, the symptom occured. I waited for more ten minutes and then moved my mouse and checked the log file that was generated by the bat file and got:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
18:33:38.89
INFO: No tasks are running which match the specified criteria.
INFO: No tasks are running which match the specified criteria.
18:34:41.92
INFO: No tasks are running which match the specified criteria.
INFO: No tasks are running which match the specified criteria.
18:35:42.10
INFO: No tasks are running which match the specified criteria.
INFO: No tasks are running which match the specified criteria.
18:36:42.30
INFO: No tasks are running which match the specified criteria.
INFO: No tasks are running which match the specified criteria.
18:37:44.66
INFO: No tasks are running which match the specified criteria.
INFO: No tasks are running which match the specified criteria.
18:38:44.86
INFO: No tasks are running which match the specified criteria.
INFO: No tasks are running which match the specified criteria.
18:39:45.05
INFO: No tasks are running which match the specified criteria.
INFO: No tasks are running which match the specified criteria.
18:40:47.27
INFO: No tasks are running which match the specified criteria.
INFO: No tasks are running which match the specified criteria.
18:41:47.46
Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
zed.exe 3436 Console 1 1,312,572 K
INFO: No tasks are running which match the specified criteria.
18:42:47.78
Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
zed.exe 3436 Console 1 1,315,408 K
INFO: No tasks are running which match the specified criteria.
18:43:52.57
Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
zed.exe 3436 Console 1 1,316,156 K
INFO: No tasks are running which match the specified criteria.
18:44:58.01
Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
zed.exe 3436 Console 1 1,315,604 K
INFO: No tasks are running which match the specified criteria.
18:45:58.30
Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
zed.exe 3436 Console 1 1,316,380 K
INFO: No tasks are running which match the specified criteria.
18:47:03.03
Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
zed.exe 3436 Console 1 1,315,744 K
INFO: No tasks are running which match the specified criteria.
18:48:07.36
Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
zed.exe 3436 Console 1 1,316,536 K
INFO: No tasks are running which match the specified criteria.
18:49:07.69
Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
zed.exe 3436 Console 1 1,316,076 K
INFO: No tasks are running which match the specified criteria.
18:50:11.70
Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
zed.exe 3436 Console 1 1,315,664 K
INFO: No tasks are running which match the specified criteria.
18:51:17.30
Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
zed.exe 3436 Console 1 1,316,284 K
INFO: No tasks are running which match the specified criteria.
18:52:17.63
Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
zed.exe 3436 Console 1 1,315,940 K
INFO: No tasks are running which match the specified criteria.

Therefore, the conjecture is true. According to log, zed.exe will be launched when you are away but alpha.exe will not. So you may want to know why I mention alpha.exe since it isn’t detected by Windows Defender. To be honest, I didn’t know about alpha.exe before I read this thread on Bleeping Computer: Infected by the “zed.exe” malware/virus


Here is the Mbar-log (it seem that he also found a trojan, “alpha.exe”)

So alpha.exe is located at %TEMP%\ati, zed.exe is located at %TEMP%\nvd. Then I try running alpha.exe and zed.exe by myself.

For %TEMP%\ati\alpha.exe, I got a log file:

1
2
3
4
5
6
7
15:55:32:469 9fc args:
15:55:32:474 9fc
15:55:32:481 9fc 赏屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯突
15:55:32:490 9fc ? Claymore's ZCash AMD GPU Miner v12.6 ?
15:55:32:495 9fc 韧屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯图
15:55:32:540 9fc
15:55:32:747 9fc ZEC: No pools specified! Specify at least one valid pool in "-zpool" parameter.

For %TEMP%\nvd\zed.exe, I saw these on the cmd screen:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
==================== www.nicehash.com ====================
Equihash CPU&GPU Miner for NiceHash v0.5c
Thanks to Zcash developers for providing base of the code.
Special thanks to tromp, xenoncat and djeZo for providing
optimized CPU and CUDA equihash solvers.
==================== www.nicehash.com ====================
Setting log level to 2
[15:55:42][0x00000a84] Using SSE2: YES
[15:55:42][0x00000a84] Using AVX: YES
[15:55:42][0x00000a84] Using AVX2: YES
[15:55:42][0x00001678] stratum | Starting miner
[15:55:42][0x00001678] stratum | Connecting to stratum server equihash.eu.nicehash.com:3357
[15:55:43][0x00001678] stratum | Connected!
[15:55:44][0x00001678] stratum | Subscribed to stratum server
[15:55:44][0x00001678] miner | Extranonce is 6800002f24
[15:55:45][0x00001678] stratum | Authorized worker 34HKWdzLxWBduUfJE9JxaFhoXnfC6gmePG
[15:55:45][0x00001678] stratum | Target set to 0001e1e1e1e00000000000000000000000000000000000000000000000000000
[15:55:45][0x00001678] stratum | ZcashMiner::parseJob(): Invalid or unsupportedblock header version
[15:55:45][0x00001678] stratum | Reconnecting in 3 seconds...
[15:55:48][0x00001678] stratum | Connecting to stratum server equihash.eu.nicehash.com:3357
[15:55:48][0x00001678] stratum | Connected!
[15:55:48][0x00001678] stratum | Subscribed to stratum server
[15:55:48][0x00001678] miner | Extranonce is 7bc7c6f782
[15:55:49][0x00001678] stratum | Authorized worker 34HKWdzLxWBduUfJE9JxaFhoXnfC6gmePG
[15:55:50][0x00001678] stratum | Target set to 0001e1e1e1e00000000000000000000000000000000000000000000000000000
[15:55:50][0x00001678] stratum | Received new job #0000008f8160b3f0
[15:55:53][0x00000a84] Speed [15 sec]: 0 I/s, 0 Sols/s
[15:56:03][0x00000a84] Speed [15 sec]: 0 I/s, 0 Sols/s
[15:56:14][0x00000a84] Speed [15 sec]: 0 I/s, 0 Sols/s
[15:56:24][0x00000a84] Speed [15 sec]: 0 I/s, 0 Sols/s
[15:56:34][0x00000a84] Speed [15 sec]: 0 I/s, 0 Sols/s
[15:56:37][0x00001678] stratum | Received new job #0000008f81614b9e
[15:56:37][0x00001678] stratum | Received new job #0000008f816169ac
[15:56:45][0x00000a84] Speed [15 sec]: 0 I/s, 0 Sols/s
[15:56:45][0x00001678] stratum | Received new job #0000008f8161dff2
[15:56:55][0x00000a84] Speed [15 sec]: 0 I/s, 0 Sols/s
[15:56:57][0x00001678] stratum | Received new job #0000008f81623282
[15:57:05][0x00000a84] Speed [15 sec]: 0 I/s, 0 Sols/s
[15:57:16][0x00000a84] Speed [15 sec]: 0 I/s, 0 Sols/s

Obviously these two exe files are Bitcoin mining programs.

Solutions

I use no antivirus software but Windows Defender. In fact, Windows Defender does delete zed.exe for me. However, zed.exe will come back and begin to use my CUP for mining once I am away form my laptop. When I come back, zed.exe kills itself and Windows Defender detects and quarantine/delete it. Definitely, this is useless. I try to delete the whole folders %TEMP%\ati and %TEMP%\nvd but they come back again and again. Neither I nor Windows Defender manages to find the root of the trojan to remove it completely. THAT SUCKS.

Later I had an idea after reading some related posts. I created blank text files and replaced the files in %TEMP%\ati and %TEMP%\nvd by renaming.

nvd before

nvd after.png

Then I ran the bat file to monitor the processes again and left my laptop alone. One hour later I checked the log and it showed that the zed.exe didn’t come back. I also hope that it will never come back.

Maybe you want to know how to remove the trojan completely. To be honest, so do I. Maybe you can refer to these thread on Bleeping Computer:

You can Google “zed.exe” for more informations and solutions, good luck.

If you find better solutions, please feel free to tell me by leaving a comment under this article or contacting me directly. I also provide the trojan files for computer experts. I renamed the file name extensions to make them become a little safe and achived them as zip files.

Folder Mega Download Link Decryption Key
ati https://mega.nz/#!QBl0SSTT !5RN52g4hVk2chGcd-U5gxFgU5hf7LN94LrkM5iACbAo
nvd https://mega.nz/#!pU9EQArL !K-23DsK5wzYke8bKlprXacD6b7dnGePyA-8tQ_BJJt0
#en