## Prologue

I’m using Microsoft Windows 8.1 as my operating system. Several days ago, I was told by Windows Defender that malware had been detected and removed. I thought it was KMSpico, which can activate my OS and Microsoft Office illegally, that had been removed. This kind of thing happened a lot before, but I didn’t think it would happen again this time because I had added KMSpico to the exception list of Windows Defender so that it would be trusted. Then I checked the detected and quarantined item, named Trojan:Win32/CoinMiner, with these details:

```text
Category: Trojan
Description: This program is dangerous and executes commands from an attacker.
Recommended action: Remove this software immediately.
Items:
file:C:\Users\dqwyy\AppData\Local\Temp\nvd\zed.exe
```

## Symptom

This trojan/malware/virus surprised and annoyed me a lot, and it reminded me of a symptom of my computer. Every time I am away from my laptop and leave it on, the CPU fan spins very fast and gets noisy, as if it’s running many programs. I would never have realized that my CPU, or even my GPU, was being used for Bitcoin mining (or another blockchain digital currency) by a trojan if it hadn’t been detected by Windows Defender. And every time I move my mouse or press any key on the keyboard, the CPU fan goes silent. Here is a thread written in Traditional Chinese about this symptom: zed.exe是什麼東西？ (What is zed.exe?)

So we can see that this trojan is very tricky. It begins to use my CPU for Bitcoin mining when I am away, but it kills the process immediately when I am back, so that I can’t find it in Task Manager. In order to prove the conjecture, I ran a bat file like this, left my laptop alone and waited.

About ten minutes later, the symptom occurred. I waited ten more minutes, then moved my mouse and checked the log file that had been generated by the bat file and got:

Therefore, the conjecture is true. According to the log, zed.exe is launched when you are away, but alpha.exe is not. So you may want to know why I mention alpha.exe, since it isn’t detected by Windows Defender. To be honest, I didn’t know about alpha.exe before I read this thread on Bleeping Computer: Infected by the “zed.exe” malware/virus
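The author’s own .bat file and its log are not reproduced above, so here is an added example (my code, not the author’s) of the same kind of monitor written in PowerShell. It records, every 30 seconds, how long the user has been idle (via the Win32 `GetLastInputInfo` call), whether `zed.exe` or `alpha.exe` is running, and whether the two dropped files exist in `%TEMP%\ati` and `%TEMP%\nvd`. The process names and paths are the ones named in this post; the log file location, the interval and the idle-time helper are my assumptions.

```powershell
# Added example, not the author's .bat: log miner activity against user idle time,
# so the "runs only while I'm away" behaviour becomes visible in one log line per sample.
$Watch       = @('zed.exe', 'alpha.exe')                               # names from the post
$Paths       = @("$env:TEMP\ati\alpha.exe", "$env:TEMP\nvd\zed.exe")   # drop locations from the post
$LogFile     = Join-Path $env:TEMP 'miner-watch.log'                    # assumed log location
$IntervalSec = 30                                                       # assumed sample interval

# GetLastInputInfo returns the tick count of the last keyboard/mouse input for this session.
Add-Type @"
using System;
using System.Runtime.InteropServices;
public class IdleTime {
    [StructLayout(LayoutKind.Sequential)]
    struct LASTINPUTINFO { public uint cbSize; public uint dwTime; }
    [DllImport("user32.dll")] static extern bool GetLastInputInfo(ref LASTINPUTINFO plii);
    public static uint Seconds() {
        LASTINPUTINFO lii = new LASTINPUTINFO();
        lii.cbSize = (uint)Marshal.SizeOf(lii);
        GetLastInputInfo(ref lii);
        return ((uint)Environment.TickCount - lii.dwTime) / 1000;
    }
}
"@

while ($true) {
    $idle = [IdleTime]::Seconds()

    # Get-Process reports names without ".exe"; MainModule needs same-user access,
    # so fall back to name and PID if the path cannot be read.
    $running = Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $Watch -contains ($_.ProcessName + '.exe') } |
        ForEach-Object {
            try   { '{0} pid={1} path={2}' -f $_.ProcessName, $_.Id, $_.MainModule.FileName }
            catch { '{0} pid={1}' -f $_.ProcessName, $_.Id }
        }

    # Record whether the dropped binaries are present on disk at this moment.
    $present = @($Paths | Where-Object { Test-Path -LiteralPath $_ })

    $line = '{0:yyyy-MM-dd HH:mm:ss} idle={1}s procs=[{2}] files=[{3}]' -f (Get-Date), $idle,
        ($(if ($running) { $running -join '; ' } else { 'none' })),
        ($(if ($present) { $present -join '; ' } else { 'none' }))
    Add-Content -Path $LogFile -Value $line

    Start-Sleep -Seconds $IntervalSec
}
```

Run it from a normal PowerShell window, walk away for twenty minutes, then come back and read `%TEMP%\miner-watch.log`: a miner that only works while the user is idle shows up as lines with a large `idle=` value and `zed.exe` in `procs`, followed by lines with `idle=0s` and `procs=[none]` right after the mouse moves. Note that because the script reads the MainModule path of the miner, it must run as the same user the miner runs as (here the user whose `%TEMP%` it lives in).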

Here is the Mbar log (it seems that he also found a trojan, “alpha.exe”):

So alpha.exe is located at %TEMP%\ati and zed.exe is located at %TEMP%\nvd. Then I tried running alpha.exe and zed.exe myself.

For %TEMP%\ati\alpha.exe, I got a log file:

For %TEMP%\nvd\zed.exe, I saw these on the cmd screen:

Obviously these two exe files are Bitcoin mining programs.

## Solutions

I use no antivirus software other than Windows Defender. In fact, Windows Defender does delete zed.exe for me. However, zed.exe comes back and begins to use my CPU for mining once I am away from my laptop. When I come back, zed.exe kills itself and Windows Defender detects and quarantines/deletes it. Definitely, this is useless. I tried to delete the whole folders %TEMP%\ati and %TEMP%\nvd, but they come back again and again. Neither I nor Windows Defender managed to find the root of the trojan and remove it completely. THAT SUCKS.

Later I had an idea after reading some related posts. I created blank text files and replaced the files in %TEMP%\ati and %TEMP%\nvd by renaming.

Then I ran the bat file to monitor the processes again and left my laptop alone. One hour later I checked the log, and it showed that zed.exe hadn’t come back. I hope it never comes back.
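As an added example (my code, not the author’s steps), the placeholder trick above can be scripted and made a little harder to undo: stop any running copy, replace each binary with an empty file, set it read-only, and add a Deny ACE for Write and Delete so an ordinary `CreateFile`/overwrite by the dropper fails. The two paths are the ones from this post; the choice of `Everyone` as the denied principal and the final self-check are my assumptions.

```powershell
# Added example, not the author's own procedure: replace the dropped miner binaries
# with zero-byte, read-only placeholders protected by a Deny ACE, then verify.
$Targets = @("$env:TEMP\ati\alpha.exe", "$env:TEMP\nvd\zed.exe")   # paths from the post

foreach ($target in $Targets) {
    $dir = Split-Path -Path $target -Parent
    if (-not (Test-Path -LiteralPath $dir)) {
        New-Item -ItemType Directory -Path $dir | Out-Null
    }

    # Stop any running instance first, otherwise the file is locked and cannot be replaced.
    $name = [IO.Path]::GetFileNameWithoutExtension($target)
    Get-Process -Name $name -ErrorAction SilentlyContinue | Stop-Process -Force

    # If a placeholder from an earlier run is present, strip its Deny ACE so we can recreate it
    # (the owner keeps WRITE_DAC, so changing the ACL still works despite the denied Write).
    if (Test-Path -LiteralPath $target) {
        $old = Get-Acl -LiteralPath $target
        $old.Access | Where-Object { $_.AccessControlType -eq 'Deny' } |
            ForEach-Object { $old.RemoveAccessRule($_) | Out-Null }
        Set-Acl -LiteralPath $target -AclObject $old
        Set-ItemProperty -LiteralPath $target -Name IsReadOnly -Value $false
        Remove-Item -LiteralPath $target -Force
    }

    # Empty file in place of the binary, marked read-only.
    New-Item -ItemType File -Path $target -Force | Out-Null
    Set-ItemProperty -LiteralPath $target -Name IsReadOnly -Value $true

    # Deny Write and Delete to Everyone; Deny ACEs are evaluated before Allow ACEs,
    # so a plain overwrite or delete attempt by any process is refused.
    $acl  = Get-Acl -LiteralPath $target
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'Everyone', 'Write,Delete', 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $target -AclObject $acl

    # Self-check: the placeholder is zero bytes and an overwrite attempt now fails.
    $len = (Get-Item -LiteralPath $target -Force).Length
    try   { [IO.File]::WriteAllBytes($target, [byte[]](0x4D, 0x5A)); $blocked = $false }
    catch { $blocked = $true }
    '{0}: size={1} overwrite-blocked={2}' -f $target, $len, $blocked
}
```

This is a stopgap, not a cleanup: the placeholder only keeps the dropper from writing its payload back to these two paths. A dropper running as the same user still owns the files and can reset the ACL, or simply switch to a different directory, and the component that keeps re-dropping the miners is untouched. Watching the log from the monitor above after applying it tells you whether the dropper gave up or moved.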

Maybe you want to know how to remove the trojan completely. To be honest, so do I. Maybe you can refer to these threads on Bleeping Computer:

ati https://mega.nz/#!QBl0SSTT !5RN52g4hVk2chGcd-U5gxFgU5hf7LN94LrkM5iACbAo
nvd https://mega.nz/#!pU9EQArL !K-23DsK5wzYke8bKlprXacD6b7dnGePyA-8tQ_BJJt0