So I caught a few "bitcoin miners" after one decided to start maxing out my CPU. cgminer.exe, cudaminer.exe, and minerd.exe (the one that maxed the CPU). I removed them and everything related to them including folders and registry files while in safe mode, and Malwarebytes nailed a trojan calling itself Windows Explorer.
I restarted with the network unplugged and something that seemed to be related to a game my brother downloaded, "Papers, Please", started automatically and tried to connect to the intardweeb to download and install who knows what, probably everything I just removed (I was very amused when it complained to me that it couldn't connect).
Went into safe mode again and wiped all traces of that game that I could find. Then I put my learning cap on for a few moments and discovered msconfig and the startup tab. 3 things stood out: "Power Start", "Windows Explorer", and "Windows Search", all of which were manufactured by Unknown and had odd commands and locations compared to the rest of the list. All three command some kind of gibberish in C:\Windows\Installer\{seemingly random numbers/letters}\_random number/letters.exe. I found the location folder for each (empty) but know nothing of C:\Windows\Installer. I disabled them of course.
So I went to the registry again keying some of those random numbers/letters and found what seems to me the information displayed under the startup tab of msconfig. As far as I can tell they're just shortcuts leading to nowhere now after my rampage through the file system, but I wanted to show it to you guys in case there's info leading to more stuff I need to delete.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Power Start.lnk]
"path"="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Power Start.lnk"
"backup"="C:\\Windows\\pss\\Power Start.lnk.CommonStartup"
"location"="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
"backupExtension"=".CommonStartup"
"command"="C:\\Windows\\Installer\\{E546FCA2-D36A-4AB1-B7C7-EB5FE5BA2B77}\\_2ADCF42E1BE5987D12027F.exe /NOCONSOLE /SILENT \"%windir%\\power.bat\""
"item"="Power Start"
"YEAR"=dword:000007de
"MONTH"=dword:0000000a
"DAY"=dword:0000001e
"HOUR"=dword:00000006
"MINUTE"=dword:0000001f
"SECOND"=dword:0000000d
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Windows Explorer.lnk]
"path"="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Windows Explorer.lnk"
"backup"="C:\\Windows\\pss\\Windows Explorer.lnk.CommonStartup"
"location"="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
"backupExtension"=".CommonStartup"
"command"="C:\\Windows\\Installer\\{E546FCA2-D36A-4AB1-B7C7-EB5FE5BA2B77}\\_52A3D7FF1AAE001BB104F5.exe "
"item"="Windows Explorer"
"YEAR"=dword:000007de
"MONTH"=dword:0000000a
"DAY"=dword:0000001e
"HOUR"=dword:00000006
"MINUTE"=dword:0000001f
"SECOND"=dword:0000000d
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Windows Search.lnk]
"path"="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Windows Search.lnk"
"backup"="C:\\Windows\\pss\\Windows Search.lnk.CommonStartup"
"location"="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
"backupExtension"=".CommonStartup"
"command"="C:\\Windows\\Installer\\{E546FCA2-D36A-4AB1-B7C7-EB5FE5BA2B77}\\_1CDCC5BF21B5A7ABFFB7F8.exe "
"item"="Windows Search"
"YEAR"=dword:000007de
"MONTH"=dword:0000000a
"DAY"=dword:0000001e
"HOUR"=dword:00000006
"MINUTE"=dword:0000001f
"SECOND"=dword:0000000d
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ProfilerU]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ProfilerU"
"hkey"="HKLM"
"command"="C:\\Program Files\\SmartTechnology\\Software\\ProfilerU.exe"
"inimapping"="0"
"YEAR"=dword:000007de
"MONTH"=dword:0000000a
"DAY"=dword:0000001e
"HOUR"=dword:00000006
"MINUTE"=dword:00000020
"SECOND"=dword:0000002e
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SaiMfd]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SaiMfd"
"hkey"="HKLM"
"command"="C:\\Program Files\\SmartTechnology\\Software\\SaiMfd.exe"
"inimapping"="0"
"YEAR"=dword:000007de
"MONTH"=dword:0000000a
"DAY"=dword:0000001e
"HOUR"=dword:00000006
"MINUTE"=dword:00000020
"SECOND"=dword:0000002e
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
"startup"=dword:00000002
By the way, does anybody know what this bitcoin mining business is all about?
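Added example, not part of the original post: a small Python parser for an MSConfig export like the one above. It decodes each entry's YEAR to SECOND dwords (the time msconfig disabled the item) and flags commands that run an .exe directly from a C:\Windows\Installer\{GUID} folder, the trait the post singles out. The function names and the flagging rule are assumptions made for this illustration.

```python
import re
from datetime import datetime

# Two of the five entries from the export in the post, trimmed to the fields used here.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Power Start.lnk]
"command"="C:\\Windows\\Installer\\{E546FCA2-D36A-4AB1-B7C7-EB5FE5BA2B77}\\_2ADCF42E1BE5987D12027F.exe /NOCONSOLE /SILENT \"%windir%\\power.bat\""
"item"="Power Start"
"YEAR"=dword:000007de
"MONTH"=dword:0000000a
"DAY"=dword:0000001e
"HOUR"=dword:00000006
"MINUTE"=dword:0000001f
"SECOND"=dword:0000000d
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ProfilerU]
"item"="ProfilerU"
"command"="C:\\Program Files\\SmartTechnology\\Software\\ProfilerU.exe"
"YEAR"=dword:000007de
"MONTH"=dword:0000000a
"DAY"=dword:0000001e
"HOUR"=dword:00000006
"MINUTE"=dword:00000020
"SECOND"=dword:0000002e
'''

VALUE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')
# Assumed heuristic: the command starts with an .exe inside an Installer GUID folder.
INSTALLER_EXE = re.compile(r'^C:\\Windows\\Installer\\\{[0-9A-F-]{36}\}\\[^\\ ]+\.exe', re.I)

def parse_reg(text):
    """Return {key_path: {name: str or int}}; strings have their .reg backslash escapes removed."""
    keys, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            cur = keys.setdefault(line[1:-1], {})
        elif cur is not None and (m := VALUE.match(line)):
            name, dword, s = m.groups()
            cur[name] = int(dword, 16) if dword else re.sub(r'\\(.)', r'\1', s)
    return keys

def disabled_entries(text):
    """List (item, command, time msconfig disabled it, flagged) per startup entry."""
    fields = ('YEAR', 'MONTH', 'DAY', 'HOUR', 'MINUTE', 'SECOND')
    return [(v['item'], v['command'], datetime(*(v[f] for f in fields)),
             bool(INSTALLER_EXE.match(v['command'])))
            for v in parse_reg(text).values() if 'command' in v]

for row in disabled_entries(SAMPLE):
    print(*row, sep=' | ')
```

A flag here only marks an entry for a closer look at the file it points to and at how the shortcut got into the Startup folder; it is not a verdict on its own.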