Thanks for the great information. Although it is impossible to find and document everything (due to 0days) it would certainly be helpful to list the findings and sources in a single place (like this thread, but if OP is amenable, maybe a new one with just the list of software found to be infected - if there is enough data). It is not just the wallets, but many mining softwares are (possibly wrongly) categorized as viruses. But there are always some new forks, updates and binaries being released with claim for better efficiency/performance. While this may be true, it would also be easy to inject code in such software. While it sounds like a tall order, it'd be helpful to have something like that scrutinized, because that that sounds like another vector of attack that could be exploited, and in effect render the machine with all the wallets in attackers hands - assuming both are on same machine. (I usually only have wallet address on any rig, and wallet on another machine(s))