Board: Altcoin Discussion

Found a Trojan Miner not caught by any A/V I've thrown at it.
by oroqen on 13/05/2014, 19:05:18 UTC
A little heads up,
Recently I found xptMiner was being silently installed on my Windows wallet/miner PC. After unpacking with UPX and digging around the DLL I've found it's mining (prime?) with the following credentials on YPool,

-u x12121212121212.15992C5B5E80 -p E64001AE8673
-u x12121212121212.319302B4FC9B -p 8EAD3FED8A47

A DLL downloads the miner from Dropbox using these 2 URLs:
https://dl.dropboxusercontent.com/s/ae4kr9qozv9h7qu/wmpnetwk64.bin
https://dl.dropboxusercontent.com/s/deyrqj982z2nvmq/wmpnetwk32.bin

Hides itself in "\Users\{USERNAME}\AppData\Roaming\Microsoft\Windows\Recent" as 2 files "wmpnetwk.dll" and "wmpnetwk.exe" with a registry key to auto start the DLL, as the EXE seems to be an untouched version of xptMiner that gets executed with a command line with the above usernames and passwords. The files can't be seen in Explorer but they are visible from a Command Prompt (cmd).
Still can't find where the DLL is coming from despite removing it twice manually already and doing scans with various tools, so probably just going to restore an image of the OS to take care of the rootkit/installer and be done with it.

Edit: seems a friend has it on one of his as well.
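The post gives three kinds of indicator a defender can check for on a suspect machine: the hidden drop location and file names, an autostart registry entry, and the pool usernames that appear on the miner's command line. The following triage script is an added example and is not from the original post or from the xptMiner project. It assumes the autostart entry lives under the usual Run keys (the post does not name the key; adjust `$runKeys` if yours differs), and it treats a `wmpnetwk.exe` running from anywhere other than a `Windows Media Player` folder as suspicious, because that file name belongs to the legitimate Windows Media Player Network Sharing Service binary in that folder. Run it from an elevated PowerShell prompt so the HKLM keys and all process command lines are readable.

```powershell
# Added triage script for the indicators described in the post above.
# Not part of the original post. Read-only: it reports, it does not delete.

$indicators = @{
    # Drop location named in the post; the files are hidden, so -Force is needed
    DropDir   = Join-Path $env:APPDATA 'Microsoft\Windows\Recent'
    FileNames = @('wmpnetwk.dll', 'wmpnetwk.exe')
    # Pool usernames quoted in the post (the -u values)
    PoolUsers = @('x12121212121212.15992C5B5E80', 'x12121212121212.319302B4FC9B')
}

# Assumed persistence locations; the post only says "a registry key".
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

$findings = @()

# 1. Hidden files in the Recent folder. -Force lists hidden/system items
#    that Explorer would not show, which matches the post's observation
#    that the files are only visible from cmd.
foreach ($name in $indicators.FileNames) {
    $path = Join-Path $indicators.DropDir $name
    $item = Get-ChildItem -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($item) {
        $findings += [pscustomobject]@{
            Type   = 'File'
            Where  = $item.FullName
            Detail = "attributes=$($item.Attributes); size=$($item.Length)"
        }
    }
}

# 2. Run-key values whose data references either dropped file name.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata members
        foreach ($name in $indicators.FileNames) {
            if ("$($p.Value)" -match [regex]::Escape($name)) {
                $findings += [pscustomobject]@{
                    Type   = 'RunKey'
                    Where  = "$key\$($p.Name)"
                    Detail = $p.Value
                }
            }
        }
    }
}

# 3. Live processes: a command line carrying one of the pool usernames, or a
#    wmpnetwk.exe started from outside a Windows Media Player folder (assumption:
#    the genuine service binary lives only there).
foreach ($proc in Get-CimInstance Win32_Process) {
    $cl = "$($proc.CommandLine)"
    foreach ($u in $indicators.PoolUsers) {
        if ($cl -match [regex]::Escape($u)) {
            $findings += [pscustomobject]@{
                Type   = 'Process'
                Where  = "PID $($proc.ProcessId) $($proc.Name)"
                Detail = $cl
            }
        }
    }
    if ($proc.Name -ieq 'wmpnetwk.exe' -and $proc.ExecutablePath -and
        $proc.ExecutablePath -notlike '*\Windows Media Player\*') {
        $findings += [pscustomobject]@{
            Type   = 'Process'
            Where  = "PID $($proc.ProcessId) $($proc.Name)"
            Detail = "unexpected image path: $($proc.ExecutablePath)"
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    'No indicators from the post were found on this machine.'
}
```

The process check is the most durable of the three: the drop folder and the Run-key text can change between samples, but a miner has to carry its pool credentials on the command line or in memory to do any work, so matching on the `-u` values (or on the pool hostname, if you know it) catches a renamed copy as well.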