Mendoza (also known by the non-specific name of Trojan.Dropper) is malware on Microsoft Windows that creates a large security hole on the user's computer. It uses a keylogger to steal the user's sensitive data and downloads adware that generates numerous popup adverts. The trojan itself also has some adware-like behaviors (such as changing the user's home page and default search engine).

Method of Infection

Some websites trick the user by displaying deceptive pop-up ads that may appear as regular Windows notifications with links which look like "Yes" and "No" buttons. No matter which "button" that the user clicks on, Mendoza will install on the user's computer through a backdoor and will infect the user's system without their knowledge or consent.


Mendoza changes the user's computer's desktop background, hijacks the user's browser, spies on the user, and replaces system files (all without the user's knowledge or permission). It can also re-install itself even after it is removed by antivirus software.



  • Mendoza.exe
  • Mendoza1.exe
  • numbsoftnew.exe
  • OEM.exe
  • visfx500new.exe
  • wd7gi8nnew.exe
  • senh.exe
  • sysrtmvs.exe
  • search[2].exe
  • cftmon.exe

Other files

  • aouei

Registry keys

  • Windows\CurrentVersion\Emitt
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\"CleanShutdown" = "0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "[SET OF RANDOM CHARACTERS].exe"