Remove miner program from server

Hi everyone,

I found a bitcoin miner on a Windows server and cannot figure out how to delete it.

It shows up under the processes as ric_minerd.exe and will consume all available CPU.

Has anyone else seen this before and know how to remove it? I can't find it anywhere on the C drive.
ttriggs asked:

tetrauk commented:
First job is to find the exe itself. I would grab Process Explorer from TechNet https://technet.microsoft.com/en-gb/sysinternals/bb896653.aspx to figure out the location of the file.

Then look for its startup trigger.

Check out your services, search the registry for the exe name, check both the user and all-users startup folders, run a full virus scan.

Once you've found the startup trigger, remove all applicable files.

If it's not a virus then you could well be looking at a staff member installing it; change all server passwords and maybe look at some auditing of users' actions on the server.

Gabriel Clifton (Net Admin) commented:
A quick search gave me this, I have not seen it yet, but I truly hope it helps and I will follow the steps to help prevent it. http://expressnewmedia.com/how-to-remove-mng_minerd-exe-in-task-manager-new-malware-using-brute-force-on-rdp-enable-computers/
bbjones3 commented:
Agree with the above, and I would further suggest running msconfig from the Run menu on the server and looking for that bitminer process on the Startup tab or Services tab and disabling it if present, then reboot. Use Process Explorer to find the executable and its path to delete it. Change all the passwords for privileged accounts as a further security measure.