smss.exe in C:\WINDOWS\Fonts\ialbmcnded\ at 50% CPU

We had our 2003 freeze windows, with movable mouse. One hard restart later and all is fine, but we have

smss.exe in C:\WINDOWS\Fonts\ialbmcnded\

Using about 50% of the CPU time available.

I checked with BitDefender and the file is clean, and it does seem as legitimate win process.

Is this a restart verification of some kind, or a very smart virus?
Who is Participating?
ste5anConnect With a Mentor Senior DeveloperCommented:
As it is Windows Server 2003: When did you run a complete health check of the hardware?

Otherwise: Do you or any logged in user work with SQL Server, while this is happening?

If no, then you should run more than one AV scan using different scanners.
If yes, then you should run a repair installation or reinstall SQL Server Management Studio.

The things which makes me suspicious:

There should be no executable in Fonts\ and below. SSMS.exe is normally installed under C:\Program Files (x86)\Microsoft SQL Server\. This and the 50%, look for harvesters (BitCoin etc).
mrmutAuthor Commented:
It is definitely a crypto-miner.

Installation vector seems to be a hole in RDP protocol.

We will switch to VPN asap.

Thank you.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.