
I noticed a minor performance decrease and decided to install the Process Explorer described here: https://security.stackexchange.com/questions/76100/how-to-find-processes-that-are-hidden-from-task-manager

Found a hidden process taking 80% of CPU and impersonating notepad.exe, with this command line:

"C:\windows\notepad.exe" -c "C:\ProgramData\fWyfnSWdrs\cfgi"

Checked that folder and found what looked like config files. One can't be opened because it is in use by the process; the others contain this (I've removed the user GUID):

{
    "algo": "cryptonight",
    "background": false,
    "colors": true,
    "retries": 5,
    "retry-pause": 5,
    "syslog": false,
    "print-time": 60,
    "av": 0,
    "safe": false,
    "cpu-priority": null,
    "cpu-affinity": null,
    "threads": 8,
    "pools": [
        {
            "url": "185.144.29.36:5450",
            "user": <GUID HERE, REMOVED BY ME>,
            "pass": "x",
            "keepalive": false,
            "nicehash": false,
            "variant": 1
        }
    ],
    "api": {
        "port": 0,
        "access-token": null,
        "worker-id": null
    }
}

Some googling and this looks like a cryptocurrency mining setup. I tried to kill the process, but it comes back immediately. I checked the registry for the folder name and the Windows services, but can't find what starts it.

I tried a couple of other antiviruses; they don't pick it up.

I don't want to "nuke it from orbit" since this machine is nothing special, enough would be to just make it stop.

How do I find what starts this and kill it?

I would also like to know how I got it. The config files are from 20 days ago; I checked my installations and cannot see anything from that time. Any tips/links on how to figure this out are appreciated.

Alex_404

2 Answers


If after killing a process it is re-created then the best course of action is to identify which process has re-created it.

One way to do this is to use Process Explorer from Sysinternals/Microsoft to establish which is the parent process. However, if the parent process is also being terminated, making this relationship hard to see, then using Process Monitor to record the parent/child relationship over time would be a good option. For example:

  1. Download Process Monitor and start it capturing.
  2. Kill the process, either from Task Manager or using Process Explorer.
  3. Wait for the process to be re-created.
  4. Stop Process Monitor capturing (Ctrl-E or click on the magnifying glass icon).
  5. Ctrl-T or 'Tools' - 'Process Tree' will display a process tree you can use to find the process in question and identify the process that created it.

Note: the parent process may be running all the time, watching in case the child process exits or is killed and then re-launching it, and likewise the child may watch the parent. One trick that may be helpful is to use Process Explorer to suspend both the parent and the child process before killing them. This may then enable you to delete the files.

HelpingHand
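The parent-chain lookup that the steps above perform by hand, as an added PowerShell example that is not part of the original answer. It queries Win32_Process via Get-CimInstance, assumes the miner is still running under the notepad.exe disguise shown in the question, and flags the case where the parent has already exited (which is when the recorded Process Monitor tree is needed).

```powershell
# Added example: find processes launched as notepad.exe with a "-c <config>" argument
# (real Notepad takes no such switch) and walk their parent chain.
$pattern = 'notepad\.exe"?\s+-c\s'

$all  = Get-CimInstance Win32_Process
$byId = @{}
foreach ($p in $all) { $byId[[int]$p.ProcessId] = $p }

function Get-ParentChain {
    # Follows ParentProcessId upwards; the $seen table guards against PID reuse loops.
    param([int]$ProcessId, [hashtable]$Table)
    $chain = @()
    $seen  = @{}
    $cur   = $Table[$ProcessId]
    while ($cur -and -not $seen.ContainsKey([int]$cur.ProcessId)) {
        $seen[[int]$cur.ProcessId] = $true
        $chain += $cur
        $cur = $Table[[int]$cur.ParentProcessId]
    }
    return $chain
}

$suspects = $all | Where-Object { $_.CommandLine -match $pattern }
if (-not $suspects) { Write-Host "No process matching '$pattern' found."; exit }

foreach ($s in $suspects) {
    Write-Host "=== Suspect PID $($s.ProcessId): $($s.CommandLine)"
    # Compare the on-disk image with the path the command line claims.
    Write-Host "    ExecutablePath : $($s.ExecutablePath)"
    Write-Host "    Started        : $($s.CreationDate)"
    $depth = 0
    foreach ($anc in Get-ParentChain -ProcessId $s.ProcessId -Table $byId) {
        $indent = ' ' * (4 + 2 * $depth)
        Write-Host ("{0}{1} (PID {2}) {3}" -f $indent, $anc.Name, $anc.ProcessId, $anc.ExecutablePath)
        $depth++
    }
    # A parent that launched the miner and then exited leaves a dangling ParentProcessId.
    if (-not $byId.ContainsKey([int]$s.ParentProcessId)) {
        Write-Host "    Parent PID $($s.ParentProcessId) no longer exists; capture the re-spawn with Process Monitor instead."
    }
}
```

Run it from an elevated PowerShell so that command lines of processes owned by other accounts are visible.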

If a process is killed and then starts again, the only option that you have is to KILL it to its core.

You can find the location of the app by opening the file location and deleting it. If that fails because the file is open, you can try to kill the process and quickly delete/rename the file.

If this still fails, the only option you have is to go into safe mode and then delete the file itself.

BUT... Just to be sure everything is alright, try opening "Run" and typing msconfig, go to Services, tick "Hide all Microsoft services" and kill any services that look suspicious to you.

Also look into the Startup tab. Then go to the file location and delete those yourself, if you find one.

But it goes without saying that your PC is already compromised.

I would scare you by saying hackers have got your computer under their control, but no, seriously, once they've added a backdoor, you should reinstall your PC. I won't say you're safe after doing that, but what can we do about it? We can't just throw our PC away.

You should get a decent antivirus before this happens. That way you can prevent this from happening again.

-Chibi