How to remove Mng_minerd.exe, Ric_minerd.exe and XMR minerd.exe malware visible in Task Manager – New malware using brute force on RDP enabled computers (UPDATED)


As of April 2015, a new malware has emerged that uses old tricks from the book, and most antivirus products are still having trouble spotting it. The main process can be spotted with a quick check in your computer's “Task Manager”: see if your CPU is running at 98% or so, then sort the processes by CPU% and check whether the entry described below is running. ***Read all updated info and comments, as this virus seems to morph every few months, but one important fix has, so far, prevented most re-infections: changing the default external RDP port.***



How does it work

Part 1 – The malware uses infected computers to “brute force” (wiki) its way into poorly secured RDP-enabled computers. Once a computer is infected, it runs through a list of defined public IP addresses, requesting an RDP session. Once a computer responds, it proceeds to guess the password for a commonly active (and powerful) user, A.K.A. the default “Administrator”. (For computers and servers on a domain, it seems to get through via the “local” Administrator, bypassing the Domain security already set.)

***[UPDATE – the malware also has 2x lists of common usernames to fall back on if the Administrator user fails: User List 1 & User List 2]

The malware is equipped with a pre-defined list of the 500 most common passwords (click here to see the list), and it also runs a basic random password trial-and-error script (which could take forever to crack a password, except when multiple infected computers are working at it), until the password for the Administrator user has been found. Even if a Terminal Server is on a domain, the malware will attempt to go through the “local” Administrator, which can be accessed using [ \\Administrator ] (the equivalent of PC-NAME\Administrator).

Part 2 – The malware downloads its install files to [C:\Windows\download] in .CAB format. It then proceeds to work on its own list of public IP addresses to test, and starts a rogue Bitcoin mining process called [mng_minerd.exe]. [UPDATE: it also creates 2x local Administrators: Updater & ntsec_admin]

Part 3 – If at any time the process is killed and the file deleted, the malware regenerates itself on the next reboot, or at a “scheduled” time.
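The brute-force pattern described in Part 1 leaves a clear trail in the Windows Security log: repeated failed logons (Event ID 4625) from one source address trying “Administrator” and other common names. The following PowerShell is an added example, not code from the original article: `Get-RdpLogonFailure` collects those events on a live host, and `Find-RdpBruteForce` flags any source that exceeds a failure threshold inside a time window. The sample records at the bottom, the addresses 203.0.113.7 and 198.51.100.2, and the thresholds are constructed for an offline dry run.

```powershell
# Added example (not from the original article). Reading the Security log needs
# an elevated PowerShell; the analysis function itself runs on any input objects.

function Get-RdpLogonFailure {
    # Live collector: Event ID 4625 (logon failure) from the Security log, reduced to
    # the fields the analysis needs. LogonType 10 = RemoteInteractive (RDP).
    # Assumption: with Network Level Authentication enabled, failures may instead be
    # logged as LogonType 3 (network), so the analysis accepts a list of types.
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $data = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = $data['TargetUserName']
                LogonType = [int]$data['LogonType']
                Source    = $data['IpAddress']
            }
        }
}

function Find-RdpBruteForce {
    # Groups RDP failures by source address and reports every address that produced
    # at least $Threshold failures inside any $WindowMinutes window, with the
    # usernames it tried (expect "Administrator" plus names from the two lists above).
    param(
        [Parameter(Mandatory)][object[]]$Failures,
        [int[]]$LogonTypes = @(10),
        [int]$Threshold = 10,
        [int]$WindowMinutes = 60
    )
    $Failures | Where-Object { $LogonTypes -contains $_.LogonType } | Group-Object Source | ForEach-Object {
        $sorted = @($_.Group | Sort-Object Time)
        # Sliding window: the densest run of failures from this source.
        $max = 0
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $end = $sorted[$i].Time.AddMinutes($WindowMinutes)
            $n = @($sorted | Where-Object { $_.Time -ge $sorted[$i].Time -and $_.Time -lt $end }).Count
            if ($n -gt $max) { $max = $n }
        }
        if ($max -ge $Threshold) {
            [pscustomobject]@{
                Source           = $_.Name
                FailuresInWindow = $max
                UsersTried       = (@($sorted.User) | Sort-Object -Unique) -join ', '
            }
        }
    }
}

# ---- Constructed sample (not real log data): 12 failures in 10 minutes from one
# ---- address cycling through common names, plus two ordinary typos from another.
$t0 = [datetime]'2015-04-10T02:00:00'
$sample = @()
foreach ($i in 0..11) {
    $user = @('Administrator', 'admin', 'updater', 'guest')[$i % 4]
    $sample += [pscustomobject]@{ Time = $t0.AddSeconds($i * 50); User = $user; LogonType = 10; Source = '203.0.113.7' }
}
$sample += [pscustomobject]@{ Time = $t0.AddHours(6);   User = 'jsmith'; LogonType = 10; Source = '198.51.100.2' }
$sample += [pscustomobject]@{ Time = $t0.AddHours(6.1); User = 'jsmith'; LogonType = 10; Source = '198.51.100.2' }

# Only 203.0.113.7 is reported (12 failures in the window); 198.51.100.2 stays quiet.
Find-RdpBruteForce -Failures $sample -Threshold 10 -WindowMinutes 60 | Format-Table -AutoSize

# On a real host: Find-RdpBruteForce -Failures (Get-RdpLogonFailure) -LogonTypes 10, 3
```

A source that shows up here with a long list of usernames is the same behaviour the article attributes to the malware, so blocking that address at the router and checking the named accounts is the next step.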

– – – – – – – – – –

How to remove it for good (alternate cleaning method follows after)

The removal process is pretty straightforward for an experienced IT technician, but caution is advised. Contact a professional if you are not familiar with some of the tools or steps described below.

1- First of all, disable the RDP connection on the computer OR change the RDP port setting in your router (and the RDP listening port on the computer, if the router lacks the functionality to “Port Forward” a specific external port to a specific internal port).

2- Create a Restore Point (just good habit)

3- In “Task Manager”, kill 2x processes -> mng_minerd.exe AND command.exe

4- Delete the following folders and files:
[UPDATE]—->Variants of the malware may include these folders:

5- Using [Autoruns] from the Sysinternals tools, “uncheck” and then delete the entry for “updater.cmd” in the [Scheduled Tasks] tab

6- Run the ESET Online Scanner (use the “clean” option offered by the ESET tool, reboot the computer and check for any leftover files and folders to delete)

7(plan A)- Remove the 2x Administrator users via the Control Panel / Active Directory: UPDATER & NTSEC_ADMIN (IMPORTANT: read plan B if the malware regenerates after a couple of cleaning attempts)

7(plan B)- [UPDATED FIX]…so far
The steps described above seem to work for the [mng_minerd] version of the malware when it is caught and cleaned early on. But in some cases, a more aggressive version of the malware seems to regenerate around 11am the next day. One common clue is that the mining process in [Task Manager] is named [ric_minerd.exe] or [xmr minerd].

7.1=>Once the basic clean is done, but before restarting the computer…

7.2=>Via [Task Manager], ensure that all users are logged off and no active processes are running under either of the rogue Admin accounts (updater & ntsec_admin)

7.3=>Open Active Directory and reset the password on the two rogue admin accounts

7.4=>Then, disable RDP rights on each rogue account (double-click on the user; one of the tabs has the option to be checked off). Also disable RDP rights on any legitimate user that is not intended for RDP use, e.g. copier, fax, etc. (any user that may have a function within the network but does not require RDP privileges)

7.5=>Finally, disable the two rogue admin accounts (updater & ntsec_admin), BUT do not remove/delete them! The reason is that the malware tries to regenerate itself using the same names. With the disabled accounts left in place, Windows will not allow users with the same names to be recreated, nor can the malware “re-enable” those accounts.

8- [UPDATE Feb/26/2016] – Some infected computers may also have a malware dropper file named [scclient.exe] in the [Windows\System32] folder. (Thanks to Anthony Quaresima, who pointed that out in the comments below.) In most cases, it is possible to rename the file to something like SCCLIENT_EXE.BAK and move it to a “quarantine” folder of your choice, as a backup.
(A variant has shown this file instead -> C:\Windows\SysWOW64\SubDir\client.exe )

We’ve had an issue on one computer where the file was in use and/or tied into Microsoft Exchange services. (After a restart, we were able to rename and move the file, but further testing will be needed to ensure Microsoft Exchange is not affected afterward. Tread CAREFULLY in this specific situation, and verify that you have a solid backup image of your server at that point.)

**Run SFC /SCANNOW at this point to repair any Windows corruption.

If anything is missed or overlooked, the malware will most likely resurface around 11am the next day. After 48 hours without any odd process in Task Manager, and with no rogue folders or files being downloaded, the fix has most likely worked. It would be advisable to review the machine again 2 weeks later, for good measure.

The fix is not perfect yet for the affected computers (until most antivirus products can see it and clean it automatically), but with all the security upgrades suggested below implemented, it is less likely that the same malware would find its way back in, even under a different name or alias.

– – – – – – – – – –

Alternate removal technique
(Thanks to Mick Fagre from
**can be modified to suit the variant you are dealing with**




->Used a LONG password of nonsense characters. Blocked changing it and stored it encrypted.
->Due to the Group & OU settings, these accounts have ZERO rights to change their own settings, and so they can NEVER be re-enabled except by the Administrator.

**(for a more secure option, “uncheck” ->Store password using reversible encryption)

Batch file to clean infection folders (C:\Windows\Updater.CMD)

**Still having problems with the virus coming back? Shoot me an email at [email protected] and I may be able to assist via phone and remote desktop assistance.

– – – – – – – – – –

How to prevent future attacks of this type

Some basic steps will help prevent further attacks of this type.

1- As described in the clean-up process, the router (and possibly the computer) RDP port settings should be changed to something different from the “default” port 3389.
Here is a list of some commonly used ports (click here). If your router cannot specifically forward an external port to the internal one on the computer, a registry edit can facilitate the change. Example: set the router to Port Forward RDP to the computer's IP and, through RegEdit, change the RDP listening port to the same “22445” (see the article on [] with instructions, click here for external link)

2- ***[UPDATED] Create a new Administrator user account via “Control Panel” on home computers. For a server in a Domain environment, make a “Copy” of the current Administrator user in your Active Directory, and use a less common name format, for example: company.admin. Lastly, disable the original default “Administrator” user in the Active Directory (***Caution: disabling the original Domain Administrator user may break some permissions, services and/or settings managed by this user; only proceed if you are very familiar with your Domain/Organization setup)

***ALSO check for any user/username that has RDP privileges, as the malware will attempt alternatives from the 2x lists linked above. Any username on those lists should be renamed to something more complex (ex: username.lastname). Also consider any user in the Active Directory that has a function within the network but does not require RDP privileges, e.g. copier, fax, email-only users, etc.

***DOMAIN CONTROLLER and TERMINAL SERVER additional notes: in the case of servers, the computer’s “local” Administrator user is often overlooked once the Domain Administrator takes over. IF the RDP policies are not set correctly, the “local” Administrator can still be exploited if it had a weak password at initial setup and/or if it is left active after the Domain Administrator is set in place. This user is reached by using the RDP IP address and entering the username like this: [ \\Administrator ] (the equivalent of [PC-NAME\Administrator]), effectively skipping the Domain security check.

All that being said, RDP-enabled computers, even on Domains, will need their “local” computer users checked, disabled or renamed, and protected with strong passwords, to ensure more complete protection against these types of attacks. (See the common username & password lists used by this malware, linked above in this article.)

3- As a final step, ensure that your new Administrator user has a strong password of at least 12 characters, using capitals, lowercase, numbers and special characters. Also check the link above to the list of the 500 most common passwords and stay away from any of those.
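Steps 7.3 to 7.5 of the clean-up (reset, strip RDP rights, disable but keep the rogue accounts) and prevention step 1 (move RDP off port 3389) can be scripted on a single machine. The PowerShell below is an added example, not a script from the original article: it handles the local accounts the malware creates (`updater`, `ntsec_admin`, names from the article) and the port 22445 used as the article's example. It assumes Windows 10 / Server 2016 or later for the `Microsoft.PowerShell.LocalAccounts` cmdlets; for domain accounts the equivalent ActiveDirectory-module cmdlets are `Set-ADAccountPassword` and `Disable-ADAccount`.

```powershell
# Added example (not from the original article). Run from an elevated console
# session, not over RDP: the port change restarts Remote Desktop Services and
# drops every existing RDP session, including yours.
#Requires -RunAsAdministrator

$RogueAccounts = @('updater', 'ntsec_admin')   # account names the malware creates (from the article)
$NewRdpPort    = 22445                          # non-default listening port (the article's example value)

function New-RandomPassword {
    # 32 random bytes, base64-encoded: the value is never displayed or needed again,
    # since the account is disabled right after it is set.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Lock-RogueLocalAccount {
    param([Parameter(Mandatory)][string]$Name)
    $user = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
    if (-not $user) { Write-Host "$Name not present, nothing to do"; return }
    # Reset the password, take away admin and RDP group rights, then disable.
    # Do NOT delete: a disabled account holding the name blocks the malware from
    # recreating it (step 7.5 of the article).
    Set-LocalUser -Name $Name -Password (New-RandomPassword)
    foreach ($group in 'Administrators', 'Remote Desktop Users') {
        Remove-LocalGroupMember -Group $group -Member $Name -ErrorAction SilentlyContinue
    }
    Disable-LocalUser -Name $Name
    Write-Host "$Name password reset, group rights removed, account disabled (kept in place)"
}

function Set-RdpListeningPort {
    param([Parameter(Mandatory)][int]$Port)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    Set-ItemProperty -Path $key -Name PortNumber -Value $Port -Type DWord
    # Open the new port in Windows Firewall before the service restarts, otherwise
    # the next RDP connection to this host will fail.
    New-NetFirewallRule -DisplayName "RDP on TCP $Port" -Direction Inbound `
        -Protocol TCP -LocalPort $Port -Action Allow | Out-Null
    Restart-Service -Name TermService -Force
    Write-Host "RDP now listens on TCP $Port; update the router port-forward to match"
}

foreach ($name in $RogueAccounts) { Lock-RogueLocalAccount -Name $name }
Set-RdpListeningPort -Port $NewRdpPort

# Review who still holds admin and RDP rights afterwards (prevention step 2):
# anything here that does not need RDP, such as copier or fax accounts, should go.
foreach ($group in 'Administrators', 'Remote Desktop Users') {
    $members = Get-LocalGroupMember -Group $group | Select-Object -ExpandProperty Name
    "{0}: {1}" -f $group, ($members -join ', ')
}
```

The registry key and `PortNumber` value are the same ones the article's RegEdit step changes by hand; the group review at the end is what step 2 above asks you to check manually.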

That is all for now; I hope this will be helpful to some of you out there. I had a hard time finding anything useful pertaining to this particular malware, which prompted me to write this article. Any questions or suggested tweaks can be submitted via our website Contact Form.


41 Responses to How to remove Mng_minerd.exe, Ric_minerd.exe and XMR minerd.exe malware visible in Task Manager – New malware using brute force on RDP enabled computers (UPDATED)

  1. Tony Capewell says:

    We have had this on three independent servers. The virus has evolved now as well, to create another folder c:\windows\ric, and the process running is called ric_mined.exe

    I have gone through all the above steps and we still get the infection, albeit Webroot stops it from running. The users still get created, the folders still get created, but nothing runs.

  2. Sebastien B. says:

    hmmm… seems to be a variant, but using similar processes [I have updated the article with a better fix for this variant], but make sure to review the few items below again, just in case.
    I would double check a few items:
    1- I would make sure to kill the *minerd.exe* process, as well as *command.exe*
    2- IF possible, complete as much as possible while the server is offline (not on the internet)
    3- Administrator users (local computer and Domain) should have been renamed to a non-standard format, example: [abc.admin] …something harder to guess
    4- Also, any username with RDP & Admin rights should be renamed as above [ex: name.lastname]
    5- Change the RDP default port (something not too close to port 3389)
    6- Using the “Autoruns” tool from Sysinternals, disable [updater.cmd] in the Scheduled Tasks tab
    7- Delete related files and folders (checking the creation date might offer some clues to spot other rogue files and folders)
    8- Delete rogue Administrator users that may have been created
    9- Run the online ESET scanner

    I have successfully cleaned two different servers that did not have any re-occurrence after a month, but this “version” of the malware may operate a little differently. We will be working on cleaning a couple of variants of the malware and see how we fare. Let us know if you find more [details/differences/additional fixes] on this infection and we can add them to this article. Cheerz.

  3. Anthony Quaresima says:

    Thought I’d add to this. The dropper for this is c:\windows\system32\scclient.exe. It’s called by the Net.Tcp Port Sharing Service in services. On a non-infected server the path points to .NET 4, but on an infected server it changes the exe for the service to scclient.exe.

  4. Aaron Handke says:

    We’re a Managed Service Provider with a larger anti-virus (not ESET, unfortunately) that we’ve been working with on this for a while. One of our techs detected this threat and we found out that enabling UAC to full completely renders the virus inoperable. The sad thing is, they mentioned they had another client with the same issue and neither they nor the client figured the UAC thing out. After almost 2 weeks of not hearing from our AV company, they finally started talking to us again after we enabled UAC, and it does appear it went away. All traces of the virus are gone; we found some .cab files in the \download folder and 1 log file in the \claymore folder (the log was empty, though).

    Anthony mentioned the port sharing service; we have this but it is tied to Microsoft Exchange, so it may be the legit version. We’re running the ESET scanner now.

  5. Sebastien B. says:

    Thank you for the info. The UAC option works, but it may create a lot of extra ‘clicking’ in my experience; it would definitely enhance your overall security, though. Make sure to upgrade any weak password (with CAUTION if an Admin user), etc.

    I have seen the malware sometimes partially come back due to the file ‘scclient.exe’ in the [System32] folder, as mentioned in a comment above. Possibly working as a malware dropper.

    Manually disabling the 2x rogue admin accounts without deleting them is a pretty strong door stopper, until the AV companies can completely remove the malware with its variants and the rogue users (I have not seen any antivirus that can remove an admin user from a computer automatically yet).

    After your scan completes and the computer/server is rebooted, the malware usually comes back around 11am, oddly enough. Within a couple of days you should be in the clear.

    I am still experimenting with permanent fixes, to be updated as soon as available.

    IT technician

  6. Aaron Handke says:


    Here’s the funny thing: after turning up UAC we left it for almost 2 weeks waiting for our AV provider to do something; by week 3 we started working on getting them into the server, and for over a week we left UAC off trying to get it to run, and it STILL has not come back.

    The online scan completed, found a few PUPs (Potentially Unwanted Programs) as well as the location of the main zip file this virus came from. It was located under the user folder atsu.ko on their desktop, called – check for that filename as it may help others. I was able to restore the entire zip file, password protect it, and am sending it off to our AV company now for analysis. Hopefully they’ll be able to figure something out.

    Good luck everyone, we’ll be keeping an eye on this link for a bit

  7. Joe Norris says:

    I have been battling with this virus for days with a client of mine; I have removed it every time and it has come back!

    The two accounts it creates, ntsec_admin and updater, were disabled yesterday after resetting the password, yet this morning they are enabled once again. Please help?!

  8. Sebastien B. says:

    Make sure to remove scclient.exe from the System32 folder.

    And reset the computer ‘local’ Administrator.

    Missing any of the steps stated in the article can leave a ‘door’ open.

    If it keeps giving you grief, send us a private message via our contact/request page. We can clear this malware successfully in a fairly short time.

  9. forgiven says:

    We had the ric_minerd variant on our Server 2012 R2 Core install. The first suspicious process that we spotted was ssms.exe, and it was using 100% CPU. We also had a number of “blank” processes running in Task Manager. Just followed your walk-through to get rid of the malware. ESET online scanner did not find anything. We will wait and see what happens tomorrow morning.

  10. forgiven says:

    We also just found a folder called soloric in c:\windows. Removed the folder and all its contents.

  11. JRM says:

    I am being hit by a Brute Force RDP attack at the moment. They gained access several days ago using a Backup Exec service account. I have since disabled that account and blocked 3389 from outside (it’s still getting hit); however, it appears that another machine on the network picked up something, as I am now getting reports of its NetBios name attempting to login with failed credentials to the two servers that are getting attacked from the outside. This article is the closest I’ve found to what I am experiencing but I don’t see the files/folders listed on the internal machine making the RDP attempts. Any ideas or other things to look at?

  12. Pete says:

    4- Delete the following folder and files:
    >>>>>> C:\windows\tmp1.cmd <<<<<<<<<<<<<Variant of the malware may include these folders:

  13. IceMemory says:

    Recently I removed that virus from 3 servers. Different clients, different locations.
    On one of them I had a luck and found log files (3000+) jobs received from
    Some of them have SonicWall. How do they pass through SonicWall? On servers we have Symantec Endpoint; we are getting Intrusion Block Alerts to a specific IP.

  14. Sebastien B. says:

    “ssms.exe” sounds like a variant. Let us know if you find anything else that may be different. We’ll be happy to add it to this article.

  15. Sebastien B. says:

    Hmmm…what are the symptoms that are common with this article? Maybe a different malware altogether.
    Feel free to contact us via our email, if it is easier. (screenshots, etc.)
    [email protected] [.com]

  16. Sebastien B. says:

    Hard to say, but from what we have seen of this specific malware, it takes advantage of very weak passwords, using basic codes/tricks that fly under the radar of most protection in place. When building a new server/domain, creating strong passwords for all users and following industry best practice can prevent the most common security gaps. (Especially when enabling RDP services on any computer)

  17. IceMemory says:

    On one of the hacked servers I found an IP brute force program.
    I think I figured it out. Probably they scanned for the RDP port and ran that software to break in.

  18. Thanks to Anthony Quaresima for the Net.Tcp Port Sharing Service tip… after this miner reappeared I discovered scclient.exe hiding in C:\Windows\SysWOW64\scclient.exe and not the System32 folder

  19. David says:

    I have tried all the steps above more than once and this thing keeps coming back. The only profile that resurfaces is the Updater profile. I can immediately tell because it launches an ssms.exe that takes up 50% of my CPU. I am at my wits’ end.

  20. Sebastien B. says:

    Sounds like SCCLIENT.exe is still running, or something in the “Autoruns” entries was left active, is my guess. Let me know if you need assistance. Sébastien.

  21. Wayne C. says:

    I am having a big problem with this virus. It has actually completely taken over a DC on a domain. Once access was established the remote connection renamed the DC and brought the entire Domain down. After initially removing a large part of the virus with the help of the instructions above, the virus returned 35 days later with several new wrinkles.
    Updater.exe was now accompanied by Updarer.exe
    Scheduled tasks were created for Updater.exe and Updarer.exe
    scclient.exe showed up in SYSwow64 subfolder of Windows
    NTSEC_admin and uptdater were created as local admin accounts after the machine was somehow removed from the domain.
    Previously I had left the disabled user accounts on the domain.

    After restoring the server from a recent backup, I am still struggling to make sure that I have removed all of the components. Any new suggestions would be very helpful.

  22. Tommaso says:

    in my case, ESET also found c:\Windows\xmr\xmr_minerd.exe
    thank you

  23. Tommaso says:

    in my case ESET also found C:\windows\xmr\xmr_minerd.exe
    thank you

  24. Dario D says:

    Just a suggestion: in c:\windows, just do a search for “minerd”. I found multiple subfolders (xmr_minerd, natalia, etc.) not listed here with replicas of the virus executable. Delete everything!

    When I first got this virus, I couldn’t get rid of it, so I simply “touched” the .exe files so that they would exist, but be empty. This stopped it, but that ended up not working anymore — the files kept regenerating (along with everything else) at 11 the next day, as mentioned in the article.

    This virus really seems to simply re-install itself no matter what, every day. So make sure you get rid of absolutely everything before rebooting, and keep an eye for the accounts. Even if I disabled/removed admin rights to those accounts, they would keep coming back.

    As crazy as it seems, if this keeps happening, I might just format my machine — I’m at my wit’s end with this one.

  25. Cool Singh says:

    I am working on a server (as an IT Tech) in a work-group environment, Windows Server 2012 R2 Standard with MacAfee Enterprise installed.
    The server s/w has been in service for about a year. There were 4 workstations connected via RDP.
    In early October 2015 I was leaving for vacation; on routine maintenance of the server I noticed 4 unaccounted admin users, two of them being updater & ntsec_admin. On inspection I found out that one of the workgroup users’ (kids) had installed about 20 games on the laptop. I had to remove the laptop and disable RDP from the server; the other user was using unsecure web pages and YouTube, and I had to deny access to YouTube. I then inquired with one of the medical services providers (Accuro QHR), who have access to the server, whether they installed these admin accounts. They were pretty upset about this.
    So I deleted these accounts via Control Panel user accounts; I then changed the Administrator p/w and the other Administrators with strong encryption p/w.
    A week later (I was in Peru) I received an SMS message that the workgroup users cannot access the printers and the scan/fax, what to do? I checked the server via RDP on my Android phone and noticed that the Administrator account had been disabled and ‘Twelve admin accounts installed on the server’. I immediately informed the manager to call the backup tech to do further investigations, and in the meantime the server would be shut down. He (the backup tech) further deleted 2 more accounts and did a virus scan after updating the McAfee s/w. He could not find why the Administrator account was disabled after 12 hours, and he restarted the server.
    On my return I have been continuously monitoring the system, deleting the re-emerging updater and ntsec_admin and daily enabling the Administrator account. I had been reading and contacting the Windows Server tech forums and posting questions regarding this issue and the Administrator account being disabled.
    Having got neither any response nor an answer, last week I googled ntsec_admin and the very first article was yours; going through the article, I don’t know what to say – saviors! The problems and issues are exactly as described in this informative article.
    I have deleted and gone through all of the steps as described except one – changing the RDP port. The issue is still there; the Administrator account keeps being disabled after 12 hours or so, sometimes twice in a day. I am looking to rename the Administrator account and change the password during the weekend when no one is on the server.

    Thanks a lot. Any suggestions will be appreciated.

  26. Al says:

    What is the update for this miner? Last Tuesday I was done cleaning one server and it was a success, then one of the RDP users logged in and the miner ran again. I did the process again, and for the last time; one thing I found was an infected folder named xmr as well, and deleted it.

  27. Sebastien B. says:

    XMR MINERD seems to be a new variant. Make sure the RDP port has been changed to a non-standard one.

  28. Sebastien B. says:

    I would have a look at the computer “local” admin, change password and disable if possible.


  29. Sebastien B. says:

    Changing the default RDP port, locking up the “local admin” user and removing the entries via “Autoruns” should cover most of the reasons for the malware to come back.
    Something that has not been covered yet (from my list) is the most likely reason.

  30. Jack says:

    Thank you for this article; please leave this post up as long as possible, this thing is still on the loose. Multiple user accounts, multiple files and CPU at 100% was the tip-off, and 3 hours later I think I may have it. To be continued…….

    Thanks Guys for all your hard work and input keep fighting the Good Fight!!!

  31. Elnino says:

    Hi Sebastien,

    My server has been infected with this malware; the user administrator password was changed by the malware, and this time the user administrator has already been inactivated by the malware.

    I still have one account other than the administrator account, but I forgot the password for this account.

    I don’t know how I can log in to this Windows.

    How can I log in to Windows in this condition?

    I really need help and advice from you.


  32. Sebastien B. says:

    Usually having the Windows CD is your next best step to recover a password.
    (here are some other ideas:

  33. Sebastien B. says:

    Good luck to you and cheers 🙂

  34. Sebastien B. says:

    Sorry about the delay in replying; checking that the RDP port has been changed is an important step to follow. I have seen the virus come back when it was not completed correctly.
    Shoot me a message or post here if you still need assistance. Séb.

  35. Joel says:

    This article helped a lot with the TROJ_COINMINER but I had to add some additional files to the list and block the executables with Trend Micro. The engineers at Trend Micro and Malwarebytes were very helpful.

    C:\Users\UserName\AppData\Roaming\Origin\update.vbe (Search in Users for update.vbe)
    C:\windows\claymore\*.* (ssms.exe, ssms32.exe)
    C:\windows\ric\*.* (ric_minerd2.exe, tasklist_.tmp)
    C:\windows\victoria\*.* (random.exe, passwd.txt, ranges.txt, etc.)

  36. Sebastien B. says:

    Great extra info Joel. Thanks for sharing. Cheers 🙂

  37. Daniel says:

    Great info saved a bunch of headache !

  38. Trevor says:

    I got the same infection on my DC server.
    More notes, with items to be added to the list:

    Delete: C:\Windows\System32\config\systemprofile\AppData\Local\Ethash – had 6GB.

    Disabled service: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\scclient\ – Just found this one today. – I have disabled it.
    I could not find “C:\Windows\SysWOW64\scclient.exe” – do you think it gets copied and then the service starts it as a System-privileged service?

    The user accounts keep coming back; do you think a machine on the network could be the host? I have spent a week in hours looking through the server. The files look to be regenerating at about 11:00AM.
    I am currently creating a new user to apply the NTFS permissions to, and deny all others including SYSTEM, CREATOR OWNER and Administrators.
    I have disabled the local and domain “Administrator” user accounts and disabled RDP.
    Ran Malwarebytes, Webroot, SFC /scannow, CCleaner, MS Autoruns (very good tool).

  39. Sebastien B. says:

    Sorry about the delay in replying. The “users coming back” is usually due to a standard RDP port still in use, or the users having been deleted instead of disabled; and lastly, I would carefully check over the entries in the AUTORUNS tool for any odd entries. I have seen this malware come back with slightly different file names. Message me via the “contact” section of this website if you need more assistance. Cheers, Sébastien.

  40. Ucen MKAAL says:

    Thank you for your recent help.
    I don’t have any permission to do any of the above, delete Updater and ssclient….
    Can I bypass this to delete the mentioned files?
    Thank you

  41. Sebastien B. says:

    Make sure to log in as the Domain Admin user, as well as running the “Autoruns” tool with the option “Run as Administrator”.
    Let me know if you need further assistance. Sébastien

Comments are closed.