Fake System_Idle_Process.exe (notice the Underscores)
We have a W2K8 R2 64-bit server that is infected with a rather persistent malware process. The process is "System_Idle_Process.exe". Please note the underscores in the process name. This is how it appears in the Task Manager. The legitimate System Idle Process entry does not contain the underscores.
This process consumes 98-99% of processor time, effectively creating a DoS condition on the infected machine. I have discovered its folder as C:\Windows\ltc-miner. I have been able to kill the process, which gives me control of the computer again. I've then deleted the C:\Windows\ltc-miner folder along with another folder that appears to be related (C:\Windows\tanechka).
There must be a Windows task set up to re-institute this bothersome bit of malware, because within a few minutes the process is active again and both folders are back (sometimes it takes a few hours, but it always comes back). In addition, the newly created "C:\windows\tanechka" folder will contain several references to the Trojan.Horse and Trojan.Gen.2 viruses, which Symantec Endpoint Protection catches and quarantines. Unfortunately, Endpoint Protection is offering no help removing the underlying problem of the System_Idle_Process.exe malware.
Has anyone else run into this? Is there a known removal tool? I've been searching the net for any reference to this, but have not found anything helpful.
Thanks in advance for any help...
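The post suspects that something (a scheduled task, a service, an autorun registry value or a WMI event subscription) keeps re-creating the miner after the folders are deleted. The script below is an added example, not code from the original post, that enumerates those persistence locations on the affected host and reports any entry referencing the indicators the post names (`System_Idle_Process.exe`, `ltc-miner`, `tanechka`). It assumes an elevated PowerShell session on the Windows Server 2008 R2 machine (PowerShell 2.0 is enough; it uses `schtasks.exe` rather than `Get-ScheduledTask`, which that OS lacks). The indicator list is constructed from the post and can be extended. A useful side check it applies: the genuine "System Idle Process" is PID 0 and has no executable path, so any image with that name and a real path on disk is not the kernel entry.

```powershell
# Added hunting script (not from the original post). Assumes an elevated
# PowerShell 2.0+ session on the affected Server 2008 R2 host.
# Indicator strings are taken from the post; extend as needed.
$Indicators = @('System_Idle_Process.exe', 'ltc-miner', 'tanechka')
$Findings   = @()

function Test-Indicator {
    param([string]$Text)
    if (-not $Text) { return $false }
    foreach ($i in $Indicators) {
        if ($Text -match [regex]::Escape($i)) { return $true }
    }
    return $false
}

function Add-Finding($Source, $Name, $Detail) {
    $script:Findings += New-Object PSObject -Property @{
        Source = $Source; Name = $Name; Detail = $Detail
    }
}

# 1. Running processes: the real System Idle Process is PID 0 with no path.
foreach ($p in (Get-WmiObject Win32_Process)) {
    if ((Test-Indicator $p.Name) -or (Test-Indicator $p.ExecutablePath) -or
        (Test-Indicator $p.CommandLine)) {
        Add-Finding 'Process' $p.Name "PID $($p.ProcessId) $($p.ExecutablePath)"
    }
}

# 2. Scheduled tasks (schtasks.exe verbose CSV works on 2008 R2).
foreach ($t in (schtasks.exe /query /fo CSV /v | ConvertFrom-Csv)) {
    if ((Test-Indicator $t.TaskName) -or (Test-Indicator $t.'Task To Run')) {
        Add-Finding 'ScheduledTask' $t.TaskName $t.'Task To Run'
    }
}

# 3. Services whose binary path points at the miner folders.
foreach ($s in (Get-WmiObject Win32_Service)) {
    if (Test-Indicator $s.PathName) {
        Add-Finding 'Service' $s.Name $s.PathName
    }
}

# 4. Classic autorun registry values (64-bit and WOW64 views).
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
foreach ($k in $RunKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell metadata
        if (Test-Indicator -Text ([string]$prop.Value)) {
            Add-Finding 'Registry' "$k\$($prop.Name)" ([string]$prop.Value)
        }
    }
}

# 5. Permanent WMI event subscriptions, a persistence spot AV often misses.
foreach ($c in (Get-WmiObject -Namespace root\subscription -Class CommandLineEventConsumer -ErrorAction SilentlyContinue)) {
    if (Test-Indicator $c.CommandLineTemplate) {
        Add-Finding 'WMIConsumer' $c.Name $c.CommandLineTemplate
    }
}
foreach ($c in (Get-WmiObject -Namespace root\subscription -Class ActiveScriptEventConsumer -ErrorAction SilentlyContinue)) {
    if (Test-Indicator $c.ScriptText) {
        Add-Finding 'WMIConsumer' $c.Name 'ActiveScript consumer references an indicator'
    }
}

if ($Findings.Count -eq 0) {
    Write-Host 'No persistence entries matched the indicators.'
} else {
    $Findings | Format-Table Source, Name, Detail -AutoSize
}
```

Run it while the miner is dead and the folders deleted, then again after they reappear; whatever it reports in the second run (and ideally in both) is the mechanism re-creating the folders, and that entry is what needs to be removed before the miner itself will stay gone. Because the script only reads and reports, it is safe to run repeatedly, and the output is worth keeping as evidence for the incident record.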