
Hit by a cryptominer again, looking for a fix

Tags: mining svchost xmrig wmixml.dat

My luck is incredible: I've been hit by a cryptominer again, and this time I have no clue at all. Here is a quick summary of what I know so far.
1. The parent process is svchost.exe -k netsvcs. The mining process started by that parent svchost is itself named svchost.exe.
It connects to the address http://91.121.2.76:80
If you open that address directly in a browser, you see pool.minexmr.com 030418 online id 1101000

2. Killing the process does nothing; it restarts by itself after a while.
3. Antivirus scans find nothing.
4. The command line column in Task Manager shows nothing for the process.
5. Using Process Explorer to inspect the process memory, I found a file C:\Windows\System32\wbem\xml\wmixml.dat whose content is an xmrig configuration file. The xmrig version shown in memory is 2.4.3.

{
    "algo": "cryptonight",  // cryptonight (default) or cryptonight-lite
    "av": 0,                // algorithm variation, 0 auto select
    "background": false,    // true to run the miner in the background
    "colors": true,         // false to disable colored output    
    "cpu-affinity": null,   // set process affinity to CPU core(s), mask "0x3" for cores 0 and 1
    "cpu-priority": null,   // set process priority (0 idle, 2 normal to 5 highest)
    "donate-level": 5,      // donate level, mininum 1%
    "log-file": null,       // log all output to a file, example: "c:/some/path/xmrig.log"
    "max-cpu-usage": 1,    // maximum CPU usage for automatic mode, usually limiting factor is CPU cache not this option.  
    "print-time": 60,       // print hashrate report every N seconds
    "retries": 5,           // number of times to retry before switch to backup server
    "retry-pause": 5,       // time to pause between retries
    "safe": false,          // true to safe adjust threads and av settings for current CPU
    "threads": null,        // number of miner threads
    "pools": [
        {
            "url": "91.121.2.76:80",   // URL of mining server pool.minexmr.com
            "user": "465Qh6sTNHzf5Tmn2NHTUrJau7QYxTRPr7qwAH3va68pYNXPyqT23oAAQWdvKBEr8wCVEZWHo8ce5e1yGLNfJ3sZHSVskP9.rg299",                        // username for mining server
            "pass": "x",                       // password for mining server
            "keepalive": false,                 // send keepalived for prevent timeout (need pool support)
            "nicehash": false                  // enable nicehash/xmrig-proxy support
        }
    ],
    "api": {
        "port": 0,                             // port for the miner API https://github.com/xmrig/xmrig/wiki/API
        "access-token": null,                  // access token for API
        "worker-id": null                      // custom worker-id for API
    }
}

6. I also went through the svchost registry entries; nothing obviously abnormal there.
Services registered in the svchost netsvcs group:
AeLookupSvc
CertPropSvc
SCPolicySvc
lanmanserver
gpsvc
IKEEXT
FastUserSwitchingCompatibility
Ias
Irmon
Nla
Ntmssvc
NWCWorkstation
Nwsapagent
Rasauto
Rasman
Remoteaccess
SENS
Sharedaccess
SRService
Tapisrv
Wmi
WmdmPmSp
wuauserv
BITS
ShellHWDetection
LogonHours
PCAudit
helpsvc
uploadmgr

AppMgmt
iphlpsvc
seclogon
AppInfo
msiscsi
EapHost
schedule
sacsvr
winmgmt
MMCSS
browser
ProfSvc
SessionEnv
wercplsupport
hkmsvc
Themes
DsmSvc
NcaSvc
7. My current workaround is to delete the wmixml.dat file and then kill the mining svchost process; after that the miner does not come back. But as soon as wmixml.dat is put back, the mining process reappears.

Has anyone run into the same problem? Any advice would be much appreciated.

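Two things a responder would want to automate from the observations above: turning a recovered xmrig-style config (JSON with // comments, as in wmixml.dat) into blockable indicators, and flagging the process-tree shape the post describes (svchost.exe spawning a second svchost.exe with no -k group on its command line). The Python below is an added example, not code from the original post or from xmrig. The config and the process listing are constructed samples with placeholder pool and wallet values, and the "three or more xmrig-specific keys" threshold and the svchost parent/child rule are heuristics chosen for this example.

```python
import json

# Constructed sample: an xmrig-style config.json with // comments, in the same
# shape as the one recovered from wmixml.dat. Pool address and wallet are
# placeholders, not values from a real infection.
SAMPLE_CONFIG = """{
    "algo": "cryptonight",     // cryptonight (default) or cryptonight-lite
    "donate-level": 5,         // donate level
    "log-file": null,          // example: "c:/some/path/xmrig.log"
    "max-cpu-usage": 1,        // miner throttled to stay unnoticed
    "pools": [
        {
            "url": "203.0.113.10:80",              // URL of mining server
            "user": "WALLET_PLACEHOLDER.worker1",  // wallet.worker-id
            "pass": "x"                            // password for mining server
        }
    ]
}"""

# Keys that appear in xmrig configs and rarely anywhere else (heuristic set).
MINER_KEYS = {"algo", "donate-level", "max-cpu-usage", "pools", "nicehash", "av"}


def strip_line_comments(text: str) -> str:
    """Remove // comments while leaving string contents (e.g. "http://...") intact.

    json.loads() rejects comments, but xmrig's loader accepts them, and a
    naive regex would also eat the "//" inside quoted URLs.
    """
    out, in_str, esc, i, n = [], False, False, 0, len(text)
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if esc:
                esc = False
            elif c == "\\":
                esc = True
            elif c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif c == "/" and text.startswith("//", i):
            nl = text.find("\n", i)        # skip to end of line, keep the newline
            i = n if nl == -1 else nl
        else:
            out.append(c)
            i += 1
    return "".join(out)


def parse_miner_config(text: str) -> dict:
    """Return a verdict plus the pool/wallet indicators worth blocking or hunting for."""
    data = json.loads(strip_line_comments(text))
    overlap = MINER_KEYS & set(data)
    iocs = []
    for pool in data.get("pools", []):
        user = pool.get("user") or ""
        wallet, _, worker = user.partition(".")    # xmrig convention: wallet.worker
        iocs.append({"pool": pool.get("url"), "wallet": wallet, "worker": worker})
    return {
        "is_miner_config": len(overlap) >= 3,      # heuristic threshold
        "matched_keys": sorted(overlap),
        "max_cpu_usage": data.get("max-cpu-usage"),
        "iocs": iocs,
    }


# Constructed process listing as (pid, ppid, image, command_line).
# A legitimate svchost.exe is started by services.exe with "-k <group>"; the
# post describes svchost.exe spawning another svchost.exe with an empty
# command line, which is the pattern flagged below.
SAMPLE_PROCS = [
    (600, 1, "services.exe", "C:\\Windows\\system32\\services.exe"),
    (900, 600, "svchost.exe", "svchost.exe -k netsvcs"),
    (1234, 900, "svchost.exe", ""),                    # miner masquerading as svchost
    (1300, 600, "svchost.exe", "svchost.exe -k LocalService"),
    (2000, 1500, "notepad.exe", "notepad.exe"),
]


def suspicious_svchost_children(procs) -> list:
    """PIDs of svchost.exe processes whose parent is also svchost.exe and that lack a -k group."""
    by_pid = {p[0]: p for p in procs}
    hits = []
    for pid, ppid, image, cmd in procs:
        parent = by_pid.get(ppid)
        if image.lower() != "svchost.exe" or parent is None:
            continue
        if parent[2].lower() == "svchost.exe" and "-k" not in cmd.lower():
            hits.append(pid)
    return hits


if __name__ == "__main__":
    print(parse_miner_config(SAMPLE_CONFIG))
    print("suspicious svchost PIDs:", suspicious_svchost_children(SAMPLE_PROCS))
```

The pool URL and wallet are what you feed to egress blocking and to searches across other hosts; the svchost rule is a starting point for a process-creation alert and will need tuning against legitimate software on the same box.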