How to get rid of gfxdrv.exe and gxdrv.exe on 2003 server?

I have a serious issue on one old terminal server (2003).

I have a recurring virus, a coin miner it seems, and I don't know how it gets into the computer. It is a quite isolated environment.

It creates either gfxdrv.exe or gxdrv.exe in windows\temp and mines coins.

Has anyone encountered this problem? I don't know how to get rid of it.

mrmut asked:

Dr. Klahn, Principal Software Engineer, commented:
First, change all passwords to log into the victim system.  Then when somebody comes to you and says "My password on the server doesn't work any more," that's probably the culprit.

In the meantime, possibly put these specific filenames into the GPO as prohibited executables?  Then it'll be stopped cold when it tries to execute and you can chase the problem at a more leisurely pace.

https://support.microsoft.com/en-us/help/324036/how-to-use-software-restriction-policies-in-windows-server-2003

This is pretty much like the perennial problem of stopping unprivileged users from installing Chrome, which is also a good reference for such problems.

https://social.technet.microsoft.com/Forums/windowsserver/en-US/a7abcfea-8819-4680-9010-d2604a59c9bd/blocking-google-chrome-through-gpo?forum=winserverGP

https://community.spiceworks.com/topic/389016-need-help-with-gpo-to-block-exe-s-in-appdata-folder

mrmut (Author) commented:
What I did was create two folders without permissions, which will effectively block the files from being reinstated in TEMP.

Is the GPO restriction system wide, or directory restricted?

Also - do you happen to know of a database of all updates for 2003 released after end of support?
Dr. Klahn, Principal Software Engineer, commented:
GPO restrictions can be system-wide or path specific.  When dealing with issues like this it is probably best to make it system-wide, unless there is a valid system executable with the same name.

So far as I know there were no updates for Server 2003 after end of support ... except (a) for companies purchasing support contracts, and (b) possibly the WannaCry issue.  Perhaps another expert could speak to that topic.
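The two answers above recommend putting the specific file names into a Software Restriction Policy as prohibited executables and note that a rule can be system-wide or path-specific. The script below is an added example, not code from the thread or from Microsoft's documentation; it creates the equivalent "Disallowed" path rules in the local policy registry keys that SRP reads, and assumes an elevated PowerShell 2.0 session (installable on Server 2003 via WMF 2.0). A domain GPO delivers the same values under the same keys.

```powershell
# Added example (not from the thread): local SRP "Disallowed" path rules for the
# two coinminer file names. Assumes PowerShell 2.0 and an elevated session.
# SRP stores its rules under this policy key; subkey 0 is the Disallowed level
# and subkey 262144 would be Unrestricted.
$srp        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed = Join-Path $srp '0\Paths'

# Make sure the SRP root exists and enforcement is switched on.
if (-not (Test-Path $srp)) { New-Item -Path $srp -Force | Out-Null }
# Default level Unrestricted: only the explicit rules below deny anything.
New-ItemProperty -Path $srp -Name DefaultLevel       -PropertyType DWord -Value 262144 -Force | Out-Null
# Apply to all software files except libraries (DLLs).
New-ItemProperty -Path $srp -Name TransparentEnabled -PropertyType DWord -Value 1      -Force | Out-Null
# 0 = all users, including local administrators.
New-ItemProperty -Path $srp -Name PolicyScope        -PropertyType DWord -Value 0      -Force | Out-Null

function Add-SrpDenyRule {
    # Each path rule lives in its own GUID-named subkey under the level's Paths key.
    param([string]$Pattern, [string]$Description)
    $guid = '{' + [guid]::NewGuid().ToString() + '}'
    $key  = Join-Path $disallowed $guid
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -PropertyType ExpandString -Value $Pattern     -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -PropertyType DWord        -Value 0            -Force | Out-Null
    New-ItemProperty -Path $key -Name Description  -PropertyType String       -Value $Description -Force | Out-Null
    # SRP records the change time as a FILETIME (QWORD).
    New-ItemProperty -Path $key -Name LastModified -PropertyType QWord -Value ([datetime]::UtcNow.ToFileTimeUtc()) -Force | Out-Null
}

# A bare file name matches that name in any directory, i.e. a system-wide rule;
# a full path such as %SystemRoot%\Temp\gfxdrv.exe would restrict the rule to
# that one location. System-wide is appropriate here because neither name is a
# legitimate Windows executable.
Add-SrpDenyRule 'gfxdrv.exe' 'Block coinminer dropped in windows\temp'
Add-SrpDenyRule 'gxdrv.exe'  'Block coinminer dropped in windows\temp'

# Refresh policy so new process launches are evaluated against the rules.
gpupdate /force
```

When the policy is active, a blocked launch is logged as a Software Restriction Policy event in the Application log, which also tells you which account and which parent process attempted to start the file.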
mrmut (Author) commented:
I didn't know you could buy support for 2003? Is there a way to get these updates?

I will make a system-wide GPO tomorrow; I have to go to sleep now. I have been working on this for hours (it is midnight here).
Dr. Klahn, Principal Software Engineer, commented:
Regrettably, the Premium Support contract period for Server 2003 has expired.  Custom Support Agreements are available but these contracts are amazingly expensive and require a firm commitment to get off the expired platform.  And Microsoft monitors that progress.

"CSAs usually required the customer to pledge to migrate to a supported edition of a product, with contract milestones expressed as percentages of the CSA-covered systems upgraded to a newer version within a given period, say a year. Failure to meet those migration "thresholds" meant Microsoft would refuse to renew the deal or cut off support."

See also:

https://redmondmag.com/articles/2015/06/22/windows-server-2003-support.aspx

"CSA costs are tallied up based on the number of devices under support. In the first year, the per-device cost will be approximately the same as the price of the original Windows Server 2003 license, or around $600 to $700 per license for the Standard edition. In the next year, that price will double. In the third year, Microsoft doubles the second-year price."

So by 2020 it would be $2400 per device per year, with a minimum number of devices - Microsoft is very secretive about CSAs.
mrmut (Author) commented:
I guess it is in their best interest to get users to a new software / hardware. I will try to see with them locally what is possible in regard to this.

Thanks for the tip though!
mrmut (Author) commented:
Thanks a lot for help.