
Suspicious Program Running in Temp


22 replies to this topic

#1 A Selene

  • Members
  • 46 posts

Posted 07 February 2018 - 11:13 PM

Server 2003, in C:\WINDOWS\Temp is running gfxdrv.exe and it's a heavy CPU consumer.

It's unsigned and is using about 75% of the CPU.

 

Antivirus scan finds nothing wrong with it but I wonder...




 


#2 SniperK4100

  • Members
  • 1 post

Posted 08 February 2018 - 02:26 AM

Having the same problem. Started Tuesday.

I have deleted the file from the TEMP folder.

Don't like that I don't know the cause of the problem.



#3 A Selene (Topic Starter)

  • Members
  • 46 posts

Posted 08 February 2018 - 02:39 AM

> Having the same problem. Started Tuesday.
>
> I have deleted the file from the TEMP folder.
>
> Don't like that I don't know the cause of the problem.

 

I've done the same thing. Will submit for analysis in the morning. Thanks.



#4 A Selene (Topic Starter)

  • Members
  • 46 posts

Posted 08 February 2018 - 11:23 AM

 

> > Having the same problem. Started Tuesday.
> >
> > I have deleted the file from the TEMP folder.
> >
> > Don't like that I don't know the cause of the problem.
>
> I've done the same thing. Will submit for analysis in the morning. Thanks.

 

 

VirusTotal results:

https://www.virustotal.com/#/file/638ea5d6bf8d6703b6a8e39622d88ad3dd75f5557fa81223b1ca861605caaeb6/detection

As I read it, 39 of 67 scan engines flag it as a malicious file.



#5 A Selene (Topic Starter)

  • Members
  • 46 posts

Posted 08 February 2018 - 07:43 PM

Trend Micro WFBS now pronounces this a Trojan and quarantines it.

Good show...



#6 emolatur

  • Members
  • 2 posts

Posted 03 March 2018 - 10:29 PM

This is a cryptominer.

 

I am less worried about what it is (ultimately harmless but thoroughly !#%&ing annoying) and much more worried about the implications -- specifically, somebody is getting into our servers to install the thing.

 

Mine appears to be coming back roughly weekly. First detected instance was 2/20/2018 at 7:09am. I killed the task and altered the file's permissions such that *nobody* can execute it... so on 2/27/2018 at 9:36am, gxdrv.exe appeared instead: same filename but without the 'f.'

 

My 'server' is a pretty isolated vm I use for testing things, with a clean snapshot I can easily-enough restore to... so I'm not particularly freaking out about it, but I would really like to figure out how this thing is being installed.



#7 pmosca

  • Members
  • 2 posts

Posted 12 March 2018 - 11:21 AM

I am having the same issue. That exe is in the same folder on a virtual Windows 2003 Server. It reappears after about a week. For example today, March 12, at 8:30AM US CST it was created. I have not been able to find how or what it is creating it. Any luck on your end? Trendmicro was detecting it as a threat last week, but the most recent one that was created is not. I confirmed it is not created when a user logs into the server. This is used as a terminal server.

 

Also, the original was gfxdrv.exe and now this most recent one is gxdrv.exe. This is an isolated server as well except for port 3389 RDP and only I have accessed it since the last time I had detected it. So it almost does not seem to be coming from the outside. Very odd.


Edited by pmosca, 12 March 2018 - 12:15 PM.


#8 quietman7

  • Global Moderator
  • 51,391 posts

Posted 12 March 2018 - 02:05 PM

If anyone needs individual assistance with a possible malware infection, they should follow the instructions in the Malware Removal and Log Section Preparation Guide. Start a new topic and post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team. If HelpBot replies to your topic, please follow Step One and CLICK the link so it will report your topic to the team members.

#9 MarkPrimo

  • Members
  • 3 posts

Posted 13 March 2018 - 09:33 AM

> I am having the same issue. That exe is in the same folder on a virtual Windows 2003 Server. It reappears after about a week. For example today, March 12, at 8:30AM US CST it was created. I have not been able to find how or what it is creating it. Any luck on your end? Trendmicro was detecting it as a threat last week, but the most recent one that was created is not. I confirmed it is not created when a user logs into the server. This is used as a terminal server.
>
> Also, the original was gfxdrv.exe and now this most recent one is gxdrv.exe. This is an isolated server as well except for port 3389 RDP and only I have accessed it since the last time I had detected it. So it almost does not seem to be coming from the outside. Very odd.

Exactly the same on one of my clients. I can't figure out how it gets in. Some suspicious policy changes having to do with remote assistance group but can't determine the source. I have removed this group as we don't need it. If anyone figures out how to find the source, I am interested in knowing. I have created 2 folders with the same name after removing the 2 files gfxdrv.exe and gxdrv.exe and limited security to only a normally not used account in an attempt to disable re-creation. I already did this once with gfxdrv.exe and 12 days later this new one showed up. They show up in the windows\temp folder.



#10 A Selene (Topic Starter)

  • Members
  • 46 posts

Posted 13 March 2018 - 01:42 PM

 

> > I am having the same issue. That exe is in the same folder on a virtual Windows 2003 Server. It reappears after about a week. For example today, March 12, at 8:30AM US CST it was created. I have not been able to find how or what it is creating it. Any luck on your end? Trendmicro was detecting it as a threat last week, but the most recent one that was created is not. I confirmed it is not created when a user logs into the server. This is used as a terminal server.
> >
> > Also, the original was gfxdrv.exe and now this most recent one is gxdrv.exe. This is an isolated server as well except for port 3389 RDP and only I have accessed it since the last time I had detected it. So it almost does not seem to be coming from the outside. Very odd.
>
> Exactly the same on one of my clients. I can't figure out how it gets in. Some suspicious policy changes having to do with remote assistance group but can't determine the source. I have removed this group as we don't need it. If anyone figures out how to find the source, I am interested in knowing. I have created 2 folders with the same name after removing the 2 files gfxdrv.exe and gxdrv.exe and limited security to only a normally not used account in an attempt to disable re-creation. I already did this once with gfxdrv.exe and 12 days later this new one showed up. They show up in the windows\temp folder.

 

I've been hit again by gxdrv.exe on 2/27, twice on 3/5, and again today.

It's utterly simple to kill by terminating the process in Task Manager and deleting the .exe from C:\WINDOWS\TEMP.

But it DOES come back.

I've no idea how it's getting installed either.

There's no mention of it in the registry.



#11 pmosca

  • Members
  • 2 posts

Posted 14 March 2018 - 01:17 PM

Anyone have any luck figuring this out? It is still occurring on my system and I've tried removing all user profiles from the system. Nothing in the registry. Antivirus does not detect it anymore. Any way to set auditing on to see what is creating it? I am going to try cutting it off entirely from the outside to see if it is not coming from outside the network each time. Also wondering if everyone here has their server's Windows Updates up to date? Maybe it is a known vulnerability that a Windows security update might fix? I admit, mine is not, but I will be updating it tonight.


Edited by pmosca, 14 March 2018 - 01:33 PM.
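A defender-side check for the symptoms described in this thread (an unsigned executable running from C:\WINDOWS\Temp) and for pmosca's question about auditing, added here as an example; it is not code from the thread. It assumes PowerShell 2.0 or later installed on the server and run with administrative rights (needed to read other users' process paths and to write a SACL); the function names are my own.

```powershell
# Added example, not from the thread. Assumes PowerShell 2.0+ run as an administrator.
$tempDir = Join-Path $env:SystemRoot 'Temp'

function Get-Sha256Hex([string]$path) {
    # Hex SHA-256 of a file, so the hash can be compared with a VirusTotal report.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

function Find-TempProcesses([string]$dir) {
    # Report every running process whose image file lives under $dir, with its
    # Authenticode status (NotSigned is what the thread describes) and CPU time.
    Get-Process |
      Where-Object { $_.Path -and $_.Path.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase) } |
      ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.Path
        $cpu = 0
        if ($_.CPU) { $cpu = [math]::Round($_.CPU, 1) }
        New-Object PSObject -Property @{
            Pid       = $_.Id
            Name      = $_.ProcessName
            Path      = $_.Path
            CpuSec    = $cpu
            Signature = $sig.Status
            Sha256    = Get-Sha256Hex $_.Path
        }
      }
}

function Enable-TempCreateAudit([string]$dir) {
    # Add a SACL entry so that successful file creation under $dir is written to the
    # Security log once "Audit object access" is enabled in the local audit policy;
    # the resulting object-access events name the process that created the file.
    $acl  = Get-Acl -Path $dir -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList `
                'Everyone', 'CreateFiles', 'ContainerInherit,ObjectInherit', 'None', 'Success'
    $acl.AddAuditRule($rule)
    Set-Acl -Path $dir -AclObject $acl
}

Find-TempProcesses $tempDir | Format-List Pid, Name, Path, CpuSec, Signature, Sha256
Enable-TempCreateAudit $tempDir
```

Run the first function periodically (for example from a scheduled task) to catch the weekly reappearance the thread reports, and review the Security log after the next occurrence to see which process wrote the file.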


#12 boopme

  • Global Moderator
  • 73,187 posts

Posted 14 March 2018 - 01:32 PM

Follow instructions in Post 8 so we can get it out.

#13 A Selene (Topic Starter)

  • Members
  • 46 posts

Posted 14 March 2018 - 02:12 PM

> Anyone have any luck figuring this out? It is still occurring on my system and I've tried removing all user profiles from the system. Nothing in the registry. Antivirus does not detect it anymore. Any way to set auditing on to see what is creating it? I am going to try cutting it off entirely from the outside to see if it is not coming from outside the network each time. Also wondering if everyone here has their server's Windows Updates up to date? Maybe it is a known vulnerability that a Windows security update might fix? I admit, mine is not, but I will be updating it tonight.

Here's what VirusTotal thinks of it!

 

https://www.virustotal.com/#/file/ad8b41dbd4a1873a0e63d600d29c0a68050f2a28db1e85bcb6a658a88135b339/detection
 



#14 boopme

  • Global Moderator
  • 73,187 posts

Posted 14 March 2018 - 02:24 PM

It's a mining Trojan that is obviously hooked in System.. See post 8 or 12

#15 MarkPrimo

  • Members
  • 3 posts

Posted 14 March 2018 - 04:14 PM

Mine hasn't come back yet. But as I said, I created 2 folders with the same names as the 2 executable files and limited security to an unused account, so they can't be recreated at the same location with the same name. I am running 2003R2 fully patched but obviously new updates haven't been provided for a while now.



