Solved

How can I ?

Posted on 2006-06-17
Last Modified: 2010-04-05
Okay, for a couple of days I've had this *.exe run every 15 mins from out of nowhere. The antivirus picks it up but it still returns, so I'm guessing that the exe is made by some other program. I've checked the processes, run almost every scanner there is and searched the site for millions of things, NOTHING... not even a hint.

So ive had an idea which requires code:

Is it possible to enclose a folder, scan it periodically to see if a file got created in it or is being created, and can I see the source file for the creation of that file during runtime/after creation...

I'm guessing a HOOK of some sort?

Any ideas or suggestions apart from format (too much stuff to get back, and the PC's been working great for a year till this)

Peace Scay7
0
Question by:Scay7
4 Comments
 
LVL 28

Accepted Solution

by:
2266180 earned 1000 total points
ID: 16926370
Hehe, you can use folder monitoring. You can do it by code or just use the tool from Sysinternals: http://www.sysinternals.com/Utilities/Filemon.html
Since all you want is to track down that exe, I guess there is no need to waste time reinventing the wheel ;)
0
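Filemon itself only records activity; the work is in reading its log afterwards to find the process that created the file. The PowerShell script below is an added example written for this thread, not code from the poster or from Sysinternals. It assumes Filemon's default columns (#, Time, Process, Request, Path, Result, Other) in a log exported as tab-separated text, the "name.exe:PID" process format, and that a file creation appears either as a CREATE request or as an OPEN whose options create or overwrite the file; the folder and sample rows are constructed for the example. Adjust the header list or the regex if your Filemon version labels things differently.

```powershell
# Added example (not from the thread): report which process created files under a
# folder, from a Filemon log saved with File > Save As (tab-separated text).
# Assumed: default Filemon columns, "name.exe:PID" process field, and that a
# create is logged as CREATE or as OPEN with create/overwrite options.

function Get-FileCreator {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,   # log lines, header line already removed
        [Parameter(Mandatory)] [string]   $Folder   # folder to report on, e.g. C:\Windows\Temp
    )
    $rows = $Lines | ConvertFrom-Csv -Delimiter "`t" -Header Seq,Time,Process,Request,Path,Result,Other

    $rows |
        Where-Object {
            $_.Result -eq 'SUCCESS' -and
            $_.Path -like "$Folder\*" -and
            ( $_.Request -eq 'CREATE' -or
              ($_.Request -eq 'OPEN' -and
               $_.Other -match 'Options:\s*(Create|OpenIf|Overwrite|OverwriteIf|Supersede)\b') )
        } |
        Group-Object Process, Path |
        ForEach-Object {
            $first = $_.Group[0]
            $name, $procId = $first.Process -split ':', 2   # "svchost.exe:1044" -> name, PID
            [pscustomobject]@{
                Process   = $name
                ProcessId = $procId
                Path      = $first.Path
                FirstSeen = $first.Time
                Creates   = $_.Count
            }
        }
}

# Constructed sample rows standing in for a real export, so this runs offline.
# Real use (assumed path): Get-Content C:\filemon.log | Select-Object -Skip 1
$sample = @(
    @('1','2:14:03 AM','svchost.exe:1044','OPEN', 'C:\Windows\Temp\x.exe','SUCCESS','Options: OpenIf  Access: All'),
    @('2','2:14:03 AM','svchost.exe:1044','WRITE','C:\Windows\Temp\x.exe','SUCCESS','Offset: 0 Length: 65536'),
    @('3','2:14:03 AM','svchost.exe:1044','CLOSE','C:\Windows\Temp\x.exe','SUCCESS',''),
    @('4','2:14:04 AM','explorer.exe:812','OPEN',  'C:\Windows\Temp\x.exe','SUCCESS','Options: Open  Access: Execute'),
    @('5','2:14:05 AM','winlogon.exe:600','OPEN',  'C:\Windows\system32\config\system','SUCCESS','Options: Open  Access: All')
) | ForEach-Object { $_ -join "`t" }

# Only the svchost.exe OpenIf row is a creation inside the folder; the later
# explorer.exe open is an execute, not a create, and winlogon is outside the folder.
Get-FileCreator -Lines $sample -Folder 'C:\Windows\Temp' | Format-Table -AutoSize
```

Filemon names the process that issued the create, not necessarily the code responsible: if the creator turns out to be a host process such as svchost.exe, run tasklist /svc and match the PID to the services it hosts, then look for one whose activity lines up with the 15-minute cadence.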
 
LVL 5

Author Comment

by:Scay7
ID: 16929320
Nope ciuly, I'm still no smarter about where they came from... they still managed to get created even with that Filemon left on through the night... (log size 534 MB)

Peace Scay7
0
 
LVL 28

Expert Comment

by:2266180
ID: 16929563
Well, that monitor will not stop them from being created. You will have to go through those logs (ouch) and see who created them.

There is of course another thing to consider: your firewall. This is usually the way worms work: they exploit some vulnerability in your system, drop a program that will be executed and spread.
Try to get the network cable out of the network card before you go to sleep, check with the antivirus and make sure you deleted all instances, then wait around 20 min (that should be enough to cover the 15 min period you talk about) and see if there are any more instances. If not, leave it like that through the night and in the morning check for those exes. If there aren't any, it means your firewall is not configured properly or you are exposing a service that has some major vulnerability.

It is also a good idea to install a firewall with some intrusion detection and, very important, application protection. The minute the worm executes the nasty program it will be caught by the application protection and you will be asked if you want to run it, and you can block it.

A very effective way to fight against worms that exploit services you need to expose is to fight fire with fire. Most worms use a few fixed names to create the temporary file that will be executed. Create text files with those names, put some garbage text in them and save. Then take out the rights for everybody. This way no one will be able to delete/modify that file. (You can of course grant yourself rights when you want to delete it since you are admin, but worms don't know that trick ;) ) So the next time the worm tries to create that file it will fail. If it tries to execute it, it will fail since it's a text file. And after you get a patch for that service, you can then delete the files if you wish.

But the first step is to identify the worm. You know the exe name that is being executed (you can check in Task Manager or something), so google for it. You will find the worm name and probably how to remove it and even patch your system against it.

good luck with that
0
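The placeholder-file trick above, as an added example for this thread (not the commenter's own code): create the file with the dropper's name as plain text, stop it inheriting the folder's permissions, and deny Everyone all access, then confirm a write is refused. The path and file name are assumptions; use the real temp folder and the exe name from your scanner. This only helps when the worm uses a fixed file name, and it is a stopgap until the service it exploits is patched.

```powershell
# Added example (not from the thread): pre-create a known dropper file name as
# non-executable text and deny Everyone access so the worm can neither recreate
# nor run it. Path and name are assumptions for illustration.
$target = 'C:\Windows\Temp\dropper.exe'   # assumed: the file name the worm keeps writing

# Placeholder content: plain text, so even a successful execute attempt fails.
Set-Content -Path $target -Value 'placeholder - not an executable' -Encoding ASCII

# Drop inherited permissions, then deny Everyone full control. Everyone includes
# SYSTEM and Administrators, which is the point: a service-context worm cannot
# overwrite or delete it. The file owner keeps the implicit right to read and
# change the ACL, so the admin who created it can undo this later.
$acl = Get-Acl -Path $target
$acl.SetAccessRuleProtection($true, $false)
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule('Everyone', 'FullControl', 'Deny')
$acl.AddAccessRule($deny)
Set-Acl -Path $target -AclObject $acl

# Returns $true when opening the file for writing is refused, $false otherwise.
function Test-Placeholder {
    param([Parameter(Mandatory)] [string] $Path)
    try {
        [System.IO.File]::OpenWrite($Path).Close()
        return $false
    }
    catch [System.UnauthorizedAccessException] {
        return $true
    }
}

if (Test-Placeholder -Path $target) {
    Write-Host "Placeholder in place and write-protected: $target"
} else {
    Write-Warning "Write to $target still succeeds; check the ACL with: icacls $target"
}
```

To remove it once the system is patched, clear the deny rule as the owner (icacls "C:\Windows\Temp\dropper.exe" /remove:d Everyone, or takeown /f first if ownership changed) and then delete the file. Check the antivirus has removed the live copy before creating the placeholder, otherwise Set-Content will overwrite a file that may still be open.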
 
LVL 28

Expert Comment

by:2266180
ID: 16929573
You could also write a utility using some folder monitoring components that exist and just kill any app that starts from that folder and maybe follows some filename pattern.
But this will not solve your problem. You need to patch your system against the threat.
0
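A small version of the utility suggested above, as an added example for this thread rather than the commenter's code: subscribe to process start events, terminate anything whose image lives in the drop folder, and log the parent process, which is the closest thing to the "source" the original question asks about. It uses the Win32_ProcessStartTrace WMI event, so it must run in an elevated PowerShell; the folder and log path are assumptions. As the comment says, this is containment only: it does not remove whatever keeps recreating the file, and a process that exits within a second can be gone before the path lookup runs.

```powershell
# Added example (not from the thread): kill processes launched from a drop
# folder and record who launched them. Run elevated. Folder/log are assumptions.
$dropFolder = 'C:\Windows\Temp'     # assumed drop folder
$logFile    = 'C:\dropwatch.log'    # assumed log location

$onStart = {
    $ev   = $Event.SourceEventArgs.NewEvent          # Win32_ProcessStartTrace instance
    $cfg  = $Event.MessageData                       # hashtable passed at registration
    $root = $cfg.Folder.TrimEnd('\') + '\'           # trailing slash: C:\Temp must not match C:\Temp2
    try {
        $proc = Get-Process -Id $ev.ProcessID -ErrorAction Stop
        $path = $proc.Path                           # $null when the process cannot be opened
        if ($path -and $path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            $parent = Get-Process -Id $ev.ParentProcessID -ErrorAction SilentlyContinue
            $parentDesc = if ($parent) { "$($parent.Path) (PID $($parent.Id))" } else { "PID $($ev.ParentProcessID), already gone" }
            Stop-Process -Id $ev.ProcessID -Force -ErrorAction SilentlyContinue
            $line = '{0} killed {1} (PID {2}) launched by {3}' -f (Get-Date -Format s), $path, $ev.ProcessID, $parentDesc
            Add-Content -Path $cfg.Log -Value $line
            Write-Host $line
        }
    }
    catch {
        # Process exited before we could inspect it; record the name the event carried.
        Add-Content -Path $cfg.Log -Value ('{0} missed {1} (PID {2}): {3}' -f (Get-Date -Format s), $ev.ProcessName, $ev.ProcessID, $_.Exception.Message)
    }
}

Register-CimIndicationEvent -ClassName Win32_ProcessStartTrace `
    -SourceIdentifier 'DropFolderWatch' `
    -MessageData @{ Folder = $dropFolder; Log = $logFile } `
    -Action $onStart | Out-Null

Write-Host "Watching process starts under $dropFolder, logging to $logFile (Ctrl+C to stop)"
try {
    while ($true) { Start-Sleep -Seconds 1 }
}
finally {
    Unregister-Event -SourceIdentifier 'DropFolderWatch'
}
```

The "launched by" entry in the log is what to read: if the parent is a service host or a scheduler, that is where the recreate-every-15-minutes behaviour lives, and the fix is removing that component and patching, not keeping the watcher running.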

Question has a verified solution.
