Solved

How can I ?

Posted on 2006-06-17
Last Modified: 2010-04-05
Okay, for a couple of days I've had this *.exe run every 15 mins from out of nowhere. The virus scanner picks it up but it still returns, so I'm guessing that the exe is made by some other program. I've checked the processes, run almost every scanner there is and searched the site for millions of things, NOTHING... not even a hint.

So I've had an idea which requires code:

Is it possible to enclose a folder and scan it periodically to see if a file got created in it or is being created, and can I see the source of the creation of that file during runtime/after creation...

I'm guessing a HOOK of some sort?

Any ideas or suggestions apart from a format (too much stuff to get back, and the PC's been working great for a year till this)

Peace Scay7
0
Question by:Scay7
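The periodic scan the question describes, as an added example written for this page (not the asker's code): a poller that snapshots the folder, diffs snapshots and reports new or recreated files. The folder argument and the 60 s / 15 rounds defaults are assumptions; a user-mode poller like this cannot name the creating process, which is why the answers point to Filemon.

```python
"""Periodic folder scan that reports files created between two snapshots.

Added example, not code from the original question. A user-mode poller like
this tells you WHEN a file appeared (and catches delete-and-recreate), but it
cannot tell you WHICH process created it; that needs a filesystem filter
such as Filemon.
"""
import os
import sys
import time
from typing import Dict, List, Tuple

# name -> (file identity, creation/change time).  On Windows st_ino is the
# NTFS file index, so a recreated file with the same name gets a new value.
Snapshot = Dict[str, Tuple[int, float]]


def take_snapshot(folder: str) -> Snapshot:
    """Record every regular file directly inside `folder`."""
    snap: Snapshot = {}
    with os.scandir(folder) as entries:
        for entry in entries:
            if entry.is_file(follow_symlinks=False):
                st = entry.stat(follow_symlinks=False)
                snap[entry.name] = (st.st_ino, st.st_ctime)
    return snap


def new_files(before: Snapshot, after: Snapshot) -> List[str]:
    """Names that appeared since `before`, or were deleted and recreated
    (same name, different identity), which a naive name diff would miss."""
    return sorted(name for name, (ino, _) in after.items()
                  if before.get(name, (None,))[0] != ino)


def watch(folder: str, interval: float = 60.0, rounds: int = 15) -> List[str]:
    """Poll `folder` every `interval` seconds for `rounds` passes and return
    every file that appeared; 15 x 60 s covers the 15-minute cycle described."""
    seen: List[str] = []
    before = take_snapshot(folder)
    for _ in range(rounds):
        time.sleep(interval)
        after = take_snapshot(folder)
        for name in new_files(before, after):
            print(f"{time.strftime('%H:%M:%S')} new file: {name}"
                  f" (ctime {time.ctime(after[name][1])})")
            seen.append(name)
        before = after
    return seen


if __name__ == "__main__":  # usage: script.py [folder]  (defaults: ., 60 s, 15 rounds)
    watch(sys.argv[1] if len(sys.argv) > 1 else ".")
```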
4 Comments
 
LVL 28

Accepted Solution

by:
2266180 earned 500 total points
ID: 16926370
hehe, you can use folder monitoring. You can do it by code or just use the tool from Sysinternals: http://www.sysinternals.com/Utilities/Filemon.html
Since all you want is to track down that exe, I guess there is no need to waste time reinventing the wheel ;)
0
 
LVL 5

Author Comment

by:Scay7
ID: 16929320
Nope ciuly, I'm still no smarter about where they came from... they still managed to get created even with Filemon left on through the night... (log size 534 MB)

Peace Scay7
0
 
LVL 28

Expert Comment

by:2266180
ID: 16929563
Well, that monitor will not stop them from being created. You will have to go through those logs (ouch) and see who created them.

There is of course another thing to consider: your firewall. This is usually the way worms work: they exploit some vulnerability in your system, drop a program that will be executed, and spread.
Try to get the network cable out of the network card before you go to sleep, check with the antivirus and make sure you deleted all instances, then wait around 20 min (that should be enough to cover the 15 min period you talk about) and see if there are any more instances. If not, leave it through the night and in the morning check for those exes. If there aren't any, it means your firewall is not configured properly or you are exposing a service that has some major vulnerability.

It is also a good idea to install a firewall with some intrusion detection and, very important, application protection. The minute the worm executes the nasty program it will be caught by the application protection and you will be asked if you want to run it, and you can block it.

A very effective way to fight against worms that exploit services you need to expose is to fight fire with fire. Most worms use a few names to create the temporary file that will be executed. Create text files with those names, put some garbage text in them and save. Then take away the rights for everybody; this way no one will be able to delete/modify that file. (You can of course grant yourself rights when you want to delete it since you are admin, but worms don't know that trick ;) ) So the next time the worm tries to create that file it will fail. If it tries to execute it, it will fail since it's a text file. And after you get a patch for that service, you can delete the files if you wish.

But the first step is to identify the worm. You know the exe name that is being executed (you can check in Task Manager or something), so google for it. You will find the worm name and probably how to remove it and even patch your system against it.

good luck with that
0
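Going through a 534 MB Filemon log by hand is the "ouch" above; as an added example (not from the thread or from Sysinternals), here is a filter that streams the saved log and tallies which process created matching files under the folder, discarding plain opens such as the antivirus reading the dropped file. The tab-separated column layout (#, Time, Process, Request, Path, Result, Other), the IRP_MJ_CREATE disposition strings and the sample lines are my assumptions and constructed data, not a real capture.

```python
"""Sift a Filemon log for the process that created files in one folder.
Added example, not code from the thread.  Assumes the saved log is tab-separated
with columns #, Time, Process (name:pid), Request, Path, Result, Other.
"""
import collections
import fnmatch
import ntpath
import sys
from typing import Dict, Iterable, List, Tuple

# Constructed excerpt (not a real capture): one process drops an exe into Temp
# twice, 15 minutes apart, amid ordinary activity (a desktop file, a scanner read).
SAMPLE_LOG = "\n".join([
    "#\tTime\tProcess\tRequest\tPath\tResult\tOther",
    "1\t10:00:01 PM\texplorer.exe:1284\tIRP_MJ_CREATE\tC:\\Documents and Settings\\scay7\\Desktop\\notes.txt\tSUCCESS\tOptions: Open  Access: All",
    "2\t10:00:02 PM\tsvchost.exe:1040\tIRP_MJ_CREATE\tC:\\WINDOWS\\Temp\\abc123.exe\tSUCCESS\tOptions: OverwriteIf  Access: All",
    "3\t10:00:03 PM\tsvchost.exe:1040\tIRP_MJ_CREATE\tC:\\WINDOWS\\Temp\\abc123.exe\tSUCCESS\tOptions: Open  Access: Execute",
    "4\t10:15:02 PM\tsvchost.exe:1040\tIRP_MJ_CREATE\tC:\\WINDOWS\\Temp\\xyz789.exe\tSUCCESS\tOptions: OverwriteIf  Access: All",
    "5\t10:15:05 PM\tavscan.exe:560\tIRP_MJ_CREATE\tC:\\WINDOWS\\Temp\\xyz789.exe\tSUCCESS\tOptions: Open  Access: Read",
])

# Dispositions that bring a file into existence.  A plain "Open" is an existing
# file being read or executed, which is noise for this hunt.
CREATE_DISPOSITIONS = ("Create", "OverwriteIf", "OpenIf", "Supersede")


def creators(lines: Iterable[str], folder: str, pattern: str = "*.exe") -> Dict[str, List[Tuple[str, str]]]:
    """Map 'name:pid' -> [(time, path)] for each successful creation of a file
    matching `pattern` anywhere under `folder`.  Streams, so a 534 MB log is fine."""
    prefix = folder.lower().rstrip("\\") + "\\"
    found: Dict[str, List[Tuple[str, str]]] = collections.defaultdict(list)
    for line in lines:
        cols = line.rstrip("\r\n").split("\t")
        if len(cols) < 7 or cols[3] != "IRP_MJ_CREATE":
            continue  # header, truncated line, or a read/write/close request
        _seq, when, proc, _req, path, result, other = cols[:7]
        if result != "SUCCESS" or not path.lower().startswith(prefix):
            continue
        if not fnmatch.fnmatchcase(ntpath.basename(path).lower(), pattern.lower()):
            continue
        if any(f"Options: {d}" in other for d in CREATE_DISPOSITIONS):
            found[proc].append((when, path))
    return dict(found)


if __name__ == "__main__":  # usage: script.py [FILEMON.LOG] [C:\WINDOWS\Temp]
    src = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    hits = creators(src, sys.argv[2] if len(sys.argv) > 2 else "C:\\WINDOWS\\Temp")
    for proc, drops in sorted(hits.items(), key=lambda kv: -len(kv[1])):  # busiest first
        print(f"{proc}: created {len(drops)} matching file(s)")
        for when, path in drops:
            print(f"    {when}  {path}")
```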
 
LVL 28

Expert Comment

by:2266180
ID: 16929573
You could also write a utility using some folder monitoring components that exist and just kill any app that starts from that folder and maybe follows some filename pattern.
But this will not solve your problem. You need to patch your system against the threat.
0
