Solved

How can I ?

Posted on 2006-06-17
Last Modified: 2010-04-05
Okay, for a couple of days I've had this *.exe run every 15 mins from out of nowhere. The antivirus picks it up but it still returns, so I'm guessing that the exe is made by some other program. I've checked the process, run almost every scanner there is and searched the site for millions of things, NOTHING... not even a hint.

So I've had an idea which requires code:

Is it possible to enclose a folder and scan it periodically to see if a file got created in it, or is being created? Can I see the source file for the creation of that file during runtime/after creation...

I'm guessing a HOOK of some sort?

Any ideas or suggestions apart from a format? (Too much stuff to get back, and the PC's been working great for a year till this.)

Peace Scay7
Question by: Scay7

4 Comments
Accepted Solution by: 2266180 (LVL 28), earned 500 total points
ID: 16926370
Hehe, you can use folder monitoring. You can do it by code or just use the tool from Sysinternals: http://www.sysinternals.com/Utilities/Filemon.html
Since all you want is to track down that exe, I guess there is no need to waste time reinventing the wheel ;)

Author Comment by: Scay7 (LVL 5)
ID: 16929320
Nope ciuly, I'm still no smarter about where they came from... they still managed to get created even with Filemon left on through the night... (log size 534 MB)

Peace Scay7

Expert Comment by: 2266180 (LVL 28)
ID: 16929563
Well, that mon will not disable them from being created. You will have to go through those logs (ouch) and see who created them.

There is of course another thing to consider: your firewall. This is usually the way worms work: they exploit some vulnerability in your system, drop a program that will be executed and spread.
Try to get the network cable out of the network card before you go to sleep, check with the antivirus and make sure you deleted all instances, then wait around 20 min (that should be enough to get the 15 min period you talk about) and see if there are any more instances. If not, leave it like that through the night and in the morning check for those exe. If there isn't any, it means your firewall is not configured properly or you are exposing a service that has some major vulnerability.

It is also a good idea to install a firewall with some intrusion detection and, very importantly, application protection. The minute the worm executes the nasty program it will be caught by the application protection and you will be asked if you want to run it, and you can block it.

A very effective way to fight against worms that exploit services you need to expose is to fight fire with fire. Most worms use a few names to create the temporary file that will be executed. Create text files with those names, put some garbage text in them and save. Then take out the rights for everybody. This way no one will be able to delete/modify that file. (You can of course grant yourself rights when you want to delete it since you are admin, but worms don't know that trick ;) ) So the next time the worm tries to create that file it will fail. If it tries to execute it, it will fail since it's a text file. And after you get a patch for that service, you can then delete the files if you wish.

But the first step is to identify the worm. You know the exe name that is being executed (you can check in task manager or something), so google for it. You will find the worm name and probably how to remove it and even patch your system against it.

Good luck with that

Expert Comment by: 2266180 (LVL 28)
ID: 16929573
You could also write a utility using some folder monitoring components that exist and just kill any app that starts from that folder and maybe follows some filename pattern.
But this will not solve your problem. You need to patch your system against the threat.
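An added example, not code from this thread or from any of its participants: a small Python watcher that does the first half of what the comment above describes, reporting new files in a folder whose names match a pattern and hashing them for comparison with what the antivirus flags. The helper names (`snapshot`, `watch_once`, `demo`) and the sample file names are assumptions, and it polls directory snapshots instead of using the Delphi folder-monitoring components the comment refers to.

```python
import hashlib
import os
import re
import tempfile

# Assumed helper names; polling snapshots stand in for the folder-monitoring
# components the comment mentions, so this runs anywhere Python does.
def snapshot(folder):
    """Map file name -> mtime for the regular files currently in folder."""
    result = {}
    for entry in os.scandir(folder):
        if entry.is_file(follow_symlinks=False):
            result[entry.name] = entry.stat(follow_symlinks=False).st_mtime
    return result

def sha256_of(path):
    """Hash the dropped file so repeats can be compared with the AV detection."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def new_matching_files(before, after, pattern):
    """Names present in after but not before whose name matches pattern."""
    rx = re.compile(pattern, re.IGNORECASE)
    return sorted(n for n in after.keys() - before.keys() if rx.search(n))

def watch_once(folder, before, pattern):
    """One polling cycle: returns (new snapshot, [(name, sha256), ...])."""
    after = snapshot(folder)
    hits = [(n, sha256_of(os.path.join(folder, n)))
            for n in new_matching_files(before, after, pattern)]
    return after, hits

def demo():
    """Constructed sample: an .exe appears in a temp folder between two polls."""
    with tempfile.TemporaryDirectory() as folder:
        before = snapshot(folder)
        with open(os.path.join(folder, "notes.txt"), "w") as f:
            f.write("harmless text, should not be reported")
        with open(os.path.join(folder, "unknown1.exe"), "wb") as f:
            f.write(b"MZ constructed placeholder, not a real executable")
        _, hits = watch_once(folder, before, r"\.exe$")
        return hits  # [("unknown1.exe", "<sha256 hex>")]

if __name__ == "__main__":
    for name, digest in demo():
        print(f"new file {name} sha256={digest}")
```

As the comment says, a watcher like this only tells you that a file appeared and when; which process wrote it still has to come from the Filemon log.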
