How can I ?

Okay for a couple of days ive had this *.exe run every 15mins from out of no where. Virus picks it up but it still returns, so im guessing that the exe is made by some other program. Ive check the proccess run almost every scanner there is and searched the site for millions of things, NOTHING... not even a hint.

So ive had an idea which requires code:

Is it possible to enclose a folder, scan it periodicaly if a file got created in it, or is being created can i see the source file for the creation of that file during runtime/after creation...

Im guessing a HOOK of some sort ?

Any ideas, suggestions apart from format (to much stuff to get back, and pc's been working great for a year till this)

Peace Scay7
Who is Participating?
2266180Connect With a Mentor Commented:
hehe, you can use folder monitoring.  you can do it by code or just use the tool from sysinternals:
since all you want is track down that exe, I guess there is no need to waste time reinventing the wheel ;)
Scay7Author Commented:
Nope ciuly, im still no smarter about where they came from... they still managed to get created even with that filemon left on through the night... (logsize 534mb)

Peace Scay7
well, that mon will not disable them from being created. you will hae to gro through those logs (ouch) and see who created them.

there is of course another thing to consider: your firewall. this is usually the way worms work: they exploit some vulnerability in your system, drop a program that will be executed and spread.
try to get the network cable out of the network card before you go to sleep, and check with the antivirus and make sure you deleted all instances, then wait around 20 min (that shgould be enough ot get the 15 min period you talk about) and see if there are any more instances. if not, leave that through the night and in teh morning check for those exe. if there isn't any, it means your firewall is not configured properly or you are exposing a service that has some major vulnerability.

it is also a good idea to install a firewall with some intrusion detection and very important: application protection. the minut the work will execute the nasty program it will be caught by the application protection and you will be asked if you want to run it. and you can block it.

a very effective way to fight against worms that exploit services you need to expose, is to fight fire with fire. most worms are using a few names to create the temporary file that will be executed. create  text files with those names and put some garbage text in it and save. then take out the right for everybody. this way noonr will be able to delete/modify that file. (you can of course grant yourself right when you want to delete it since you are admin, but worms don't know that trick ;) ) so the next time when the worm tries to create that file it will fail. if it tries to execute it, it will fail since it's a text file. and after you get a patch for that service, you can then delete the files if you wish.

but first step is to identify the worm. you know the exe name that is being executed (you can check in task manageror something) so google for it. you will find the worm name and probably how to remove and even patch your system against it.

good luck with that
you could also write a utility using some folder monitoring components that exist and just kill any ap that starts from that folder and maybe follows some filename pattern.
but this will not solve your problem. you need to patch your system against the threat.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.