Sign in to follow this  
Followers 0
darzanmihai

Find witch process created a file?

17 posts in this topic

I have a virus that creates a autorun.inf file and a SYSTEM directory that contains a file Perfume.exe, all are hiden and when I delete them, in 1-2 seconds they are rewritten.

The question is, how could I find whitch is the process that writes this files/folders in order to kill that process?

Thx in advance!


I do not like stupid and idiot people that write idiot things...If you are one, do not write.

Share this post


Link to post
Share on other sites



wich system are you running ? win mac linux ... etc ?

if i have that problem i normaly go this way:

1. run antivir over complete harddisc

2. open task manager and close evry task that i think is not necesary and after each closed task you can test deleting the new created file if it no longer apears you know wich program created it

if system crashes just reboot and all task that you need are there again :)

hope that is not wrong .. and helped you

Share this post


Link to post
Share on other sites

@darzanmihai

this topic doesnt seem to be about autoit...

Run Hijackthis and see us log...

Normal process :

CODE

svchost.exe

firefox.exe

SciTE.exe

wmiapsrv.exe

taskmgr.exe

alg.exe

Autoit3...exe

spoolsv.exe

mDNSResponder.exe

Skype.exe

cftmon.exe

services.exe

csrss.exe

smss.exe

nvsvc32.exe

soundman.exe

RTHDCPL.exe

rundll32.exe

jqs.exe

jushed.exe

explorer.exe

System.exe

You have certainly many other process ... look at program that run on start-up

-go to start menu and click on execute

-tape msconfig

-go to start-up (or something like that next to services)

Merry xmas,

FireFox


 

OS : Win XP SP2 (32 bits) / Win 7 SP1 (64 bits) / Win 8 (64 bits) | Autoit version: latest stable / beta.
Hardware : Intel(R) Core(TM) i5-2400 CPU @ 3.10Ghz / 8 GiB RAM DDR3.

My UDFs : Skype UDF | TrayIconEx UDF | GUI Panel UDF | Excel XML UDF | Is_Pressed_UDF

My Projects : YouTube Multi-downloader | FTP Easy-UP | Lock'n | WinKill | AVICapture | Skype TM | Tap Maker | ShellNew | Scriptner | Const Replacer | FT_Pocket | Chrome theme maker

My Examples : Capture toolIP Camera | Crosshair | Draw Captured Region | Picture Screensaver | Jscreenfix | Drivetemp | Picture viewer

My Snippets : Basic TCP | Systray_GetIconIndex | Intercept End task | Winpcap various | Advanced HotKeySet | Transparent Edit control

 

Share this post


Link to post
Share on other sites

@darzanmihai

this topic doesnt seem to be about autoit...

Run Hijackthis and see us log...

Normal process :

CODE

svchost.exe

firefox.exe

SciTE.exe

wmiapsrv.exe

taskmgr.exe

alg.exe

Autoit3...exe

spoolsv.exe

mDNSResponder.exe

Skype.exe

cftmon.exe

services.exe

csrss.exe

smss.exe

nvsvc32.exe

soundman.exe

RTHDCPL.exe

rundll32.exe

jqs.exe

jushed.exe

explorer.exe

System.exe

You have certainly many other process ... look at program that run on start-up

-go to start menu and click on execute

-tape msconfig

-go to start-up (or something like that next to services)

Merry xmas,

FireFox

Ok! Thx all for reply!

I have Win XP SP2 and the antivirus I have does not recognize this virus (BitDefender 2009)

This is a Autoit question, because I whant to make this in AutoIt because this could be very useful.

So, the question remains...


I do not like stupid and idiot people that write idiot things...If you are one, do not write.

Share this post


Link to post
Share on other sites

I don't know how this works...

But you could use FileMon or Process Monitor. To analyze the autostart, AutoRuns is a good start.


*GERMAN* [note: you are not allowed to remove author / modified info from my UDFs]My UDFs:[_SetImageBinaryToCtrl] [_TaskDialog] [AutoItObject] [Animated GIF (GDI+)] [ClipPut for Image] [FreeImage] [GDI32 UDFs] [GDIPlus Progressbar] [Hotkey-Selector] [Multiline Inputbox] [MySQL without ODBC] [RichEdit UDFs] [SpeechAPI Example] [WinHTTP]UDFs included in AutoIt: FTP_Ex (as FTPEx), _WinAPI_SetLayeredWindowAttributes

Share this post


Link to post
Share on other sites

I don't know how this works...

But you could use FileMon or Process Monitor. To analyze the autostart, AutoRuns is a good start.

I'll remember this post!

@OP

Witch Process... Is that like a warlock Process

.... lol

Its which

Merry Christmas!!!

8)


NEWHeader1.png

Share this post


Link to post
Share on other sites

I'll remember this post!

@OP

Witch Process... Is that like a warlock Process

.... lol

Its which

Merry Christmas!!!

8)

:)...you got the ideea...


I do not like stupid and idiot people that write idiot things...If you are one, do not write.

Share this post


Link to post
Share on other sites

Hi darzanmihai,

I am having the exact same problem than you. Each time I plug a USB Key in my laptop, it creates a SYSTEM folder and an autorun.inf file containing the following script:

[autorun]

open=SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\Perfume.exe

icon=%SystemRoot%\system32\SHELL32.dll,4

action=Open folder to view files

shell\open=Open

shell\open\command=SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\Perfume.exe

shell\open\default=1

I am currently trying to get rid this virus, but didn't find information on internet about it, apart from your message.

Just a question: are you linked somehow with China? Because I am usually based in China, and I believe I have got this virus in China, via USB keys.

Also, I have explored my running processes. They seem all normal. I have then looked at my starting programs in MSCONFIG, and have found one wich is unknown: SrtWatch.exe. I am not sure it is linked with my problem, but again, very little information is available on internet about this .exe file. Actually, the only pages I have found about it are pages in Chinese characters (that I cannot read of course). So I think maybe it has a link with my problem. Maybe this is the virus?

Does the above evokes anything to you?

Have you found something similar on your computer?

Please let me know your feedback, since you are my only lead for the moment. I'll do the same of course.

Cheers,

Stevenison

Share this post


Link to post
Share on other sites

@stevenison

Delete SrtWatch.exe from start-up and see if when you insert usb key youve not autorun.inf created :)

Cheers,

FireFox.


 

OS : Win XP SP2 (32 bits) / Win 7 SP1 (64 bits) / Win 8 (64 bits) | Autoit version: latest stable / beta.
Hardware : Intel(R) Core(TM) i5-2400 CPU @ 3.10Ghz / 8 GiB RAM DDR3.

My UDFs : Skype UDF | TrayIconEx UDF | GUI Panel UDF | Excel XML UDF | Is_Pressed_UDF

My Projects : YouTube Multi-downloader | FTP Easy-UP | Lock'n | WinKill | AVICapture | Skype TM | Tap Maker | ShellNew | Scriptner | Const Replacer | FT_Pocket | Chrome theme maker

My Examples : Capture toolIP Camera | Crosshair | Draw Captured Region | Picture Screensaver | Jscreenfix | Drivetemp | Picture viewer

My Snippets : Basic TCP | Systray_GetIconIndex | Intercept End task | Winpcap various | Advanced HotKeySet | Transparent Edit control

 

Share this post


Link to post
Share on other sites

FireFox, thanks for your reply. After deleting SrtWatch.exe from start-up, the problem was still existing, so SrtWatch.exe was not the virus.

But I am happy to say that I have now resolved the problem!! Thanks to ProgAndy. ProgAndy, thank yo so much. I was totally blind with MSConfig. And you have opened my eyes with those very good tools FileMon, ProcessMonitor and Autoruns. Here is what I have done:

First of all, I had desactivated the autorun function of Windows, thanks to the Microsoft TweakUI utility that I had downloaded from:

http://download.microsoft.com/download/f/c...ySetup_ia64.exe

This was making sure that any infected USB Key (including mine) could not infect my computer anymore from now on.

Then, I have simply used the Autoruns program exclusively, the one that proAndy was mentioning in his message. With Autoruns, it was very easy to identify and locate the programs which were actuyally running in Autostart (thet could not be detected with Task Manager or MSConfig). And I found very easily Perfume.exe of course. Plus some other ones I was suspecting as well... I could erase easily the other ones, but not Perfume.exe wich was still running. So I restarted my computer in Safe mode. Then I run again Autoruns in Safe Mode. I could locate again Perfume.exe, and it was this time easy to erase since it was not running anymore (due to Safe Mode). Of course, I had previously set the recycle bin property to "not recycling", so that the virus was not recycled through the recycle bin. I have also erased all other recycled bins (their full content, including all so called system files) which were stored (probably by the virus) in Folders C:/RESTORE, C:/SYSTEM and C:/RECYCLER. After that I restarted again my computer in Normal Mode. I set back again the recycle bin property to "Recycling". Now, if I insert my infected USB keys again, I can erase the Autorun.inf file, the SYSTEM folder, the RESTORE folder, the RECYCLER folder. They don't come back anymore as they used to do before. So everything seems normal now.

Thanks to everyone. Thanks to autoitscript.com Forum. I have discovered your forum today (by searching Perfume.exe) and this has resolved my problem. And thanks to Darzanmihai, since I could not have found the Autoit Forum without you making the Perfume.exe an Autoit question. So, you were right it's been usefull !!

Share this post


Link to post
Share on other sites

@stevenison

First of all, I had desactivated the autorun function of Windows

For delete virus press F8 before windows logo and select 'mod without failure' I dont know if its exactly that in english, then only windows is started without anyexternal program :)

 

OS : Win XP SP2 (32 bits) / Win 7 SP1 (64 bits) / Win 8 (64 bits) | Autoit version: latest stable / beta.
Hardware : Intel(R) Core(TM) i5-2400 CPU @ 3.10Ghz / 8 GiB RAM DDR3.

My UDFs : Skype UDF | TrayIconEx UDF | GUI Panel UDF | Excel XML UDF | Is_Pressed_UDF

My Projects : YouTube Multi-downloader | FTP Easy-UP | Lock'n | WinKill | AVICapture | Skype TM | Tap Maker | ShellNew | Scriptner | Const Replacer | FT_Pocket | Chrome theme maker

My Examples : Capture toolIP Camera | Crosshair | Draw Captured Region | Picture Screensaver | Jscreenfix | Drivetemp | Picture viewer

My Snippets : Basic TCP | Systray_GetIconIndex | Intercept End task | Winpcap various | Advanced HotKeySet | Transparent Edit control

 

Share this post


Link to post
Share on other sites

@stevenison

For delete virus press F8 before windows logo and select 'mod without failure' I dont know if its exactly that in english, then only windows is started without anyexternal program :o

"Safe Mode" is the English option that appears in the F8 menu to start without external programs, or non-essential drivers, which he said he did. he also solved his problem :)

Share this post


Link to post
Share on other sites

I am glad I could help by posting this subject. I havo no connection to China and I have also resolved my virus situation, but still...how could I use Autoit to know what process wrote a file?

Thx all for replies!


I do not like stupid and idiot people that write idiot things...If you are one, do not write.

Share this post


Link to post
Share on other sites

I am glad I could help by posting this subject. I havo no connection to China and I have also resolved my virus situation, but still...how could I use Autoit to know what process wrote a file?

Thx all for replies!

Does anyone know how could I use Autoit to know what process wrote a file?


I do not like stupid and idiot people that write idiot things...If you are one, do not write.

Share this post


Link to post
Share on other sites

No, nothing built-in does that to my knowledge... you might be able to write something to do so... but FileMon and/or ProcessExplorer mentioned above are built to do just that already.


[u]Helpful tips:[/u]If you want better answers to your questions, take the time to reproduce your issue in a small "stand alone" example script whenever possible. Also, make sure you tell us 1) what you tried, 2) what you expected to happen, and 3) what happened instead.[u]Useful links:[/u]BrettF's update to LxP's "How to AutoIt" pdfValuater's Autoit 1-2-3 Download page for the latest versions of Autoit and SciTE[quote]<glyph> For example - if you came in here asking "how do I use a jackhammer" we might ask "why do you need to use a jackhammer"<glyph> If the answer to the latter question is "to knock my grandmother's head off to let out the evil spirits that gave her cancer", then maybe the problem is actually unrelated to jackhammers[/quote]

Share this post


Link to post
Share on other sites

#16 ·  Posted (edited)

...

Edited by mikiutama

Share this post


Link to post
Share on other sites

No, nothing built-in does that to my knowledge... you might be able to write something to do so... but FileMon and/or ProcessExplorer mentioned above are built to do just that already.

You are right about "FileMon and/or ProcessExplorer" but it would be very nice to do it using Autoit!...isn't it what we are all trying to do...do things using Autoit? :)

Best regards


I do not like stupid and idiot people that write idiot things...If you are one, do not write.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0