darzanmihai Posted December 25, 2008

I have a virus that creates an autorun.inf file and a SYSTEM directory that contains a file Perfume.exe; all are hidden, and when I delete them, in 1-2 seconds they are rewritten. The question is, how could I find which process writes these files/folders in order to kill that process? Thx in advance!

I do not like stupid and idiot people that write idiot things... If you are one, do not write.
werter Posted December 25, 2008

Which system are you running? Win, Mac, Linux... etc.? If I have that problem I normally go this way:
1. Run antivir over the complete hard disc.
2. Open Task Manager and close every task that I think is not necessary, and after each closed task you can test deleting the newly created file. If it no longer appears, you know which program created it. If the system crashes, just reboot and all tasks that you need are there again.
Hope that is not wrong... and helped you.
FireFox Posted December 25, 2008

@darzanmihai This topic doesn't seem to be about AutoIt... Run HijackThis and show us the log...

Normal processes:
svchost.exe
firefox.exe
SciTE.exe
wmiapsrv.exe
taskmgr.exe
alg.exe
Autoit3...exe
spoolsv.exe
mDNSResponder.exe
Skype.exe
cftmon.exe
services.exe
csrss.exe
smss.exe
nvsvc32.exe
soundman.exe
RTHDCPL.exe
rundll32.exe
jqs.exe
jushed.exe
explorer.exe
System.exe

You certainly have many other processes... Look at the programs that run on start-up:
- go to the Start menu and click on Run
- type msconfig
- go to Startup (or something like that, next to Services)

Merry Xmas,
FireFox
darzanmihai Posted December 25, 2008 (Author)

> @darzanmihai This topic doesn't seem to be about AutoIt... Run HijackThis and show us the log... Normal processes: svchost.exe firefox.exe SciTE.exe wmiapsrv.exe taskmgr.exe alg.exe Autoit3...exe spoolsv.exe mDNSResponder.exe Skype.exe cftmon.exe services.exe csrss.exe smss.exe nvsvc32.exe soundman.exe RTHDCPL.exe rundll32.exe jqs.exe jushed.exe explorer.exe System.exe. You certainly have many other processes... Look at the programs that run on start-up: go to the Start menu and click on Run, type msconfig, go to Startup (or something like that, next to Services). Merry Xmas, FireFox

Ok! Thx all for the replies! I have Win XP SP2 and the antivirus I have does not recognize this virus (BitDefender 2009). This is an AutoIt question, because I want to make this in AutoIt, because this could be very useful. So, the question remains...
ProgAndy Posted December 25, 2008

I don't know how this works... But you could use FileMon or Process Monitor. To analyze the autostart, AutoRuns is a good start.

*GERMAN* [note: you are not allowed to remove author / modified info from my UDFs]
My UDFs: [_SetImageBinaryToCtrl] [_TaskDialog] [AutoItObject] [Animated GIF (GDI+)] [ClipPut for Image] [FreeImage] [GDI32 UDFs] [GDIPlus Progressbar] [Hotkey-Selector] [Multiline Inputbox] [MySQL without ODBC] [RichEdit UDFs] [SpeechAPI Example] [WinHTTP]
UDFs included in AutoIt: FTP_Ex (as FTPEx), _WinAPI_SetLayeredWindowAttributes
Valuater Posted December 25, 2008

> I don't know how this works... But you could use FileMon or Process Monitor. To analyze the autostart, AutoRuns is a good start.

I'll remember this post!

@OP Witch Process... Is that like a warlock Process.... lol. It's "which".

Merry Christmas!!! 8)
darzanmihai Posted December 25, 2008 (Author)

> I'll remember this post! @OP Witch Process... Is that like a warlock Process.... lol. It's "which". Merry Christmas!!! 8)

...you got the idea...
stevenison Posted December 26, 2008

Hi darzanmihai, I am having the exact same problem as you. Each time I plug a USB key into my laptop, it creates a SYSTEM folder and an autorun.inf file containing the following script:

[autorun]
open=SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\Perfume.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\Perfume.exe
shell\open\default=1

I am currently trying to get rid of this virus, but didn't find information on the internet about it, apart from your message. Just a question: are you linked somehow with China? Because I am usually based in China, and I believe I have got this virus in China, via USB keys.

Also, I have explored my running processes. They all seem normal. I have then looked at my starting programs in MSCONFIG, and have found one which is unknown: SrtWatch.exe. I am not sure it is linked with my problem, but again, very little information is available on the internet about this .exe file. Actually, the only pages I have found about it are pages in Chinese characters (that I cannot read, of course). So I think maybe it has a link with my problem. Maybe this is the virus?

Does the above evoke anything to you? Have you found something similar on your computer? Please let me know your feedback, since you are my only lead for the moment. I'll do the same, of course.

Cheers,
Stevenison
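A way to check an autorun.inf pulled from a USB stick for the traits visible in the file stevenison quoted. This is an added example, not code from the thread or from AutoIt; the sample input is constructed from that quoted file, and the heuristics (launch keys pointing at an executable, a SID-shaped folder name like the per-user RECYCLER subfolders, an action label that copies Explorer's own "Open folder to view files" prompt) are assumptions of mine, not a vendor signature.

```python
import re
from typing import Dict, List

# Constructed sample input: the autorun.inf quoted in the post above.
SAMPLE_AUTORUN_INF = r"""[autorun]
open=SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\Perfume.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\Perfume.exe
shell\open\default=1
"""

EXEC_EXTENSIONS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")
# Windows account SID shape, e.g. S-1-5-21-<domain triple>-<RID>, as a path component
SID_RE = re.compile(r"(^|\\)S-1-5-21(-\d+){3,4}(\\|$)", re.IGNORECASE)
# Keys that make Explorer run something: open, shellexecute, shell\<verb>\command
CMD_KEY_RE = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.IGNORECASE)


def parse_autorun(text: str) -> Dict[str, str]:
    """Return key/value pairs of the [autorun] section with lower-cased keys.
    Hand-rolled: configparser trips over %SystemRoot% interpolation and
    over backslashes inside key names."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def assess_autorun(text: str) -> List[str]:
    """List the traits that make this autorun.inf look like USB-worm bait."""
    entries = parse_autorun(text)
    findings: List[str] = []
    for key, value in entries.items():
        if not CMD_KEY_RE.match(key):
            continue
        target = value.split()[0].strip('"') if value else ""
        if target.lower().endswith(EXEC_EXTENSIONS):
            findings.append(f"{key} launches an executable: {target}")
        if SID_RE.search(target):
            findings.append(f"{key} uses a SID-shaped folder name (mimics RECYCLER): {target}")
    if "open folder" in entries.get("action", "").lower() and findings:
        findings.append("action label mimics Explorer's 'Open folder to view files' while launching code")
    return findings
```

An empty list from assess_autorun means none of these traits were seen; the icon= line is deliberately ignored because it only points Explorer at an icon resource.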
FireFox Posted December 26, 2008

@stevenison Delete SrtWatch.exe from start-up and see if, when you insert the USB key, autorun.inf is no longer created.

Cheers,
FireFox.
stevenison Posted December 26, 2008

FireFox, thanks for your reply. After deleting SrtWatch.exe from start-up, the problem still existed, so SrtWatch.exe was not the virus.

But I am happy to say that I have now resolved the problem!! Thanks to ProgAndy. ProgAndy, thank you so much. I was totally blind with MSConfig. And you have opened my eyes with those very good tools FileMon, Process Monitor and Autoruns. Here is what I have done:

First of all, I had deactivated the autorun function of Windows, thanks to the Microsoft TweakUI utility that I had downloaded from: http://download.microsoft.com/download/f/c...ySetup_ia64.exe
This was making sure that any infected USB key (including mine) could not infect my computer anymore from now on.

Then, I have simply used the Autoruns program exclusively, the one that ProgAndy was mentioning in his message. With Autoruns, it was very easy to identify and locate the programs which were actually running in Autostart (that could not be detected with Task Manager or MSConfig). And I found very easily Perfume.exe, of course. Plus some other ones I was suspecting as well... I could erase the other ones easily, but not Perfume.exe, which was still running. So I restarted my computer in Safe Mode. Then I ran Autoruns again in Safe Mode. I could locate Perfume.exe again, and this time it was easy to erase since it was not running anymore (due to Safe Mode). Of course, I had previously set the recycle bin property to "not recycling", so that the virus was not recycled through the recycle bin. I have also erased all other recycle bins (their full content, including all so-called system files) which were stored (probably by the virus) in the folders C:/RESTORE, C:/SYSTEM and C:/RECYCLER. After that I restarted my computer again in Normal Mode. I set the recycle bin property back to "Recycling".

Now, if I insert my infected USB keys again, I can erase the Autorun.inf file, the SYSTEM folder, the RESTORE folder, the RECYCLER folder. They don't come back anymore as they used to do before. So everything seems normal now. Thanks to everyone. Thanks to the autoitscript.com Forum. I have discovered your forum today (by searching Perfume.exe) and this has resolved my problem. And thanks to Darzanmihai, since I could not have found the AutoIt Forum without you making Perfume.exe an AutoIt question. So, you were right, it's been useful!!
FireFox Posted December 26, 2008

> @stevenison First of all, I had deactivated the autorun function of Windows

To delete the virus, press F8 before the Windows logo and select 'mode without failure' (I don't know if it's exactly that in English); then only Windows is started, without any external program.
TurionAltec Posted December 26, 2008

> @stevenison To delete the virus, press F8 before the Windows logo and select 'mode without failure' (I don't know if it's exactly that in English); then only Windows is started, without any external program.

"Safe Mode" is the English option that appears in the F8 menu to start without external programs, or non-essential drivers, which he said he did. He also solved his problem.
darzanmihai Posted December 28, 2008 (Author)

I am glad I could help by posting this subject. I have no connection to China and I have also resolved my virus situation, but still... how could I use AutoIt to know what process wrote a file? Thx all for the replies!
darzanmihai Posted December 29, 2008 (Author)

> I am glad I could help by posting this subject. I have no connection to China and I have also resolved my virus situation, but still... how could I use AutoIt to know what process wrote a file? Thx all for the replies!

Does anyone know how I could use AutoIt to know what process wrote a file?
SpookMeister Posted December 29, 2008

No, nothing built-in does that to my knowledge... you might be able to write something to do so... but FileMon and/or Process Explorer mentioned above are built to do just that already.

Helpful tips: If you want better answers to your questions, take the time to reproduce your issue in a small "stand alone" example script whenever possible. Also, make sure you tell us 1) what you tried, 2) what you expected to happen, and 3) what happened instead.
Useful links: BrettF's update to LxP's "How to AutoIt" pdf; Valuater's Autoit 1-2-3; Download page for the latest versions of AutoIt and SciTE
"For example - if you came in here asking "how do I use a jackhammer" we might ask "why do you need to use a jackhammer". If the answer to the latter question is "to knock my grandmother's head off to let out the evil spirits that gave her cancer", then maybe the problem is actually unrelated to jackhammers."
mikiutama Posted December 30, 2008 (edited)

...

Edited December 31, 2008 by mikiutama
darzanmihai Posted January 3, 2009 (Author)

> No, nothing built-in does that to my knowledge... you might be able to write something to do so... but FileMon and/or Process Explorer mentioned above are built to do just that already.

You are right about "FileMon and/or Process Explorer", but it would be very nice to do it using AutoIt!... Isn't that what we are all trying to do... do things using AutoIt?

Best regards