Re: how can I trace back to find out what file has dropped a virus on my c:



In article <1146134715.210595.40440@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>,
google@xxxxxxxxxxxxxxxxxx says...

There is an a.bat file being dropped in my c:/ drive regularly even
after I wipe it out, and with it comes a load of spyware that I remove
regularly. Sophos and AVG both pick the a.bat up as a virus and remove
it. It will always come back though.

I would like to know if it is possible to trace back to see what
process writes the file to my hd to remove the source.

*************** REPLY SEPARATOR ***************
This sounds very much like something I discovered on a machine over a year ago.
I would clean the machine up, and a series of batch files would return on the
next boot up. The hacker had created a directory C:\windows\system32\sys32 and
had stored a number of files there. One of them was a file called "hidden.exe"
which was used to hide other programs that it loaded. It also used its own
version of "kernel32.exe". The whole thing was started with a TFTP batch file
called "o" in the windows system directory (no extension). This was used to
recover and load a backdoor program called "bling.exe", which it stored in
another new directory "C:\WINNT\SYSTEM32".

The only way I could get rid of the thing was to boot up in Safe Mode and
physically delete the files and replace with originals where necessary. To find
all the files, I searched the entire disk for files created after the infection
date (I used the command line because the XP search engine is crippled, and
doesn't return all files in all directories).

J.A. Coutts
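The reply's approach of searching the whole disk for files created after the infection date, as an added example that is not part of the original thread: a small Python script that walks a directory tree (including the hidden and system directories the Windows XP GUI search skipped) and lists every file whose timestamp is at or after a cutoff. The sample tree, the epoch cutoff, and the paths such as `system32/sys32/hidden.exe` are constructed here to mirror the post's scenario; they are not real data from the machine described.

```python
import os
import tempfile

# Constructed epoch timestamps (seconds): "old" files predate the cutoff,
# "new" ones postdate it, mirroring the reply's "created after the infection date".
OLD_TIME = 1_000_000_000
CUTOFF = 1_050_000_000
NEW_TIME = 1_100_000_000


def _timestamp(st, attr):
    """Pick the stat field to compare against the cutoff.

    'mtime' - last content modification; portable across platforms.
    'birth' - creation time where the OS exposes it (st_birthtime on macOS/BSD,
              st_ctime on Windows); falls back to st_mtime on Linux, whose
              st_ctime is inode-change time, not creation time.
    """
    if attr == "mtime":
        return st.st_mtime
    if attr == "birth":
        birth = getattr(st, "st_birthtime", None)
        if birth is not None:
            return birth
        return st.st_ctime if os.name == "nt" else st.st_mtime
    raise ValueError(f"unknown attribute {attr!r}")


def find_files_after(root, cutoff, attr="mtime"):
    """Return sorted forward-slash relative paths under root whose chosen
    timestamp is >= cutoff. Every directory is walked, so nothing is skipped
    the way a GUI search that ignores system folders would."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full, follow_symlinks=False)
            except OSError:
                continue  # unreadable or vanished file: skip it, keep scanning
            if _timestamp(st, attr) >= cutoff:
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)


def build_sample_tree(base):
    """Constructed sample tree: two legitimate-looking old files and three
    new ones placed where the reply saw its batch files appear."""
    files = {
        "windows/system32/kernel32.dll": OLD_TIME,
        "program/readme.txt": OLD_TIME,
        "a.bat": NEW_TIME,
        "windows/system32/o": NEW_TIME,
        "windows/system32/sys32/hidden.exe": NEW_TIME,
    }
    for rel, stamp in files.items():
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("sample\n")
        os.utime(full, (stamp, stamp))  # set access and modification time
    return base


def demo():
    """Build the sample tree in a temp dir and return files newer than CUTOFF."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_files_after(tmp, CUTOFF)


if __name__ == "__main__":
    for path in demo():
        print(path)
```

On a real system you would point `find_files_after` at the drive root with the infection date converted to epoch seconds and `attr="birth"` on Windows; the result is a review list, not a delete list, since legitimate updates land in the same window. The poster's other question, which process keeps writing the file, is answered at a different layer: a file-system activity monitor such as Sysinternals Process Monitor, filtered on the dropped file's path, records the writing process and its parent.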
