There is an a.bat file being dropped in my c:/ drive regularly even
after I wipe it out, and with it comes a load of spyware that I remove
regularly. Sophos and AVG both pick the a.bat up as a virus and remove
it. It will always come back though.

I would like to know if it is possible to trace back to see what
process writes the file to my hd to remove the source.

<charliefortune> typed:
> There is an a.bat file being dropped in my c:/ drive regularly even
> after I wipe it out, and with it comes a load of spyware that I remove
> regularly. Sophos and AVG both pick the a.bat up as a virus and remove
> it. It will always come back though.
>
> I would like to know if it is possible to trace back to see what
> process writes the file to my hd to remove the source.

Have a look at FileMon from SysInternals:
http://www.sysinternals.com/Utilities/Filemon.html
--
YoKenny
See CoU at least weekly:
http://www.dozleng.com/updates/index.php?&act=calendar
I support the right to arm bears

From: "charliefortune" <(E-Mail Removed)>

| There is an a.bat file being dropped in my c:/ drive regularly even
| after I wipe it out, and with it comes a load of spyware that I remove
| regularly. Sophos and AVG both pick the a.bat up as a virus and remove
| it. It will always come back though.

| I would like to know if it is possible to trace back to see what
| process writes the file to my hd to remove the source.


What is the name of the virus that is detected in "a.bat" by Sophos and AVG ?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Troj/Batten-A is what sophos calls it

On 27 Apr 2006 09:33:06 -0700, "charliefortune"
<(E-Mail Removed)> wrote:

>Troj/Batten-A is what sophos calls it

Didn't it find it in a.bat ?

Art
http://home.epix.net/~artnpeg

yes it did. it keeps coming back though. I like the FileMon tool, but
from startup it loads after the a.bat has been written, so it has no
information. Does anyone know if windows logs what is written on the hd
? I am using XP pro.

On 27 Apr 2006 14:08:11 -0700 charliefortune wrote:

> yes it did. it keeps coming back though. I like the FileMon tool, but
> from startup it loads after the a.bat has been written, so it has no
> information. Does anyone know if windows logs what is written on the hd
> ? I am using XP pro.
>
Hit F8 on boot up. This should take you to a screen with several options,
one option is to write a boot log or something similar. IIRC another
option is to boot step-by-step. See what that tells you.
--
Ernie B.

Communication: The art of moving an idea from one mind to another,
hopefully without distortion.

On 27 Apr 2006 14:08:11 -0700, "charliefortune"
<(E-Mail Removed)> wrote:

>yes it did. it keeps coming back though. I like the FileMon tool, but
>from startup it loads after the a.bat has been written, so it has no
>information. Does anyone know if windows logs what is written on the hd
>? I am using XP pro.

You have much repair work to do. Read these:

http://www.trendmicro.com/vinfo/viru...EN%2EA&VSect=T
http://www.trendmicro.com/vinfo/viru...N%2EA&VSect=Sn

Your best bet is probably to reformat and reinstall Windows.

Art
http://home.epix.net/~artnpeg

In article <(E-Mail Removed)>,
(E-Mail Removed) says...
>
>There is an a.bat file being dropped in my c:/ drive regularly even
>after I wipe it out, and with it comes a load of spyware that I remove
>regularly. Sophos and AVG both pick the a.bat up as a virus and remove
>it. It will always come back though.
>
>I would like to know if it is possible to trace back to see what
>process writes the file to my hd to remove the source.
>
*************** REPLY SEPARATER ***************
This sounds very much like something I discovered on a machine over a year ago.
I would clean the machine up, and a series of batch files would return on the
next boot up. The hacker had created a directory C:\windows\system32\sys32 and
had stored a number of files there. One of them was a file called "hidden.exe"
which was used to hide other programs that it loaded. It also used it's own
version of "kernel32.exe". The whole thing was started with a TFTP batch file
called "o" in the windows system directory (no extension). This was used to
recover and load a backdoor program called "bling.exe", which it stored in
another new directory "C:\WINNT\SYSTEM32".

The only way I could get rid of the thing was to boot up in Safe Mode and
physically delete the files and replace with originals where necessary. To find
all the files, I searched the entire disk for files created after the infection
date (I used the command line because the XP search engine is crippled, and
doesn't return all files in all directories).

J.A. Coutts

want to know what program do the drop,extract the trojan,

you should has a monitor tools,


the2avpro monitor could help you

lauch the2avpromon.exe

once a application exec,it want to extract files to system, or change
the registry,
this toold do alert,the changed you could see in the box.

keep in the mind,like avp monitor it won't send you this changes,if it
delete as viruses,then do
clean,delete ect ,if it not deleted it,then your pc harmed.andyou are
actively not know pc is not security