How can I block a specific exe file no matter what its path is?

Hi all :),

My young stepson is NOT an English speaker or PC savvy so is highly vulnerable to viruses etc. and I have done my best to protect the integrity of his PC as best I can. Friends occasionally use his PC as well so it is vulnerable.

INFO:
My stepson’s Windows XP PC has a virus/worm/trojan that is hard to kill and comes back in "C:\Documents and Settings\All Users". I think MAYBE I have FINALLY killed it (and its registry entries) as it has not come back immediately this last attempt (which it tends to do).

Avira Antivirus software does find it when it tries to activate

The hidden exe file is named something like dxeaslr.exe (can’t remember if that is the exact name - should have written it down - sorry) and is not found in a Google search. One thing that is worrying me is that when I deleted it on several occasions yesterday and it went into the recycle bin it was THEN identified by Avira Anti virus as cd1.exe (with the same trojan specification), yet that is not to be seen in the recycle bin (only dxeaslr.exe).

I looked up cd1.exe and some sites suggest it is very dangerous, a few said it may be a Premium dialler trojan/worm etc. (2 suggested even an adult premium dialler??).

Anyway, whatever it is, although I MAY have removed it I fear it may be hiding and dormant (and my son knows far less than I about viruses etc.).

What I wish to do is to make entries in his PC’s Comodo Firewall to block those two .exe files should they reappear from any form of in/out internet access AND BLOCK them from running.

HOWEVER I am concerned they may reappear in different folders or paths in future without my knowledge.

My question: can I block the exe file BY NAME ONLY (irrespective of path), without needing to provide a path or location, should it try to execute from ANY new location on his PC?

So far ONLY cd1.exe and dxeaslr.exe have been identified as problematic so I am hoping ONLY those two names are used by this trojan if it is still hiding in the PC.

I did switch off the virus software to see the summary details of dxeaslr.exe and that suggested it was a Pidgen apps file (Ver 1.9 something I think). The supposed dates of creation and last modification of the file suggest 7 years ago and 5 years ago respectively.

I originally assumed it was a False Positive by Avira Anti virus BUT was suspicious and concerned so I checked a 4 month old Acronis backup tib file (which showed no sign of c:\Documents & settings\All Users\dxeaslr.exe). My ADHD stepson accesses many games sites (and whatever grabs his fancy).

Hope someone can help me protect my Stepson and his PC from himself on this issue.

Thanks all

Hello and welcome to the forums.

This is a good question; I had to mess with CIS (Comodo Internet Security) to see if this is possible. I couldn't think of or figure out a way to do this. The HIPS and sandbox component of CIS does use the file's hash but also uses the file's path. So if you were to set up a block rule for the file it would look for the file in the directory you specify with the same hash value.

CIS is most powerful at keeping your system clean so it would be best to make sure your system is clean then install CIS to keep it clean. CIS will sandbox any unknown file and will protect your system if the unknown file is malicious. Have you tried using a bootable antivirus to scan your computer?
I would recommend trying a scan with Kaspersky Rescue Disk, HitmanPro, and Malwarebytes to make sure all remnants of the infection are gone.

I would also read through this guide written by another moderator (Chiron) about how to configure CIS to keep your system clean.

Hope this helps, feel free to ask any more questions.

Thanks
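The reply above explains that a CIS block rule keys on the file's path as well as its hash, so a by-name block that covers any future location is not something the firewall offers. What a defender can do instead is find out where such a file actually is before writing a rule for it. The script below is an added example, not code from this thread or from Comodo: it walks every fixed drive, hidden and system files included, looking for the two names from the original post (an assumption; edit the list to taste) and writes each copy's path, timestamps and SHA-256 to a report file. It is written for PowerShell 2.0, which is the version that can be installed on Windows XP, so it computes the hash through .NET rather than with the later Get-FileHash cmdlet.

```powershell
# Added example, not from this thread or from Comodo. Walks every fixed drive
# looking for executables with the two names mentioned in the original post,
# hidden files included, and writes their location, timestamps and SHA-256
# to a report. Targets PowerShell 2.0 (the version installable on Windows XP),
# so it avoids Get-FileHash and other later cmdlets.

# Assumption: these are the names from the original post; edit as needed.
$suspectNames = @('cd1.exe', 'dxeaslr.exe')
$reportPath   = Join-Path $env:USERPROFILE 'suspect-exe-report.txt'

function Get-Sha256Hex {
    # SHA-256 via the .NET class, which is available on PowerShell 2.0.
    param([string]$Path)
    try {
        $sha    = [System.Security.Cryptography.SHA256]::Create()
        $stream = [System.IO.File]::OpenRead($Path)
        try {
            $bytes = $sha.ComputeHash($stream)
        } finally {
            $stream.Close()
        }
        return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
    } catch {
        # A locked or unreadable file is still worth reporting by path.
        return '<unreadable>'
    }
}

# DriveType 3 = local fixed disk; skips CD/DVD, network and removable drives.
$roots = Get-WmiObject Win32_LogicalDisk |
    Where-Object { $_.DriveType -eq 3 } |
    ForEach-Object { $_.DeviceID + '\' }

$findings = @()
foreach ($root in $roots) {
    # -Force includes hidden and system files (the way the file in the original
    # post was hiding); folders the account cannot read are skipped silently.
    Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and ($suspectNames -contains $_.Name) } |
        ForEach-Object {
            $findings += New-Object PSObject -Property @{
                Path     = $_.FullName
                Bytes    = $_.Length
                Created  = $_.CreationTime
                Modified = $_.LastWriteTime
                Sha256   = Get-Sha256Hex $_.FullName
            }
        }
}

if ($findings.Count -eq 0) {
    "No file named $($suspectNames -join ' or ') found on fixed drives." |
        Out-File -FilePath $reportPath
} else {
    $findings | Format-List Path, Bytes, Created, Modified, Sha256 |
        Out-File -FilePath $reportPath
}

# Show the report on screen as well as saving it next to the user's profile.
Get-Content $reportPath
```

Run it from an administrator account so that every folder is readable, for example with `powershell.exe -ExecutionPolicy Bypass -File Find-SuspectExe.ps1` (the script name is an assumption). Because the report records the same two things the reply says CIS matches on, the path and the hash, a copy that turns up can be given a Defense+ or Firewall block rule at the location where it actually sits, and the creation and modification times help decide whether it is the same file that was removed earlier or a fresh drop.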

You might be able to use Groups to create a new group of Blocked files, once created using this group to create rules in Defense+ and Firewall blocking all actions.

Though if you use CIS in the default setting, HIPS is not active.

Dennis

Please ensure that the system is actually clean by following the advice I give in this article. Let me know what you find.

Thanks.

:slight_smile: Thanks for the very helpful replies

I should have mentioned in my original Post (sorry) I use Comodo Firewall 5.10.228257.2253. I did upgrade to 6 but it was too different for my personal liking; also, after Version 5.10.228257.2253 I started getting excessive event reporting (which, although normal and safe, made it more difficult sorting the wood from the trees).


From what is being said I assume Comodo Firewall cannot deal with such a requirement. That is a great shame as it is a remarkable application. It does surprise me that with its sophistication it cannot.

I appreciate the need to find and kill dangerous files but it is nice to be able to have a second line of defence, just in case, for a file that tends to be hiding or persistent, without the need to know its location.

Moving on, reading the articles (which I admit I do not fully understand everything in, not being an expert), a lot of apps are being suggested and I wish to ask a few further questions before running any of them.

  1. Do I need to run all of them (Kaspersky Rescue Disk, HitmanPro, Malwarebytes, TDSSKiller, Emsisoft Anti-virus, CCE’s KillSwitch, Comodo Autoruns)? Is Comodo Autoruns effectively the same as Sysinternals Autoruns (Sysinternals being a wholly owned subsidiary of Microsoft Corporation, which I use on MY PC), or is one or the other preferable?

  2. If not, which do I need to run before I can reasonably assume NO infection on my Stepson’s PC?

  3. What order is preferable to run them or does it not matter?

  4. Do ANY of these apps change/delete anything without first asking me to OK for each finding (or do they all report first and ask me what action I wish to take)?

I am already aware, when using TDSSKiller and Sysinternals Autoruns on MY Windows 7 (x64) PC, of the dangers of deleting files unless I am sure they should be and will have no unexpected consequences.

I really appreciate the advice given. During the last two days the files have not yet returned so I am hopeful they are gone for good BUT I fear hidden files that lurk which are triggered by time or events, as I am sure my stepson, not speaking English, will ignore some virus warnings. I do check his PC from time to time, but not often.

I have got his Windows XP Sp3 PC working with great stability (was my former PC of 4½ years, some 18 months). I do not like adjusting or changing things on it unless necessary because Win XP being an old (but great) O/S is not as stable as Win 7.

Thanks again

This seems like a great item for the wishlist, you would have my vote.

> I appreciate the need to find and kill dangerous files but it is nice to be able to have a second line of defence, just in case, for a file that tends to be hiding or persistent, without the need to know its location.
>
> Moving on, reading the articles (which I admit I do not fully understand everything in, not being an expert), a lot of apps are being suggested and I wish to ask a few further questions before running any of them.
>
> 1. Do I need to run all of them (Kaspersky Rescue Disk, HitmanPro, Malwarebytes, TDSSKiller, Emsisoft Anti-virus, CCE’s KillSwitch, Comodo Autoruns)? Is Comodo Autoruns effectively the same as Sysinternals Autoruns (Sysinternals being a wholly owned subsidiary of Microsoft Corporation, which I use on MY PC), or is one or the other preferable?

No, it's not necessary to run them all. I would run at least Malwarebytes (quick scan) and HitmanPro. If they find any types of rootkits or Virut (patching virus) then I would run Kaspersky Rescue Disk. If they come up clean you are probably clean, and to be safe you can run any of the other suggested scanners.

> 2. If not, which do I need to run before I can reasonably assume NO infection on my Stepson's PC?

See my above answer. Also, is the computer running slow or is anything abnormal happening? For example, are there random instances of iexplorer.exe running even though you don't have Internet Explorer running, or are you getting random redirects when surfing the internet? Things like that.

> 3. What order is preferable to run them or does it not matter?

There is no correct order to run them in; each person will have a different order based on their own experiences. The order they are listed in above actually is a good order to use them in (IMO). Just use caution when using Comodo Cleaning Essentials: it is a sensitive scanner and can sometimes give false positives, so either report back here so we can help you with the results or upload them to [url=https://www.virustotal.com]VirusTotal[/url] to see what other antivirus find, assuming it finds anything.

> 4. Do ANY of these apps change/delete anything without first asking me to OK for each finding (or do they all report first and ask me what action I wish to take)?

They all report the results and ask what you want to do with each detection.

> I am already aware, when using TDSSKiller and Sysinternals Autoruns on MY Windows 7 (x64) PC, of the dangers of deleting files [u]unless I am sure they should be and will have no unexpected consequences[/u].
>
> I really appreciate the advice given. During the last two days the files have not yet returned so I am hopeful they are gone for good BUT I fear hidden files that lurk which are triggered by time or events, as I am sure my stepson, not speaking English, will ignore some virus warnings. I do check his PC from time to time, but not often.
>
> I have got his Windows XP SP3 PC working with great stability (it was my former PC of 4½ years, some 18 months ago). I do not like adjusting or changing things on it unless necessary because Win XP, being an old (but great) O/S, is not as stable as Win 7.
>
> Thanks again

It's good to hear the files have not come back, but when dealing with infections you can never be too careful. If you have any more questions let us know.

Thanks very much wasgij6 :-TU

I did run TDSSKiller yesterday whilst hoping for a reply and I am pleased to report it found nothing suspicious, and neither Avira Antivirus nor Comodo Firewall has been triggered in the 3 days since I believe I got rid of the files.

  1. I will do as you suggest :slight_smile:

  2. It is not doing anything suspicious. My stepson has Firefox open 99% of the time so it opening would not be noticed by him. However, I have been working on his PC for a couple of days setting up my own User Account, cleaning up, updating software and doing an Acronis True Image backup etc. and nothing strange occurred.

With regard to running slow: that is normal as the PC is now 6 years old, but as my stepson mainly uses YouTube and flash online games sites he is not really impacted (except at PC/Windows Startup, where he has to wait 4+ mins from logon while the various apps I have installed to protect the PC or keep it running well are loading).

  3. Noted, thanks

  4. Terrific, that’s what I hoped :slight_smile:

Your final para: yes, I 100% agree you can never be too careful (especially when a total novice is using the PC, accessing the internet constantly and not able to read many of the warnings - or understand them). I have Avira Antivirus free, SpywareBlaster and Comodo Firewall all operating on his PC but they are not 100% stepson proof (nor am I ;D).

Thanks again

Can you detail all apps which start with Windows? I may be able to provide you with advice about these, to help optimize the boot, and keep the computer running quicker.

Thanks Chiron
Yes I can, but are you sure it's worth all your effort?

If so, what app would you like me to use to produce the log info?

For Background info:
Originally my Stepson did not have full Administrative rights but more and more this was problematic. Consequently, I used heavily reduced shortcuts on his Desktop and Start Menu to make it harder for him to get in. THAT WORKED and the only real risk to date seems to be him acquiring Malware, viruses etc.

Acronis Home True Image backups are my fail safe when the “Sh** hits the fan”. I keep several most recent.

The Motherboard is an Asus A8N-VM CSM8 (using on-board Graphics). The Processor is an AMD Athlon 64 3000+ (Venice 90nm Technology). RAM is 2Gb Dual-Channel DDR @ 200MHz (3-3-3-8). (I appreciate more RAM may help but the PC is too old to bother increasing the RAM.) Stepson is only 10 so not worth investing YET in a faster, better PC as he only uses the Internet and a few offline games.

One or two apps that I load at start up are there for a reason (i.e. Process Tamer) to solve issues with Games or one or two apps. I also use Startup Delayer to help keep ALL the icons appearing in the System Tray, rather than the long-term Windows annoyance of them occasionally being active but not appearing.

The last .Bat file I run from Startup Delayer tells my stepson to wait before using the PC, because I have found that although all Windows start-up apps seem loaded, Win XP continues to load in the background and premature use on this PC results in slow use (until Win XP has finished all its loading, so nothing is gained by not waiting a little longer before use) or occasionally affects something.

Regards

Hi wasgij6

I have now run Hitman Pro and Malwarebytes on both my son’s PC and mine. Mine was 100% clean.

My Stepsons was pretty clean.

a) 14 tracker/similar cookies reported. I used CCleaner to delete them all.

b) One app exe which belonged to a Language learning app. I think a False Positive, but as I knew it to be a tiny extra utility with the package I deleted it to be safe.

c) An Adware trojan was reported in a Wise installation MSI file. The installation files belonged to an old app so I deleted it.

d) A NirSoft utility was identified but I am sure it was OK (Malwarebytes did not pre-tick it for suggested removal, only flagged it, I assume to make sure I knew it was there). Anyway I deleted the app to be safe as it is not needed.

e) Finally, 4 registry entries were reported and probably not needed/wanted.
2 were Babylon (such a pain that toolbar app; thought I had got rid of it all years ago with great difficulty).
2 were Funmood entries, not desired, so I deleted them.
1 was Prod.cap (Claro). A Google SEARCH suggested it to be some sort of search engine (sometimes a nuisance to users). Anyway certainly NOT wanted, so I deleted the registry entry.

f) Later I logged on with another user account, reran Hitman Pro and was surprised to see many extra Current User registry entries for Babylon and files in a Conduit folder. (I assume these were user specific, hence why they now appeared.)
ALL these extras were flagged as remnants and no threat. Anyway I deleted the Babylon registry entries AND the Conduit folder/files in the User’s AppData folder (which were something to do with Facebook, which I will not sign up for ever).

Anyway, my original OP issue files were NOT found.

So my Stepson’s PC seems to be clean ( ;D for now!!!).

Seems safe then. To make sure it stays that way you can follow the advice I give in my article about How to Stay Safe While Online.

Also, if you like you can use a free program called Soluto (download here) to optimize your Windows startup. Remember that the more processes you have running the slower the computer will be, even after startup.

Let me know if you have any questions.

Thanks.

Thanks Chiron :slight_smile:

I will download and run Soluto and I appreciate your willingness to answer further questions.
Hopefully I will not need to take you up on your kind offer.

Regards

Good to hear; sounds like all that was found was adware, which is easily removed. Let us know if you need any more help.