I recently have been bothered a program known as Universa. The file seems to create exe's of the name win####.temp.exe which launch two popups known as ULWindowURL and ULWindowSeek. I've been trying everything to get rid of the stupid thing yet nothing has worked so far. I've run adaware, spy-bot, and hijack this. All are saying I'm clean, which unfortunately isn't the case. Google has only turned up others facing the same problems.
What I Know:
I opened up the offending programs from the temp folder with a hex editor. The program calls the standard window dlls and pretty much standard functions (such as GetProcAddress). The only two ones that seem to be different than just a standard windows app are the last two: OleCreate and SetTimer. What the two are being used for is pretty obvious from the description of its behavior.
Here's my idea:
I'd like to monitor the folder where these files are being installed (Windows\Temp) and record what file is creating the exe's found in this folder. Whether it be by a program that is already created or a custom job, I'd like to find out if this is possible. I know of FileSystemWatcher allows one to monitor a directory for changes. However, I have been unable to find a more powerful version which allows one to know which file/program/process made the change to the directory. Something like this, if practicle, would allow me to track down the source of my pesky problem and eliminate it. Any suggestions as to how I could go about doing this?
