Filter out SMB writes or renames

We have a fileserver that is having .xls files and .pdf files being converted to .exe files. Obviously its some kind of virus infection. I am trying to use wireshark to find the host that is writing the .exe files. Unfortuately the capture is large for just a short time. To make matters worse another group is scanning the drive for viruses. I have filter out the scanners, but I am trying to create a filter that might show a file being saved, renamed or created. I see a lot of different requests.

NT Create Andx Request seems to be a file access but no writes.

Anyone got any thoughts on how I can filter this?

I have been able to find a listing of SMB codes and meaings, found no writes in our capture related to theproblem, but the activity could have stopped. I am able to see alot of other SMB related traffic including writing to printer shares, opening of files, and folder scans, etc. I will have to setup an actual test and figure out a filter for the next time.