Find Files Using File Properties?

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

phreeangel

Thread Starter
Joined
Apr 8, 2004
Messages
8
Hi

I want to do a search on my hard drive for all files that have an "unknown" creation date. Is there a freeware program that can do this? Could I use a DOS command or batch file?

Thanks
 

WhitPhil

Gone but never forgotten
Trusted Advisor
Joined
Oct 4, 2000
Messages
8,684
Off hand, I'm not aware of one, but, out of curiosity, what are you planning to do when/if you can identify these files?
 

phreeangel

Thread Starter
Joined
Apr 8, 2004
Messages
8
I believe that I have a keylogger (or something similar installed) that has been written into my Win98se operating system. I had one before that could not be found by an antivirus (or spyware) remover. I was able to discover and remove it by the fact it altered the creation date properties. I have tested this by extracting a copy of my kernel32.dll file from disc and viewing the creation date. As long as the file isn't used by my operating system the date is shown. Once I replace the kernel32.dll file with the one I extract, the file properties change to show an "unknown" creation date.

I removed the previous keylogger by finding all files with an "unknown" creation date, extracting the disc versions, booting to DOS, rebuilding the MBR and copying the extracted files to their respective directories.

I was hoping there was a freeware program that would find files by creation date because finding them previously (by right clicking file by file and writing their names on paper) was a major undertaking of time and energy (several days).

So if you can find a program that could assist me, it would be greatly appreciated.

Thanks
 

WhitPhil

Gone but never forgotten
Trusted Advisor
Joined
Oct 4, 2000
Messages
8,684
Download and run HiJackThis and copy/paste the log that it creates, back here for review.
The AV's and SpyWare apps may not find it, but HJT will show everything.
 

phreeangel

Thread Starter
Joined
Apr 8, 2004
Messages
8
Here is the log that was created by HijackThis. I should note though that I believe the keylogger has integrated into the operating system itself.

Logfile of HijackThis v1.97.7
Scan saved at 3:28:46 PM, on 4/10/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.altavista.com/

O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINDOWS\DOWNLO~1\ALTAVI~1.DLL

O3 - Toolbar: AltaVista Toolbar - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINDOWS\DOWNLO~1\ALTAVI~1.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe

O4 - HKLM\..\Run: [IrMon] IrMon.exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE

O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: AltaVista Search - file://C:\Program Files\ALTAVISTA Toolbar\Cache\SelectedContextSearch.htm

O8 - Extra context menu item: Translate - file://C:\Program Files\ALTAVISTA Toolbar\Cache\SelectedContextTranslation.htm

O9 - Extra button: Yahoo! Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38084.779849537

O16 - DPF: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} (AltaVista Toolbar) - http://toolbar.altavista.com/static/toolbar/altavista.cab?r=1081393094
 

WhitPhil

Gone but never forgotten
Trusted Advisor
Joined
Oct 4, 2000
Messages
8,684
Nothing obvious!

Does Sygate detect outbound attempts to connect to the network? I would "assume" that if you have a Keylogger installed, it would eventually want to "call home" with its results.

You can also try this online check, and see if it finds anything.

If kernel32 really is being modified, then its size will be different than the standard one. Have you noticed a size difference? Also, in general, or a couple of examples, what other files are you finding with unknown creation dates that you were replacing?
 

phreeangel

Thread Starter
Joined
Apr 8, 2004
Messages
8
Sygate does catch numerous attempts to connect using various protocols but it does not state a program making the attempt to connect. However, I downloaded a program that monitors network activity and it shows a connect to an IP address not listed in the Sygate logs. This IP address is contacted each time I open a connection to the internet. I have tried configuring Sygate to block all contact with this IP address but it seems to not be stopping it.

This is from the logs of the IP monitoring program.

247 52.18790640 Iexplore 02930018 TDI_SEND_DATAGRAM UDP:0.0.0.0:1676 24.226.10.193:53 SUCCESS Length:30

359 87.21951840 Msimn 0298001D TDI_SEND_DATAGRAM UDP:0.0.0.0:1681 24.226.10.193:53 SUCCESS-361 Length:31

403 126.93752480 Ypager 029A0000 TDI_SEND_DATAGRAM UDP:0.0.0.0:1683 24.226.10.193:53 SUCCESS-407 Length:35

Note the same IP address being contacted by various programs. This IP address does not appear in the Sygate logs.

Also: All other windows processes running show the modified date.
 
Joined
Dec 2, 1998
Messages
2,736
Is Cogeco Cable your ISP? Looks like they're just contacting a DNS server.
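The log lines quoted above are what the "just a DNS server" reply is based on: three different programs sending small UDP datagrams to the same address on port 53. As an added example (not a tool from the thread), this parser reads those TDI-style monitor lines, groups them by destination, labels UDP/53 as DNS, and flags any destination that is not in an assumed list of configured resolvers; the resolver list below is a placeholder that would normally come from `ipconfig /all`.

```python
"""Parse TDI-style network monitor lines and summarise per destination.
Added example; the resolver list is an assumed placeholder, not from the thread."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<t>[\d.]+)\s+(?P<proc>\S+)\s+(?P<h>[0-9A-Fa-f]+)\s+"
    r"(?P<op>\S+)\s+(?P<proto>UDP|TCP):(?P<sip>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dip>[\d.]+):(?P<dport>\d+)\s+(?P<status>\S+)\s+Length:(?P<len>\d+)$")

# Sample input: the three lines posted in the thread, embedded verbatim.
SAMPLE_LOG = """\
247 52.18790640 Iexplore 02930018 TDI_SEND_DATAGRAM UDP:0.0.0.0:1676 24.226.10.193:53 SUCCESS Length:30
359 87.21951840 Msimn 0298001D TDI_SEND_DATAGRAM UDP:0.0.0.0:1681 24.226.10.193:53 SUCCESS-361 Length:31
403 126.93752480 Ypager 029A0000 TDI_SEND_DATAGRAM UDP:0.0.0.0:1683 24.226.10.193:53 SUCCESS-407 Length:35
"""

def parse_line(line: str) -> Optional[dict]:
    """Split one monitor line into named fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for k in ("seq", "sport", "dport", "len"):
        rec[k] = int(rec[k])
    return rec

def service_name(rec: dict) -> str:
    """UDP to port 53 is a DNS query; everything else is left unlabelled."""
    return "dns" if rec["proto"] == "UDP" and rec["dport"] == 53 else "other"

def summarize(log: str, resolvers: List[str]) -> Dict[str, dict]:
    """Group records by destination ip:port, recording which processes talked
    to it, how often, and whether it is an expected (configured) resolver."""
    out: Dict[str, dict] = defaultdict(lambda: {"procs": set(), "count": 0})
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ent = out[f'{rec["dip"]}:{rec["dport"]}']
        ent["procs"].add(rec["proc"])
        ent["count"] += 1
        ent["service"] = service_name(rec)
        ent["expected"] = ent["service"] == "dns" and rec["dip"] in resolvers
    return dict(out)

if __name__ == "__main__":
    ASSUMED_RESOLVERS = ["192.0.2.53"]   # placeholder; take real values from ipconfig /all
    for dst, ent in summarize(SAMPLE_LOG, ASSUMED_RESOLVERS).items():
        flag = "ok" if ent["expected"] else "INVESTIGATE"
        print(f'{dst:20} {ent["service"]:5} x{ent["count"]} {sorted(ent["procs"])} {flag}')
```

If the flagged address is the DNS server listed by `ipconfig /all`, the traffic is ordinary name resolution; if it is not, the per-process list shows which programs to look at first.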
 

phreeangel

Thread Starter
Joined
Apr 8, 2004
Messages
8
I looked up the IP address that I provided earlier. It is definitely Cogeco but it's not a lookup service. It's a subscriber.

I am running Win98SE w/all updates and patches, P150MMX w/32 MB of RAM. I have Sygate Personal Firewall and Avast Anti Virus. I've installed Hijack This, Process Explorer, SpyBot, AdAware, File Monitor, and a Network Monitor (name unknown).

I have no idea how the keylogger is on my system but I am convinced that I have one from the random connects that keep occurring. Too many connects have been able to walk past the firewall and I encounter too many unexplained windows "hiccups" (windows opening and closing right before my eyes, sudden unexplained disc activity, extremely slow program opening and then suddenly fine).

So if anyone knows of a program that can search for a file by the creation date - please post it here. You would certainly save me a lot of time.
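No search-by-creation-date tool was ever posted in this thread. As an added example (not from the thread or any tool named in it), the script below walks a directory tree and lists files either within a creation-date window or, with `--unknown`, only those whose creation timestamp is missing, zero or earlier than anything FAT can store, which is the condition Explorer displays as "unknown". It assumes a modern Python on Windows, where `os.stat()` reports creation time (`st_ctime`, or `st_birthtime` on 3.12+); on platforms with no creation time every file is reported as unknown.

```python
"""List files by creation timestamp, flagging those with no usable one.
Added example; assumes Python 3.8+ on Windows for real creation times."""
import os
import sys
from datetime import datetime
from typing import Iterator, Optional, Tuple

FAT_EPOCH = 315532800.0  # 1980-01-01 UTC, the earliest date a FAT entry can hold

def creation_time(st: os.stat_result) -> Optional[float]:
    """Return the creation timestamp if the platform reports one, else None."""
    birth = getattr(st, "st_birthtime", None)      # Python 3.12+ on Windows, BSD, macOS
    if birth is not None:
        return birth
    if sys.platform.startswith("win"):
        return st.st_ctime                         # older Windows Python: ctime is creation
    return None                                    # Linux: ctime is inode change, not creation

def is_unknown(ts: Optional[float]) -> bool:
    """Missing, zero or pre-1980 timestamps are what Explorer shows as 'unknown'."""
    return ts is None or ts < FAT_EPOCH

def find_files(root: str, unknown_only: bool = False, after: Optional[float] = None,
               before: Optional[float] = None) -> Iterator[Tuple[str, Optional[float]]]:
    """Yield (path, creation_ts) for files under root. With unknown_only, yield
    only files whose creation date is unknown; otherwise apply the date window."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue                           # locked or vanished file: skip it
            ts = creation_time(st)
            if is_unknown(ts) != unknown_only:
                continue                           # not the class the caller asked for
            if unknown_only or ((after is None or ts >= after) and
                                (before is None or ts <= before)):
                yield path, ts

def fmt(ts: Optional[float]) -> str:
    """Render a timestamp the way Explorer would, including 'unknown'."""
    return "unknown" if is_unknown(ts) else datetime.fromtimestamp(ts).isoformat(sep=" ")

if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--unknown"]
    root = args[0] if args else "."
    hits = find_files(root, unknown_only="--unknown" in sys.argv)
    for path, ts in sorted(hits, key=lambda x: x[1] or 0.0):
        print(fmt(ts), path)
```

Run as `python find_by_ctime.py C:\WINDOWS --unknown` to get the list that the thread starter was compiling by hand; without `--unknown` it prints every file with a readable creation date, oldest first.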
 

WhitPhil

Gone but never forgotten
Trusted Advisor
Joined
Oct 4, 2000
Messages
8,684
You may want to "temporarily" install ZoneAlarm which will detect and stop outbound connections. If you do decide to do this, note the UNinstall instructions on the ZA website.

There is one other app that you can stop from running. That is C:\WINDOWS\SYSTEM\RPCSS.EXE.

It "could" be generating connections. Positive, but innocuous.

You can either just rename the file or run Regedit and in the key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
look for the string: EnableRemoteConnect, and give it a value of N.
 
Joined
Nov 25, 2000
Messages
8,994
Hi,

That's just what I was posting, WhitPhil, but I was trying to post a zip of ZA ver 2, which is smaller, because ver 3 has a minor bug: it keeps trying to connect!

It's 1.45 MB as a zip, maybe that's why I couldn't get it to post ... ?

John :)
 