
Find Files Using File Properties?

Discussion in 'Earlier Versions of Windows' started by phreeangel, Apr 10, 2004.

Thread Status:
Not open for further replies.
  1. phreeangel

    phreeangel Thread Starter

    Joined:
    Apr 8, 2004
    Messages:
    8
    Hi

    I want to do a search on my hard drive for all files that have an "unknown" creation date. Is there a freeware program that can do this? Could I use a DOS command or batch file?

    Thanks
     
  2. WhitPhil

    WhitPhil Gone but never forgotten Trusted Advisor

    Joined:
    Oct 4, 2000
    Messages:
    8,684
    Offhand, I'm not aware of one, but, out of curiosity, what are you planning to do when/if you can identify these files?
     
  3. Filewasp

    Filewasp

    Joined:
    Sep 12, 2003
    Messages:
    664
  4. phreeangel

    phreeangel Thread Starter

    Joined:
    Apr 8, 2004
    Messages:
    8
    I believe that I have a keylogger (or something similar installed) that has been written into my Win98se operating system. I had one before that could not be found by an antivirus (or spyware) remover. I was able to discover and remove it by the fact it altered the creation date properties. I have tested this by extracting a copy of my kernel32.dll file from disc and viewing the creation date. As long as the file isn't used by my operating system the date is shown. Once I replace the kernel32.dll file with the one I extract, the file properties change to show an "unknown" creation date.

    I removed the previous keylogger by finding all files with an "unknown" creation date, extracting the disc versions, booting to DOS, rebuilding the MBR and copying the extracted files to their respective directories.

    I was hoping there was a freeware program that would find files by creation date because finding them previously (by right clicking file by file and writing their names on paper) was a major undertaking of time and energy (several days).

    So if you can find a program that could assist me, it would be greatly appreciated.

    Thanks
     
  5. WhitPhil

    WhitPhil Gone but never forgotten Trusted Advisor

    Joined:
    Oct 4, 2000
    Messages:
    8,684
    Download and run HiJackThis and copy/paste the log that it creates, back here for review.
    The AV's and SpyWare apps may not find it, but HJT will show everything.
     
  6. phreeangel

    phreeangel Thread Starter

    Joined:
    Apr 8, 2004
    Messages:
    8
    Here is the log that was created by HijackThis. I should note though that I believe the keylogger has integrated into the operating system itself.

    Logfile of HijackThis v1.97.7
    Scan saved at 3:28:46 PM, on 4/10/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
    C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.altavista.com/
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINDOWS\DOWNLO~1\ALTAVI~1.DLL
    O3 - Toolbar: AltaVista Toolbar - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINDOWS\DOWNLO~1\ALTAVI~1.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [IrMon] IrMon.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
    O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: AltaVista Search - file://C:\Program Files\ALTAVISTA Toolbar\Cache\SelectedContextSearch.htm
    O8 - Extra context menu item: Translate - file://C:\Program Files\ALTAVISTA Toolbar\Cache\SelectedContextTranslation.htm
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38084.779849537
    O16 - DPF: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} (AltaVista Toolbar) - http://toolbar.altavista.com/static/toolbar/altavista.cab?r=1081393094
     
  7. WhitPhil

    WhitPhil Gone but never forgotten Trusted Advisor

    Joined:
    Oct 4, 2000
    Messages:
    8,684
    Nothing obvious!

    Does Sygate detect outbound attempts to connect to the network? I would "assume" that if you have a keylogger installed, it would eventually want to "call home" with its results.

    You can also try this online check, and see if it finds anything.

    If kernel32 really is being modified, then its size will be different than the standard one. Have you noticed a size difference? Also, in general, or a couple of examples, what other files are you finding with unknown creation dates that you were replacing?
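    As an added example (not from this thread or from any program named in it), a Python script covering the search phreeangel describes in post #4 and the size check WhitPhil suggests in post #7: it walks a directory tree, flags files whose creation stamp is zeroed (what Explorer shows as an "unknown" creation date) or later than their last modification, and compares each file's size with a known-good copy of the same name in a reference directory. It assumes a modern Python run against a mounted copy of the drive and a reference directory holding files extracted from the install CD; those names and paths are assumptions.

```python
import os
import sys
from datetime import datetime, timezone

# FAT cannot store dates before 1980-01-01; a zeroed creation field is what
# Explorer shows as an "unknown" creation date.
FAT_EPOCH = datetime(1980, 1, 1, tzinfo=timezone.utc).timestamp()

def classify(created, modified, size=None, reference_size=None):
    """Reasons a file looks suspicious (empty list if none). Timestamps are
    POSIX seconds; created is None where the platform has no creation time."""
    reasons = []
    if created is not None:
        if created < FAT_EPOCH:
            reasons.append("creation date unknown/zeroed")
        elif created > modified + 2:  # FAT mtime has 2-second resolution
            reasons.append("created after last modification (replaced in place)")
    if reference_size is not None and size != reference_size:
        reasons.append("size differs from known-good copy")
    return reasons

def creation_time(st):
    """Creation timestamp from an os.stat result, or None if unavailable."""
    if hasattr(st, "st_birthtime"):  # macOS/BSD, Windows on Python 3.12+
        return st.st_birthtime
    if os.name == "nt":              # older Python on Windows: st_ctime is creation
        return st.st_ctime
    return None                      # Linux: st_ctime is inode change time, not creation

def scan_tree(root, reference_dir=None):
    """Walk root; return [(path, reasons)]; reference_dir holds known-good copies."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue
            ref = os.path.join(reference_dir, name) if reference_dir else ""
            ref_size = os.path.getsize(ref) if ref and os.path.isfile(ref) else None
            reasons = classify(creation_time(st), st.st_mtime, st.st_size, ref_size)
            if reasons:
                findings.append((path, reasons))
    return findings

if __name__ == "__main__":  # usage: python scan.py C:\WINDOWS [D:\extracted_from_cd]
    ref_dir = sys.argv[2] if len(sys.argv) > 2 else None
    for path, reasons in scan_tree(sys.argv[1], ref_dir):
        print(path, "->", "; ".join(reasons))
```

A size match is not proof of integrity; where a reference copy exists, follow up a matching size with a hash comparison before trusting the file.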
     
  8. phreeangel

    phreeangel Thread Starter

    Joined:
    Apr 8, 2004
    Messages:
    8
    Sygate does catch numerous attempts to connect using various protocols but it does not state a program making the attempt to connect. However, I downloaded a program that monitors network activity and it shows a connect to an IP address not listed in the Sygate logs. This IP address is contacted each time I open a connection to the internet. I have tried configuring Sygate to block all contact with this IP address but it seems to not be stopping it.

    This is from the logs of the IP monitoring program.

    247 52.18790640 Iexplore 02930018 TDI_SEND_DATAGRAM UDP:0.0.0.0:1676 24.226.10.193:53 SUCCESS Length:30
    359 87.21951840 Msimn 0298001D TDI_SEND_DATAGRAM UDP:0.0.0.0:1681 24.226.10.193:53 SUCCESS-361 Length:31
    403 126.93752480 Ypager 029A0000 TDI_SEND_DATAGRAM UDP:0.0.0.0:1683 24.226.10.193:53 SUCCESS-407 Length:35

    Note the same IP address being contacted by various programs. This IP address does not appear in the Sygate logs.

    Also: All other windows processes running show the modified date.
     
  9. angel

    angel

    Joined:
    Dec 2, 1998
    Messages:
    2,736
    Is Cogeco Cable your ISP? Looks like they're just contacting a DNS server.
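    Added example (not from the thread or the monitoring tool it uses) that makes angel's point mechanically: it parses the three monitor lines quoted above, groups datagrams by remote endpoint, labels the destination port, and notes that several unrelated programs sending small UDP datagrams to one host on port 53 is the pattern of a shared DNS resolver rather than of one program calling home. The line format and port map are assumptions inferred from the quoted lines.

```python
import re
from collections import defaultdict
# Constructed sample: the three monitor lines quoted in the thread (fields: seq,
# seconds, process, handle, operation, local proto:ip:port, remote ip:port, status, length).
SAMPLE_LOG = """\
247 52.18790640 Iexplore 02930018 TDI_SEND_DATAGRAM UDP:0.0.0.0:1676 24.226.10.193:53 SUCCESS Length:30
359 87.21951840 Msimn 0298001D TDI_SEND_DATAGRAM UDP:0.0.0.0:1681 24.226.10.193:53 SUCCESS-361 Length:31
403 126.93752480 Ypager 029A0000 TDI_SEND_DATAGRAM UDP:0.0.0.0:1683 24.226.10.193:53 SUCCESS-407 Length:35
"""

LINE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<t>[\d.]+)\s+(?P<proc>\S+)\s+(?P<handle>[0-9A-Fa-f]+)\s+"
    r"(?P<op>TDI_\w+)\s+(?P<proto>TCP|UDP):(?P<lip>[\d.]+):(?P<lport>\d+)\s+"
    r"(?P<rip>[\d.]+):(?P<rport>\d+)\s+(?P<status>\S+)\s+Length:(?P<len>\d+)")

# Minimal port map; anything else is reported as "unknown" for manual review.
WELL_KNOWN = {("UDP", 53): "DNS", ("TCP", 53): "DNS", ("TCP", 80): "HTTP",
              ("TCP", 443): "HTTPS", ("UDP", 123): "NTP", ("TCP", 25): "SMTP"}

def parse_log(text):
    """Parse monitor lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            for k in ("seq", "lport", "rport", "len"):
                rec[k] = int(rec[k])
            records.append(rec)
    return records

def summarize(records):
    """Group by remote endpoint: service label, set of processes, datagram count."""
    by_dst = defaultdict(lambda: {"service": "unknown", "processes": set(), "count": 0})
    for r in records:
        entry = by_dst[(r["rip"], r["proto"], r["rport"])]
        entry["service"] = WELL_KNOWN.get((r["proto"], r["rport"]), "unknown")
        entry["processes"].add(r["proc"])
        entry["count"] += 1
    return dict(by_dst)

def verdict(entry):
    """Several unrelated programs hitting one host on a resolver port looks like a shared DNS server."""
    if entry["service"] == "DNS" and len(entry["processes"]) > 1:
        return "shared DNS resolver (expected)"
    return "review: " + entry["service"]

if __name__ == "__main__":
    for (ip, proto, port), e in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{proto} {ip}:{port} {e['count']}x from {sorted(e['processes'])}: {verdict(e)}")
```

The check that settles it is whether the host matches the resolver your ISP hands out (winipcfg on Win98 shows the configured DNS servers).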
     
  10. john1

    john1

    Joined:
    Nov 25, 2000
    Messages:
    8,994
    Hi phreeangel,

    What OS are you running ?

    John :)
     
  11. phreeangel

    phreeangel Thread Starter

    Joined:
    Apr 8, 2004
    Messages:
    8
    I looked up the IP address that I provided earlier. It is definitely Cogeco but it's not a lookup service. It's a subscriber.

    I am running Win98SE w/all updates and patches, P150MMX w/32 MB RAM. I have Sygate Personal Firewall and Avast Anti Virus. I've installed Hijack This, Process Explorer, SpyBot, AdAware, File Monitor, and a Network Monitor (name unknown).

    I have no idea how the keylogger is on my system but I am convinced that I have one from the random connects that keep occurring. Too many connects have been able to walk past the firewall and I encounter too many unexplained windows "hiccups" (windows opening and closing right before my eyes, sudden unexplained disc activity, extremely slow program opening and then suddenly fine).

    So if anyone knows of a program that can search for a file by the creation date - please post it here. You would certainly save me a lot of time.
     
  12. WhitPhil

    WhitPhil Gone but never forgotten Trusted Advisor

    Joined:
    Oct 4, 2000
    Messages:
    8,684
    You may want to "temporarily" install ZoneAlarm which will detect and stop outbound connections. If you do decide to do this, note the UNinstall instructions on the ZA website.

    There is one other app that you can stop from running. That is C:\WINDOWS\SYSTEM\RPCSS.EXE.

    It "could" be generating connections. Positive, but innocuous.

    You can either just rename the file or run Regedit and in the key

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
    look for the string: EnableRemoteConnect, and give it a value of N.
     
  13. john1

    john1

    Joined:
    Nov 25, 2000
    Messages:
    8,994
    Hi,

    That's just what I was posting WhitPhil, but I was trying to post a zip of ZA ver 2 which is smaller, because ver 3 has a minor bug, it keeps trying to connect!

    It's 1.45 MB as a zip, maybe that's why I couldn't get it to post ... ?

    John :)
     
  14. WhitPhil

    WhitPhil Gone but never forgotten Trusted Advisor

    Joined:
    Oct 4, 2000
    Messages:
    8,684
    The latest version is 4.5.0538.
     
  15. john1

    john1

    Joined:
    Nov 25, 2000
    Messages:
    8,994
Short URL to this thread: https://techguy.org/219046