Tech Support Guy forum thread

Post #1 · Discussion Starter (Registered, 8 Posts)
Hi

I want to do a search on my hard drive for all files that have an "unknown" creation date. Is there a freeware program that can do this? Could I use a DOS command or batch file?

Thanks
 

Post #4 · Discussion Starter (Registered, 8 Posts)
I believe that I have a keylogger (or something similar installed) that has been written into my Win98se operating system. I had one before that could not be found by an antivirus (or spyware) remover. I was able to discover and remove it by the fact it altered the creation date properties. I have tested this by extracting a copy of my kernel32.dll file from disc and viewing the creation date. As long as the file isn't used by my operating system the date is shown. Once I replace the kernel32.dll file with the one I extract, the file properties change to show an "unknown" creation date.

I removed the previous keylogger by finding all files with an "unknown" creation date, extracting the disc versions, booting to DOS, rebuilding the MBR and copying the extracted files to their respective directories.

I was hoping there was a freeware program that would find files by creation date because finding them previously (by right clicking file by file and writing their names on paper) was a major undertaking of time and energy (several days).

So if you can find a program that could assist me, it would be greatly appreciated.

Thanks
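The search the original poster is doing by hand (right-clicking file by file and noting which ones show an "Unknown" creation date) can be scripted. The following is an added example written for this thread, not a tool mentioned by any participant. It walks a directory tree, reads each file's creation timestamp and sorts files into "unknown creation date" and "date shown" buckets. Assumptions: it is run with a modern Python from a machine that can read the Win98 volume (Windows reports creation time in st_ctime, or st_birthtime on Python 3.12+; on Linux st_ctime is the inode change time, so the classifier only means something on the Windows side); a FILETIME of zero is what Windows stores when no creation date was recorded, and Python converts that to the negative Unix time constant below, so any non-positive timestamp is treated as unknown. The SAMPLE list is constructed to mirror the startup list posted later in the thread and is not real stat output.

```python
import os
import sys

# A zero FILETIME ("no creation date recorded", shown as "Unknown" in the Win98
# Properties dialog) converts to this negative Unix time. Assumption about the
# conversion; any non-positive value is treated as unknown below.
ZERO_FILETIME_AS_UNIX = -11644473600.0


def is_unknown_creation(ctime):
    """True if the creation timestamp is missing (zero FILETIME or Unix epoch)."""
    return ctime is None or ctime <= 0


def creation_time(st):
    """Creation time from a stat result: st_birthtime where available (Python 3.12+
    on Windows), otherwise st_ctime (creation time on Windows, change time on POSIX)."""
    return getattr(st, "st_birthtime", st.st_ctime)


def classify_entries(entries):
    """entries: iterable of (path, ctime). Returns (unknown_list, dated_list)."""
    unknown, dated = [], []
    for path, ctime in entries:
        (unknown if is_unknown_creation(ctime) else dated).append((path, ctime))
    return unknown, dated


def scan_tree(root):
    """Walk root and yield (path, creation_time) for every regular file."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # locked or vanished while scanning; skip rather than abort
            yield path, creation_time(st)


def format_report(unknown, dated):
    lines = [f"{len(unknown)} file(s) with unknown creation date:"]
    lines += [f"  {path}" for path, _ in sorted(unknown)]
    lines.append(f"{len(dated)} file(s) with a creation date shown")
    return "\n".join(lines)


# Constructed sample (not real stat data) mirroring the startup list in the thread.
SAMPLE = [
    (r"C:\WINDOWS\SYSTEM\KERNEL32.DLL", ZERO_FILETIME_AS_UNIX),
    (r"C:\WINDOWS\SYSTEM\MSGSRV32.EXE", 0.0),
    (r"C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE", 1081393094.0),
    (r"C:\WINDOWS\EXPLORER.EXE", 925000000.0),
]

if __name__ == "__main__":
    # Usage: python find_unknown_ctime.py C:\WINDOWS   (no argument: run on SAMPLE)
    root = sys.argv[1] if len(sys.argv) > 1 else None
    entries = scan_tree(root) if root else SAMPLE
    print(format_report(*classify_entries(entries)))
```

A missing creation date on its own is weak evidence: FAT directory entries written by older tools, or copies made by DOS utilities that predate the creation-time field, legitimately carry no creation date. The list is a starting point for the integrity comparison against the install media, not a verdict.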
 

Post #6 · Discussion Starter (Registered, 8 Posts)
Here is the log that was created by HijackThis. I should note though that I believe the keylogger has integrated into the operating system itself.

Logfile of HijackThis v1.97.7
Scan saved at 3:28:46 PM, on 4/10/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.altavista.com/

O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINDOWS\DOWNLO~1\ALTAVI~1.DLL

O3 - Toolbar: AltaVista Toolbar - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINDOWS\DOWNLO~1\ALTAVI~1.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe

O4 - HKLM\..\Run: [IrMon] IrMon.exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE

O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: AltaVista Search - file://C:\Program Files\ALTAVISTA Toolbar\Cache\SelectedContextSearch.htm

O8 - Extra context menu item: Translate - file://C:\Program Files\ALTAVISTA Toolbar\Cache\SelectedContextTranslation.htm

O9 - Extra button: Yahoo! Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38084.779849537

O16 - DPF: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} (AltaVista Toolbar) - http://toolbar.altavista.com/static/toolbar/altavista.cab?r=1081393094
 

Reply · Gone but never forgotten (9,283 Posts)
Nothing obvious!

Does Sygate detect outbound attempts to connect to the network? I would "assume" that if you have a keylogger installed, it would eventually want to "call home" with its results.

You can also try this online check, and see if it finds anything.

If kernel32 really is being modified, then its size will be different than the standard one. Have you noticed a size difference? Also, in general, or a couple of examples, what other files are you finding with unknown creation dates that you were replacing?
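The size comparison suggested above is a useful first check but not a sufficient one: a file can be altered in place without its length changing. The example below is added here and is not code from anyone in the thread; it compares each installed file with the known-good copy the poster extracts from the install disc, first by size and then by SHA-256, and reports the distinction. The demo builds four constructed files in a temporary directory (one identical, one patched at the same size, one of different size, one missing) so it runs offline; the real paths (the installed C:\WINDOWS\SYSTEM and a folder of extracted originals) are assumptions passed on the command line.

```python
import hashlib
import os
import sys
import tempfile


def sha256_of(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large DLLs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def compare_to_baseline(installed, baseline):
    """Size and hash verdicts for one installed file against its known-good copy."""
    s_i, s_b = os.path.getsize(installed), os.path.getsize(baseline)
    h_i, h_b = sha256_of(installed), sha256_of(baseline)
    return {"size_match": s_i == s_b, "hash_match": h_i == h_b,
            "installed_size": s_i, "baseline_size": s_b,
            "installed_sha256": h_i, "baseline_sha256": h_b}


def verdict(v):
    if v["hash_match"]:
        return "ok"
    return "modified, same size" if v["size_match"] else "modified, size differs"


def compare_tree(installed_root, baseline_root):
    """For every file under baseline_root, check the same relative path under installed_root."""
    findings = {}
    for dirpath, _dirs, files in os.walk(baseline_root):
        for name in files:
            base = os.path.join(dirpath, name)
            rel = os.path.relpath(base, baseline_root)
            inst = os.path.join(installed_root, rel)
            if not os.path.exists(inst):
                findings[rel] = "missing"
                continue
            findings[rel] = verdict(compare_to_baseline(inst, base))
    return findings


def demo():
    """Constructed scenario: shows why size alone is not enough."""
    with tempfile.TemporaryDirectory() as d:
        installed, baseline = os.path.join(d, "installed"), os.path.join(d, "baseline")
        os.makedirs(installed)
        os.makedirs(baseline)
        data = bytes(range(256)) * 64  # 16 KiB of constructed file content

        def write(root, name, content):
            with open(os.path.join(root, name), "wb") as f:
                f.write(content)

        write(baseline, "kernel32.dll", data)
        write(installed, "kernel32.dll", data[:100] + b"\x00" + data[101:])  # one byte changed
        write(baseline, "user32.dll", data)
        write(installed, "user32.dll", data)                                  # identical
        write(baseline, "gdi32.dll", data)
        write(installed, "gdi32.dll", data + b"\x90" * 16)                    # grown
        write(baseline, "advapi32.dll", data)                                 # no installed copy
        return compare_tree(installed, baseline)


if __name__ == "__main__":
    # Usage: python compare_baseline.py C:\WINDOWS\SYSTEM D:\extracted_originals
    if len(sys.argv) == 3:
        findings = compare_tree(sys.argv[1], sys.argv[2])
    else:
        findings = demo()
    for rel, result in sorted(findings.items()):
        print(f"{result:24} {rel}")
```

The comparison has to be run against a copy of the installed file taken while the system is not booted from it (the poster already does this from DOS), since an in-use kernel32.dll cannot be opened for reading the same way; a version mismatch between the install CAB and an update pack also shows up as "modified", so a differing file means "verify against the matching update", not automatically "tampered".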
 

Post #8 · Discussion Starter (Registered, 8 Posts)
Sygate does catch numerous attempts to connect using various protocols, but it does not state the program making the attempt to connect. However, I downloaded a program that monitors network activity, and it shows a connection to an IP address not listed in the Sygate logs. This IP address is contacted each time I open a connection to the internet. I have tried configuring Sygate to block all contact with this IP address but it seems to not be stopping it.

This is from the logs of the IP monitoring program.

247 52.18790640 Iexplore 02930018 TDI_SEND_DATAGRAM UDP:0.0.0.0:1676 24.226.10.193:53 SUCCESS Length:30

359 87.21951840 Msimn 0298001D TDI_SEND_DATAGRAM UDP:0.0.0.0:1681 24.226.10.193:53 SUCCESS-361 Length:31

403 126.93752480 Ypager 029A0000 TDI_SEND_DATAGRAM UDP:0.0.0.0:1683 24.226.10.193:53 SUCCESS-407 Length:35

Note the same IP address being contacted by various programs. This IP address does not appear in the Sygate logs.

Also: All other windows processes running show the modified date.
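A small parser for the monitor lines quoted above, added here as an example and not part of the thread. It groups datagrams by remote endpoint, lists which programs reached each one and labels the destination port. The labelling matters for triage: port 53/UDP is the DNS service port, so one address reached by the browser, the mail client and the messenger, every time a connection is opened, is exactly what a configured DNS resolver looks like, and the first check is to compare that address with the DNS server in the dial-up or TCP/IP settings. Endpoints on ports outside the table are the ones worth a closer look. The WELL_KNOWN_PORTS table, the line format assumed by the regular expression and the sample lines (copied from the post) are my constructed inputs.

```python
import re

# Copy of the three monitor lines quoted in the post, used as sample input.
SAMPLE_LOG = """\
247 52.18790640 Iexplore 02930018 TDI_SEND_DATAGRAM UDP:0.0.0.0:1676 24.226.10.193:53 SUCCESS Length:30
359 87.21951840 Msimn 0298001D TDI_SEND_DATAGRAM UDP:0.0.0.0:1681 24.226.10.193:53 SUCCESS-361 Length:31
403 126.93752480 Ypager 029A0000 TDI_SEND_DATAGRAM UDP:0.0.0.0:1683 24.226.10.193:53 SUCCESS-407 Length:35
"""

# Ports a home PC of that era talks to routinely; anything else is reported as "unlisted".
WELL_KNOWN_PORTS = {53: "DNS", 80: "HTTP", 443: "HTTPS", 110: "POP3", 25: "SMTP", 123: "NTP"}

# Assumed field layout: seq time process handle operation LOCAL REMOTE result Length:n
LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>[\d.]+)\s+(?P<process>\S+)\s+(?P<handle>[0-9A-Fa-f]+)\s+"
    r"(?P<op>\S+)\s+(?P<proto>TCP|UDP):(?P<laddr>[\d.]+):(?P<lport>\d+)\s+"
    r"(?P<raddr>[\d.]+):(?P<rport>\d+)\s+(?P<result>\S+)\s+Length:(?P<length>\d+)\s*$"
)


def parse_line(line):
    """One monitor line -> dict of typed fields, or None if it does not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("seq", "lport", "rport", "length"):
        rec[key] = int(rec[key])
    rec["time"] = float(rec["time"])
    return rec


def summarize(text):
    """Group records by remote endpoint: which programs hit it, how often, which service."""
    summary = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # header or unrelated line; ignore
        key = f"{rec['proto']}/{rec['raddr']}:{rec['rport']}"
        entry = summary.setdefault(key, {
            "processes": set(), "count": 0,
            "service": WELL_KNOWN_PORTS.get(rec["rport"], "unlisted"),
        })
        entry["processes"].add(rec["process"])
        entry["count"] += 1
    return summary


def unlisted_endpoints(summary):
    """Endpoints on ports outside the well-known table: the ones to investigate first."""
    return sorted(k for k, v in summary.items() if v["service"] == "unlisted")


def report(summary):
    lines = []
    for key, v in sorted(summary.items()):
        procs = ", ".join(sorted(v["processes"]))
        lines.append(f"{key:28} {v['service']:9} {v['count']:3} datagram(s) from {procs}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG)))
```

For a real capture, paste the whole monitor log into SAMPLE_LOG or read it from a file; the value is in the endpoints that remain once DNS, mail and web traffic are accounted for, and in any program name that has no business sending anything at all.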
 

Post #11 · Discussion Starter (Registered, 8 Posts)
I looked up the IP address that I provided earlier. It is definitely Cogeco but it's not a lookup service. It's a subscriber.

I am running Win98SE w/all updates and patches, P150MMX w/32 MB of RAM. I have Sygate Personal Firewall and Avast Anti Virus. I've installed Hijack This, Process Explorer, SpyBot, AdAware, File Monitor, and a Network Monitor (name unknown).

I have no idea how the keylogger is on my system but I am convinced that I have one from the random connects that keep occurring. Too many connects have been able to walk past the firewall and I encounter too many unexplained windows "hiccups" (windows opening and closing right before my eyes, sudden unexplained disc activity, extremely slow program opening and then suddenly fine).

So if anyone knows of a program that can search for a file by the creation date - please post it here. You would certainly save me a lot of time.
 

Reply · Gone but never forgotten (9,283 Posts)
You may want to "temporarily" install ZoneAlarm which will detect and stop outbound connections. If you do decide to do this, note the UNinstall instructions on the ZA website.

There is one other app that you can stop from running. That is C:\WINDOWS\SYSTEM\RPCSS.EXE.

It "could" be generating connections. Positive, but innocuous.

You can either just rename the file or run Regedit and in the key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
look for the string: EnableRemoteConnect, and give it a value of N.
 

Reply · Registered (9,108 Posts)
Hi,

That's just what I was posting, Whitphil, but I was trying to post a zip of ZA ver 2, which is smaller, because ver 3 has a minor bug: it keeps trying to connect!

It's 1.45 MB as a zip, maybe that's why I couldn't get it to post ... ?

John :)
 

Post #17 · Discussion Starter (Registered, 8 Posts)
I tried to set the "Enable Remote Connect" to "N" but it was already defaulted there. I haven't tried the Zonealarm because it lacks many of the features of Sygate Personal Firewall. As a whole, do you consider Zonealarm a better firewall? Because these connects are walking right past Sygate. The Sygate graph shows network activity but if you check the logs, it lists nothing. I have cleared all logs, left the computer connected (without any open programs) and watched activity (without being logged).

Thanks for all the suggestions. I wish someone had written a program to search for files using the "created" value. It would make my next job much simpler.

BTW: I posted earlier about a bootlog startup error - missing Logitech mouse driver. I located this driver, installed it, saw no noticeable change, but it runs just fine without the error showing up. Thank you to whomever stated it was a Logitech mouse driver.
 

Reply · Registered (4,733 Posts)
What is a "better" firewall or AV program is a very subjective thing. IF it works and blocks attempts to enter or leave your computer, it's GREAT!! IF it lets things in and out, it's CRAP. There doesn't seem to be an in-between area in opinions.

That said, I would follow WhitPhil's advice and try installing Zone Alarm and see what it flags as trying to get in or out of your computer. Frequently a firewall alert is the first indication you may have a bug.
 

Post #19 · Discussion Starter (Registered, 8 Posts)
I currently have 13 running tasks at startup. They are as follows:

1. kernel32.dll - Unknown creation date
2. msgsrv32.exe - Unknown creation date
3. mprexe.exe - Unknown creation date
4. mmtask.tsk - Unknown creation date
5. smc.exe - Date shown
6. ashserv.exe - Date shown
7. explorer.exe - Date shown
8. taskmon.exe - Unknown creation date
9. systray.exe - Unknown creation date
10. rpcss.exe - Unknown creation date
11. wmiexe.exe - Unknown creation date
12. pstores.exe - Unknown creation date
13. ddhelp.exe - Date shown

If these files haven't been altered, why the loss of dates? Why would a file extracted from the install disc hold its date until it is booted from?
 

Reply · Registered (9,108 Posts)
I have not found anything that will get past ZA. ZA does not only tell you that something is trying to get out, it will tell you what it's called.

So you can do something about it, like allow it, if it's your browser.

Or not allow it if it's Windows Media Player, or a mouse driver trying to phone home.
 