Windows XP: How to find the files with 2 characters only?

4

Recently I found a back door on my laptop. It was generating many files with random names of only 2-3 characters. Most of them are empty. How can I find files with only 1 to 3 characters generated in the last 30 days? Thanks, Arman.

Arman

Posted 2010-05-16T11:35:44.540

Reputation: 143

Answers

7

Use the search facility in Windows Explorer and use the '?' wildcard character.

Search for file names matching ?, ?? and ???. If the files have extensions, try ?.*, ??.* and ???.*.

You can also specify the created date.

If your laptop has/had a backdoor, you really should be less concerned with the files on the system and more concerned with reinstalling your laptop, as it is the only sure way to close the back door and remove any root kits.

Bryan

Posted 2010-05-16T11:35:44.540

Reputation: 1 563

+1 nuke it from orbit. It's the only way to be sure. Don't expect anti-virus software to reliably remove all today's huge range of stealthy malware. 'Cos it won't. It'll just give you a nice false sense of security. – bobince – 2010-05-16T12:42:46.537

@Bryan: The method '??' does not find the files, but I can see in windows/system32/ a file named: 'hÏ'. – Arman – 2010-05-16T13:30:19.240

@Bryan: Well, the double quotes "??" solve the problem. Maybe it depends on locales? I am using the French WinXP. – Arman – 2010-05-16T13:32:17.193

@bobince: Yes, I agree with the clean install, but it is not always possible to reinstall all packages. – Arman – 2010-05-16T13:34:27.547

@Arman: Sorry, I didn't explain that very well, don't use any quotes as part of your search string. I've removed them from my answer and used highlighting instead. – Bryan – 2010-05-16T14:04:47.220

@Bryan: Without double quotes it does the same as *, it finds all files. In my case it works only with double quotes: "??". – Arman – 2010-05-16T14:43:24.583

@Arman: See picture added for clarification. Strange how it doesn't work for you. Like you say, the difference might be down to the fact you are using the French version of WinXP? – Bryan – 2010-05-17T08:19:12.000

@Bryan: Yes, you are right: with ??.??? it works, but I would like to find only files with no extension, and without the "dot" the ?? finds all files. Could you please try ?? only on your system? What is the output? You can see the result of my search: http://picasaweb.google.de/lh/photo/UDoPqQmDwrFXXIoJRk2q7w?feat=directlink – Arman – 2010-05-17T10:12:01.360

Ah, sorry, I misunderstood you. Yes my system behaves exactly the same as yours. I also need the double quotes when searching for the files without an extension. – Bryan – 2010-05-17T12:52:28.223

2

I think that this would work:

C:\>dir /s/b ???

mgreen

Posted 2010-05-16T11:35:44.540

Reputation: 21

0

It's probably easier to find empty files generated in the last 30 days.

Go to Start menu - Search

Click "When was it modified", then select "Past month" or manually pick the dates.

Click "What size is it", then select "Specify size": at most 1 KB.

GAThrawn

Posted 2010-05-16T11:35:44.540

Reputation: 4 176

0

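Using PowerShell:

# Reference point: files created after this date are reported
$date = get-date

$olddate = $date.adddays(-30)

# Base name (name without extension) shorter than 4 characters, created in the last 30 days
get-childitem -path c:\ -Recurse | where-object {$_.basename.length -lt 4 -and $_.creationtime -gt $olddate}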

user37369

Posted 2010-05-16T11:35:44.540

Reputation: 101
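
Added example, not part of any answer above: a PowerShell function that combines the criteria from the answers (short name, creation date, empty size) and also covers hidden and system files and the extensionless case discussed in the comments. The function name Find-ShortNamedFile, its parameters and the CSV output path are assumptions chosen for illustration.

```powershell
# Added example (not from the original answers). Written for PowerShell 2.0 and later.
# $Root, $Days and $MaxNameLength are assumed defaults; adjust them for the system under review.
function Find-ShortNamedFile {
    param(
        [string]$Root = 'C:\',
        [int]$Days = 30,
        [int]$MaxNameLength = 3,
        [switch]$NoExtensionOnly   # report only names such as "ab", not "ab.txt"
    )
    $cutoff = (Get-Date).AddDays(-$Days)

    # -Force includes hidden and system files, which a plain listing skips.
    # Access-denied errors on protected folders are suppressed so the scan continues.
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $isFile = -not $_.PSIsContainer
            $short  = ($_.BaseName.Length -ge 1) -and ($_.BaseName.Length -le $MaxNameLength)
            $recent = $_.CreationTime -gt $cutoff
            $extOk  = (-not $NoExtensionOnly) -or ($_.Extension -eq '')
            $isFile -and $short -and $recent -and $extOk
        } |
        Select-Object FullName, Length, CreationTime, LastWriteTime,
            @{ Name = 'IsEmpty';    Expression = { $_.Length -eq 0 } },
            @{ Name = 'Attributes'; Expression = { $_.Attributes.ToString() } }
}

# Extensionless matches only, newest first, saved as a record for later review.
Find-ShortNamedFile -Root 'C:\' -NoExtensionOnly |
    Sort-Object CreationTime -Descending |
    Export-Csv -Path "$env:TEMP\short-named-files.csv" -NoTypeInformation
```

File timestamps can be rewritten by software running on the machine, so treat the date filter as a way to narrow the list rather than as proof of when a file appeared. Rerun with a larger -Days value, or compare LastWriteTime, if the results look incomplete.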