ChangeLog: http://jpshortstuff.247fixes.com/SystemLook.txt

SystemLook will recognize the following commands (also called 'contexts' by the tool):

:dir
:file
:reg
:service
:process
:filefind
:folderfind
:regfind
:env
:assoc
:contents
:comment

==================

:dir

This command provides similar functionality to the dir command in cmd. Supply SystemLook with a list of folders after this command and the program will enumerate the contents (files and folders) of each directory given. By default, the program will not enumerate the contents of sub-folders; this is an optional action specified by additional parameters (see below). The program will show hidden/system files and folders. After each entry, SystemLook will provide you with the attributes and creation time, and for files you will also see the file size and last write/modified time.

SystemLook will allow most environment variables to be used as part of paths, so input like %userprofile%\Desktop is perfectly acceptable. The tool will accept a trailing backslash but it is not required. Quotes are not required around paths that contain spaces.

Parameters (switches):

Parameters are all optional, and are specific only to the line they are appended to. Simply add any parameters you wish to use to the end of the folder (with or without a space). Since they all start with /, SystemLook will know where the folder ends and the parameters begin.

/s or /sub
This switch directs SystemLook to enumerate the contents of any sub-folders, and subsequently their sub-folders (much like dir /s). Please be aware that this can produce both large logs and noticeably lengthened scanning times if used on folders close to the root, so be wary of things like %systemdrive%\ /s; if something like this is required, a note to your user about the increased run time may be a good idea.

/tX
This is a time filter. Specify X to be a number indicating how many days back from the current time you wish SystemLook to display files from.
SystemLook will check both the creation and last write/modified times, and will not display any files that have not been either created or modified within the last X days. Please note that only files are filtered; all folders are displayed. This allows the /t switch to be used with the /s switch.

/nS
This is a file name filter. Specify S to be a combination of characters and wildcards (* or ?) to filter files with. Please note that SystemLook will look for exact matches - if you want to check for file names that contain a certain string you must add a * wildcard on either side (for example, /ncat will display files that are called cat (no extension), /n*cat* will display files that contain the string "cat" in their name). File extensions are included in the filter, so if the extension is unknown append .* to your filter. As with the /t filter, only files are filtered; all folders are displayed. Again, this means that this switch can be used with the /s switch, as well as with the /t switch.

/wS
This switch can be used when you don't know the whole name of the folder you want to look at, or if it contains dodgy characters. Make S the name of the folder that you wish to look at, using wildcards (?, *) where necessary, and SystemLook will filter for folders that match this pattern. For example, if you have a folder that appears in a HJT log as C:\WINDOWS\FOOGAM~1, you can use the :dir command with C:\WINDOWS /wFOOGAM* to look inside it.

/nodirs
This simply directs SystemLook to omit the sub-folders from being listed. This switch is ignored if the /sub switch is used.

/md5
This instructs SystemLook to calculate the MD5 of every file it finds.
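The :dir switch rules above, worked through as an added Python example (not SystemLook's own code): it splits a :dir line into folder and switches at the first /, exactly as the text describes, then applies the /n, /t and /nodirs semantics to a constructed in-memory listing rather than a real disk.

```python
import fnmatch
import re
from datetime import datetime, timedelta

# Added example, not SystemLook's own code: parse :dir switches, then filter a listing.
SWITCH_RE = re.compile(r"/(sub|s|nodirs|md5|t\d+|n\S+|w\S+)", re.IGNORECASE)

def parse_dir_line(line):
    """Split e.g. 'C:\\WINDOWS\\system32 /n*.dll /t50' into (folder, switches).
    Windows paths never contain '/', so the first '/' starts the switches."""
    cut = line.find("/")
    folder = (line if cut < 0 else line[:cut]).strip()
    sw = {"sub": False, "nodirs": False, "md5": False, "t": None, "n": None, "w": None}
    for m in SWITCH_RE.finditer("" if cut < 0 else line[cut:]):
        tok, key = m.group(1), m.group(1).lower()
        if key in ("s", "sub"):
            sw["sub"] = True
        elif key in ("nodirs", "md5"):
            sw[key] = True
        elif key[0] == "t":
            sw["t"] = int(tok[1:])   # days back from "now"
        else:
            sw[key[0]] = tok[1:]     # /n or /w wildcard pattern
    return folder, sw

def filter_listing(entries, sw, now):
    """Folders are always listed (except /nodirs without /sub); only files are
    filtered by /n (exact, case-insensitive) and /t (created OR modified)."""
    kept = []
    for e in entries:
        if e["is_dir"]:
            if not (sw["nodirs"] and not sw["sub"]):
                kept.append(e["name"])
            continue
        if sw["n"] and not fnmatch.fnmatchcase(e["name"].lower(), sw["n"].lower()):
            continue
        if sw["t"] is not None:
            cutoff = now - timedelta(days=sw["t"])
            if e["created"] < cutoff and e["modified"] < cutoff:
                continue
        kept.append(e["name"])
    return kept

NOW = datetime(2024, 1, 31)   # constructed reference time
def make_entry(name, is_dir, created_days, modified_days):
    return {"name": name, "is_dir": is_dir, "created": NOW - timedelta(days=created_days),
            "modified": NOW - timedelta(days=modified_days)}
SAMPLE = [make_entry("drivers", True, 900, 900), make_entry("kernel32.dll", False, 900, 900),
          make_entry("wininet.dll", False, 900, 10), make_entry("sehtipsa.sys", False, 3, 3),
          make_entry("notepad.exe", False, 2, 2)]   # constructed listing
```

Running parse_dir_line on the C:\WINDOWS\system32 /n*.dll /t50 example and feeding the switches to filter_listing keeps the drivers folder (folders are never filtered) and wininet.dll (old file, recent write) while dropping kernel32.dll.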
Examples:

:dir
%systemdrive%
(Display files and folders located at the root of the drive)
%programfiles% /n*crack*
(Display all files in the Program Files folder that contain the string "crack")
C:\WINDOWS\system32 /n*.dll /t50
(Display all .dll files in the system32 folder that were created or modified in the last 50 days)
%userprofile%\My Documents /s /n*crack*
(Display all files that contain the string "crack" in My Documents and all sub-folders)

==================

:file

This command takes a list of full file paths and provides various information on each one. Again, environment variables are accepted by this command. SystemLook will first report the basic information available for any file (size, creation date, MD5, modification date, file attributes). Next, the program will attempt to report the information available only for Portable Executable files, such as the file description, company, copyright data, and other items that you can find by right-clicking a file and looking at the Version tab.

Examples:

:file
%systemroot%\notepad.exe
C:\WINDOWS\system32\drivers\sehtipsa.sys

==================

:reg

This option takes a registry key and will list its values and sub-keys, in much the same format as a registry export. By default, it won't enumerate the contents of each sub-key. If you wish to enumerate sub-keys as well, append /s or /sub to the key path (with or without a space). The hive can be in long or short form.

Examples:

:reg
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Mozilla /sub

==================

:service

This option takes a service name (not the display name), and will enumerate various information about it, namely:

Display Name
Description
Current Status
Start-up Type
Binary Name
Error Control
Group
Safeboot
Dependencies
Dependant Services

Error Control:
This represents the action taken by the operating system if the service fails to start, and can take one of four values.

Critical - Error is logged in event log.
If booting normally, system is restarted into Last Known Good Configuration (LKGC). If booting into LKGC, boot fails (i.e. the Operating System is unbootable if this service failure occurs consistently).
Ignore - Do nothing, continue booting.
Normal - Error is logged in event log and boot continues.
Severe - Error is logged in event log. If booting normally, system is restarted into Last Known Good Configuration (LKGC). If booting into LKGC, boot continues.

Safeboot:
SystemLook will check the Safeboot keys for matches with the service name or service group. Matches will be displayed, and if the match was with the group you will see (group) next to the Safeboot type.

Dependencies:
This is a list of all the services that must be running before this service may be started. If a group is listed, at least one service from that group must be running to start this service.

Dependant Services:
This is a list of all services that require this service to be running before they can be started.

Some services may require Administrative privileges to check.

Examples:

:service
NetBIOS
MalwareDriver

==================

:process

This command will take a process name and then display the full file path to that process, the MD5, and enumerate all the modules that are loaded under that process.

Examples:

:process
explorer.exe
svchost.exe

==================

:filefind

This option takes a string (wildcards permitted) and searches the computer for any file names that match that string (case insensitive). Note that this checks for exact matches. Specifying userinit will return only files that are called userinit without any extension; specify userinit.* or *userinit* to see all extensions of userinit, or to see all files that contain userinit in their name. Scan times shouldn't be too long with this command, but if you are doing a few of them it may be wise to add a note to your user.
The program will also display file size, attributes and any creation/modified dates associated with the files it finds.

Examples:

:filefind
*userinit*
(All files that contain the string "userinit")
* .exe
(All .exe files that end in a space)

==================

:folderfind

This option takes a string (wildcards permitted) and searches the computer for any folder names that match that string (case insensitive). Note that, as with :filefind, this checks for exact matches, so use wildcards for partial matches. The program will also display attributes and creation dates.

Examples:

:folderfind
*windows*
(All folders that contain the string "windows")

==================

:regfind

This option takes a string and searches the registry for any keys, values or value data that contain the string. HKCU, HKLM, HKU and HKCC are searched, and the value types included are REG_SZ, REG_MULTI_SZ and REG_EXPAND_SZ. This takes a few minutes or so to complete (depending on the machine, per string), so if you are using it (especially for multiple searches) then add a note to your user.

Examples:

:regfind
ghkjika.exe
AntiVirus2009

==================

:env

This option takes a string and expands any valid environment variables within it.

Examples:

:env
%path%
%userprofile%\Desktop

==================

:assoc

This option takes a file extension and displays the action taken when double-clicking or opening that file.

Examples:

:assoc
.txt
.exe
.vbs

==================

:contents

This option takes a file and dumps the contents of that file to the log. This is useful for suspicious .bat, .js, .vbs (etc.) files. Be careful with this as the whole file is dumped - this could give some very big logs.

Examples:

:contents
%systemroot%\cffu.bat
%programfiles%\Mozilla Firefox\{D96F1D71-4F95-443A-8AF3-541BFDBA096D}\chrome\content\overlay.xul

==================

:comment

SystemLook will ignore anything used in this context - up until the next command is specified.
Example:

:comment
Make sure you copy *all* the text in this codebox.

==================

Canned Speech:

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
* Double-click SystemLook.exe to run it.
* Copy the content of the following codebox into the main textfield:
SCRIPT
* Click the Look button to start the scan.
* When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

The same speech as BBCode for posting:

Please download [color=red][b]SystemLook[/b][/color] from one of the links below and save it to your [u]Desktop[/u].
[b][url=http://jpshortstuff.247fixes.com/SystemLook.exe][color=blue]Download Mirror #1[/color][/url]
[url=http://images.malwareremoval.com/jpshortstuff/SystemLook.exe][color=blue]Download Mirror #2[/color][/url][/b]
[list]
[*]Double-click [b]SystemLook.exe[/b] to run it.
[*]Copy the [u]content[/u] of the following codebox into the main textfield:
[code]SCRIPT[/code]
[*]Click the [b]Look[/b] button to start the scan.
[*]When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
[/list][b]Note:[/b] The log can also be found on your Desktop entitled [b]SystemLook.txt[/b]

==================