#1
I remember reading/hearing somewhere that in many cases, malware changes the modified/creation dates on files. Does anyone know if this is true? For example, in the "Properties" window:

audiodg.exe
Application (exe) file
Windows Audio Device Graph Isolation
Location: C:\Windows\System32
Size: 123 KB
Size on disk: 124 KB
Created: Wednesday, March 09, 2011 1:47:03 AM
Modified: Saturday, November 20, 2010 8:24:26 AM
Accessed: Wednesday, March 09, 2011 1:47:03 AM

Would audiodg.exe then be considered a suspicious file? Or is this a common occurrence?
#2
Quote:
http://www.runscanner.net/file/audiodg.exe.html
__________________
May you fly straight to heaven - but if you go to Hades - may Lethe run with Guinness
#3
Thank you, LoneWolf, but I already know that it is a valid file. I am more concerned with hijacked system files at this point. That is why I asked about the created vs. modified date; I only included audiodg as an example.
I don't want to bore anyone, so I'll leave the long story out of it. But still, is it common to have Windows\System32 files with a creation date AFTER the last modified/accessed date?
#4
Quote:
Sorry I have no idea. Hopefully someone will be by soon with an answer for you.
__________________
May you fly straight to heaven - but if you go to Hades - may Lethe run with Guinness
#5
Here is a link explaining file time stamps:
http://www.techrepublic.com/article/...indows/5034280

As the article explains, it is possible to end up with a file whose date modified is earlier than its date created. It will happen when you copy a file from one location to another. The date modified of the new file will remain the same, but the date created will be set to the system date and time when the copy was made.
#6
Ahhh... thank you very much, tomazyk. So copying the file from one location to another would most likely be the cause of a creation date after the modification date.
I looked up an item listed in my event log and found an old 2009 TechNet forum post in which someone had replied: "It is malware that has infected your BIOS. Watch searchprotocolhost.exe and searchfilter.exe Also audiodg.exe is hijacked. The same group that wrote Waledac." So I looked at the properties of those files in C:\Windows\System32 and saw that their last modified date is way before their created date. searchfilter.exe and searchprotocolhost.exe show:

Created: Tuesday, June 28, 2011, 11:24:07 PM
Modified: Wednesday, May 04, 2011, 1:19:28 AM
Accessed: Tuesday, June 28, 2011, 11:24:07 PM

and audiodg.exe shows:

Created: Wednesday, March 09, 2011 1:47:03 AM
Modified: Saturday, November 20, 2010 8:24:26 AM
Accessed: Wednesday, March 09, 2011 1:47:03 AM

Now the strange thing is that 2010 date... I did a factory restore in 2/2011 after cleaning 3 trojans off my Windows 7 x64 laptop, and it still didn't function quite right. I suspect some hidden malware somewhere on my PC, so my question is, could this be a clue as to the source? If so, then I am really in trouble, because there are HUNDREDS of files (exes and dlls) in System32 that occur within seconds/minutes of those 3 files.
Oh, one more thing. I copied and pasted the dates from the Properties panel in Windows Explorer to a Notepad file. Of course, when I saved the file, I declined saving in Unicode format and chose to save in ANSI format. When I re-opened it today, I saw this...

--------------------
Created: ?Tuesday, ?June ?28, ?2011, ??11:24:09 PM
Modified: Wednesday, ?May ?04, ?2011, ??1:19:28 AM
Accessed: Tuesday, ?June ?28, ?2011, ??11:24:09 PM
---------------------
AND
---------------------
Wednesday, ?March ?09, ?2011, ??1:47:03 AM
?Saturday, ?November ?20, ?2010, ??8:24:26 AM
?Wednesday, ?March ?09, ?2011, ??1:47:03 AM
---------------------

Now, obviously, I didn't put the question marks there, so does this indicate altered dates?
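As an added example (not code from this thread), a small Python triage script that parses Created/Modified/Accessed lines pasted from the Properties dialog, including the '?'-garbled form from the ANSI save in #6, labels files whose created date is later than their modified date as the copy/restore pattern tomazyk describes in #5, and groups creation times to show that a bulk restore leaves many files stamped within minutes of each other. The sample blocks are constructed from the values quoted above; treating the '?' characters as Explorer's U+200E left-to-right marks that an ANSI save cannot encode is an assumption.

```python
import re
from datetime import datetime, timedelta

# Explorer pads Properties-dialog dates with U+200E marks; saved as ANSI in Notepad they become '?'.
_NOISE = re.compile(r"[\u200e\u200f?]")

def parse_explorer_date(text: str) -> datetime:
    """Parse 'Wednesday, March 09, 2011 1:47:03 AM' (garbled or not; comma before the time optional)."""
    cleaned = " ".join(_NOISE.sub("", text).replace(",", " ").split())
    return datetime.strptime(cleaned, "%A %B %d %Y %I:%M:%S %p")

def parse_properties(block: str) -> dict:
    """Return {'created': dt, 'modified': dt, ...} from pasted Created:/Modified:/Accessed: lines."""
    found = re.findall(r"\??(Created|Modified|Accessed):\s*(.+)", block)
    return {label.lower(): parse_explorer_date(value) for label, value in found}

def timestamp_pattern(ts: dict) -> str:
    """Label the created/modified relationship the way a triage note would."""
    if ts["created"] > ts["modified"]:  # copy/restore: fresh creation time, 'modified' travels with the data
        return "created-after-modified (consistent with copy/restore)"
    if ts["created"] == ts["modified"]:
        return "created-equals-modified"
    return "modified-after-created (normal in-place edit)"

def created_clusters(files: dict, window: timedelta = timedelta(minutes=5)) -> list:
    """Group files whose creation times lie within `window` of the previous one: hundreds of
    System32 files created within minutes point to one bulk copy, not per-file tampering."""
    ordered = sorted(files.items(), key=lambda kv: kv[1]["created"])
    clusters, current = [], []
    for name, ts in ordered:
        if current and ts["created"] - current[-1][1]["created"] > window:
            clusters.append([n for n, _ in current])
            current = []
        current.append((name, ts))
    if current:
        clusters.append([n for n, _ in current])
    return clusters

def triage(sample: dict) -> dict:
    """Parse every pasted block, label its pattern, and report creation-time clusters."""
    parsed = {name: parse_properties(block) for name, block in sample.items()}
    return {"patterns": {n: timestamp_pattern(ts) for n, ts in parsed.items()},
            "clusters": created_clusters(parsed)}

# Constructed sample: the Properties blocks quoted in the thread, the first in ANSI-garbled form.
SAMPLE = {
    "searchfilter.exe": "Created: ?Tuesday, ?June ?28, ?2011, ??11:24:07 PM\nModified: Wednesday, ?May ?04, ?2011, ??1:19:28 AM",
    "searchprotocolhost.exe": "Created: Tuesday, June 28, 2011, 11:24:07 PM\nModified: Wednesday, May 04, 2011, 1:19:28 AM",
    "audiodg.exe": "Created: Wednesday, March 09, 2011 1:47:03 AM\nModified: Saturday, November 20, 2010 8:24:26 AM",
}
```

Running `triage(SAMPLE)` labels all three files as the copy/restore pattern and puts the two search binaries in one creation-time cluster, which is what a restore or update that rewrote System32 in one pass would look like.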
#7
Hi Jula9600,
I don't think you have to worry about those dates. I checked my audiodg.exe, and its date modified is earlier than its date created. I can't check the search files because I have Search removed from Windows. I think that the cause of all this mess with dates is the factory restore. I believe that those files got copied during the restoration and got new creation date stamps. If you are not sure about your system's safety, I suggest you scan the computer with online scanners or with HitmanPro - just to be safe. Next time you try to save a txt file, try using Unicode instead of ANSI. It is just an encoding problem of Notepad. Regards.
__________________
ESET Nod32 AV • Sandboxie • EMET • Emsisoft EK • OpenDNS • Secunia PSI • Acronis TI My security setup in detail • Always remember you're unique, just like everyone else •
#8
Quote:
Did you wipe first? If yes, what method did you use? Did you restore from media like DVDs or from a restore partition on the HDD? If it was media, was it a Windows disk or a factory image disk? Did you reuse any saved media from before the restoration: files, documents, programs?
__________________
Americans are the enemy? Mil. can arrest you? What the heck is going on?