Deleting Alternate stream problem


SteeLRasH
January 25th, 2004, 07:40 AM
Hi all!
I have a problem with alternate data streams.
When I enter this command in the console
type C:\windows\notepad.exe > C:\:example.exe
then it creates notepad.exe in the root as example.exe,
and as you know it is an invisible file. When you want to run
example.exe you must enter this command in the console
start C:\:example.exe
then notepad will work,
but I am not able to delete example.exe from my disk.
In Sysinternals there is a program named streams, and it can delete ADS from files and folders but not from the C root.
Is there anyone who knows how I can delete this file?
I am looking forward to your solution to this problem ::)
Thanks a lot

Jooske
January 25th, 2004, 10:25 AM
Hi again SteeLRasH
Also not working via TDS Scan Console NTFS ADS Streams?
And deleting :example.exe doesn't work?
How about renaming it to something else which can be deleted much more easily, if that would be the problem, like
from c:\
ren :example.exe example.exe (or whatever the second name would be)
Hope it helps. With your TDS scanner you should be able to find out if any streams are left.

BTW make sure you check if notepad.exe is still there and working before you remove the example.

SteeLRasH
January 25th, 2004, 01:13 PM
Unfortunately renaming hadn't worked, I tried it.
And also neither TDS nor other stream scanners find the C:\:example.exe. I am sure if TDS detected this exe, it would delete it, but it didn't.

Jooske
January 26th, 2004, 10:57 AM
Sounds strange, then in safe mode maybe? Are there streams inside to give TDS something to detect at all?
Empty code even TDS will not detect. Have all options checked and include scanning for 0 bytes files.
Just thinking, can you move the file to another location, folder you create for it maybe so it can be deleted that way?
Few more options:
there is DelLater in the DCS free tools which might solve the problem.
Also make sure all possible entries for this example.exe are deleted from the registry if those are there at all, after which it must be possible to delete it.
Hope it works for you, any of them.

SteeLRasH
January 26th, 2004, 03:56 PM
Hi again, but still no solution ::)

Jooske, thanks for your response,
but alternate data streams can't be moved or renamed or addressed, just started via this command "start directory of stream",
so renaming, moving or the DelLater program isn't working on
these alternate data streams.
And what's more, even if we delete C:\windows\notepad.exe, our stream is still working as notepad.exe.

Thanks again for your help anyway.
If anybody knows the solution, I am always here. :)

Regards
Yigit

Bowserman
February 7th, 2004, 09:32 AM
Hi SteeLRasH. Don't know if it works, but have you seen this?

Taken from this site (http://www.heysoft.net/Frames/f_faq_ads_en.htm).

Quote: "How does somebody delete an ADS?
Let us assume you know there is a file important.exe with an ADS attached to it. The file is very important and the ADS very dangerous. You need to hold the main stream and delete the ADS. Let us assume there is no FAT drive on your network, otherwise you could move the file to this drive and then move it back again. All you need to do is:
ren important.exe temp.exe
cat temp.exe > important.exe
del temp.exe

The method above does not work when the ADS is attached to a directory. If you need to remove, for instance c:\Windows:harmful.exe without reinstalling Windows, you could use this trick. (If you use NT 5.x, you need a copy of Notepad.exe from NT 4!)
Open the ADS with Notepad:
C:\NT4Tools\Notepad.exe c:\Windows:harmful.exe
Delete the entire content of the ADS
Close Notepad. It will ask whether you want to save your changes
Answer YES
Notepad will tell you that the file is empty and that it will delete it
Now you are done, the ADS is gone."


Hope that helps,
Jade.
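
Added example, not part of the thread or the quoted FAQ: a scripted way to remove a named stream from a directory such as the drive root, using the Win32 DeleteFileW call with the same path:stream syntax that created it. The helper name Remove-NamedStream and the AddedExample namespace are made up for this sketch, the stream path is the one from the first post, and writing to C:\ may need an elevated prompt.

```powershell
# Added example (not from the thread). DeleteFileW is handed "path:stream",
# so only the named stream is removed; the file or directory itself stays.
$signature = @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool DeleteFileW(string lpFileName);
'@
$kernel32 = Add-Type -MemberDefinition $signature -Name 'AdsNative' `
    -Namespace 'AddedExample' -PassThru

function Remove-NamedStream {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $StreamPath
    )
    # Drop the drive prefix ("C:") so its colon is not read as a stream separator.
    $rest = $StreamPath -replace '^[A-Za-z]:', ''

    # Guard: the path must end in ":<name>" with a real stream name. Without
    # this check, a plain path (or "file::$DATA") would delete the whole file.
    if ($rest -notmatch ':(?<name>[^:\\/]+)$' -or $Matches['name'] -eq '$DATA') {
        throw "Refusing: '$StreamPath' does not name an alternate stream."
    }
    $name = $Matches['name']

    if (-not $kernel32::DeleteFileW($StreamPath)) {
        # Surface the Win32 error (access denied, stream not found, ...).
        $code = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw (New-Object ComponentModel.Win32Exception $code)
    }
    "Removed stream '$name' from '$StreamPath'"
}

# The stream created in the first post of this thread.
Remove-NamedStream -StreamPath 'C:\:example.exe'
```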

SteeLRasH
February 8th, 2004, 09:50 AM
Thanks Bowserman, it works. All the problems in my mind have gone, thanks to you.

The second method is working for my problem.

Bowserman
February 8th, 2004, 12:06 PM
Glad that you got it sorted SteeLRasH 8).

Regards,
Jade.