NTFS Alternate Data Stream??


RIFLEMAN
February 16th, 2004, 08:21 AM
Hello. I have used TDS for a week now and just found it wasn't scanning my entire drive, so I reconfigured it to do so. As it scans right now it has many alarms showing these NTFS Alternate Data Streams. I see a couple of email addresses that I sent mail to and also a few that I didn't. What in the heck are these things? I am pretty green when it comes to this stuff, but have suspected a problem for some time now. Is there anything in there I should be concerned about? Thanks for your time.

:43:45 Trojan Defence Suite v3.2.0 (UNLICENSED)
06:43:45 [Init] Started 16-02-04 06:43:45 Eastern Standard Time (UTC: 5), Internet Time @530.38
06:43:45 [Init] Loading TDS-3 Systems ...
06:43:45 [Init] Token successfully adjusted.
06:43:45 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
06:43:45 [Init] • Plugins : OK. Loaded 13
06:43:45 [Init] • Exec Protection : Not Installed
06:43:45 [Init] WARNING: Your Radius.TD3 database needs to be updated!
06:43:45 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
06:43:45 [Init] Licensed users can use the Update facility from the TDS menu
06:43:46 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
06:43:51 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
06:43:51 [Init] • Systems Initialised [31795 references - 11432 primaries/9084 traces/11279 variants/other]
06:43:51 [Init] Radius Systems loaded. <Databases updated 11-02-2004>
06:43:51 [Init] TDS-3 Ready. <[i]Edit Canada>
06:43:51 [Tip Of The Day] Visit the TDS-3 homepage at http://tds.diamondcs.com.au regularly to check for updates.
06:43:51 [TDS] Good morning Rifleman Working early?
06:43:55 [Mutex Memory Scan] Started...
06:43:57 [Mutex Memory Scan] Finished (no trojan mutexes found).
06:43:57 [Trace Scan] Started...
06:44:06 [Trace Scan] Finished.
06:44:06 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
06:44:24 [Trace Scan] Started...
06:44:33 [Trace Scan] Finished.
06:44:42 [Memory Scan] Memory scan started, please wait a moment ...
06:44:43 [Memory Scan] Memory scan complete.
06:59:11 [Trace Scan] Started...
06:59:21 [Trace Scan] Finished.
06:59:21 [Service\Driver Scan] Scanning for services and drivers ...
06:59:24 [Service\Driver Scan] Scanned 266 services and drivers.
06:59:24 [File Scan] Scanning in C:\WINDOWS\ ...
07:00:55 [File Scan] Scanned 1613 files: 0 alarms in 90.57813 seconds (Avg 18.81 files/sec)
07:00:55 [Scan] Finished.
07:02:38 [Trace Scan] Started...
07:02:48 [Trace Scan] Finished.
07:02:48 [Service\Driver Scan] Scanning for services and drivers ...
07:02:51 [Service\Driver Scan] Scanned 266 services and drivers.
07:02:51 [File Scan] Scanning in C:\WINDOWS\ ...
07:12:16 [File Scan] Scanned 9161 files: 0 alarms in 564.0938 seconds (Avg 17.24 files/sec)
07:12:16 [File Scan] Scanning in C:\ ...
07:12:16 [NTFS ADS] Stream found - c:\aaw.exe:SummaryInformation
07:12:17 [NTFS ADS] Stream found - c:\aaw.exe:(4c8cc155-6c1e-11d1-8e41-00c04fb9386d)
07:12:18 [NTFS ADS] Stream found - c:\lrsetup.exe:SummaryInformation
07:12:18 [NTFS ADS] Stream found - c:\lrsetup.exe:(4c8cc155-6c1e-11d1-8e41-00c04fb9386d)
07:12:18 [NTFS ADS] Stream found - c:\zasetup_37_143.exe:SummaryInformation
07:12:18 [NTFS ADS] Stream found - c:\zasetup_37_143.exe:(4c8cc155-6c1e-11d1-8e41-00c04fb9386d)
07:21:15 [Script Error] ERR: Type mismatch: 'hello' (LINE: 1 COL:0)
07:31:53 [Locked File] Couldn't open c:\recycler\qrspfaxogmtjuqjltvpaborobkqowmcmeewlajkipfqgnj\dc20.exe for read access, file is locked
07:31:54 [Locked File] Couldn't open c:\recycler\qrspfaxogmtjuqjltvpaborobkqowmcmeewlajkipfqgnj\dc64.exe for read access, file is locked
07:31:54 [Locked File] Couldn't open c:\recycler\qrspfaxogmtjuqjltvpaborobkqowmcmeewlajkipfqgnj\dc65.exe for read access, file is locked
07:31:54 [Locked File] Couldn't open c:\recycler\qrspfaxogmtjuqjltvpaborobkqowmcmeewlajkipfqgnj\dc73.exe for read access, file is locked
07:31:54 [Locked File] Couldn't open c:\recycler\qrspfaxogmtjuqjltvpaborobkqowmcmeewlajkipfqgnj\dc83.exe for read access, file is locked
07:31:54 [Locked File] Couldn't open c:\recycler\qrspfaxogmtjuqjltvpaborobkqowmcmeewlajkipfqgnj\dc84.exe for read access, file is locked
07:31:55 [NTFS ADS] Stream found - c:\recycler\s-1-5-21-1644491937-1788223648-839522115-1004\dc126.exe:SummaryInformation
07:31:55 [NTFS ADS] Stream found - c:\recycler\s-1-5-21-1644491937-1788223648-839522115-1004\dc126.exe:(4c8cc155-6c1e-11d1-8e41-00c04fb9386d)
07:31:58 [NTFS ADS] Stream found - c:\recycler\s-1-5-21-1644491937-1788223648-839522115-1004\dc214:
07:31:58 [NTFS ADS] Stream found - c:\recycler\s-1-5-21-1644491937-1788223648-839522115-1004\dc215:
07:31:58 [NTFS ADS] Stream found - c:\recycler\s-1-5-21-1644491937-1788223648-839522115-1004\dc227:
07:42:38 [File Scan] Scanned 35719 files: 11 alarms in 1821.672 seconds (Avg 20.61 files/sec)
07:42:38 [File Scan] Scanning in C:\WINDOWS\ ...
07:51:08 [File Scan] Scanned 9161 files: 11 alarms in 509.4375 seconds (Avg 18.98 files/sec)
07:51:08 [File Scan] Scanning in C:\ ...
07:51:08 [NTFS ADS] Stream found - c:\aaw.exe:SummaryInformation
07:51:08 [NTFS ADS] Stream found - c:\aaw.exe:(4c8cc155-6c1e-11d1-8e41-00c04fb9386d)
07:51:09 [NTFS ADS] Stream found - c:\lrsetup.exe:SummaryInformation
07:51:09 [NTFS ADS] Stream found - c:\lrsetup.exe:(4c8cc155-6c1e-11d1-8e41-00c04fb9386d)
07:51:09 [NTFS ADS] Stream found - c:\zasetup_37_143.exe:SummaryInformation
07:51:09 [NTFS ADS] Stream found - c:\zasetup_37_143.exe:(4c8cc155-6c1e-11d1-8e41-00c04fb9386d)
08:01:16 [TDS] Good morning Robert.
08:10:53 [Locked File] Couldn't open c:\recycler\qrspfaxogmtjuqjltvpaborobkqowmcmeewlajkipfqgnj\dc20.exe for read access, file is locked
08:10:54 [Locked File] Couldn't open c:\recycler\qrspfaxogmtjuqjltvpaborobkqowmcmeewlajkipfqgnj\dc64.exe for read access, file is locked
08:10:54 [Locked File] Couldn't open c:\recycler\qrspfaxogmtjuqjltvpaborobkqowmcmeewlajkipfqgnj\dc65.exe for read access, file is locked
08:10:54 [Locked File] Couldn't open c:\recycler\qrspfaxogmtjuqjltvpaborobkqowmcmeewlajkipfqgnj\dc73.exe for read access, file is locked
08:10:54 [Locked File] Couldn't open c:\recycler\qrspfaxogmtjuqjltvpaborobkqowmcmeewlajkipfqgnj\dc83.exe for read access, file is locked
08:10:54 [Locked File] Couldn't open c:\recycler\qrspfaxogmtjuqjltvpaborobkqowmcmeewlajkipfqgnj\dc84.exe for read access, file is locked
08:10:55 [NTFS ADS] Stream found - c:\recycler\s-1-5-21-1644491937-1788223648-839522115-1004\dc126.exe:SummaryInformation
08:10:55 [NTFS ADS] Stream found - c:\recycler\s-1-5-21-1644491937-1788223648-839522115-1004\dc126.exe:(4c8cc155-6c1e-11d1-8e41-00c04fb9386d)
08:10:59 [NTFS ADS] Stream found - c:\recycler\s-1-5-21-1644491937-1788223648-839522115-1004\dc214:
08:10:59 [NTFS ADS] Stream found - c:\recycler\s-1-5-21-1644491937-1788223648-839522115-1004\dc215:
08:10:59 [NTFS ADS] Stream found - c:\recycler\s-1-5-21-1644491937-1788223648-839522115-1004\dc227:
08:21:52 [File Scan] Scanned 35853 files: 22 alarms in 1843.984 seconds (Avg 20.44 files/sec)
08:21:52 [Scan] Finished.
08:25:01 [Screen Text] Saved to C:\Program Files\TDS3\scr0.txt
r perusal and some help? Thanks for the time.

Trojan scientist
February 16th, 2004, 08:48 AM
NTFS data streams usually aren't anything to worry about, but there is a possibility for trojans to use this space to camp out in.

-{ Quote: "An NTFS file always includes a default data stream, the $DATA stream, which includes the file's content. Every NTFS file can also have alternate data streams that, as you mention in your question, Windows Explorer can't see and that attackers can therefore use to hide malicious information or code on your system.

The reason Microsoft included the alternate data stream capabilities in the NTFS was to enable a Windows NT system to act as a file server for Macintosh clients. The Mac OS uses a similar feature, resource forks, to store file metadata (e.g., date and time information).

These alternate data streams cannot be removed, unless the parent file or directory is destroyed.

ADS also has other uses.
As just one example, you could store a thumbnail image of a picture in a stream and even an audio track,
allowing a single file to have several multimedia components.
Some anti-virus programs store checksums in a stream under every file on your disk." }-


I'll let the real pros here dissect your logs, but to me it looks like it's finding streams from files in the recycle bin, if that's what your recycler actually is. Did you send your files to the bin afterwards and not empty them??

Someone should also edit out your real IP from your TDS logs, just for safety's sake. ;D And you should update your Radius file ASAP. ;D



Also try these threads, full of great info on this subject:

http://www.wilderssecurity.com/showthread.php?t=21276

http://www.wilderssecurity.com/showthread.php?t=20665

Hope that helps a little. 8)

Pilli
February 16th, 2004, 09:01 AM
I have edited the IP etc.
ADS streams are usually not a threat providing they are under 128 bytes in size; many images carry small data streams of around 88 bytes.

HTH Pilli

RIFLEMAN
February 16th, 2004, 09:41 AM
Thanks Pilli - I never even saw my IP. I would love to get my hands on the author of the trojan I got a few weeks ago. He has caused me much aggravation and I don't feel secure anymore. I hope the streams are all OK and think I will just keep my stuff updated and forget about the rest. I have very little data of value to a hacker - just my bandwidth.

Pilli
February 17th, 2004, 06:54 AM
-{ Quote: "I have very little data of value to a hacker - just my bandwidth." }-

Sometimes that is all they want; so many DDoS attacks on reputable companies, no more than blackmail IMHO.

I assume you have cleaned out any spyware and other nasties with AdAware or Spybot Search & Destroy?

Also check out Javacool's tools lower down the forums here.

Best of luck with your cleanup. Pilli

FanJ
February 17th, 2004, 07:22 AM
Maybe it is also a good idea to delete all those email addresses from the TDS log?
I don't know whether they are real or not...

RIFLEMAN
February 17th, 2004, 09:04 AM
Thanks guys. I have run every program under the sun and they all say I am clean so I guess I must be. I have been online for 2 years now and never had a virus or trojan. Not even popup ads were a problem. Then one click at the wrong site ruined my feeling of security online.

Pilli
February 17th, 2004, 09:19 AM
-{ Quote: "Then one click at the wrong site ruined my feeling of security online. " }-

If you want to be sure that you are clean, Port Explorer will show you what connects in and out of your PC.

For another layer of protection try Process Guard; it will stop many keyloggers & most rootkits dead. :) It also prevents any of your security programmes, such as your AV / AT and firewall, from being terminated.

Also try some of DCS's free tools such as Advanced Process Manipulation, Autostart Viewer etc.
http://www.diamondcs.com.au/index.php?page=products

Have fun. Pilli

gkweb
February 17th, 2004, 12:08 PM
First time I have this too, nothing to worry about?
I just remember having done a defragmentation just before with PerfectDisk (both Smart and Offline); I think it can be related to it.

Any thoughts?

Pilli
February 17th, 2004, 12:17 PM
What is KAVICHS? Looks like a check file of some sort. I remember that one of the AVs used a thing like that appended to every file as a sort of checksum so that it took a lot less time to do a full scan.
Just guessing, but could it be defragmenter related?

gkweb
February 17th, 2004, 12:24 PM
Indeed, I also did a full system AV scan (NAV2004) and a defragmentation just before; could be a clue, maybe DCS will have an idea?

Anyway, thanks for replying to my 2 posts so quickly Pilli, you have just earned a karma cookie ;)

Pilli
February 17th, 2004, 12:28 PM
Yum, I love the French ones! ;D

Jooske
February 18th, 2004, 02:55 AM
French karma cookies of real butter? Ahhh!

If you read Czech (?) here is some explanation from which I think I understand those KAVICHS are part of the KAV program: here (http://216.239.59.104/search?q=cache:8uzHXpO98nIJ:www.virusy.sk/clanok.ltc%3FID%3D468+KAVICHS+ntfs&hl=nl&ie=UTF-8)
But if you don't use KAV, I don't know. I remember this stream name was mentioned before in another thread, but now searching where?

gkweb
February 18th, 2004, 04:25 AM
I have tested KAV indeed, so maybe it is due to that.
I am going to read your link Jooske :)

EDIT: lol, unreadable!

Gavin - DiamondCS
February 19th, 2004, 02:12 AM
KAV Inspector? This speeds up scans by making CRC checks and not scanning unchanged files. A nice place to store a checksum would be in a stream.

Easiest solution is to use the stream options (in Scan Control) to ignore streams smaller than 256 bytes :)

gkweb
February 19th, 2004, 07:26 PM
Thanks for the tip Gavin :)

But I have streams up to 228 bytes; would it be safe, I mean totally safe, to ignore streams under 228 bytes?

Anyway, does a tool exist to clean those streams which are useless now?

Gavin - DiamondCS
February 20th, 2004, 01:57 AM
Whoops! :)
256 bytes should be fine; if you were to have a danger in a stream it would more likely be 90KB rather than so small :)

Pilli
February 20th, 2004, 02:11 AM
-{ Quote: "Anyway, does a tool exist to clean those streams which are useless now?" }-

Hi GK, there are two ways that I know of.
1. Delete with TDS manually
2. Transfer the files to a non-NTFS partition and then transfer them back. I did this some years ago when I had thousands left by an AV I had tested :(

A long while ago someone mentioned a tool for doing this, but you will have to Google for it.

It is not the most rewarding job I can tell you! :irony: ;D
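An added example (editor's note, not code from this thread, from TDS or from DiamondCS) that does the two things Gavin and Pilli describe with PowerShell's built-in NTFS stream support: list every alternate data stream under a folder, flag anything at or above the 256-byte threshold for review, and remove only streams whose names you pass in explicitly. The root path, threshold and the `KAVICHS` stream name used in the comments are assumptions, and it needs Windows PowerShell 3 or later on an NTFS volume.

```powershell
# Added example, not part of the original thread. Windows PowerShell 3+ on NTFS.
# Lists alternate data streams under a folder, flags those at or above a byte
# threshold, and (only with -Remove) deletes the named streams you pass in.
param(
    [string]$Root = 'C:\',          # assumption: folder to inspect
    [int]$Threshold = 256,          # the ignore-below size suggested in the thread
    [string[]]$RemoveStream = @(),  # e.g. 'KAVICHS' (stream name assumed from the thread)
    [switch]$Remove
)

# Collect every stream of every file; ':$DATA' is the file's own content, not an ADS
$hits = Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' }
    }

# Report: small streams (checksums, SummaryInformation) vs. ones worth a look
foreach ($s in $hits) {
    [pscustomobject]@{
        Flag   = if ($s.Length -ge $Threshold) { 'REVIEW' } else { 'small' }
        Bytes  = $s.Length
        File   = $s.FileName
        Stream = $s.Stream
    }
}

# Cleanup: remove only streams whose name is on the list, never the file itself
if ($Remove) {
    foreach ($s in $hits | Where-Object { $RemoveStream -contains $_.Stream }) {
        Remove-Item -LiteralPath $s.FileName -Stream $s.Stream -ErrorAction Stop
        "removed {0}:{1}" -f $s.FileName, $s.Stream
    }
}
```

Run it without -Remove first and sort the output by Bytes; a stream named like a vendor checksum and only a few dozen bytes long is the benign case the thread describes, while a large stream on an unexpected file is what deserves a closer look before anything is deleted.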

gkweb
February 20th, 2004, 05:36 AM
Thank you Gavin and Pilli :)