system file comctl32.dll need advice on ADS hidden stream


TDS#1
February 12th, 2005, 04:09 PM
After a full version TDS3 (latest update + db) scan, it showed:
#1
-{ Quote: "
PARENT
Path: %WINSYSDIR%\comctl32.dll size: 611328 bytes MZ Exe: DLL
STREAM
Name: 鿲summaryinformation size: 88 bytes MZ Exe: Unknown

Stream dumped to notepad: ԁȀ Ā 鿲累栐ꮑࠀ⬧동  ⠀ Ȁ Ā ᠀ €  Ȁ  ጀ ऄ
" }-
#2 : on the same file path and filename:
-{ Quote: "
PARENT
Path: %WINSYSDIR%\comctl32.dll size: 611328 bytes MZ Exe: DLL
STREAM
Name: {4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Size: 0 bytes
MZ Exe: Unknown
" }-
any help would be much appreciated. Thx.

hardhead
February 12th, 2005, 09:46 PM
Hello guest,

Let me refer you to this post here (http://www.wilderssecurity.com/showthread.php?t=20665) for help.

dvk01
February 13th, 2005, 03:13 AM
Guest

Do you have, or have you had, Kaspersky antivirus installed on the computer, as they look like Kaspersky I stream checker ADS streams?

chifeo
February 13th, 2005, 04:04 AM
-{ Quote: "Guest
Do you have, or have you had, Kaspersky antivirus installed on the computer, as they look like Kaspersky I stream checker ADS streams?" }-
Thanks, but no KAV on my box. Gave TDS3 one try deleting the stream; it came back. As in other posts, it is possible to completely delete it by running TDS in Windows safe mode. Is it something to do with that? Is there anyone having such a thing on his/her WinXP box? Besides, should that stream be deleted or not? Probably this is not a breach problem, given the small size of the stream (<128 bytes), and it came from tracking by Windows?
Thx for help.

dvk01
February 13th, 2005, 04:14 AM
in my experience that is normally an antivirus checking stream or a file protection system check

what AV do you have as several of them use the same technology now

BourgePD
February 13th, 2005, 04:18 AM
The file is part of a Windows 'common control library'. Be wary of removal.

http://www.auditmypc.com/process/comctl32.asp

http://www.liutilities.com/products/wintaskspro/dlllibrary/comctl32/

http://search.microsoft.com/search/results.aspx?st=b&na=88&View=en-us&qu=comctl32.dll

;D

dvk01
February 13th, 2005, 04:39 AM
-{ Quote: "The file is part of a Windows 'common control library'. Be wary of removal.

http://www.auditmypc.com/process/comctl32.asp

http://www.liutilities.com/products/wintaskspro/dlllibrary/comctl32/

http://search.microsoft.com/search/results.aspx?st=b&na=88&View=en-us&qu=comctl32.dll

;D" }-

Nobody is suggesting in the remotest to remove the file; that is an important part of Windows.

The poster is asking about the ADS stream attached to the file.

Jooske
February 13th, 2005, 05:06 AM
Hi there!
I googled for that long name {4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
and see it in many postings, but solutions, or what it is exactly, are not clear yet.
The easiest way, if TDS would not remove it, is to copy the file to a FAT32 location and back to its place.
TDS can run in safe mode too if you want.

dvk01
February 13th, 2005, 05:20 AM
If this is Windows 2000 rather than XP, then those streams are not removable, as they are actual Windows tracking files rather than an external tracking file.

Whichever they are, they are harmless and can be safely ignored. Set TDS to ignore ADS streams of less than 100 bytes and to ignore non-executable streams.

Jooske
February 13th, 2005, 06:06 AM
Thought it said MZ exe, which sounds like an executable?
This is why .......

BourgePD
February 13th, 2005, 06:34 AM
-{ Quote: "Nobody is suggesting in the remotest to remove the file, that is an important part of windows

The poster is asking about the ADS stream attached to the file" }-

Understood. ;)

dvk01
February 13th, 2005, 06:41 AM
-{ Quote: "Thought it said MZ exe, which sounds like an executable?
This is why ......." }-

It's very confusing, but it's NOT MZ.exe (DOT EXE), which would be an executable stream. It is just called MZ EXE, which is not an executable stream; why it was given that name I don't know.
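The two pieces of advice above (dvk01's TDS settings of ignoring streams under 100 bytes and non-executable streams, and the point that the report's "MZ Exe" label is not itself an executable check) can be turned into a small triage script. This is an added example, not code from the thread, from TDS or from DiamondCS. It parses the PARENT/STREAM record format quoted in the first post (retyped here as a constructed sample, with a readable name for the stream whose leading byte is garbled in the thread) and decides "executable" by looking for a real DOS/PE header in the dumped bytes rather than trusting the label. The function names, the StreamRecord type and the sample bytes are this example's own assumptions.

```python
"""Triage of NTFS alternate data streams (ADS) from a TDS-style report.

Added example, not code from the thread, TDS or DiamondCS. It reads the
PARENT/STREAM record format quoted in the first post and applies the policy
dvk01 describes: streams under 100 bytes and non-executable streams are
ignored. "Executable" here means a genuine DOS/PE header ('MZ' magic plus a
'PE\\0\\0' signature at e_lfanew), which is the check the "MZ Exe" label in
the report does not perform. Names and sample data are assumptions.
"""
import re
import struct
from dataclasses import dataclass
from typing import List, Optional

SIZE_THRESHOLD = 100  # bytes; the TDS setting dvk01 suggests

# Constructed sample: the two records from the first post, retyped with a
# readable stream name (the leading byte of the first name is garbled there).
SAMPLE_REPORT = """\
PARENT
Path: %WINSYSDIR%\\comctl32.dll size: 611328 bytes MZ Exe: DLL
STREAM
Name: SummaryInformation size: 88 bytes MZ Exe: Unknown
PARENT
Path: %WINSYSDIR%\\comctl32.dll size: 611328 bytes MZ Exe: DLL
STREAM
Name: {4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Size: 0 bytes
MZ Exe: Unknown
"""


@dataclass
class StreamRecord:
    parent: str                    # file the stream is attached to
    name: str                      # stream name (the part after the colon in file:name)
    size: int                      # bytes, as reported by the scanner
    data: Optional[bytes] = None   # stream contents when dumped, else None


_PATH_RE = re.compile(r"^Path:\s*(.+?)\s+size:\s*(\d+)\s*bytes", re.I)
_NAME_RE = re.compile(r"^Name:\s*(.+?)(?:\s+size:\s*(\d+)\s*bytes.*)?$", re.I)
_SIZE_RE = re.compile(r"^Size:\s*(\d+)\s*bytes", re.I)


def parse_tds_report(text: str) -> List[StreamRecord]:
    """Parse PARENT/STREAM blocks; the size may sit on the Name line or on a Size line."""
    records: List[StreamRecord] = []
    parent = ""
    for line in text.splitlines():
        line = line.strip()
        if m := _PATH_RE.match(line):
            parent = m.group(1)
        elif m := _NAME_RE.match(line):
            size = int(m.group(2)) if m.group(2) else 0
            records.append(StreamRecord(parent, m.group(1), size))
        elif (m := _SIZE_RE.match(line)) and records:
            records[-1].size = int(m.group(1))
    return records


def looks_like_pe(data: Optional[bytes]) -> bool:
    """True only for a real DOS/PE image: 'MZ' magic and 'PE\\0\\0' at e_lfanew."""
    if data is None or len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(rec: StreamRecord, threshold: int = SIZE_THRESHOLD) -> str:
    """'review' for executable content, 'ignore' below the threshold, else 'inspect'."""
    if looks_like_pe(rec.data):
        return "review"     # a PE image inside a stream deserves a look whatever its size
    size = len(rec.data) if rec.data is not None else rec.size
    if size < threshold:
        return "ignore"     # small non-executable streams: the AV / indexer tag case
    return "inspect"


def make_pe_stub() -> bytes:
    """Constructed 68-byte DOS/PE header: enough to exercise looks_like_pe, not a runnable image."""
    buf = bytearray(0x44)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)


if __name__ == "__main__":
    for rec in parse_tds_report(SAMPLE_REPORT):
        print(f"{rec.parent}:{rec.name}  {rec.size} bytes  -> {triage(rec)}")
    stub = StreamRecord("C:\\example.dll", "constructed", 0x44, make_pe_stub())
    print(f"{stub.parent}:{stub.name}  {stub.size} bytes  -> {triage(stub)}")
```

Both streams from the thread come out as "ignore": 88 and 0 bytes, no PE header. The constructed stub shows why the header check runs before the size check: it is only 68 bytes, smaller than the threshold, but carries a PE signature and is therefore reported as "review".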

Jooske
February 13th, 2005, 06:48 AM
Ah! that explains ... more or less .. ;)
But it's small and no exe so considered harmless. 8)

ding
February 13th, 2005, 01:58 PM
Seems not many Windows users really know about those kinds of stream "technology" of MS! ;-)
Looking forward to DCS lessons on this to relieve DCS's users from crossing fingers on these things.
;-)

Jooske
February 13th, 2005, 02:01 PM
http://www.diamondcs.com.au/index.php?page=archive&id=ntfs-streams