454 alarms, ADS Hidden Streams

Discussion in 'Trojan Defence Suite' started by toppertds, Jul 27, 2004.

Thread Status:
Not open for further replies.
  1. toppertds

    toppertds Registered Member

    Joined:
    Mar 13, 2004
    Posts:
    2
    Hi-
    TDS discovered 454 ADS Hidden Streams; all appear to be image files. The sizes range from 2000 bytes to 8000 bytes according to the TDS windows stats.
    These files are generally in the same folder. They can be images I created in Photoshop, or a folder for Windows wallpaper themes, i.e. all the JPEGs in that folder. Also images that are part of a program, i.e. the sample images that are part of an included tutorial.

    And this one, setup.bmp in the windows folder.

    This is odd about these two I randomly picked.
    Space wallpaper.jpg is 6996 bytes in the TDS window but 209 KB in the Windows file explorer window.
    Sports wallpaper.jpg is 4608 in the TDS window but 89 KB in the Windows file explorer window.
    When I right-click to see the Space wallpaper.jpg properties in the TDS bottom window, I see this in a small gray box:
    Parent 213,106 bytes,
    Stream 6996 bytes
    MX Exe: unknown (no dot between the MX and the Exe)


    One last thing.
    If these need cleaning, can I do them all at once? It appears a keyboard combination does not do multiple selections.
    And if I right-click on one of these files I see 5 choices. One is "delete stream." Will this fix the file? I also see "delete stream and host." I thought I read that the whole file has to be removed.

    Also, did I read that I should view the file in Notepad and look to see if it is a real threat? I would not know what to look for if this is an option.

    Appreciate any help with this, thanks.
     
    Last edited: Jul 27, 2004
  2. paulson

    paulson Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    25
    Location:
    South Of Germany
    Hi toppertds, welcome to the forum, please wait for the experts to answer. Though I am no expert, I'd say: no panic, do NOT delete anything right now. I think I've heard something like: "There could be a risk only under special circumstances with the ADS hidden streams". I've lots of them on my machine but never touched 'em. There will be another answer soon by someone who really has the knowledge.
    paulson
     
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi toppertds,
    Firstly, as Paulson says, "Don't panic", though I doubt you are :)
    Tassie Devil uses Photoshop a lot and I believe his answer was to go to Windows Explorer - Tools - Folder Options - Views and enable "Do not Cache Thumbnails".
    If you are at all concerned about these files, zip them up and send them to submit@diamondcs.com.au.

    I have adstream ignore any streams smaller than 90 bytes.

    HTH Pilli
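
For the question of how to judge whether a stream needs attention, an added example (not part of any post in this thread, and not TDS code): a PowerShell function that lists each file's alternate data streams with parent and stream sizes and labels each stream by its leading bytes. The folder path and the function name are hypothetical; the 90-byte minimum mirrors the threshold mentioned in the post above.

```powershell
# Added example: triage NTFS alternate data streams (ADS) under a folder.
# Assumptions: PowerShell 3.0 or later on an NTFS volume; Get-AdsTriage and
# the default path are hypothetical names chosen for illustration.
function Get-AdsTriage {
    param(
        [string]$Root = 'C:\Example\Wallpaper',  # hypothetical folder
        [int]$MinBytes = 90                      # skip streams smaller than this
    )
    # Leading-byte signatures used to label what a stream's content looks like.
    $magic = [ordered]@{
        '4D5A'     = 'PE executable (MZ)'
        'FFD8FF'   = 'JPEG image'
        '89504E47' = 'PNG image'
        '424D'     = 'BMP image'
        'D0CF11E0' = 'OLE compound file'
    }
    # PowerShell 6+ replaced "-Encoding Byte" with "-AsByteStream".
    $byteArgs = @{ Encoding = 'Byte' }
    if ($PSVersionTable.PSVersion.Major -ge 6) { $byteArgs = @{ AsByteStream = $true } }

    Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $parent = $_
        # ':$DATA' is the file's normal content; every other entry is an ADS.
        Get-Item -LiteralPath $parent.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' -and $_.Length -ge $MinBytes } |
            ForEach-Object {
                # Read only the first four bytes of the stream, never the whole thing.
                $head = Get-Content -LiteralPath $parent.FullName -Stream $_.Stream -TotalCount 4 @byteArgs
                $hex  = -join ($head | ForEach-Object { $_.ToString('X2') })
                $kind = 'unrecognised'
                foreach ($m in $magic.Keys) {
                    if ($hex.StartsWith($m)) { $kind = $magic[$m]; break }
                }
                [pscustomobject]@{
                    File        = $parent.FullName
                    Stream      = $_.Stream
                    ParentBytes = $parent.Length
                    StreamBytes = $_.Length
                    LooksLike   = $kind
                }
            }
    }
}

# Largest streams first; an executable header on an image file's stream deserves a closer look.
Get-AdsTriage | Sort-Object StreamBytes -Descending | Format-Table -AutoSize
```

The function only reads; it deletes nothing, so it can be run before deciding what to do with any stream.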
     
  4. toppertds

    toppertds Registered Member

    Joined:
    Mar 13, 2004
    Posts:
    2
    Hi-
    Thanks for responding, no panic. I think I've used them all up from other mysterious PC happenings over the years.
    BTW, I didn't see that folder option "Do not Cache Thumbnails" in Windows Explorer.
    I must have stopped the TDS-2 scan when I first posted; having now re-scanned, I found 812 alarms. I stopped the scan since it was taking a long time to complete.
    I did delete a stream on one of them, not a big deal. My Photoshop files are not original creations, they are downloaded images that were worked on in Pshop.
    But now the count is up to 812 (I stopped the scan prematurely, probably on both occasions); this looks like too many files.
    It looks like every image file on my hard drive is in the results list, including those that are part of the help files of applications I have.
     
  5. paulson

    paulson Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    25
    Location:
    South Of Germany