Kaspersky stuff infiltrated my system.

Discussion in 'other anti-virus software' started by Kobra, May 20, 2004.

Thread Status:
Not open for further replies.
  1. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Could you give version numbers of other dll files too? Like KAVSS.exe, KAVSS.DLL and so on...

    Regards,
    Firecat
     
  2. Grumble

    Grumble Registered Member

    Joined:
    Apr 25, 2004
    Posts:
    185
    Location:
    the sunshine state
    Hi Firecat, I can't find any KAVSS files or AVPSS files, but there are two I/O drivers, AVP_IO32.DLL and AVP_IONT.DLL, identified as File Version 5.0.0.0.

    Other than that, there are some AVK DLLs with a 15. series of numbers, and none of them are AVKSS, so maybe a direct comparison with a genuine original KAV version is not feasible.
     
  3. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    So engine version seems to be 5 and bases handling DLL seems to come from KAV 6.0 prototypes.
     
  4. Grumble

    Grumble Registered Member

    Joined:
    Apr 25, 2004
    Posts:
    185
    Location:
    the sunshine state
    Thanks Firecat, that sounds like a reasonable analysis to me.
     
  5. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Big C,

    You say you have found removal of the ADS streams to be simple? I tried Kaspersky 5. I loved the program right up until I uninstalled it and found that it did not remove the ADS entries. No flame intended, but in my mind, uninstall means to return the computer to the same basic state it was in before installation.

    The ADS entries may cause great harm for my system owing to the fact that one of my security programs reports them as problems but cannot delete them.

    Interestingly I was running the trial version of TDS3 and it did not detect the ADS stream values with either the ADS streams, or the ADS hidden options selected. So much for removal using TDS3.

    I was frustrated in my attempts to find out much about the ADS stream changes. Most of what I found was outdated. My thoughts are these: If the ADS changes by Kaspersky could be removed easily, would that make the AV vulnerable to simply having the values recopied by a virus to give the appearance that all was well? Does TDS3 recognize the entries as friend and not foe, so does not report them? I sort of doubt that. I would condemn the practice if true.

    I haven't tried that much to correct the situation, and I don't even regard it as a problem except that I don't know what is going on or why. Could it be that it would simply take as long as a full scan for KAV to remove the ADS changes? I am a little annoyed that whatever the case I will be finding out after the fact. I do understand that any attempt to advise the potential trial users would probably scare a lot of people off. The (I think) simple solution would be to make that feature optional. But again, if not using the option dramatically changes the performance (which it would) Kaspersky would lose again.

    Back to the old drawing board.


    - HandsOff


    P.S. I downloaded the trial a while back. Recently reading about it inspired me to install and try it. I cannot give the exact version number because I did sort of...well...Okay, I panicked! When I saw all the ADS streams pop out of nowhere, not knowing any better, I immediately shut down, went to safe mode and uninstalled and deleted every trace of the program. Well, anyway, no harm done, I guess.
     
  6. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Just for the record, when I tried Streams, by Sysinternals, it could not find the streams either.

    They are still there. I can view the contents of them with another program.

    If I can't get rid of them it is most definitely a problem. I still don't get it, TDS3 and Streams can't even 'see' them o_O



    - HandsOff
     
  7. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    HandsOff, I use an uninstaller to monitor many of my installs and I can tell from my experience no program removes everything when uninstalling, so that's not different from all the rest; actually Norton is one of the worst offenders in this regard. ;)
    That's because you didn't configure it correctly. TDS-3 has a default of 128kb, I believe; anything smaller is not detected, and Kav's are smaller. But it's a pain to remove 40000 ADS with TDS-3. :D
    The ADS aren't even visible when Kav is installed and are only "easily removed" when Kav is uninstalled. The ADS are put there by Kav to monitor what files have changed or not, not vice versa. Don't you think that if it was possible for a virus "to simply having the values recopied by a virus to give the appearance that all was well", that we would have heard from Secunia etc.?
    No, if you use a utility like ADS Spy and/or NTFS Streams Eraser it actually won't take much more than a minute.
    If we are talking Kav Personal, then it has been possible since 5.0.227 to disable iStreams during the install, and in Pro in the options.
    Well, actually that's not what I have seen while using it since it was released (and in the beta phase too) and installing/uninstalling too many times to remember; even without iStreams (ADS) installed it's still faster than 4.5 on-demand and with less drag on the system. :)
     
  8. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    "The ADS aren't even visible when Kav is installed and are only "easily removed" when Kav is uninstalled. " DP

    I'm not sure how to interpret this, as all ADS streams are invisible to Windows XP and require special tools to view them, unless I am mistaken.



    "The ADS are put there by Kav to monitor what files have change or not, not vice versa. Don't you think that if it was possible for a virus "to simply having the values recopied by a virus to give the appearance that all was well", that we would have heard from Secunia etc." -DP

    Yes, I understand that KAV uses them to monitor. What I don't understand is why a virus could not just copy the fingerprint and overwrite it. I was not saying that this can be done. What I meant was something done that prevents overwriting them, and is that why I am having problems trying to remove them? I am beginning to think the answer is yes. I uninstalled in safe mode. Could that have hindered the uninstaller?



    "That because you didn't configure it correctly, TDS-3 has a default of 128kb i believe, anything smaller is not detected, Kav's are smaller. But it's a pain to remove 40000 ads with TDS-3." DP

    I cannot check because I uninstalled it. But you very likely hit the nail on the head. Ouch!! Still, I have known streams to have been able to work before, but it does not now. I did notice you name some alternatives. I appreciate that. Your post has given me some good information!



    I'm sort of interested in what programs rely on ADS streams to function. I was hoping that none need them and they can all be deleted, but I guess that is not the case.
     
  9. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Kobra -

    If you are out there, I apologize for hijacking your thread! Actually, I like to think of it as 'keeping it warm in your absence'.

    Just an update on my saga. I just tried using Hijack This! to clean some of the ADS streams. (If you click on Configure, and Miscellaneous Tools, you will see that you can use HJT to clean ADS; I think it uses the ADS Spy engine.)

    The result:
    Once again the streams were detected, but they were not removed. I guess the time has come to start getting serious about this.


    - HandsOff

    +++++++++++++++++++++++++++++++++++++++++++++++++++=
    Update -

    I just turned to the fourth or fifth tool I have tried to remove the ADS streams and this one seems to work! It is called NTFS Streams Eraser by Extreme Software. The first thing I noticed was the familiar Rezjor sheep! Well, anyway, I decided to use my MP3 partition for the trial, and it erased them all (several hundred). Then I test played Al Green's inspired version of 'My Girl' and it sounded as sweet as ever!
     
    Last edited: Mar 28, 2005
  10. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Of course Kaspersky have done something to protect them, otherwise you would have 40000+ entry points and that wouldn't be good ;). They would have to get past the monitor first though.
    TDS-3 is no good in cleaning 40000+ streams, as you would have to do it one by one if I remember correctly; it could possibly be used to remove the last 1-5 ADS that NTFS Streams Eraser & ADS Spy can't remove even in safe mode. The way I have cleared the last few is to use ADS Spy and see which files they've attached to; so far these have been non-important and I have simply deleted the files and therefore also the ADS.

    I have yet to see any problem by leaving 1-5 ADS after running ADS Spy & NTFS Eraser btw.
    I have so far only noticed ads in pictures. :)

    Edit: I just did a scan with Kav 5.0 installed without iStreams/ADS and Max-protection, not bad IMO.
     

    Last edited: Mar 28, 2005
  11. Karen J.

    Karen J. Guest

    Would the "Scan Volume for ADS" in AdAware SE Plus have worked for this purpose?
     
  12. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Don -

    It seems as though you are avoiding using the ADS feature, or are you just making a comparison? It strikes me as a very good feature to use so long as one can configure their other detection programs to co-exist with them, and so long as it is reversible.

    I remember not too long ago reading an article where the author was saying, "thankfully no trojans have been discovered to date that have replaced system files". I still get annoyed when I do a process ID look up with Wintasks Pro 5 and it identifies the process as some part of Windows and says "Security Risk: 0". Zero! Oh really? Anyway, maybe it's just me, but the ability to even have different versions of processes swapped without my knowledge is a cause for concern. One can either count on XP for file integrity, or make the transition to something a little more comprehensive to protect system files.

    I don't know how well it works, but Kaspersky's ADS manipulation might be just the thing we need! I don't quite understand the controversy surrounding it though.



    - HandsOff
     
  13. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    No HandsOff; I can sincerely tell you that Don REALLY likes iStreams and he is NOT avoiding using it.

    He put those results just to show us how good KAV 5 is even without that feature - but I know he uses iStreams and has little problems with it.

    Regards,
    Firecat
     
  14. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    No, I have always used iStreams except for two installs; this last one is just for you, so you can see that the difference isn't that big if indeed you are not comfortable with iStreams. The install is completely virgin as I use FirstDefense-ISR, which makes this kind of testing a piece of cake; it took me about 5 minutes to set it up (plus the scan, of course ;) ).
    Neither do I, but probably because Kaspersky have not been very good at explaining exactly what it does to the system.

    Anyway, they will be a thing of the past quite soon; they are not used in Kaspersky 6/2006 (in beta ATM), so I actually would recommend disabling iStreams during the installation, that way you won't have to go through removing them when upgrading to Kav 6. :)
     
    Last edited: Mar 28, 2005
  15. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    You are so right, Kaushik. It will be a sad day indeed for me when iStreams is headed for retirement, a bit like when The King died, you just couldn't believe it and felt numb for a year. ;) :D
     
  16. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Well, I guess all you iStream lovers should blame me, I was the one who predicted its end - sorry guys :'(.

    I made that prediction b'coz I saw that iStream works very well for some and very badly for others. Any company would simply remove such a feature b'coz it wouldn't work well in all common scenarios, y'see.....similar to GeForce FX - make a technology demo and watch the graphics fly beyond the competition, play a game and see the inefficiency....And in the end the architecture was completely revamped.

    That's what I expected would happen with KAV 6 too - all the 'mixed' (i.e. good and bad opinioned) features would be removed and replaced....

    They may just bring it back though, if they get it working fine.

    Have a nice day :)

    Best Regards,
    Firecat (Kaushik)
     
  17. Karen J.

    Karen J. Guest

    I'm sorry I don't know much about this stuff, I'm trying to learn.

    Please, one of you smart guys respond to my ADS question in reference to Adaware SE Plus.

    I'm going to learn, and one day hopefully contribute also.

    Thanks,

    -Karen :]
     
  18. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,934
    Location:
    SW. Oklahoma
    I personally like the idea of Kav using ADS to checksum my files as it scans, and ADS does nothing else detrimental to my comp. And by the way, the eTrust 7 server promo antivirus from Computer Associates has an option to scan ADS on your comp.

    bigc
     
  19. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    480
    Location:
    Dallas, TX
    I never liked the idea of KAV using ADS for checksums. To me it smacks a bit of hijacking an unrelated technology and using it for something for which it really wasn't intended. Also, part of it is Microsoft's fault since OS support for ADS usage is sort of piecemeal and unknown to most users. I can appreciate the value that these checksums might bring, however I'm not sure why KAV can't just write them into their own proprietary "database" file (i.e., file/checksum). Do they really need to store the checksum in an ADS?
     
  20. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Well, I haven't seen an official announcement from KL that iStreams is no longer with us. That said, I think they did not handle the whole thing well at all in the version 5 level program.
    • There do appear to be some scenarios where iStreams creates an operational problem with other software. This is a major issue for a program being deployed since even folks who will be unaffected today may hold off on a purchase based on what may happen tomorrow.
    • There has been a substantial amount of misinformation forwarded regarding iStreams, and some of it has been due to poor internal communication of what it does and what it does not do within KL. It helps with scan efficiency of files which are resident on a PC longer than a predefined time. That's it. Personally I believe that it is a somewhat misplaced focus since the content which one must be most concerned about on a PC is generally quite volatile. Downloaded content (even cached) for many users has a lifetime of less than 2 weeks. From that perspective, the only advantage of iStreams is with static files on the PC. In terms of where I see usage slowdowns, I generally do not worry about the time of loading an old Word or Excel file; I do look at the time to deal with freshly downloaded content since I'm constantly grabbing and tossing that away. In this latter context, iStreams offers no benefits.
    • With recommended settings, the iStreams quarantine time is 365 days. It can be decreased to 15 days by going to the High Speed settings, although this is equivalent to setting for scanning based on filename extension.
    • iChecker does the same thing, except it stores the result in a secondary database. iChecker is really implemented for FAT32 volume coverage. One thing KL never fully explained is whether iChecker is used on NTFS volumes if iStreams only is disabled. My 5.0 beta tests imply it is, although I did not go back to verify that in the production release.
    • The quarantine period before which the speed advantages of iStreams kick in, reported to be 15, 365, and 365 days for High Speed, Recommended, and Maximum Protection respectively, really should have been given more thought. The implicit issue here is that KL effectively guarantees definition coverage prior to expiration of the quarantine period. That can't be too short. However, if it is made long, the operational advantages of the approach quickly diminish. I can see this as a great idea that doesn't pan out to a pragmatic advantage. I really don't care if an overnight scan takes 1 hour or 3 hours - I do it overnight for a reason.

    Anyway, as I said above and despite my comments, I'd say it's premature to declare iStreams finished just yet. I'd wait for some official indication or clear evidence that the 2006 version of KAV doesn't employ this approach in a working version much closer to the release candidate than the currently available prototype.

    Blue
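    The cache policy Blue describes above (a stored per-file checksum whose clean verdict is reused only once the file has been resident longer than the quarantine period, and only while its content is unchanged), modelled as an added example. This is illustrative code, not Kaspersky's implementation: it assumes modification time as the residency proxy, SHA-256 as the checksum, and a plain dictionary in place of an ADS or iChecker database.

```python
import hashlib, os, tempfile, time
from dataclasses import dataclass

DAY = 86400  # seconds


@dataclass
class Verdict:
    digest: str        # SHA-256 of the content when the file was last scanned
    scanned_at: float  # epoch seconds of that scan


def sha256_file(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def needs_scan(path: str, cache: dict, now: float, quarantine_days: int) -> str:
    """Return 'cached' if the stored verdict may be reused, else the reason to rescan."""
    record = cache.get(path)
    if record is None:
        return "no verdict"
    # Files resident for less than the quarantine period are always rescanned:
    # their cached verdict may predate the definitions that would catch them.
    # Modification time stands in for residency here (assumption of this model).
    if now - os.stat(path).st_mtime < quarantine_days * DAY:
        return "inside quarantine window"
    # A checksum mismatch means the content changed since the verdict was stored,
    # so the verdict is discarded even if the timestamp looks untouched.
    if sha256_file(path) != record.digest:
        return "content changed"
    return "cached"


def record_verdict(path: str, cache: dict, now: float) -> None:
    cache[path] = Verdict(sha256_file(path), now)


def demo() -> dict:
    """Constructed samples: a year-old MP3, a month-old document, a fresh download."""
    now = time.time()
    tmp = tempfile.mkdtemp()
    files = {"old": ("song.mp3", 400), "mid": ("notes.doc", 30), "new": ("setup.exe", 0)}
    paths, cache = {}, {}
    for key, (name, age_days) in files.items():
        p = os.path.join(tmp, name)
        with open(p, "wb") as f:
            f.write(b"constructed sample content for " + name.encode())
        os.utime(p, (now - age_days * DAY, now - age_days * DAY))
        record_verdict(p, cache, now)
        paths[key] = p
    result = {
        "old/recommended": needs_scan(paths["old"], cache, now, 365),
        "mid/recommended": needs_scan(paths["mid"], cache, now, 365),
        "mid/high speed": needs_scan(paths["mid"], cache, now, 15),
        "new/high speed": needs_scan(paths["new"], cache, now, 15),
        "unknown file": needs_scan(paths["new"], {}, now, 365),
    }
    # Alter the old file, then restore its timestamp so only the checksum reveals it.
    with open(paths["old"], "ab") as f:
        f.write(b"!")
    os.utime(paths["old"], (now - 400 * DAY, now - 400 * DAY))
    result["old/tampered"] = needs_scan(paths["old"], cache, now, 365)
    return result
```

    The 30-day file shows the trade-off in Blue's last point: it is cached under the 15-day High Speed setting but rescanned every time under the 365-day Recommended setting.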
     
  21. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Alec,

    They have, it's called iChecker, and no, the checksum doesn't have to be stored in an ADS. However, an ADS storage approach yields speed advantages on very large volumes since there is effectively no secondary lookup.

    Blue
     
  22. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,934
    Location:
    SW. Oklahoma
    To actually store their info in the ADS is a very good idea for the simple reason that if one of them is changed at all it will be seen by Kav. If it was stored in its own database and it got corrupted in the slightest, it would not be checking the checksums in the ADS; it would be checking with corrupted files that would be useless. But as I always say about any software, it is just a personal preference what we use and like. Personally I like the idea of using ADS because it works and has no other effect on my comp at all.

    bigc
     
  23. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,332
    Location:
    US
    So BigC, do you now prefer KAV over McAfee?

    Acadia
     
  24. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    I think he uses KAV o_O
     
  25. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    I think that BigC uses a couple more than Kav & McAfee; Panda is another, if memory serves me correctly. ;)
     