XP svchost and hidden ADS

I think I understand what NFTS ADS streams are, but wonder if svchost (XP Pro) should have hidden ADS streams associated with it. For example:

13:37:13 [NTFS ADS] Stream found - c:\windows\system32\svchost.exe:SummaryInformation
13:37:13 [NTFS ADS] Stream found - c:\windows\system32\svchost.exe*****)
13:37:13 [NTFS ADS] Stream found - c:\windows\system32\svchost.exe:SummaryInformation
13:37:13 [NTFS ADS] Stream found - c:\windows\system32\svchost.exe*****)
13:37:14 [NTFS ADS] Stream found - c:\windows\system32\svchost.exe:SummaryInformation
13:37:14 [NTFS ADS] Stream found - c:\windows\system32\svchost.exe*****)

 

Hi Mikeky,
Can you give us some more information please such as the size of these streams?

If they are 0 byte files then thay are nothing, if they are under 256 bytes they are probably harmless, if they are under 128 bytes almost certainly harmless
I set mine to ignore any streams less than 90 bytes as many image files use 88 byte streams. Thumb.db comes to mind.

Thanks Pilli

 

These are all either 0 or 88 bytes. Certainly I get a similar message with Thumb.db files, but just wasn't sure why the svhost would ADS associated with it.

 

you mean SVChost I hope not svhost?

SVChost is responsible for many functions under windows so it does not surprise me.

If you want a better idea about what svchosts gets up to on your PC get Process Explorer from sysinternals (free), a very nice utility.

If you want see what goes in and out of your PC get Port Explorer from DCS (trial ware)

Pilli

 

Looks normal, especially when they are 0 or 88 bytes. Haven't tracked down what adds these but its the same for most of us

Set ignore streams smaller than about 128 bytes is fine. Look in Scan Control > ADS Stream Options

 

I recently updated ZoneAlarm Pro (registered user), which causes many problems (but that is for another thread). But I mention it here because since then strange things happen on my pc.

One of them is that when i start TDS-3 I get the following message:
"NTFS Alternate Data Stream ADS HIdden Stream Detected: 88 bytes in C:\window\system32\svchost.exe:|summary information

NTFS Alternate Data Stream ADS Hidden Stream Detected: 0 bytes in
C:\windows\system32\svchost.exe {4c8cc155-6c1e-11d1-8e41-00c04fb9386d}"

and this message I get 5 times (so 10 lines).

Now when i read the messages above, it seems since it is so little bytes, i shouldn't be worried about it. BUT!!! I didn't get these messages before the ZA update!

Does anyone know what may cause this? And is it dangerous? Thank you for your help .

 

You mean the ZA version 5.xxx ?
I hear it can make problems with your installed AV/AT software, seems to monitor and/or protect it and since it seems to give problems, right?
They probably better should have kept with just and only firewall and program allowances and kept away from what they're doing now.
Several AV/AT programs seem to add those ADS streams to files for several reasons, maybe to see if they canged since the last scan, who knows...
The streams were there, you set TDS to ignore them that small, so ZA should not tell you differently.

 

First, thank you very much Jooske for your reply .
Perhaps I didn't explain it good enough. But it is NOT ZA who tells me about those hidden streams, but TDS-3. It does that when I start the program to check for updates (so before I do a full system scan it already reports this).
I have never set TDS to ignore them because they never showed up before!
I did not change anything about the configuration of TDS-3 either.

But now they suddenly are there .

 

If you look with Port Explorer which applications are on these svchost processes, are there any of them related to ZA or your AV/AT maybe life updates or things like that?
Could be ZA placed those extra streams -- is there any way to see them what they are?

 

For comprehensive information about NTFS Streams, see this page

 

@Wayne: Thanks but i had already read that

@Jooske: I used PortExplorer but the only information i could get was that it is going to Microsoft Corporation in Redmond , USA
and the process is "Generic Host Process For Win 32 Services
C:\WINDOWS\system32\svchost-k-rpcss " 12KB

When i try to delete the hidden Streams with TDS-3, TDS-3 tells me it has deleted them but they stay there, so they aren't deleted!

This is soo complicated for me.I don't understand it at all.Don't get it why they show up now, and never did before...

 

Hi, ronny

Don't give up ronny most things get fixed with help.

What Version Number, is it the Latest v50_590_015?

The reason I ask is because it says in ZoneAlarm Pro's [history] one of it new functions is checks to see if your AntiVirus is up too date.

May be this is what it is doing and as some thing to do with it?

Take Care,
TheQuest

 

rpcss is probably connected to port 135?
but that will not be in all 5 instances, what aer the other files?

 

Interesting, reading elsewhere it appears that KAV5 also creates hidden streams sometimes but it does not on this PC, I do not know about ZA as I do not use it.
I am wondering if KAV & ZA are utilising hidden streams for some specific reason on certain systems?
Maybe contacting ZA support may provide an answer.

 

Yes, rpcss is connected to port 135.
the other processes are:
netsvcs: connected to ports ..., .. (2x) and ... (2x)
Network Servic: port ... and ...
LocalServic: port ... and .... (2x)

Do you need to know if they are TCP or UDP too?

Hm, my experience with ZA support so far hasn't been great . Their answer to any problems seems to be "clean install" . But maybe I should try again...

 

Clean install won't help you, guess it's part of ZApor placing them, and since Gavin told you as long as those streams themselves are no exe and smaller then 128 bytes you can ignore them.

 

i would not ignore this, having the same, same size, and like i read further on, same trange things happening, this process is going on with every body i know, live in belgium, try in tds itself, to dump that proces in file, so i did, (right click on it), you will notige you can open it for few seconds, see properties, , at the end, it seems to be , all of them.... yes a windows pif-file, ofcourse i had no idea what that was, looked it up, and realized, surprised, it is some kind of extra commands for a dos program running in windows, the commands ill post here, i hope some one can explain it better, anyway it looks like a very sophisticated take over of the pc, was looking for a too to find out somethin, tds did, after i switched on option to find these streams, i was for weeks trying to find out, found aswell something about rootkid, and the revealer showed a lot positive facts, but dont ignore it, security task manager, showed olso a very strange thing going on, check on website trend micro, problem s after a path on 22 april, the worm before named b_buchon, and its program in visual c++, dropping keys "run" command.
a n active key logger, read wat generates this tool of tekst, in every program running, im sure some very strange goes on, who can find out and know more about it or understands more about pc, should give a reaction, but i do not think ignoring it is correct, even when the stream seems 0bytes, greeets monika

 

exatly that is strange, not always, and no exe but pif, see my other post, but it looks like they create a lot of exe files, those are active, and located in system 32 , good look if i get more to find out, ill post it.

 

Please have a look here........

http://www.spywarewarrior.com/viewtopic.php?t=13378

Cheers

Tony

 

tds finds mz.exefiles, sseems normal, no idea, had everybody this?with ntfsdisk??

The NE EXE files are the new exe files used by windows and OS/2 executables.
They contain a small MZ EXE which prints "This program requires Microsoft
Windows" or something similar but Some files contain both DOS and Windows
versions of the executable. The position of the new EXE header can be found
in the old exe header - see the MZ EXE topic for further information. All
offsets within this header are from the start of the header if not noted
thanks

 

i found out, yes its is a help command file in dos
tds names it mz.exe, here is what i found about it:


The NE EXE files are the new exe files used by windows and OS/2 executables.
They contain a small MZ EXE which prints "This program requires Microsoft
Windows" or something similar but Some files contain both DOS and Windows
versions of the executable. The position of the new EXE header can be found
in the old exe header - see the MZ EXE topic for further information. All
offsets within this header are from the start of the header if not noted

and still more:
Streams
The NTFS file system provides applications the ability to create alternate data streams of information. By default, all data is stored in a file's main unnamed data stream, but by using the syntax "file:stream", you are able to read and write to alternates. Not all applications are written to access alternate streams, but you can demonstrate streams very simply. First, change to a directory on a NTFS drive from within a command prompt. Next, type "echo hello > test:stream". You've just created a stream named 'stream' that is associated with the file 'test'. Note that when you look at the size of test it is reported as 0, and the file looks empty when opened in any text editor. To see your stream enter "more < test:stream" (the type command doesn't accept stream syntax so you have to use more).

NT does not come with any tools that let you see which NTFS files have streams associated with them, so I've written one myself. Streams will examine the files and directories (note that directories can also have alternate data streams) you specify and inform you of the name and sizes of any named streams it encounters within those files. Streams makes use of an undocumented native function for retrieving file stream information. Full source code is included.

Usage: streams [-s] [-d] <file or directory>

-s Recurse subdirectories.
-d Delete streams.

Streams takes wildcards e.g. 'streams *.txt'.

Download Streams (19 KB)

is everybody having with xp on ntfs this result with tds scan
does it influence a tool named rootkidrevealer, witch showed me 54000 items, a frind did not have this at all, can anybody explain??
greeeets