Barrage of Alternate Data Streams

Hi, I am new to the forum. Been using TDS as a trial for a few weeks; purchased it, updated the database, ran a full system scan and came out clean. Cool.

Two days later I did the scan again and had 216 ADS's!!! (hidden alternate data streams). They are scattered throughout many different files of different types. I have not yet deleted them because I am afraid it could disable a lot of stuff.

What are these things? Where did they come from? What should I do about them? Help!! Thanks very much.

My PC Config, in case you need to know:
M$Windows2000, Firefox, ZoneAlarmPro, AVS Pro, SpyBot, SpySweeper, Trojan Hunter, HijackThis, SpywareBlaster, AdAware, Stinger, IE-Spyad

 

Have you recently uninstalled KAV antivirus?

Bruce

 

Hi Slipbeezer, You can usually delete streams with no detrimental effect, they are used to track files within your system to speed things up, usually media files but other programs like KAV can also use them.
This utility may delete them for you: http://www.sysinternals.com/ntw2k/source/misc.shtml#streams

Or you can delete them manually from within the TDS3 console.

Streams smaller than 128 bytes are deemed safe and many media files create 88 byte streams. I set AdStreams to ignore those less than 90 bytes.
0 byte files can simply be deleted.

HTH Pilli

 

Actually I don't have that AV program, I use AVG. What is KAV?

Thanks, Pilli, for the info and link. I will try that.

 

OK AdStreams are created by a number of programs mainly nedia related and are used for internal tracking / housekeeping. I have since found another little Ad stream deletion program mentioned in another thread. ADS spy 1.07 Written by Merijn. Here is the shortcut: http://computercops.biz/zx/Merijn/adsspy.zip
And here is Merijn's site: http://www.spywareinfoforum.com/~merijn/downloads.html Many useful tools there

HTH Pilli

 

I recommend Streams Shell Extensions which is a Windows shell extension that you can download and install and an additional Streams tab will be added to the property page lists of every directory and file. You will be able to see what, if any, ADS tag is added and will be able to delete the stream if you want.

This is a great extension that everyone should have! I was able to delete most of the remaining KAVICHS ADS tags after I ran Streams from System Internals which left about 35 files with the tags. I also have deleted ADS tags on individual files that had nothing to do with Kaspersky antivirus.

It is from a SANS handler and has a PDF file explaining it. Now I can check every file I download for ADS tags and delete them with one click.

»www.giac.org/practical/GCWN/Ryan_Means..
»www.giac.org/practical/GCWN/Ryan_Means..

 

Hi Mele, I get an error on that link, does that also link to the shell extension as it sounds rather useful?

Thanks. Pilli

 

Pilli,
It was pretty easy to find, the list of certified GCWN analysts is at http://www.giac.org/GCWN.php
The link posted contains the name Ryan Means and his name is in that list

The pdf is Alternate Data Streams: Out of the Shadows and into the Light - HONORS
The zip file is Stream Shell Extensions Setup (.zip)

I subscribe to the SANS newsletters but hadn't (yet) had a look around on the GIAC side of things.
This certainly qualifies as the catch of the day, not for just being fed a fish (in terms of this utility) but as yet another place to go fishing...
[See appropriate dilbert comic on this, search for dilbert2001152331227 on google if this link doesn't work]

Regards

 

Hi gottadoit, Thanks for the clarification

Pilli

 

Thanks for all the good iinformation. I've got some homework to do with learning TDS and now there's another one. The ammunition required these days in order stay sane, financially secured and computing happily is close to more than I can deal with anymore.

While I'm at it, any chance either of you, or anyone, has any clues what could cause the keyboard/mouse/icon/not sure which to take you off your current screen and sometimes bring up several random screens on top in rapid succession?

I have been trying to figure this one out for about 3 weeks now. Have ran a ton of security apps, checked accessibility options, keyboard drivers and troubleshooter, all connections. what else. It seems like some kind of crazy virus, but nothing shows up. I keep asking people and nobody seems to know what it could be. Sometimes it does it maybe 50 times in an hour and other times not at all for hours.

This may not be the right place to ask, I'm not sure. Sorry if it is.

Thanks very much!

 

Hey if you really want to have fun have a look at the thread on what security software is being used and why

See Security that you use and its purpose
and Security that you use and its purpose - DISCUSSIONS

Some light reading that is sure to keep you entertained for hours