Barrage of Alternate Data Streams

Discussion in 'Trojan Defence Suite' started by slipbeezer, Jan 31, 2005.

Thread Status:
Not open for further replies.
  1. slipbeezer

    slipbeezer Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    3
    Hi, I am new to the forum. Been using TDS as a trial for a few weeks; purchased it, updated the database, ran a full system scan and came out clean. Cool.

    Two days later I did the scan again and had 216 ADSs!!! (hidden alternate data streams). They are scattered throughout many different files of different types. I have not yet deleted them because I am afraid it could disable a lot of stuff.

    What are these things? Where did they come from? What should I do about them? Help!! Thanks very much.

    My PC Config, in case you need to know:
    M$Windows2000, Firefox, ZoneAlarmPro, AVS Pro, SpyBot, SpySweeper, Trojan Hunter, HijackThis, SpywareBlaster, AdAware, Stinger, IE-Spyad
     
  2. controler

    controler Guest

    Have you recently uninstalled KAV antivirus?

    Bruce
     
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Slipbeezer, You can usually delete streams with no detrimental effect; they are used to track files within your system to speed things up (usually media files), but other programs like KAV can also use them.
    This utility may delete them for you: http://www.sysinternals.com/ntw2k/source/misc.shtml#streams

    Or you can delete them manually from within the TDS3 console.

    Streams smaller than 128 bytes are deemed safe and many media files create 88 byte streams. I set AdStreams to ignore those less than 90 bytes.
    0 byte files can simply be deleted.

    HTH Pilli
     
    Last edited: Jan 31, 2005
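Pilli's size-based triage above (small streams are usually media or indexing metadata, zero-byte streams can simply go, anything larger deserves a look before deletion), carried out as an added PowerShell example. This is not code from the thread, from TDS or from the Sysinternals streams tool: it assumes PowerShell 3.0 or later on an NTFS volume (the `-Stream` parameter on Get-Item, Get-Content and Remove-Item appeared in 3.0, so it will not run as-is on the Windows 2000 box in the thread), and the `$Root`, `$SafeBytes` default and the verdict labels are this example's own choices.

```powershell
# Added example, not from the thread, TDS or Sysinternals: enumerate and triage
# NTFS alternate data streams. Requires PowerShell 3.0+ (Get-Item -Stream).
# $Root, $SafeBytes and the verdict names below are assumptions of this example.
param(
    [string] $Root      = $env:USERPROFILE,   # assumed starting directory
    [int]    $SafeBytes = 128,                # the thread's "below 128 bytes" rule of thumb
    [switch] $Remove                          # delete small/empty streams; default is report only
)

# Every named stream on every file under $Root. ':$DATA' is the file's own
# unnamed data stream, never an ADS, so it is filtered out.
$streams = Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
    } |
    Where-Object { $_.Stream -ne ':$DATA' }

# Read the first two bytes of a stream (Windows PowerShell and PowerShell 7
# spell the byte-mode switch differently).
function Get-StreamHead {
    param([Parameter(Mandatory)] $S)
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        return Get-Content -LiteralPath $S.FileName -Stream $S.Stream -AsByteStream -TotalCount 2 -ErrorAction SilentlyContinue
    }
    return Get-Content -LiteralPath $S.FileName -Stream $S.Stream -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
}

function Get-StreamVerdict {
    param([Parameter(Mandatory)] $S)
    # Zone.Identifier is written by Windows itself (Attachment Execution Service)
    # on files downloaded from the Internet zone; well known and harmless.
    if ($S.Stream -eq 'Zone.Identifier') { return 'known: download mark' }
    if ($S.Length -eq 0)                  { return 'empty' }
    if ($S.Length -lt $SafeBytes)         { return 'small (likely metadata)' }
    # Larger streams can carry a whole executable; flag a PE ("MZ") header.
    $head = Get-StreamHead $S
    if ($head -and @($head).Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A) {
        return 'SUSPICIOUS: PE header (MZ) in stream'
    }
    return 'review'
}

$report = $streams | Select-Object FileName, Stream, Length,
    @{ n = 'Verdict'; e = { Get-StreamVerdict $_ } }

$report | Sort-Object Length -Descending | Format-Table -AutoSize
"{0} named stream(s) found under {1}" -f @($report).Count, $Root

# Only the categories Pilli calls safe are ever deleted, and each deletion is
# confirmed. Anything marked 'review' or 'SUSPICIOUS' is left in place so it
# can be examined (or preserved as evidence) rather than destroyed.
if ($Remove) {
    $report | Where-Object { $_.Verdict -in 'empty', 'small (likely metadata)' } | ForEach-Object {
        Remove-Item -LiteralPath $_.FileName -Stream $_.Stream -Confirm
    }
}
```

Saved as, say, `Find-Ads.ps1` (a hypothetical name), `.\Find-Ads.ps1 -Root C:\Users\me -SafeBytes 90` reproduces Pilli's 90-byte cut-off as a report only; adding `-Remove` deletes just the empty and small streams, one confirmation each. The MZ check is deliberately narrow: a stream that fails it is not proven clean, it just does not start with a Windows executable header, which is why such streams land in 'review' rather than being deleted.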
  4. slipbeezer

    slipbeezer Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    3
    Actually I don't have that AV program, I use AVG. What is KAV?

    Thanks, Pilli, for the info and link. I will try that.
     
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
  6. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    I recommend Streams Shell Extensions which is a Windows shell extension that you can download and install and an additional Streams tab will be added to the property page lists of every directory and file. You will be able to see what, if any, ADS tag is added and will be able to delete the stream if you want.

    This is a great extension that everyone should have! I was able to delete most of the remaining KAVICHS ADS tags after I ran Streams from System Internals which left about 35 files with the tags. I also have deleted ADS tags on individual files that had nothing to do with Kaspersky antivirus.

    It is from a SANS handler and has a PDF file explaining it. Now I can check every file I download for ADS tags and delete them with one click.

    »www.giac.org/practical/GCWN/Ryan_Means..
     
  7. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Mele, I get an error on that link, does that also link to the shell extension as it sounds rather useful? :)

    Thanks. Pilli
     
  8. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Pilli,
    It was pretty easy to find, the list of certified GCWN analysts is at http://www.giac.org/GCWN.php
    The link posted contains the name Ryan Means and his name is in that list

    The pdf is Alternate Data Streams: Out of the Shadows and into the Light - HONORS
    The zip file is Stream Shell Extensions Setup (.zip)

    I subscribe to the SANS newsletters but hadn't (yet) had a look around on the GIAC side of things.
    This certainly qualifies as the catch of the day, not for just being fed a fish (in terms of this utility) but as yet another place to go fishing...
    [See appropriate dilbert comic on this, search for dilbert2001152331227 on google if this link doesn't work]

    Regards
     
    Last edited: Feb 2, 2005
  9. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi gottadoit, Thanks for the clarification :)

    Pilli
     
  10. slipbeezer

    slipbeezer Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    3
    Thanks for all the good information. I've got some homework to do with learning TDS and now there's another one. The ammunition required these days in order to stay sane, financially secured and computing happily is close to more than I can deal with anymore.

    While I'm at it, any chance either of you, or anyone, has any clues what could cause the keyboard/mouse/icon/not sure which to take you off your current screen and sometimes bring up several random screens on top in rapid succession?

    I have been trying to figure this one out for about 3 weeks now. Have run a ton of security apps, checked accessibility options, keyboard drivers and troubleshooter, all connections. What else? It seems like some kind of crazy virus, but nothing shows up. I keep asking people and nobody seems to know what it could be. Sometimes it does it maybe 50 times in an hour and other times not at all for hours.

    This may not be the right place to ask, I'm not sure. Sorry if it is.

    Thanks very much!
     
  11. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia