Deleting Alternate stream problem

Discussion in 'other security issues & news' started by SteeLRasH, Jan 25, 2004.

Thread Status:
Not open for further replies.
  1. SteeLRasH (Registered Member) | Joined: Jan 25, 2004 | Posts: 7 | Location: Turkey

    Hi all!
    I have a problem with alternate data streams.
    When I enter this command in the console:
    type C:\windows\notepad.exe > C:\:example.exe
    then it creates notepad.exe in the root as example.exe,
    and as you know it is an invisible file. When you want to run
    example.exe you must enter this command in the console:
    start C:\:example.exe
    Then notepad will work,
    but I am not able to delete example.exe from my disk.
    In Sysinternals there is a program named Streams, and it can delete ADS from a file and folder but not from the C root.
    Is there a person who knows how I can delete this file?
    I am looking forward to your solution to this problem :rolleyes:
    Thx a lot
     
  2. Jooske (Registered Member) | Joined: Feb 12, 2002 | Posts: 9,713 | Location: Netherlands, EU near the sea

    Hi again SteeLRasH,
    Also not working via TDS Scan Console NTFS ADS Streams?
    And deleting :example.exe doesn't work?
    How about renaming it to something else which can be deleted much more easily, if that would be the problem, like
    from c:\
    ren :example.exe example.exe (or whatever the second name would be)
    Hope it helps. With your TDS scanner you should be able to find if any streams are left.

    BTW make sure you check if notepad.exe is still there and working before you remove the example.
     
  3. SteeLRasH (Registered Member) | Joined: Jan 25, 2004 | Posts: 7 | Location: Turkey

    Unfortunately renaming hadn't worked, I tried it.
    And also neither TDS nor other stream scanners find the C:\:example.exe. I am sure if TDS detected this exe, it would delete it, but it didn't.
     
  4. Jooske (Registered Member) | Joined: Feb 12, 2002 | Posts: 9,713 | Location: Netherlands, EU near the sea

    Sounds strange, then in safe mode maybe? Are there streams inside to give TDS something to detect at all?
    Empty code even TDS will not detect. Have all options checked and include scanning for 0 byte files.
    Just thinking, can you move the file to another location, a folder you create for it maybe, so it can be deleted that way?
    A few more options:
    There is DelLater in the DCS free tools which might solve the problem.
    Also make sure all possible entries for this example.exe are deleted from the registry, if those are there at all, after which it must be possible to delete it.
    Hope it works for you, any of them.
     
  5. SteeLRasH (Registered Member) | Joined: Jan 25, 2004 | Posts: 7 | Location: Turkey

    Hi again, but still no solution :rolleyes:

    Jooske, thanks for your response,
    but alternate data streams can't be moved or renamed or addressed, just started via this command: "start directory of stream"
    so renaming, moving or the DelLater program isn't working on
    these alternate data streams.
    And what's more, even if we delete C:\windows\notepad.exe, our stream is still working as notepad.exe.

    Thx again for your help anyway.
    If anybody knows the solution, I am always here. :)

    Regards
    Yigit
     
  6. Bowserman (Infrequent Poster) | Joined: Apr 15, 2003 | Posts: 510 | Location: South Australia

    Hi SteeLRasH. Don't know if it works, but have you seen this?

    Taken from this site.


    Hope that helps,
    Jade.
     
  7. SteeLRasH (Registered Member) | Joined: Jan 25, 2004 | Posts: 7 | Location: Turkey

    Thx Bowserman, it works. All problems in my mind have gone, thx to you.

    Second method is working for my problem.
     
  8. Bowserman (Infrequent Poster) | Joined: Apr 15, 2003 | Posts: 510 | Location: South Australia

    Glad that you got it sorted SteeLRasH :cool:.

    Regards,
    Jade.
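
Added example, not part of the thread and not the method Bowserman linked (that text is not reproduced on this page): a PowerShell audit that lists named streams attached to a file or directory such as the drive root, flags streams that start with an executable header, and removes one stream by name. It assumes PowerShell 7.2 or later on NTFS, where the `-Stream` parameter also accepts directories; `Get-NamedStream` and `Remove-NamedStream` are hypothetical helper names.

```powershell
# Added example; Get-NamedStream and Remove-NamedStream are hypothetical helper names.
# Assumes PowerShell 7.2+ on Windows/NTFS, where -Stream also accepts directories.

function Get-NamedStream {
    # List alternate data streams attached to a file or directory and flag
    # any whose first two bytes are "MZ" (the DOS/PE executable header).
    param([Parameter(Mandatory)] [string] $LiteralPath)

    Get-Item -LiteralPath $LiteralPath -Stream * -Force |
        Where-Object { $_.Stream -ne ':$DATA' } |      # skip the unnamed main stream
        ForEach-Object {
            # Read only the first two bytes; an empty stream yields an empty array.
            $head = @(Get-Content -LiteralPath $LiteralPath -Stream $_.Stream `
                          -AsByteStream -TotalCount 2)
            [pscustomobject]@{
                Path       = $LiteralPath
                Stream     = $_.Stream
                Length     = $_.Length
                Executable = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
            }
        }
}

function Remove-NamedStream {
    # Delete a single named stream; the host file or directory is left in place.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $LiteralPath,
        [Parameter(Mandatory)] [string] $Stream
    )
    if ($PSCmdlet.ShouldProcess("${LiteralPath}:$Stream", 'Remove alternate data stream')) {
        Remove-Item -LiteralPath $LiteralPath -Stream $Stream
    }
}

# Audit the drive root, where the thread's stream was attached (run elevated).
Get-NamedStream -LiteralPath 'C:\' | Format-Table -AutoSize

# Dry run first; drop -WhatIf to delete the stream. The directory itself is untouched.
Remove-NamedStream -LiteralPath 'C:\' -Stream 'example.exe' -WhatIf
```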
     