ntfs ads infected, need help

Discussion in 'Trojan Defence Suite' started by Wolfzbane, Aug 14, 2003.

Thread Status:
Not open for further replies.
  1. Wolfzbane

    Wolfzbane Guest

    Very much a newbie here with TDS-3.
    I have thousands of images in which TDS-3 has detected NTFS ADS streams.
    Is there a way to tell TDS-3 to delete the ADS streams in the files without having to right-click them all individually and select "delete stream" from the menu? I could be here for weeks trying to do this manually.
    Deleting the files is not an option, I need those files.
    Help me please...
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    http://www.wilderssecurity.com/showthread.php?t=11255;start=msg73030#msg73030

    http://www.wilderssecurity.com/showthread.php?t=10877;start=msg70830#msg70830

    In these two threads is written a lot about the subject and in the second Dan posted a link to a sysinternals tool which has that ability you asked for.

    Many people ignore streams under 90 bytes, or even 256, and I have seen higher values, so ignore those smaller ones, which can't harm and which could be necessary for some programs to function properly (several AV scanners add them to see in a next scan if there are changes, for example).
    I'm almost sure with this you'll have far less streams which need additional attention, right?

    Are the streams in images part of watermarking for copyright reasons?
     
  3. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Ignore streams smaller than 256 or even 512 BYTES, not KB ;) An EXE file in a stream will still be reported: valid PE EXE files are 513 bytes minimum, and any functional trojan file that might hide in a stream will be much bigger than that :)

    Click Scan Control
    ADS Stream Options
    Ignore streams smaller than 256 bytes :)
     
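    A PowerShell way to do what the first post asks for (report every named stream under a folder tree, ignore the small ones using the 256-byte rule from the post above, and remove the rest in bulk instead of right-clicking each file). This is an added example, not code from the thread, from TDS-3 or from DiamondCS. It assumes Windows with PowerShell 5.1 or later (on PowerShell 7 `-Encoding Byte` becomes `-AsByteStream`), an NTFS volume, and a folder path `D:\Images` that you will change to your own; the `Zone.Identifier` name is the stream Windows itself writes to downloaded files and is treated as benign. A stream whose first two bytes are the PE "MZ" signature is flagged and deliberately left in place so it can be copied out for analysis before anything is deleted.

```powershell
# Added example: triage and bulk-remove NTFS alternate data streams.
# Assumed: PowerShell 5.1+ on Windows, NTFS volume, $Root points at the images.
param(
    [string]$Root   = 'D:\Images',   # assumed folder, change to suit
    [int]$MinBytes  = 256,           # "ignore streams smaller than 256 bytes"
    [switch]$Remove                  # without -Remove the script only reports
)

# Streams Windows writes itself; Zone.Identifier marks files downloaded from the Internet.
$KnownBenign = @('Zone.Identifier')

function Get-AdsReport {
    param([string]$Path, [int]$MinBytes)
    Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
        $file = $_
        # ':$DATA' is the file's own unnamed data stream, not an ADS, so skip it.
        Get-Item -LiteralPath $file.FullName -Stream * |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $isPe = $false
                if ($_.Length -ge 2) {
                    # Peek at the first two bytes; a PE image starts with "MZ" (0x4D 0x5A).
                    $head = Get-Content -LiteralPath $file.FullName -Stream $_.Stream `
                                        -Encoding Byte -TotalCount 2
                    $isPe = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                }
                if ($isPe)                                  { $verdict = 'SUSPICIOUS: PE header' }
                elseif ($KnownBenign -contains $_.Stream)   { $verdict = 'benign: known Windows stream' }
                elseif ($_.Length -lt $MinBytes)            { $verdict = "ignore: under $MinBytes bytes" }
                else                                        { $verdict = 'review' }
                [pscustomobject]@{
                    File    = $file.FullName
                    Stream  = $_.Stream
                    Length  = $_.Length
                    Verdict = $verdict
                }
            }
    }
}

$report = Get-AdsReport -Path $Root -MinBytes $MinBytes
$report | Sort-Object Verdict, Length -Descending | Format-Table -AutoSize

# Anything with a PE header stays on disk until you have saved a copy for analysis.
$report | Where-Object { $_.Verdict -like 'SUSPICIOUS*' } |
    ForEach-Object { Write-Warning "left in place for analysis: $($_.File):$($_.Stream)" }

if ($Remove) {
    # Bulk-delete only the 'review' bucket: at or above the threshold, not a known
    # Windows stream, and not flagged as an executable.
    $report | Where-Object { $_.Verdict -eq 'review' } | ForEach-Object {
        Remove-Item -LiteralPath $_.File -Stream $_.Stream
        "removed $($_.File):$($_.Stream) ($($_.Length) bytes)"
    }
}
```

    Run it once without `-Remove` to see the report, then with `-Remove` once you are happy with the verdicts. The unnamed `:$DATA` stream is the image itself and is never touched; everything the script deletes is a named stream on the same NTFS volume, so the copy-to-FAT32-and-back trick is not needed.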
  4. MaxPat

    MaxPat Registered Member

    Joined:
    Aug 21, 2003
    Posts:
    1
    If all you want to do is remove the streams from your images, you could simply burn them onto a CD, then copy them back to your original folder.

    Another way is to copy them to a FAT32 or non-NTFS partition on your system (or across a network), then copy them back again.

    The idea is to transfer them to a non-NTFS media where streams are not supported.

    Windows 2000 with the indexing service enabled on a partition is the culprit behind your problem, as it stores fast-indexing information in a stream on each image.

    Simply copying your files to a NTFS non-indexed partition won't help, since the streams exist already and remain during an NTFS-to-NTFS copy. They would just be useless and space-wasting since indexing would be disabled on that partition.

    Hope this helps!

    Max P. :)
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hello MaxPat and welcome to the forum!
    This sounds like a good tip. About the FAT32 partitions I had heard before; the CD-ROM is new to me but sounds logical too. And, like you said, you can copy only the files you want cleansed, so not all streams will be lost, which you might need for programs to function properly.
     