ntfs streams/ignore <128 enabled/still showing

hey,

after the latest update i'm getting NTFS hidden streams detected
• Radius Advanced Specialist Extensions on standby for 13 trojan families
01:12:25 [Init] • Systems Initialised [58251 references - 30804 primaries/15158 traces/12289 variants/other]
01:12:25 [Init] Radius Systems loaded. <Databases updated 17-06-2005
--------------------------------------------------------------------------

"ignore streams smaller then 128 bytes is enabled,all streams are 68 bytes..but the point is they show up? and after deleting them and a tds reload they again show up?
http://img292.echo.cx/img292/2584/stream18qq.jpg

http://img245.echo.cx/img245/9973/str26bm.jpg

http://img245.echo.cx/img245/832/str33db.jpg

anyone can tell me what to do here?
thanks in advance

 

oke, i runned NTFS Streams Eraser..and its fixed

can close it...

 

For NTFS hidden streams that you want to keep, I think there is a exclusion list.

 

Hi there, i don't know about the still showing them, but i do know the ones you showed us are added by KAV so expect them to be back soon enough.

 

Hey Jooske, the weird thing about this is that i'm not using kav at all..never used it.never tryed to run installer.
so how can one explain these kav streams?

by now they are removed and TDS reports clean again

thanks for the reply's

 

http://www.kaspersky.com/faq?qid=156666512

I don't know if some trojan or rootkit is using them too then. You see them all added to your security software in your screenshot.

https://www.wilderssecurity.com/showthread.php?t=59638&page=1

 

hey, thxs for the links..i highly doubt its rootkit? but as u noticed they all are attached at my services..

and to think about it..i have tryed to installing kav once but it bugged me about nav corp so i canceled the install.

but then again never seen them till the last tds update...

oke heres wot i did:
Unhackme: reports nothing
TDS: nothing

then i runned KLStreamRemover.exe on all partitions
it must be oke now

thanks for the tips

 

You're welcome!
I would think KAV would add it's streams to all files in the initialisation process before scanning, i had not thought it would happen during the installation of the program, although there is some logic in that too.
Since you did try to install KAV i highly doubt about a rootkit too.

 

Hi there
I have the same problem only my ADStreams are 88 bytes long.
If you look at the streams you will notice the MZ.exe is found on allmost
all of the streams and the streams dont show up untill I start having trojan
problems. When my system is clean I only get 1 or 2 streams. WinXP and
MAC operating systems carry those stupid ADS files and MAC is supposed
to have a split file system. So WinXP will have some streams but not that
many at one time. Some worms and trojandroppers will leave file traces
or copies of those streams so they have a hidden way back into your system.
I had a hacker problem untill I closed my ports. Ask Jooske to help you
with System cleaning and the closeing of your ports and your stream
problem will end.