ntfs streams/ignore <128 enabled/still showing

Discussion in 'Trojan Defence Suite' started by fred22, Jun 16, 2005.

Thread Status:
Not open for further replies.
  1. fred22

    fred22 Registered Member

    Joined:
    Dec 6, 2004
    Posts:
    229
Hey,

After the latest update I'm getting NTFS hidden streams detected:
    • Radius Advanced Specialist Extensions on standby for 13 trojan families
    01:12:25 [Init] • Systems Initialised [58251 references - 30804 primaries/15158 traces/12289 variants/other]
    01:12:25 [Init] Radius Systems loaded. <Databases updated 17-06-2005
    --------------------------------------------------------------------------

"Ignore streams smaller than 128 bytes" is enabled, and all streams are 68 bytes... but the point is they show up? And after deleting them and a TDS reload they show up again?
    http://img292.echo.cx/img292/2584/stream18qq.jpg

    http://img245.echo.cx/img245/9973/str26bm.jpg

    http://img245.echo.cx/img245/832/str33db.jpg

Can anyone tell me what to do here?
Thanks in advance
     
  2. fred22

    fred22 Registered Member

    Joined:
    Dec 6, 2004
    Posts:
    229
OK, I ran NTFS Streams Eraser... and it's fixed.

You can close it...
     
  3. Carver

    Carver Guest

For NTFS hidden streams that you want to keep, I think there is an exclusion list.
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
Hi there, I don't know about them still showing, but I do know the ones you showed us are added by KAV, so expect them to be back soon enough.
     
  5. fred22

    fred22 Registered Member

    Joined:
    Dec 6, 2004
    Posts:
    229
Hey Jooske, the weird thing about this is that I'm not using KAV at all... never used it, never tried to run the installer.
So how can one explain these KAV streams?

By now they are removed and TDS reports clean again ;)

Thanks for the replies
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
  7. fred22

    fred22 Registered Member

    Joined:
    Dec 6, 2004
    Posts:
    229
Hey, thanks for the links... I highly doubt it's a rootkit? But as you noticed they are all attached to my services...

And thinking about it... I have tried installing KAV once, but it bugged me about NAV Corp so I cancelled the install.

But then again, never seen them till the last TDS update...

OK, here's what I did:
Unhackme: reports nothing
TDS: nothing

Then I ran KLStreamRemover.exe on all partitions.
It must be OK now.

Thanks for the tips
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
You're welcome!
I would think KAV would add its streams to all files in the initialisation process before scanning; I had not thought it would happen during the installation of the program, although there is some logic in that too.
Since you did try to install KAV, I highly doubt it's a rootkit too.
     
  9. Tracccker178

    Tracccker178 Registered Member

    Joined:
    May 16, 2005
    Posts:
    34
Hi there
I have the same problem, only my ADStreams are 88 bytes long.
If you look at the streams you will notice the MZ.exe is found on almost all of the streams, and the streams don't show up until I start having trojan problems. When my system is clean I only get 1 or 2 streams. WinXP and MAC operating systems carry those stupid ADS files, and MAC is supposed to have a split file system. So WinXP will have some streams, but not that many at one time. Some worms and trojan droppers will leave file traces or copies of those streams so they have a hidden way back into your system.
I had a hacker problem until I closed my ports. Ask Jooske to help you with system cleaning and the closing of your ports, and your stream problem will end.
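An added example, not from this thread and not part of TDS, KAV or any of the tools named above: it enumerates the alternate data streams under a folder with the built-in Get-Item -Stream support in Windows PowerShell 5.1, applies a minimum-size filter of the kind fred22 describes ("ignore streams smaller than 128 bytes"), and flags streams whose first two bytes are the "MZ" executable signature, which is the observation Tracccker178 makes above. The -Path and -MinBytes parameter names are assumptions of this example, not TDS settings.

```powershell
# Added example (not from the thread or from TDS): list NTFS alternate data
# streams under a folder, drop streams below a size threshold, and mark streams
# that begin with the "MZ" signature of a PE executable.
# -Path and -MinBytes are names chosen for this example (assumption).
param(
    [string]$Path = ".",
    [int]$MinBytes = 128
)

Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Get-Item -Stream * returns every named stream of the file.
        # ':$DATA' is the file's own content, not an alternate stream, so skip it.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $stream = $_
                # Same idea as the "ignore streams smaller than N bytes" option:
                # streams under the threshold are not reported.
                if ($stream.Length -lt $MinBytes) { return }

                # Read only the first two bytes of the stream and compare them
                # with 0x4D 0x5A ("MZ"), the DOS header of a PE executable.
                $head = Get-Content -LiteralPath $file.FullName -Stream $stream.Stream `
                            -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
                $isPe = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)

                [pscustomobject]@{
                    File   = $file.FullName
                    Stream = $stream.Stream
                    Bytes  = $stream.Length
                    MZ     = $isPe
                }
            }
    } |
    Sort-Object Bytes -Descending |
    Format-Table -AutoSize
```

Run it as `.\Find-AdsStreams.ps1 -Path C:\Windows\system32 -MinBytes 0` to see every alternate stream, or leave -MinBytes at 128 to reproduce the filter behaviour discussed in the thread. On PowerShell 7 replace `-Encoding Byte` with `-AsByteStream`. Note that a small stream hidden by the size threshold is still present on disk; the filter only affects what is reported, which is why a short stream that is recreated by another program (as Jooske suggests KAV does) keeps reappearing after deletion.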
     