Questions from new TDS-3 user

Discussion in 'Trojan Defence Suite' started by bluekey23, May 3, 2004.

Thread Status:
Not open for further replies.
  1. bluekey23

    bluekey23 Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    77
    Hello,
    I have finished my trial period and have now purchased a permanent license. I'm impressed with this program, but have some questions which perhaps someone here can answer.
    1. During the trial period I did a full system scan almost every day with all options checked. The results were the same for almost three weeks: completely clean. But then 11 hidden ADS showed up all at once. The help file doesn't really explain the origin of these. Where do they come from? Why a clean system for many weeks and then, all of a sudden, many show up? Eight were small (88 bytes), but 3 were over a thousand bytes. I deleted all, and haven't seen any ADS show up for the last week.

    2. After adding the key file to the TDS directory, I am seeing programs asking to run that have never run before. The Process Guard permission request screen shows that
    grpconv.exe and runonce.exe
    are asking to run. FileAlyzer shows that these programs have never run before on this machine (which is over 6 months old). Are they safe to allow?

    Thanks for your help.
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hello Bluekey, welcome with your best buy.
    I can only partly answer your questions relating to TDS:
    The NTFS ADS streams, as they are called, are extras added to files; for instance antivirus scanners might add them as a check for changed programs, in images you see them for extra info, etc. Most are just info, and small.
    The smaller ones you can ignore, and there is no need to delete them, as programs might recreate them again.
    Then there are the larger ones like you found, which can be malicious or just as innocent; only extra testing can tell, so if you find any larger than, say, about 200 bytes, please send them in to submit@diamondcs.com.au for deeper study. A few thousand bytes sounds large and could contain executable stuff.
    At this page you find more explanation about them:
    http://www.diamondcs.com.au/index.php?page=archive&id=ntfs-streams
    and tests you can perform yourself.
    If new things show up all of a sudden while you might not have installed anything new at all nor received any emails, then there is certainly reason to look deeper. At least configure your scan options to all checked and highest sensitivity, make sure you have the latest radius update and scan all there is, and you might like for the first time to look at all NTFS ADS streams, knowing you can ignore the ones smaller than 200 bytes.
    After that look deeper at your finds.
    Also place several files in CRCfiles.txt to be warned of changes, whatever file you think needs to be watched.

    For Process Guard I'm waiting for others to jump in; as for the programs mentioned:

    WinTasks Process Library
    grpconv - grpconv.exe - Process Information
    Process File: grpconv or grpconv.exe
    Process Name: Windows Program Group Converter
    Description: Application that is used to convert the Windows 3.1 groups to folders while upgrading from Windows 3.1.
    Company: Microsoft Corp.
    System Process: Yes
    Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): No
    Common Errors: N/A

    runonce - runonce.exe - Process Information
    Process File: runonce or runonce.exe
    Process Name: Runonce
    Description: Known as the Microsoft "Run Once" wrapper. The application is a program that developers can use as part of their installation procedures to ensure, for example, that after the first reboot after the software installation, some additional configuration program runs once, and once only, to complete the installation.
    Company: Microsoft Corp.
    System Process: Yes
    Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): No
    Common Errors: N/A

    So you see both are legitimate system processes which, by the looks of it, you can safely allow to run.
     
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Bluekey23, the ADS streams are usually created by images (88 bytes); I have TDS set to ignore any streams smaller than 128 bytes.
    Here is a page with much more information: http://www.diamondcs.com.au/web/streams/streams.htm

    grpconv.exe is a Windows system file ("Windows Program Group Converter"), as is runonce.exe; you can see by their properties whether they are genuine MS files.
    Runonce is usually shown when a programme has failed to install properly.

    HTH Pilli
     
  4. bluekey23

    bluekey23 Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    77
    Jooske and Pilli,
    Thanks for the excellent help and advice!
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You're welcome! Did it help, and is all clear and running fine now, no new NTFS ADS streams anymore (yet)?
     