system file comctl32.dll need advice on ADS hidden stream

Discussion in 'Trojan Defence Suite' started by TDS#1, Feb 12, 2005.

Thread Status:
Not open for further replies.
  1. TDS#1

    TDS#1 Guest

    After a full version TDS3 (lastest update + db) scan, it showed:
    #1
    #2 : on the same file path and filename:
    any help would be much appreciated. Thx.
     
  2. hardhead

    hardhead Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    292
    Location:
    Blue Ridge, Va
    Hello guest,

    Let me refer you to this post here for help.
     
  3. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Guest

    Do you have or have you had Kapersky antivirus installed on the computer as they look like Kapersky I stream checker ADS streams
     
  4. chifeo

    chifeo Guest

    Thanks, but no KAV on my box. Gave TDS3 1 try deleting the stream, it came back on. As other posts, it is possible to completely delete it from running TDS in windows safe mode. Is it something with that? Is there anyone having the such thing on his/her winxp box? Besides, it should be to delete that stream or not. Probably this is not a breach problem for its so small size of the stream (<128bytes) and that it came for tracking by windows?
    thx for help.
     
  5. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    in my experience that is normally an antivirus checking stream or a file protection system check

    what AV do you have as several of them use the same technology now
     
  6. BourgePD

    BourgePD Registered Member

    Joined:
    Sep 5, 2004
    Posts:
    75
  7. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there!
    I googled for that long name {4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
    and see it in many postings, but solutions or what it is exactly are not clear yet.
    The easiest way if TDS would not remove it is copy the file to a FAT32 location and back to it's place.
    TDS can run in safe mode too if you want.
     
  9. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    If this is windows 2000 rather than XP, then those streams are not removable as tehy are actual windows tracking files rather than an external tracking file

    whichever they are, they are harmless and can be safely ignored, set TDS to ugnore ADS streams of less than 100 bytes and ignore NON executable streams
     
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Thought it said MZ exe which sounds as an executable?
    This is why .......
     
  11. BourgePD

    BourgePD Registered Member

    Joined:
    Sep 5, 2004
    Posts:
    75
    Understood. ;)
     
  12. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    IT's very confusing but it's NOT MZ.exe (DOT EXE ) which would be an executable stream it is just called MZ EXE which is not an executable stream, why it was given that name I don't know
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Ah! that explains ... more or less .. ;)
    But it's small and no exe so considered harmless. :cool:
     
  14. ding

    ding Guest

  15. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
Thread Status:
Not open for further replies.