XP svchost and hidden ADS

Discussion in 'Trojan Defence Suite' started by mikeky, May 19, 2004.

Thread Status:
Not open for further replies.
  1. mikeky

    mikeky Registered Member

    Joined:
    May 19, 2004
    Posts:
    2
    I think I understand what NTFS ADS streams are, but wonder if svchost (XP Pro) should have hidden ADS streams associated with it. For example:

    13:37:13 [NTFS ADS] Stream found - c:\windows\system32\svchost.exe:SummaryInformation
    13:37:13 [NTFS ADS] Stream found - c:\windows\system32\svchost.exe:(*****)
    13:37:13 [NTFS ADS] Stream found - c:\windows\system32\svchost.exe:SummaryInformation
    13:37:13 [NTFS ADS] Stream found - c:\windows\system32\svchost.exe:(*****)
    13:37:14 [NTFS ADS] Stream found - c:\windows\system32\svchost.exe:SummaryInformation
    13:37:14 [NTFS ADS] Stream found - c:\windows\system32\svchost.exe:(*****)
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Mikeky,
    Can you give us some more information please such as the size of these streams?

    If they are 0 byte files then they are nothing, if they are under 256 bytes they are probably harmless, if they are under 128 bytes almost certainly harmless :)
    I set mine to ignore any streams less than 90 bytes as many image files use 88 byte streams. Thumb.db comes to mind.

    Thanks Pilli
     
  3. mikeky

    mikeky Registered Member

    Joined:
    May 19, 2004
    Posts:
    2
    These are all either 0 or 88 bytes. Certainly I get a similar message with Thumb.db files, but just wasn't sure why the svhost would have ADS associated with it.
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    You mean SVChost, I hope, not svhost? :eek:

    SVChost is responsible for many functions under windows so it does not surprise me.

    If you want a better idea about what svchost gets up to on your PC, get Process Explorer from Sysinternals (free), a very nice utility.

    If you want to see what goes in and out of your PC, get Port Explorer from DCS (trialware).

    Pilli
     
  5. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Looks normal, especially when they are 0 or 88 bytes. Haven't tracked down what adds these but it's the same for most of us :)

    Setting it to ignore streams smaller than about 128 bytes is fine. Look in Scan Control > ADS Stream Options.
     
  6. ronny

    ronny Registered Member

    Joined:
    Feb 18, 2004
    Posts:
    231
    Location:
    Belgium
    I recently updated ZoneAlarm Pro (registered user), which causes many problems (but that is for another thread). But I mention it here because since then strange things happen on my PC.

    One of them is that when I start TDS-3 I get the following message:
    "NTFS Alternate Data Stream ADS Hidden Stream Detected: 88 bytes in C:\window\system32\svchost.exe:|summary information

    NTFS Alternate Data Stream ADS Hidden Stream Detected: 0 bytes in
    C:\windows\system32\svchost.exe {4c8cc155-6c1e-11d1-8e41-00c04fb9386d}"

    and this message I get 5 times (so 10 lines).

    Now when I read the messages above, it seems that since it is so few bytes, I shouldn't be worried about it. BUT!!! I didn't get these messages before the ZA update!

    Does anyone know what may cause this? And is it dangerous? Thank you for your help :).
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You mean ZA version 5.xxx?
    I hear it can make problems with your installed AV/AT software, it seems to monitor and/or protect it, and since then it seems to give problems, right?
    They probably should have kept to just the firewall and program permissions and stayed away from what they're doing now.
    Several AV/AT programs seem to add those ADS streams to files for several reasons, maybe to see if they changed since the last scan, who knows...
    The streams were there, you set TDS to ignore them that small, so ZA should not tell you differently.
     
  8. ronny

    ronny Registered Member

    Joined:
    Feb 18, 2004
    Posts:
    231
    Location:
    Belgium
    First, thank you very much Jooske for your reply :).
    Perhaps I didn't explain it well enough. But it is NOT ZA that tells me about those hidden streams, but TDS-3. It does that when I start the program to check for updates (so before I do a full system scan it already reports this).
    I have never set TDS to ignore them because they never showed up before!
    I did not change anything about the configuration of TDS-3 either.

    But now they suddenly are there o_O .
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    If you look with Port Explorer at which applications are on these svchost processes, are any of them related to ZA or your AV/AT, maybe live updates or things like that?
    Could be ZA placed those extra streams -- is there any way to see what they are?
     
  10. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    For comprehensive information about NTFS Streams, see this page
     
  11. ronny

    ronny Registered Member

    Joined:
    Feb 18, 2004
    Posts:
    231
    Location:
    Belgium
    @Wayne: Thanks but I had already read that ;)

    @Jooske: I used Port Explorer but the only information I could get was that it is going to Microsoft Corporation in Redmond, USA
    and the process is "Generic Host Process For Win 32 Services
    C:\WINDOWS\system32\svchost-k-rpcss " 12KB

    When I try to delete the hidden streams with TDS-3, TDS-3 tells me it has deleted them but they stay there, so they aren't deleted! o_O

    This is so complicated for me. I don't understand it at all. Don't get why they show up now, and never did before... :'(
     
  12. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, ronny

    Don't give up, ronny, most things get fixed with help.

    What version number, is it the latest v50_590_015?

    The reason I ask is because it says in ZoneAlarm Pro's [history] that one of its new functions is that it checks to see if your AntiVirus is up to date.

    Maybe this is what it is doing and it has something to do with it?

    Take Care,
    TheQuest :cool:
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    rpcss is probably connected to port 135?
    But that will not be in all 5 instances, what are the other files?
     
  14. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Interesting, reading elsewhere it appears that KAV5 also creates hidden streams sometimes, but it does not on this PC. I do not know about ZA as I do not use it.
    I am wondering if KAV & ZA are utilising hidden streams for some specific reason on certain systems?
    Maybe contacting ZA support may provide an answer.
     
  15. ronny

    ronny Registered Member

    Joined:
    Feb 18, 2004
    Posts:
    231
    Location:
    Belgium
    Yes, rpcss is connected to port 135.
    The other processes are:
    netsvcs: connected to ports ..., .. (2x) and ... (2x)
    Network Servic: port ... and ...
    LocalServic: port ... and .... (2x)

    Do you need to know if they are TCP or UDP too?

    Hm, my experience with ZA support so far hasn't been great :(. Their answer to any problems seems to be "clean install" :rolleyes: . But maybe I should try again...
     
    Last edited: Jun 3, 2004
  16. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Clean install won't help you, guess it's part of ZA Pro placing them, and since Gavin told you, as long as those streams themselves are no exe and smaller than 128 bytes you can ignore them.
     
  17. madampc

    madampc Guest

    I would not ignore this. Having the same, same size, and like I read further on, the same strange things happening; this process is going on with everybody I know, I live in Belgium. Try in TDS itself to dump that process to a file, so I did (right click on it), you will notice you can open it for a few seconds, see properties, and at the end it seems to be, all of them.... yes, a Windows PIF file. Of course I had no idea what that was, looked it up, and realized, surprised, it is some kind of extra commands for a DOS program running in Windows. The commands I'll post here, I hope someone can explain it better. Anyway it looks like a very sophisticated takeover of the PC. I was looking for a tool to find out something, TDS did, after I switched on the option to find these streams. I was for weeks trying to find out, found as well something about rootkits, and the Revealer showed a lot of positive facts, but don't ignore it. Security Task Manager also showed a very strange thing going on. Check on the Trend Micro website, problems after a patch on 22 April, the worm before named b_buchon, and its program in Visual C++, dropping keys "run" command.
    An active key logger, read what generates this tool of text, in every program running. I'm sure something very strange goes on. Whoever can find out and knows more about it or understands more about PCs should give a reaction, but I do not think ignoring it is correct, even when the stream seems 0 bytes. Greets, Monika
     
  18. madampc

    madampc Guest

    Exactly, that is strange, not always, and no exe but pif, see my other post, but it looks like they create a lot of exe files, those are active, and located in system32. Good luck, if I get more to find out, I'll post it.
     
  19. tony64

    tony64 Registered Member

    Joined:
    Dec 11, 2004
    Posts:
    98
    Location:
    Milan, Italy
  20. madampc

    madampc Guest

    TDS finds mz.exe files, seems normal, no idea, has everybody had this o_O? with NTFS disk??

    The NE EXE files are the new exe files used by windows and OS/2 executables.
    They contain a small MZ EXE which prints "This program requires Microsoft
    Windows" or something similar but Some files contain both DOS and Windows
    versions of the executable. The position of the new EXE header can be found
    in the old exe header - see the MZ EXE topic for further information. All
    offsets within this header are from the start of the header if not noted
    thanks
     
  21. madampc

    madampc Guest

    I found out, yes, it is a help command file in DOS.
    TDS names it mz.exe, here is what I found about it:


    The NE EXE files are the new exe files used by windows and OS/2 executables.
    They contain a small MZ EXE which prints "This program requires Microsoft
    Windows" or something similar but Some files contain both DOS and Windows
    versions of the executable. The position of the new EXE header can be found
    in the old exe header - see the MZ EXE topic for further information. All
    offsets within this header are from the start of the header if not noted

    and still more:
    Streams
    The NTFS file system provides applications the ability to create alternate data streams of information. By default, all data is stored in a file's main unnamed data stream, but by using the syntax "file:stream", you are able to read and write to alternates. Not all applications are written to access alternate streams, but you can demonstrate streams very simply. First, change to a directory on an NTFS drive from within a command prompt. Next, type "echo hello > test:stream". You've just created a stream named 'stream' that is associated with the file 'test'. Note that when you look at the size of test it is reported as 0, and the file looks empty when opened in any text editor. To see your stream enter "more < test:stream" (the type command doesn't accept stream syntax so you have to use more).

    NT does not come with any tools that let you see which NTFS files have streams associated with them, so I've written one myself. Streams will examine the files and directories (note that directories can also have alternate data streams) you specify and inform you of the name and sizes of any named streams it encounters within those files. Streams makes use of an undocumented native function for retrieving file stream information. Full source code is included.

    Usage: streams [-s] [-d] <file or directory>

    -s Recurse subdirectories.
    -d Delete streams.

    Streams takes wildcards e.g. 'streams *.txt'.

    Download Streams (19 KB)

    Is everybody with XP on NTFS having this result with a TDS scan o_O
    Does it influence a tool named RootkitRevealer, which showed me 54000 items? A friend did not have this at all, can anybody explain o_O??
    greets :)
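The size rule of thumb given earlier in the thread (Pilli, Gavin and Jooske: ignore small, non-executable property-set streams, look harder at anything else) and the "file:stream" syntax quoted in the post above, turned into a small triage script. This is an added example, not code from TDS-3 or from anyone in the thread; it is written in Python because it reads detection text rather than the Windows ADS API. The sample lines are constructed to resemble the messages ronny quoted, and the 128-byte threshold and the two stream names treated as benign are taken from the thread.

```python
import re

# Stream names the thread reports as routinely present on svchost.exe
KNOWN_PROPERTY_STREAMS = {"summaryinformation", "{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}"}
IGNORE_BELOW_BYTES = 128  # the "ignore streams smaller than" value Gavin suggests

# Matches the "<n> bytes in <path><sep><stream>" shape of the messages ronny quoted:
# the path ends at the first ':', '|' or blank, and the remainder is the stream name.
LINE_RE = re.compile(
    r"(?P<size>\d+) bytes in (?P<path>[A-Za-z]:\\[^:|\s]+)[:|\s]+(?P<stream>.+?)\s*$",
    re.IGNORECASE,
)

def parse_detection(line):
    """Return {'size', 'path', 'stream'} for a TDS-3 style ADS message, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"size": int(m["size"]), "path": m["path"], "stream": m["stream"]}

def is_executable_stream(data):
    """True if the stream's bytes begin with the 'MZ' DOS/Windows executable header."""
    return data[:2] == b"MZ"

def triage(line, data=None):
    """Thread's rule of thumb: small known property-set streams are noise, the rest is not."""
    d = parse_detection(line)
    if d is None:
        return "unparsed"
    if data is not None and is_executable_stream(data):
        return "investigate: executable image in stream"
    name = d["stream"].lower().replace(" ", "")
    if d["size"] < IGNORE_BELOW_BYTES and name in KNOWN_PROPERTY_STREAMS:
        return "ignore: known property-set stream"
    if d["size"] < IGNORE_BELOW_BYTES:
        return "review: small stream with unknown name"
    return "investigate: stream above threshold"

# Constructed sample lines modelled on the thread's messages (not real log output)
SAMPLES = [
    r"NTFS Alternate Data Stream ADS Hidden Stream Detected: 88 bytes in C:\windows\system32\svchost.exe:|summary information",
    r"NTFS Alternate Data Stream ADS Hidden Stream Detected: 0 bytes in C:\windows\system32\svchost.exe {4c8cc155-6c1e-11d1-8e41-00c04fb9386d}",
    r"NTFS Alternate Data Stream ADS Hidden Stream Detected: 40960 bytes in C:\windows\system32\svchost.exe:extra.pif",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(triage(s))
```

The `data` argument is optional: when the stream contents have been dumped (as madampc describes doing from TDS), passing the bytes lets the MZ check override the size rule.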
     