   Mischel Internet Security Forum
Topic: NTFS ADS found  (Read 1813 times)
Gandalf
Junior Member
NTFS ADS found
« on: Sep 15th, 2007, 4:42am »
After scanning today with latest ruleset loaded TH shows the following Alternate Data Streams: -  
Found NTFS alternate data stream attached to directory: C:\Documents and Settings\All Users\Application Data\Microsoft\goJwsKElQrhgkel:wGtfaHOciMzOOf0RfDNs4rhm:$DATA
Found NTFS alternate data stream attached to directory: C:\Documents and Settings\All Users\Application Data\Microsoft\Media Player:vUguLc0jPcLQpAniDM8PAcQY8u29:$DATA
Found NTFS alternate data stream attached to directory: C:\Documents and Settings\All Users\Application Data\Symantec\hpc:468323563:$DATA
Found NTFS alternate data stream attached to directory: C:\Documents and Settings\All Users\Application Data\TEMP:84098FD3:$DATA
 
Have done nothing about them as yet, awaiting advice. Also the option to delete ADS is not available - greyed out.
siliconman01
Global Moderator
Re: NTFS ADS found
« Reply #1 on: Sep 15th, 2007, 4:52am »
I've emailed Magnus to provide feedback on this.  I am also seeing this on a TEMP folder on my Vista Business system.
 
It started after LiveUpdate installed TH scanner Build 958 a couple of days ago.  You probably just got Build 958 of TrojanHunter.exe on your update.
 
______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
Gandalf
Junior Member
Re: NTFS ADS found
« Reply #2 on: Sep 15th, 2007, 6:09am »
Yes, siliconman01, that is correct. Further info: I have looked at each file in question.
1st ADS: File is empty, 0 folders, 0 bytes
2nd ADS: cannot find file specified
3rd ADS: File 0 bytes
4th ADS: temp folder is empty.
 
Will await further outcome.
Gandalf
Junior Member
Re: NTFS ADS found
« Reply #3 on: Sep 16th, 2007, 3:20am »
siliconman01: Decided to rescan after applying the September 16 ruleset and now get hundreds of ADS, files, double extensions etc. Tried to post the scan report here but was unable to do so, as it would take in excess of 4 posts to fit it all into the thread.
Is there no way of attaching text files to posts on the forum?
I have sent a copy of the scan report to support at the email address. Thought I'd better post that here as well.
Don't know what's going on.
Cheers,
siliconman01
Global Moderator
Re: NTFS ADS found
« Reply #4 on: Sep 16th, 2007, 4:00am »
There is not a direct way to attach a file to this forum.  You have to use a separate ftp storage source and then paste a link to the file you want to display.  
 
Concerning the Double Extensions, refer to the FAQ link below for how to handle them.  I personally run with the option to log files with double extensions unchecked.  This is the last option in the Option list.  TH still scans them for malicious content.  
 
http://www.misec.net/forum/board/FAQ/1139255660  
 
On the ADS logged items, I suspect that you are getting a lot of them on IE7's favicon...Favorites and Quick Launch URLs, eh?  They will have url:favicon in the string...like the one below.
 
Quote:
Found NTFS alternate data stream: C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\26. Mischel Internet Security - Forum.url:favicon:$DATA

 
These are showing up now with TH V5.0 because the scan engine now scans ALL files; previous versions did not.  
 
It does no good to clean the ADS on items like the one above because as soon as you go to the webpage again, IE7 will store the favicon again.  So these have to be ignored as an "annoyance" logged item.  I do not know if Magnus is working on modifying the TH scanner to not show/log these types of ADS.  I doubt it.  
 
But if you have other files with ADS streams, you should delete the ADS.  Once deleted, it should no longer show up in subsequent scans.  
 
The other way to handle the logged ADS items is to turn off the Option to log files with ADS streams.  Again TH will still scan them; it will just not log them as being found.
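The triage rules in the post above (favicon streams on .url shortcuts are an annoyance, other streams on files get deleted, streams on directories need a closer look) can be applied to the scanner's own log output. The script below is an added example written for this thread, not TrojanHunter or Mischel code. It assumes PowerShell 3.0 or later on an NTFS volume (that is where Get-Item/Remove-Item gained the -Stream parameter and Unblock-File appeared); the log lines, the function names and the Zone.Identifier rule are the editor's own, with the sample lines constructed in the format quoted in this thread.

```powershell
# Added example, not TrojanHunter or Mischel code. Sorts TrojanHunter "Found NTFS alternate data
# stream" lines into the buckets described in the thread and acts on them with the stream support
# built into PowerShell 3.0+. The four log lines are constructed for this example.
$scanLog = @'
Found NTFS alternate data stream: C:\Users\Administrator\Favorites\Forums\TrojanHunter Forum.url:favicon:$DATA
Found NTFS alternate data stream: C:\Users\Administrator\Downloads\ruleset.zip:Zone.Identifier:$DATA
Found NTFS alternate data stream: C:\Users\Administrator\Downloads\readme.txt:payload.exe:$DATA
Found NTFS alternate data stream attached to directory: C:\Documents and Settings\All Users\Application Data\TEMP:84098FD3:$DATA
'@

# One log line: optional "attached to directory", then <path>:<stream>:$DATA. The path keeps its
# drive-letter colon; a stream name cannot contain ':' or '\', which makes the split unambiguous.
$linePattern = '^Found NTFS alternate data stream(?<onDir> attached to directory)?:\s+(?<path>[A-Za-z]:\\.*?):(?<stream>[^:\\]+):\$DATA\s*$'

function ConvertFrom-TrojanHunterAdsLine {
    param([Parameter(Mandatory)][string]$Line)
    $m = [regex]::Match($Line, $linePattern)
    if (-not $m.Success) { return $null }
    [pscustomobject]@{
        Path        = $m.Groups['path'].Value
        Stream      = $m.Groups['stream'].Value
        OnDirectory = $m.Groups['onDir'].Success
    }
}

function Get-AdsVerdict {
    param([Parameter(Mandatory)]$Entry)
    $ext = [System.IO.Path]::GetExtension($Entry.Path).ToLowerInvariant()
    # IE favicon cache on a shortcut: deleting it is pointless, IE writes it back on the next visit
    if ($Entry.Stream -eq 'favicon' -and $ext -eq '.url') { return 'ignore' }
    # Mark-of-the-web that browsers put on downloads. Editor's assumption: this is the stream behind
    # the "Vista will not extract the ZIP" symptom mentioned later in the thread. Unblock-File clears it.
    if ($Entry.Stream -eq 'Zone.Identifier') { return 'unblock' }
    # A stream on a directory: the name alone says nothing, read the bytes before deciding
    if ($Entry.OnDirectory) { return 'inspect' }
    # Any other stream on a file: the thread's advice is to delete it
    return 'delete'
}

function Invoke-AdsAction {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)]$Entry)
    $verdict = Get-AdsVerdict -Entry $Entry
    $target  = "$($Entry.Path):$($Entry.Stream)"
    switch ($verdict) {
        'unblock' { if ($PSCmdlet.ShouldProcess($target, 'Unblock-File'))  { Unblock-File -LiteralPath $Entry.Path } }
        'delete'  { if ($PSCmdlet.ShouldProcess($target, 'Remove stream')) { Remove-Item -LiteralPath $Entry.Path -Stream $Entry.Stream } }
    }
    '{0,-8} {1}' -f $verdict, $target
}

$entries = $scanLog -split '\r?\n' |
    ForEach-Object { ConvertFrom-TrojanHunterAdsLine -Line $_ } |
    Where-Object { $null -ne $_ }

# Dry run: ShouldProcess returns $false under -WhatIf, so nothing is touched and each line just prints its verdict.
$entries | ForEach-Object { Invoke-AdsAction -Entry $_ -WhatIf }
# Drop -WhatIf to unblock/delete for real. 'inspect' entries are deliberately left alone.
```

Point `$scanLog` at a real scan report (`Get-Content -Raw report.txt`) rather than the constructed lines when using it. Remove-Item -Stream is documented for streams on files; a stream on a directory is left in the 'inspect' bucket on purpose, since the thread's own advice for those is to look at the contents first.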
Magnus
Administrator
Re: NTFS ADS found
« Reply #5 on: Sep 16th, 2007, 5:08am »
The latest build included code to detect ADS streams attached to directories. However, it seems that logging all such streams results in too many alerts on legitimate streams, so I will remove the logging in the next build.
siliconman01
Global Moderator
Re: NTFS ADS found
« Reply #6 on: Sep 16th, 2007, 5:54am »
Quote:
However, it seems that logging all such streams results in too many alerts on legitimate streams, so I will remove the logging in the next build.

 
Do you mean "remove the logging" on ADS attached to directories or ALL logging?  It's nice to have the logging on executables and ZIPs so that the ADS can be removed.
 
I've run into several instances when downloading ZIPs that Vista will not let users extract the ZIPs until the ADS is removed.  Trusty TH is great to remove the ADS.
Magnus
Administrator
Re: NTFS ADS found
« Reply #7 on: Sep 16th, 2007, 7:56am »
It will only be removed as it is now (always reporting ADS streams attached to directories). Normal ADS logging won't be removed.
siliconman01
Global Moderator
Re: NTFS ADS found
« Reply #8 on: Sep 16th, 2007, 8:08am »
It would be great if you could "unlog" these types also.
 
Found NTFS alternate data stream: C:\Users\Administrator\Favorites\Forums\TrojanHunter Forum.url:favicon:$DATA
 
Found NTFS alternate data stream: C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\36. Software & Definitions Updates\Nvidia Graphics Windows Vista 32-bit.url:favicon:$DATA
Gandalf
Junior Member
Re: NTFS ADS found
« Reply #9 on: Sep 16th, 2007, 8:19am »
siliconman01 I use IE 6 sp2.  
 
Magnus, because I could not post the scan report text file on here (far too large), I sent it attached to an email to your support email address. Unbelievable, the things it is throwing up. If you can, please have a look. With the email I included a hyperlink to this thread.
 
Much obliged.
Gandalf
Junior Member
Re: NTFS ADS found
« Reply #10 on: Sep 16th, 2007, 9:38am »
Have now unchecked "log ADS" and "warn on double extensions". Rescanned and it still shows the four in my original post:
Quote: on Sep 15th, 2007, 4:42am, Gandalf wrote:
After scanning today with latest ruleset loaded TH shows the following Alternate Data Streams: -  
Found NTFS alternate data stream attached to directory: C:\Documents and Settings\All Users\Application Data\Microsoft\goJwsKElQrhgkel:wGtfaHOciMzOOf0RfDNs4rhm:$DATA
Found NTFS alternate data stream attached to directory: C:\Documents and Settings\All Users\Application Data\Microsoft\Media Player:vUguLc0jPcLQpAniDM8PAcQY8u29:$DATA
Found NTFS alternate data stream attached to directory: C:\Documents and Settings\All Users\Application Data\Symantec\hpc:468323563:$DATA
Found NTFS alternate data stream attached to directory: C:\Documents and Settings\All Users\Application Data\TEMP:84098FD3:$DATA
 
Have done nothing about them as yet, awaiting advice. Also the option to delete ADS is not available - greyed out.
Gavin_Coe
Trojan Analyst
Re: NTFS ADS found
« Reply #11 on: Sep 17th, 2007, 3:13am »
Don't really like the look of that stream attached to the TEMP folder.
 
Install FileAlyzer from Safer-Networking, and right-click that folder. Then choose "analyse folder with FileAlyzer".
 
On the STREAMS tab you will have various things; if you have a binary, extract it with a right-click. The best thing to do if unsure is just to extract everything one by one, zip them up and send them in.
 
http://www.safer-networking.org/en/filealyzer/index.html
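The same inspection can be done without FileAlyzer, which matters here because (as a later post in this thread shows) FileAlyzer's file-oriented report does not cope well with a directory. The script below is an added example for this thread, not FileAlyzer or TrojanHunter code. It assumes PowerShell 3.0 or later on an NTFS volume, which is where Get-Item and Get-Content gained the -Stream parameter; the function names are the editor's, and the directory and stream name at the bottom are the ones quoted in this thread.

```powershell
# Added example, not FileAlyzer or TrojanHunter code. Lists every named stream on a path (a
# directory included), reads the bytes, fingerprints and hashes them, and can dump a copy to a
# file for submission. Assumes PowerShell 3.0+ and an NTFS volume.

function Get-AdsBytes {
    param([Parameter(Mandatory)][string]$LiteralPath,
          [Parameter(Mandatory)][string]$Stream)
    # Windows PowerShell 5.1 spells byte mode "-Encoding Byte"; PowerShell 7 spells it "-AsByteStream"
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        $b = Get-Content -LiteralPath $LiteralPath -Stream $Stream -AsByteStream -Raw
    } else {
        $b = Get-Content -LiteralPath $LiteralPath -Stream $Stream -Encoding Byte -Raw
    }
    if ($null -eq $b) { return ,[byte[]]@() }   # zero-length stream
    return ,[byte[]]$b                          # leading comma keeps the array from being unrolled
}

function Get-AdsKind {
    param([byte[]]$Bytes)
    if ($Bytes.Length -eq 0) { return 'empty' }
    if ($Bytes.Length -ge 2 -and $Bytes[0] -eq 0x4D -and $Bytes[1] -eq 0x5A) { return 'PE executable (MZ header)' }
    if ($Bytes.Length -ge 2 -and $Bytes[0] -eq 0x50 -and $Bytes[1] -eq 0x4B) { return 'ZIP container (PK header)' }
    # Mostly printable ASCII (plus tab/CR/LF) is treated as text, anything else as opaque binary
    $printable = @($Bytes | Where-Object { ($_ -ge 0x20 -and $_ -le 0x7E) -or ($_ -in @(9, 10, 13)) }).Count
    if ($printable -ge 0.95 * $Bytes.Length) { return 'text' }
    return 'binary'
}

function Get-AdsSha256 {
    param([byte[]]$Bytes)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($Bytes)) -replace '-', '').ToLowerInvariant() }
    finally { $sha.Dispose() }
}

function Get-AdsReport {
    param([Parameter(Mandatory)][string]$LiteralPath)
    # Get-Item -Stream * enumerates named streams on files and directories. ':$DATA' is a file's own
    # unnamed data stream, not an ADS, so it is skipped; directories have no unnamed stream at all.
    Get-Item -LiteralPath $LiteralPath -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            $bytes = Get-AdsBytes -LiteralPath $LiteralPath -Stream $_.Stream
            [pscustomobject]@{
                Path   = $LiteralPath
                Stream = $_.Stream
                Length = $_.Length
                Kind   = Get-AdsKind -Bytes $bytes
                SHA256 = Get-AdsSha256 -Bytes $bytes
            }
        }
}

function Export-Ads {
    param([Parameter(Mandatory)][string]$LiteralPath,
          [Parameter(Mandatory)][string]$Stream,
          [Parameter(Mandatory)][string]$OutFile)   # use a full path: .NET resolves relative paths against the process directory
    [System.IO.File]::WriteAllBytes($OutFile, (Get-AdsBytes -LiteralPath $LiteralPath -Stream $Stream))
}

# Usage, against the directory and stream TrojanHunter flagged in this thread
$dir = 'C:\Documents and Settings\All Users\Application Data\TEMP'
Get-AdsReport -LiteralPath $dir | Format-Table -AutoSize
# Export-Ads -LiteralPath $dir -Stream '84098FD3' -OutFile (Join-Path $env:TEMP 'TEMP_84098FD3.bin')
```

The report gives you what the thread is asking for by email: the stream's length, a SHA-256 to quote, and whether the bytes look like an executable, an archive, text or nothing at all. An exported copy can be zipped and sent in exactly as the post above suggests. As a quick cross-check, `dir /r` in a command prompt on Vista and later also lists streams next to their carrier file or folder.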
siliconman01
Global Moderator
Re: NTFS ADS found
« Reply #12 on: Sep 17th, 2007, 5:33am »
Sent you info on the C:\Program Data\TEMP folder with the ADS on my Vista Business system.  It's an empty folder.
Gavin_Coe
Trojan Analyst
Re: NTFS ADS found
« Reply #13 on: Sep 17th, 2007, 5:43am »
Interested in this one specifically
 
Found NTFS alternate data stream attached to directory: C:\Documents and Settings\All Users\Application Data\TEMP:84098FD3:$DATA  
 
 
So there is a stream called 84098FD3 attached to that TEMP folder inside the All Users folder... suspicious.
 
Mine just has nothing special, certainly no file with the name above!
 
(FileAlyzer acts differently on folders, I just noticed.) You'll work it out, Gandalf; it will just come up with the streams immediately.
Gandalf
Junior Member
Re: NTFS ADS found
« Reply #14 on: Sep 17th, 2007, 6:35am »
Gavin, upon navigating to that temp folder it is empty; there is no file in there with the name TEMP:84098FD3:$DATA.
I ran FileAlyzer on the temp folder and got this message:
********************************************************************
FileAlyzer © 2003-2006 Safer Networking Ltd. All Rights Reserved.
********************************************************************
 
 
File: C:\Documents and Settings\All Users\Application Data\TEMP
Date: 17/09/2007 11:21:42
 
 
***** General ******************************************************
      Location: C:\Documents and Settings\All Users\Application Data\
     Size: -1
  Version: ?
   CRC-32: Error generating checksum.
      MD5: Error generating checksum.
     SHA1: Error generating checksum.
     Read only: No
   Hidden: No
   System file: No
     Directory: No
  Archive: No
 Symbolic link: No
    Time stamp: ?
      Creation: ?
   Last access: ?
    Last write: ?
 
I have just rescanned the temp folder again with TH and it still lists the ADS file, and I can view the ADS, but I have no way of posting a screenshot of it on here. Should I send a screenshot of the ADS stream via email to the submit address?