TDS-2 NTFS ADS Log

This is in my TDS log under alarms

NTFS Alternate Data Stream ADS Hidden Stream detected C:\Windows\explorer.exe summary information
NTFS Alternate Data Stream ADS Hidden Stream detected C:\Windows\explorer.exe summary information
NTFS Alternate Data Stream ADS Hidden Stream detected C:\Windows\explorer.exe summary information
NTFS Alternate Data Stream ADS Hidden Stream detected C:\Windows\explorer.exe summary information
NTFS Alternate Data Stream ADS Hidden Stream detected C:\Windows\explorer.exe summary information
NTFS Alternate Data Stream ADS Hidden Stream detected C:\Windows\lmhsvc:dll summary information
NTFS Alternate Data Stream ADS Hidden Stream detected C:\Windows\lmhsvc:dll summary information

NTFS Alternate Data Stream ADS Hidden Stream detected C:\Windows\lmhsvc:dll summary information
NTFS Alternate Data Stream ADS Hidden Stream detected C:\Windows\lmhsvc:dll summary information


Candy

 

Hi,
Thank you for the welcome. This TDS-3 shows rarely seen NTFS hidden streams that are used to cover files BENEATH regular files. These files are of intetrest to law enforcement because they often contain covert information. Mine showed as alarms which means TDS scan read trojans in these streams. This system is excellent and provides users with alot of information when their systems may have been hijacked.

Sorry if i breached forum rules by posting this thread. I'll go read the guidelines now.


Candy

 

Sorry I have a Gateway 700XL Windows XP a P4 with 2.4gz and 252 Ram. I am running Panda Platinum Security, TDS-3, Smartwhois, RegCleaner, Caller Ip and Tokenmon.

Candy

 

It comes up with MZ.exe under properties and now a new stream has been added. To help this along, I sent the file to diamond labs to look at. I have had trojans and other issues, which is why i tried this again, as it does a superb job and is usually very accurate. the file is hidden behind I believe $servicepackinstaller$ and windows system32 dll cache. Maybe this is something some other users with more stubborn problems may like to use to check.

Candy

 

I've always been interested in ADS, but I've never seen trojans or viruses use it...

If this app can actually pinpoint where the ADS, is, if you have the resources (like a fat32 partition), copy the file its behind to there.

ADS cannot live on FAT, so it should show up at that point, and be scannable by any antivirus.

I found this as well:

http://www.bitmart.net/r2k.shtml

This may allow you to see it yourself and see if it truly exists.


I found this as well for detecting ADS:

http://www.heysoft.de/nt/ep-lads.htm



I would be curious to see if these applications pick up the ADS that the trojan scanner did.

http://www.heysoft.de/Frames/f_faq_ads_en.htm

Here there is a faq for exposing the ADS for deletion.

However he refers to an app named cat, off of some resource kit, and I didn't see if specify what resource kit exactly.