
Thread: ADS Spy?

  1. #1
    Uranium Lounger viking33's Avatar
    Join Date
    Jun 2002
    Location
    Cape Cod, Massachusetts, USA
    Posts
    6,308
    Thanks
    0
    Thanked 1 Time in 1 Post

    ADS Spy?

    I ran this Spyware program that checks for Alternate Data Streams (ADS).
    In addition to a group of legit hits in the Favorites folder, it found this one particular one in the Windows\System32 folder that stood out. It's a binary file so I can't really tell what it says or does (if anything), but before I let the program delete it, I would like to know if anyone can tell me about it. It does NOT show up in Windows Explorer or Search. Screenshot below.
    BOB
    http://lounge.windowssecrets.com/S/flags/USA.gif http://lounge.windowssecrets.com/S/f...sachusetts.gif


    Long ago, there was a time when men cursed and beat on the ground with sticks. It was called witchcraft.
    Today it is called golf!

  2. #2
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: ADS Spy?

    (Edited by jscher2000 on 25-Jan-08 14:30.)

    I couldn't find any streams in a quick scan of a few folders (e.g., c:\windows and my Favorites and Local Settings folders), but I probably don't surf as widely as some other people.

    How can you tell that odd file name (??) is a binary file?

    Added: Does that GUID-like number correspond to anything in the Registry?

  3. #3
    Uranium Lounger viking33's Avatar

    Re: ADS Spy?

    Jefferson,
    I did try to search for that file as you did, I suppose, but it says it will NOT show up in Explorer or in Windows.

    I did a search in the reg for that GUID-like number and the only spot it showed up was in HKLM\current user\software\microsoft\search assistant\ACMru\5603, which was probably the result of my searching for it in WE.

    When you right click on the file the program responds that "file contains binary data & will most likely not display properly or completely".
    It showed up as:
    BOB

  4. #4
    Uranium Lounger viking33's Avatar

    Re: ADS Spy?

    And opened in Wordpad as:
    BOB

  5. #5
    Plutonium Lounger
    Join Date
    Mar 2002
    Posts
    84,353
    Thanks
    0
    Thanked 29 Times in 29 Posts

    Re: ADS Spy?

    I really don't know what to recommend. I fear that it's very difficult for most computer users (including me!) to interpret the results of highly technical programs such as RootkitRevealer or ADS Spy. Malware programs are trying to hide from security programs, but at the same time some security programs are trying to hide from malware, so it's hard to tell whether a hidden item is a threat or benevolent.

    Bottom line: if you have no other indications that your computer is compromised, I'd ignore this item for the moment.

  6. #6
    Super Moderator jscher2000's Avatar

    Re: ADS Spy?

    I Googled the first section of that number (the 726B6F7C of 726B6F7C-E889-4EFE-8CA3-AEF4943DBD38) and found a few references. But nothing to identify it. Hard to know what 12 bytes could possibly do...
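
Added example, not part of the original thread and not ADS Spy's own code: the check discussed in the posts above can be reproduced with PowerShell's built-in stream support. The function name `Get-NamedStream` and its parameters are hypothetical; it lists each named stream on the files in a folder with its size and first bytes in hex, which is what you need to judge a small binary stream like the 12-byte one reported here.

```powershell
# Added example (not from the thread). Lists alternate data streams with
# their size and a hex preview. Function and parameter names are hypothetical.
function Get-NamedStream {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$PreviewBytes = 16,
        [switch]$Recurse
    )

    # Get-Content reads raw bytes with -AsByteStream on PowerShell 6+,
    # and with -Encoding Byte on Windows PowerShell 5.1 and earlier.
    $byteArg = if ($PSVersionTable.PSVersion.Major -ge 6) {
        @{ AsByteStream = $true }
    } else {
        @{ Encoding = 'Byte' }
    }

    Get-ChildItem -LiteralPath $Path -File -Force -Recurse:$Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * returns every stream; ':$DATA' is the ordinary file content.
            Get-Item -LiteralPath $_.FullName -Stream * -Force -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            $bytes = Get-Content -LiteralPath $_.FileName -Stream $_.Stream `
                -TotalCount $PreviewBytes -ErrorAction SilentlyContinue @byteArg
            # An empty or unreadable stream yields $null; show an empty preview.
            $hex = if ($null -ne $bytes) { [BitConverter]::ToString([byte[]]@($bytes)) } else { '' }
            [pscustomobject]@{
                File    = $_.FileName
                Stream  = $_.Stream
                Length  = $_.Length
                # Zone.Identifier is the download marker Windows itself writes.
                Known   = $_.Stream -eq 'Zone.Identifier'
                HexHead = $hex
            }
        }
}

# Report only; nothing is deleted. Smallest streams first.
Get-NamedStream -Path "$env:SystemRoot\System32" |
    Sort-Object Length |
    Format-Table -AutoSize
```

This covers streams attached to files only, and it needs an NTFS volume. Pointing `-Path` at a mounted backup image gives the same comparison against older snapshots that is done later in the thread.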

  7. #7
    Uranium Lounger viking33's Avatar

    Re: ADS Spy?

    Following that link you found, which apparently was someone's HiJack This log, I drilled down in the recommendations and it did find that EXACT strange file with the same 12 byte size and all. It was ID'ed as an ADS Spy file and was removed.

    I think I will also delete it and check carefully for any problems afterwards.
    I can always restore the System32 file using True Image to restore only that part of the folder.

    Thanks for your diligence in tracking it down.
    BOB

  8. #8
    Uranium Lounger
    Join Date
    Mar 2001
    Location
    New Jersey
    Posts
    6,684
    Thanks
    1
    Thanked 11 Times in 11 Posts

    Re: ADS Spy?

    Did you check the image to see if the file is there?? Or can't you do that with the program???

  9. #9
    Plutonium Lounger
    Join Date
    Oct 2001
    Location
    Lexington, Kentucky, USA
    Posts
    12,107
    Thanks
    0
    Thanked 1 Time in 1 Post

    Re: ADS Spy?

    Hey Bob, is this the link for that software? ADS Spy v1.11 (freeware) ?

    I think you're covered by your backup in doing a removal, but based on this statement on the software's web page, I think I go along with Hans. It could be something legit from Windows or your AV program or a firewall or who knows what: "Use with caution, Windows and several antivirus programs also store (temporary) information in ADS."

  10. #10
    Super Moderator jscher2000's Avatar

    Re: ADS Spy?

    FWIW, this is the link I used. I think it's the "official" site (it's framed by merijn.org), but it's hard to say for sure.

    http://www.spywareinfo.com/~merijn/programs.php#adsspy

  11. #11
    Uranium Lounger viking33's Avatar

    Re: ADS Spy?

    Al,
    That is the software I mentioned but just from another link. Jefferson's link IS the "official" site from the author.
    It would be interesting to have someone else use that tool to see if they also show that file in their System32 folder. You don't have to use the tool to go any further than to just "look" for any ADS files.

    Yeah, I'm sure True Image would give me the protection to restore the folder properly, if necessary.

    Also, the actual part of that user's HiJack This report and the removal of the file in question is shown here.
    ---------------------------------------------------------
    BOB

  12. #12
    Uranium Lounger viking33's Avatar

    Re: ADS Spy?

    Doc,
    Do you mean can ADS Spy look in the True Image backup image for that same file?
    If so, I don't know but I can try to see if it can. Will post back after checking.
    BOB

  13. #13
    Plutonium Lounger
    Join Date
    Mar 2002
    Posts
    84,353
    Thanks
    0
    Thanked 29 Times in 29 Posts

    Re: ADS Spy?

    I did run ADS Spy yesterday, and it didn't find any alternate data streams on my PC.

  14. #14
    Uranium Lounger viking33's Avatar

    Re: ADS Spy?

    Hans,
    OK, that kind of confirms that it IS some sort of file that shouldn't be in there.
    A few more reports from other Loungers should definitely show that.
    Thanks.
    BOB

  15. #15
    Uranium Lounger viking33's Avatar

    Re: ADS Spy?

    Doc,
    By mounting an Image of the C: drive from my last two backups from True Image (I only keep two current backup images), I was able to use ADS Spy to check the images and it DID find the same mysterious file in both Images!

    So it's been around for at least two months, doing whatever?
    BOB