alternate data streams

[fourspdtom]

hi again

been a bit since my last problem post. seems my last couple suspected issues went away after a restore point, uninstall and reinstall of webroot spysweeper, uninstalled webroot firewall but just using xp firewall now. also set only trend micro to start at restart, then i start webroot after startup settles. everything has seemed normal lately although restarts are still a bit slow. decided to run spybot and hjt today.

spybot found 4 entries for "RegistrySmart" and a good handfull of usage tracks. hjt looked normal, nothing new,, but the ads spy function found quite a few alternate data streams, about half connected to a temp folder,, and the other half connected to items in the favorites folder.

what are these? and do i just "fix" them thru hjt? any way to know what they are connected to or being used for? we had removed a few of these before when cookiegal helped me a while back ["desktop MRI disabled"], since uninstalling webroot firewall and using xp again, have i opened up for another infection?

my main concern is and has been desktop spying-viewing [ i play cards online] , is it possible these are anything related ? even with xp firewall on, remote assist and file sharing off , spysweeper and trendmicro always running,, is it even possible for someone to easily [and without my knowledge] spy on my desktop??

thanx for the help [and patience] once again

 

[lotuseclat79]

Hi forspdtom,

Here are some links you might find handy wrt ads:
* ADS (Alternate Data Streams) Removal Tools (free)

ADS Spy: http://www.spywareinfo.com/~merijn/files/adsspy.zip

Streams: http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx

CrucialADS: http://www.crucialsecurity.com//index.php?option=com_content&task=view&id=95&Itemid=137

-- Tom

 

[fourspdtom]

appreciate the links lotuseclat

i believe i can also remove these thru hjt, is that as effective?. do they all need to be removed, i.e. all considered harmful? and if so , how to find source and prevent re-occurences?

thanx again

 

[lotuseclat79]

Hi fourspdtom,

I don't know. Read merijn's web page about it at http://merijn.org/programs.php#adsspy.

-- Tom

 

[fourspdtom]

thanx again for then links,,

read up just a bit. seems there are some legitimate alternate data streams, but easily exploitable harmful uses as well. i went thru hjt and removed all of them. couple reboots, play cards, couple websites,, none returned.

the ones connected to the documents and settings/temp folder i assume are related to web surfing, sites viewed or something. all were between 98 and 135 bytes. probably no telling what they are.

the ones connected to items in the favorites folder apparently have to do with the icons next to the titles. now all the ones that had icons are changed back to the default explorer page icon. no harm there apparently but i woiuld like to get those back.

looks like half legitimate,, half suspect. i think ill check occassionally, see if any show up and see what i was doing just prior, might narrow it down. ill read up a little more too.

as usual,, appreciate the help

 

[fourspdtom]

little more i found lately on the subject

the ads connected to the items in favorites are [i believe] just for the little icons in the favorites list. they each return as you visit the site, close and reopen explorer, there they are.

the ones connected to items in documents and settings/temp folder,, im not sure yet what sites, but they return occasionally after web browsing. seems they show up 2 or 3 at a time, and each item listed twice. i saved the first list of ads i found if someone wants to look at them?? they might be from the kids sites, games and what not. we seem to catch more things from the kids sites and game downloads than anything else.

also, on the desktop spying or game cheating ive been worried about, one forum thread led me to a thing called snoopfree. freeware that monitors keyboard hooks and screen snapshots and such,, any here of or use it ??

first thing it blocked was zHotkey, from the gateway keyboard but not necessary. also it blocked a keyboard hook from ie explorer. both since running it this afternoon, the zhotkey comes at startup, the explorer one im not sure [accidentally cleared log missed the time, doh].

thanx again

 

[fourspdtom]

hello again,

i know its been a while on the subject,, the ads tool in hjt shows the ones for the icons in the favorites folder.

occasionally hjt picks up a couple in the documents and settings temp folder [although they dont show if you look in the folder?]. seem to come 2 or 3 at a time every week or so, and they always are listed twice. those i dont know when or from where they appear [not at startup, or web browser, possibly kids online games], hjt removes them and nothing seems noticeably different before or after.

any other thoughts?? , or am i worrying too much lol

thanx again