Unknown ADS and no Admin in ACL: what is good and what is bad???



billybob0626
2008-04-29, 00:06
I originally posted on April 17th about "9 hidden registry keys found" and you promptly responded that they probably were corrupted keys (the list of keys follows):
:: RootAlyzer Results
RegyKey:"Hidden registry key","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\????????\",""
RegyKey:"Hidden registry key","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\??SID\",""
RegyKey:"Hidden registry key","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\??SID\{B2847E28-5D7D-4deb-8B67-05D28BCF79F5}\",""
RegyKey:"Hidden registry key","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\?SID\",""
RegyKey:"Hidden registry key","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\?SID\{B2847E28-5D7D-4deb-8B67-05D28BCF79F5}\",""
RegyKey:"Hidden registry key","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\?SID\",""
RegyKey:"Hidden registry key","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\?SID\{B2847E28-5D7D-4deb-8B67-05D28BCF79F5}\",""
RegyKey:"Hidden registry key","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\??SID\",""
RegyKey:"Hidden registry key","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\??SID\{B2847E28-5D7D-4deb-8B67-05D28BCF79F5}\",""

The details said that it could not open keys.

Yesterday I ran the updated version of root analyzer and the keys did not show up but here is what did:

// info: Rootkit removal help file
// copyright: (c) 2008 Safer Networking Ltd. All rights reserved.

:: RootAlyzer Results
File:"Reserved filename","N:\autorun.inf\lpt3.This folder was created by Flash_Disinfector"
File:"Reserved filename","D:\autorun.inf\lpt3.This folder was created by Flash_Disinfector"
File:"No admin in ACL","C:\WINDOWS\Temp\hsperfdata_SYSTEM\596"
File:"Unknown ADS","C:\Program Files\Kodak\Kodak EasyShare software\Originals\130468.jpg:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Program Files\Kodak\Kodak EasyShare software\Originals\130485.jpg:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Program Files\Kodak\Kodak EasyShare software\Originals\130503.jpg:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Program Files\Kodak\Kodak EasyShare software\Originals\130521.jpg:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Program Files\Kodak\Kodak EasyShare software\Originals\130537.jpg:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Program Files\Kodak\Kodak EasyShare software\Originals\130553.jpg:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Program Files\Kodak\Kodak EasyShare software\Originals\130569.jpg:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Program Files\Kodak\Kodak EasyShare software\Originals\130585.jpg:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Program Files\Kodak\Kodak EasyShare software\Originals\130601.jpg:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Program Files\Kodak\Kodak EasyShare software\Originals\130617.jpg:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Program Files\Kodak\Kodak EasyShare software\Originals\130633.jpg:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Program Files\Kodak\Kodak EasyShare software\Originals\130649.jpg:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Program Files\Kodak\Kodak EasyShare software\Originals\130665.jpg:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Program Files\Kodak\Kodak EasyShare software\Originals\130681.jpg:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Program Files\Kodak\Kodak EasyShare software\Originals\130713.jpg:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Program Files\Kodak\Kodak EasyShare software\Originals\130745.jpg:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Program Files\Kodak\Kodak EasyShare software\Originals\130796.jpg:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Program Files\Kodak\Kodak EasyShare software\Originals\130812.jpg:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Program Files\Kodak\Kodak EasyShare software\Originals\130828.jpg:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Program Files\Kodak\Kodak EasyShare software\Originals\130844.jpg:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Program Files\Kodak\Kodak EasyShare software\Originals\130860.jpg:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Program Files\Kodak\Kodak EasyShare software\Originals\130876.jpg:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Program Files\Kodak\Kodak EasyShare software\Originals\130892.jpg:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Program Files\Kodak\Kodak EasyShare software\Originals\130908.jpg:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Program Files\Kodak\Kodak EasyShare software\Originals\130924.jpg:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Program Files\Kodak\Kodak EasyShare software\Originals\192947.jpg:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Program Files\Adobe\Adobe Photoshop CS2\Presets\Photoshop Actions\Frazers Sketch.atn:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\Vault\2f7f05b4_502488.jpg:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\Vault\4d83db18_812004.jpg:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\Vault\91fee0dd_975119.jpg:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\Vault\a52894af_786799.jpg:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\Vault\b098a97b_864504.jpg:SummaryInformation:$DATA"
File:"No admin in ACL","C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk"
File:"Reserved filename","C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector"
Directory:"No admin in ACL","N:\System Volume Information"
Directory:"No admin in ACL","C:\System Volume Information"

I am no expert (that is why I turned to you), but I know that the EasyShare application uses BackWeb Lite and the three files with reserved names came from a flash drive cleaner that I used.

Also, I am puzzled as to why my N drive has system volume information since I use that drive to store jpeg and avi files. Could you help me "interpret" the results of the scan?

a grateful BillyBob0626

PepiMK
2008-04-29, 10:14
Thanks for the details :)

If you look into the integrated documentation, you'll notice that it's mentioned somewhere in the ADS part that it's impossible to know all legit ADS stream names. This :|SummaryInformation:$DATA is such an example, though an awkward one.
That's standard Windows document information - if you right-click such a file in Windows Explorer, select Properties and then the Summary tab, that's what is in this stream.
I did actually try to put this on the whitelist, but was not copy'n'pasting correctly from an MSDN page - the character shown as a square here was something I saw as a vertical line, so the whitelist entry didn't catch it. Did add a bug tracker entry (http://forums.spybot.info/project.php?issueid=230) and immediately fixed it :)

Second, there is this Flash_Disinfector thing. That's no false positive! These folders called autorun.inf, with a name starting with the name of a printer device (lpt3.), are indeed rootkit methods. Seeing it on each drive makes it look like a virus as well. Of course, legit software could also use rootkit methods, so did you install this thing named Flash_Disinfector intentionally, or do you have any other information on this?

This System Volume Information is on every drive, you're probably using Vista? Did add a bug tracker entry (http://forums.spybot.info/project.php?issueid=231) for this as well, since this is indeed a folder that can be whitelisted and where it's ok that you're not allowed to access it.
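The three finding types discussed in this reply (an ADS whose stream name is actually standard Windows metadata, a folder name built from a reserved device name such as lpt3., and a system-managed folder that administrators cannot open) can be triaged mechanically from the RootAlyzer text output. The following is an added example, not RootAlyzer's own code or anything from Safer Networking; it parses result lines of the shape quoted in this thread and applies the whitelist logic PepiMK describes. The sample input is constructed: the stream name is written with a leading \x05 control character (my assumption about the "square"/"vertical line" PepiMK saw), and the unknown.bin stream and the EXAMPLE registry key are made up.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the RootAlyzer lines quoted in this thread.
SAMPLE_RESULTS = """\
:: RootAlyzer Results
File:"Reserved filename","N:\\autorun.inf\\lpt3.This folder was created by Flash_Disinfector"
File:"No admin in ACL","C:\\WINDOWS\\Temp\\hsperfdata_SYSTEM\\596"
File:"Unknown ADS","C:\\Program Files\\Kodak\\Kodak EasyShare software\\Originals\\130468.jpg:\x05SummaryInformation:$DATA"
File:"Unknown ADS","C:\\Documents and Settings\\Owner\\My Documents\\notes.txt:unknown.bin:$DATA"
Directory:"No admin in ACL","C:\\System Volume Information"
RegyKey:"Hidden registry key","HKEY_LOCAL_MACHINE","\\SOFTWARE\\Classes\\EXAMPLE\\",""
"""

# Windows reserved device names; a path component is reserved if its part
# before the first dot is one of these (hence "lpt3.This folder ..." matches).
RESERVED_DEVICE = re.compile(r"^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\..*)?$", re.IGNORECASE)
# Quoted fields of a result line; paths never contain double quotes.
FIELDS = re.compile(r'"([^"]*)"')
# drive:\path:stream[:$TYPE]  -- only the drive letter may carry a colon in the file part.
ADS_PATH = re.compile(r"^(?P<file>[A-Za-z]:\\[^:]*):(?P<stream>[^:]*)(?::(?P<stype>\$[A-Za-z]+))?$")

# Stream names known to be benign, compared after stripping control characters
# so a whitelist entry no longer depends on copy-pasting the leading \x05 correctly.
BENIGN_STREAMS = {"summaryinformation"}
# Folders that are expected to lock administrators out by design.
BENIGN_NO_ADMIN_DIRS = {"system volume information"}


@dataclass
class Finding:
    kind: str              # File, Directory or RegyKey
    reason: str            # e.g. "Unknown ADS"
    path: str
    stream: Optional[str] = None
    verdict: str = "review"
    note: str = ""


def parse_line(line: str) -> Optional[Finding]:
    """Parse one RootAlyzer result line; headers and comments yield None."""
    line = line.rstrip("\r\n")
    if not line or line.startswith("::") or line.startswith("//"):
        return None
    kind, sep, rest = line.partition(":")
    fields = FIELDS.findall(rest) if sep else []
    if len(fields) < 2:
        return None
    if kind == "RegyKey" and len(fields) >= 3:
        return Finding(kind, fields[0], fields[1] + fields[2])  # hive + key path
    return Finding(kind, fields[0], fields[1])


def triage(f: Finding) -> Finding:
    """Attach a verdict using the heuristics discussed in the thread."""
    if f.reason == "Unknown ADS":
        m = ADS_PATH.match(f.path)
        if m:
            f.path, f.stream = m.group("file"), m.group("stream")
            printable = "".join(ch for ch in f.stream if ch.isprintable()).lower()
            if printable in BENIGN_STREAMS:
                f.verdict, f.note = "benign", "Explorer Properties > Summary metadata"
            else:
                f.note = "unknown stream name; inspect its size and contents"
    elif f.reason == "No admin in ACL":
        leaf = f.path.rstrip("\\").rsplit("\\", 1)[-1].lower()
        if f.kind == "Directory" and leaf in BENIGN_NO_ADMIN_DIRS:
            f.verdict, f.note = "benign", "system-managed folder; admin access denied by design"
        else:
            f.note = "admins locked out; identify the owning process before touching it"
    elif f.reason == "Reserved filename":
        bad = [c for c in f.path.split("\\") if RESERVED_DEVICE.match(c)]
        f.verdict = "suspicious"
        f.note = f"device-name component(s) {bad}; resists normal deletion, used by rootkits and by Flash_Disinfector alike"
    elif f.reason == "Hidden registry key":
        f.note = "key could not be opened; may be corrupt or deliberately hidden"
    return f


def triage_report(text: str) -> List[Finding]:
    return [triage(f) for f in (parse_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage_report(SAMPLE_RESULTS):
        print(f"{f.verdict:10} {f.reason:20} {f.path}" + (f":{f.stream!r}" if f.stream else "") + f"  [{f.note}]")
```

Everything not whitelisted stays at "review" rather than being auto-cleared: the point of the whitelist is to remove known-benign noise such as Explorer's summary metadata and System Volume Information, not to decide that the remainder is malicious.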

Buster
2008-04-29, 10:39
Looks like this is a real flash drive disinfector using rootkit functionality. According to this (http://www.boards.ie/vbulletin/showthread.php?p=55527098) forum post the flash drive disinfector creates a hidden folder named autorun.inf in each partition.

billybob0626
2008-04-29, 21:10
Thank you for your replies,

The OS is Windows XP Home edition with SP2

I looked in the RootAlyzer help and read about the difficulty in determining legit unknown ADS. My greatest concern is the unknown ADS found in a Photoshop action. This was a third-party plugin and there would be no legit reason for this to use ADS.
Another concern is the find File:"No admin in ACL","C:\WINDOWS\Temp\hsperfdata_SYSTEM\596". This file does not show up in any searches. Another concern is File:"No admin in ACL","C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk". I had no idea that this phonebook existed or what info is in this.

One last question: I cannot access any of the System Volume Information even though I am an administrator. Is this normal?

Thank you again for your response,

A loyal and grateful Spybot S&D user

Billybob0626

PepiMK
2008-04-29, 21:48
1. Photoshop thing: just locate the file in standard Windows Explorer. Right-click it, choose Properties, then the Summary tab. Check if any of the fields there is filled. You could also open the file using our FileAlyzer, which would show the contents of the ADS. Typically it should be a few hundred bytes, not more; then it's regular.

The "funniest" ADS I found so far was simply because of the way ADS streams can be accessed: by using a colon after the file name. So an installer just tried to write "Productname: readme.lnk" as a shortcut. But of course, the colon is not allowed as part of filenames, so it created a file "Productname" with an attached stream named "readme.lnk".

2. As for the file C:\WINDOWS\Temp\hsperfdata_SYSTEM\596, "perfdata" sounds like the system performance services from Windows. If you want to see these hidden files, using Total Commander plus our plugin for it (see the Spybot Beta forum; I can look for links if you don't find them) allows you to browse the hard disk in the same low-level way RootAlyzer does.

3. If you're not connecting through a router, but through any kind of direct access, be it dial-up or directly attached broadband, it probably contains the information about your internet connection. I wasn't aware that Windows would actually be trying to hide it, but it would make sense to prevent trojans from snooping on these logons (since the RAS files are quite badly encoded and it's easy to restore passwords from them, if I remember that correctly).

4. System Volume Information: yes, it's normal that even the admin cannot access it, so I did add it to a whitelist for the next release. This folder does not contain real files in the way you know them, but instead very low-level access to the hard disk structure.

billybob0626
2008-04-30, 04:57
Thank you again for your response.
I connect to the internet through a router and proxy server.

The \WINDOWS\Temp\hsperfdata_SYSTEM\596 changed its object number and will not give me a name when the file was created or when the file was modified. Do you think I should delete this?

The size of the files with unknown ADS was only one or two hundred bytes.

The plugin for Photoshop was changed on April 4th, as were all of the EasyShare files with unknown ADS.

The rasphonebook was changed today at 4:30 pm (Pacific time).

I do not know what if anything these changes mean.

I was not able to download Total Commander. There could be issues with the proxy server.

Again, thank you for your time and responses.

A loyal and grateful Spybot S&D user,

Billybob0626

billybob0626
2008-05-01, 08:03
Thank you again for your time and responses. This has been a long day.

I reconfigured my firewall and was able to download Total Commander and the zipped folder with the rootkit plugins. I am not sure if I properly installed the plugins but the program does work. The object "WINDOWS\Temp\hsperfdata_SYSTEM\596" is now "WINDOWS\Temp\hsperfdata_SYSTEM\1712" and Total Commander cannot open the file. It says access denied. Total Commander found several hidden files in the same folder. These too cannot be accessed. I am not sure what, if anything, this means. Thanks again for your responses.

A grateful and loyal Spybot S&D user.

Billybob0626

PepiMK
2008-05-04, 21:38
Sorry for my delay, it took a lot of time to test 0.2 on a broader base of virtual machines. But here it is: version 0.2.0.32 (http://www.spybotupdates.com/files/rootalyz-0.2.0.32.zip) with the ADS and Vista stuff fixed to reduce that list a bit ;)

As for the hsperfdata_SYSTEM folders, I did some research and it seems they belong to Java (link (http://java.sun.com/performance/jvmstat/)), a part responsible for performance monitoring. Not exactly what I initially thought, but also something that does no harm. I'm not sure why Java would not want admins to access this file, but given its context, Sun may suspect that sensitive data could land in there, and it should thus be unavailable to any person (only to the computer itself), similar to how Vista reduced some rights (where system files may only be updated by "trusted installers", not just any standard admin right).
Not sure if we should whitelist this?

If you know what Java is and can recognize Java applications (their user interface often looks a bit different from standard Windows appearance, but in a difficult to describe way), do you know if you were running one when doing the scan? (a good indicator would be the Sun Java symbol in the system tray next to the clock on your start bar at the bottom of the screen)

Could you give me the list created by the newest version linked above to see what is still left please :)

billybob0626
2008-05-05, 06:40
Thank you for your response.

I ran the 0.2 version of RootAlyzer and the System Volume Information and ADS things were not on the list. Understandably, the autorun entries from the flash drive cleaner were. The perfdata object was there along with the rasphone file. Here are the results:

:: RootAlyzer Results
File:"Reserved filename","N:\autorun.inf\lpt3.This folder was created by Flash_Disinfector"
File:"Reserved filename","D:\autorun.inf\lpt3.This folder was created by Flash_Disinfector"
File:"No admin in ACL","C:\WINDOWS\Temp\hsperfdata_SYSTEM\212"
File:"No admin in ACL","C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk"
File:"Reserved filename","C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector"

Every time I turn on my computer the perfdata object's number changes. Is this unusual?

Thank you again for your time and response.

A grateful and loyal Spybot S&D user
Billybob0626

billybob0626
2008-05-05, 08:42
Sorry, I did not see the question about Java. There was no Java logo in the system tray. The only applications that were running were my antivirus software along with SpywareBlaster in the background. The interface appeared to be the Windows interface.

Billybob0626

soapy
2014-12-17, 02:52
Hi, I know this is thread necromancy, but this is where the help pages etc point.

So what does the "No admin in ACL" warning actually mean? I'm scanning my PC as I type this, and I've got every single file flagged as this.
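The thread leaves soapy's question open. What the label describes is a file or folder whose DACL contains no entry at all for the local Administrators group, which is exactly the state PepiMK calls normal for System Volume Information and questions for the hsperfdata file. The following is an added example (my own code, not RootAlyzer's or Spybot's) that reproduces that check from the text output of the built-in Windows `icacls` tool, so the reader can confirm what a flagged object's ACL really contains. The three `icacls` outputs are constructed for the example; the assumptions are that `icacls` prints unresolved principals as `*S-1-5-…`, deny entries as `(DENY)`, and that the locale-dependent group name is one of the two listed.

```python
import re
from typing import List, Tuple

# Well-known SID of the local Administrators group. The display name depends
# on the Windows language, so both the name and the SID are matched.
ADMIN_SID = "S-1-5-32-544"
ADMIN_NAMES = {"builtin\\administrators", "administrators"}

# One access control entry as icacls prints it:  PRINCIPAL:(flag)(flag)...
ACE_LINE = re.compile(r"^(?P<principal>[^:]+?):(?P<rights>\(.+\))$")

# Constructed icacls outputs, modelled on the real layout: path plus first ACE
# on one line, further ACEs on indented continuation lines, then a summary.
SAMPLE_NORMAL = """\
C:\\Users\\Owner\\photo.jpg BUILTIN\\Administrators:(I)(F)
                         NT AUTHORITY\\SYSTEM:(I)(F)
                         BUILTIN\\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""
SAMPLE_NO_ADMIN = """\
C:\\WINDOWS\\Temp\\hsperfdata_SYSTEM\\596 NT AUTHORITY\\SYSTEM:(F)

Successfully processed 1 files; Failed processing 0 files
"""
SAMPLE_DENIED = """\
C:\\locked.dat *S-1-5-32-544:(DENY)(F)
              NT AUTHORITY\\SYSTEM:(F)

Successfully processed 1 files; Failed processing 0 files
"""


def parse_icacls(output: str, path: str) -> List[Tuple[str, str]]:
    """Extract (principal, rights) pairs from icacls output for one object."""
    aces: List[Tuple[str, str]] = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith("successfully processed"):
            continue
        # The first line starts with the object path; drop it so the
        # drive-letter colon is not mistaken for the principal separator.
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = ACE_LINE.match(line)
        if m:
            aces.append((m.group("principal"), m.group("rights")))
    return aces


def is_admin_principal(principal: str) -> bool:
    p = principal.strip().lower()
    return p in ADMIN_NAMES or p.lstrip("*") == ADMIN_SID.lower()


def admin_acl_status(aces: List[Tuple[str, str]]) -> str:
    """'absent' is the condition RootAlyzer reports as "No admin in ACL";
    'denied' means the group is listed but only with deny entries;
    'allowed' means it holds at least one allow entry."""
    admin_rights = [rights for principal, rights in aces if is_admin_principal(principal)]
    if not admin_rights:
        return "absent"
    if any("(DENY)" in rights.upper() for rights in admin_rights):
        return "denied"
    return "allowed"


if __name__ == "__main__":
    for name, output, path in (
        ("normal file", SAMPLE_NORMAL, "C:\\Users\\Owner\\photo.jpg"),
        ("hsperfdata file", SAMPLE_NO_ADMIN, "C:\\WINDOWS\\Temp\\hsperfdata_SYSTEM\\596"),
        ("explicit deny", SAMPLE_DENIED, "C:\\locked.dat"),
    ):
        print(f"{name:16} -> {admin_acl_status(parse_icacls(output, path))}")
```

On a live machine, run `icacls "<path>"` and feed its output to `parse_icacls` with the same path. An "absent" result on an object that is not a known system-managed location (System Volume Information, a service's private working files) is worth tracing to the process that created it; an "absent" result on every file, as soapy describes, points at how the scan was run rather than at thousands of individual problems, and the per-file `icacls` output is the way to tell the two apart.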