RootAlyzer... interpreting results

2009-07-01, 19:46
Have just run a RootAlyzer scan which showed up a long list of Unknown ADS items but, despite reading the Help file within RootAlyzer, I do not understand how to interpret the results.

This is an example taken from the log...
File:"Unknown ADS","C:\Documents and Settings\BEA\My Documents\My Pictures\9834SK 7-8mm Green $12.03.jpg:Q30lsldxJoudresxAaaqpcawXc:$DATA"

I do recognize all the items in the log as the jpg/bitmap images I have either downloaded from the internet or scanned in over time. However, I am perplexed that all the items shown in the log file were accessed on June 29th @ 18.55. On that same date, TeaTimer noticed two attempts to change the registry when I powered on. I had not recently installed or downloaded any program, software or MS updates. (I am running Win2K SP4).

I managed to deny the first registry change but on the second one, the 'deny' option in TeaTimer was greyed-out/unavailable and the PC then switched off/rebooted. (I didn't get the details of the Registry change other than that it contained the text 'BHO'...) I immediately attempted a scan in S&G 1.6.2 but the scan 'completed' at about 20,000 items rather than the usual 545,342.

In the meantime, I have run full scans with AVGv.8, Lavasoft Adaware, Panda Activescan, CWShredder - these were all run either online or in safe or normal mode where applicable. Other than finding and removing a couple of tracking cookies, no problems were found. I cleared the cache and tried running S&G again but once more, it stops at about 20,000 items with the customary 'Congrats/No problems found' message. (It does run a full scan of 545342 items in Safe Mode and supposedly finds no problems.)

Given all those 'clean' scans, I thought there might be a glitch in the S&D pkg and came to the website with the intention of removing/re-installing it. Just happened to come across the RootAlyzer on the way and ran it out of curiosity. However, as mentioned above, am concerned/confused about all those files being accessed on the same day that problems started happening...

Last but not least, thanks much for any help you can offer. Don't get too technical please :-)

BTW, the 'Pack Suspicious Files' function in RootAlyzer: what exactly does this do?!

2009-08-25, 21:20
Any line in the report with "Q30lsldxJoudresxAaaqpcawXc" in it is nothing to worry about - it's a thumbnail image. Any time you view files such as JPEG or GIF images using Thumbnail or Filmstrip view, Windows saves the thumbnail version as an ADS attached to the main file. (On drives not using NTFS and therefore not having ADS capability, they're stored in a separate hidden file called "Thumbs.db".) If your log file is too big to scan for other, more relevant entries (mine was 10MB! :eek:), open a Command Prompt and type

find /v "Joudres" YourRootAlyzerLog.txt > FilteredRootAlyzerLog.txt
(changing the file names as appropriate). This will create a smaller version of the log with the bogus entries screened out.

@PepiMK: These need to be whitelisted like these (http://forums.spybot.info/project.php?issueid=240) were. The stream name begins with a 0x05, just like those.
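
The filtering described in the reply above can also be done per entry rather than per text match. The following is an added example, not part of the original posts and not RootAlyzer code: it assumes every ADS line has the layout of the single sample quoted in the first post, and the names parse_ads_line, triage and SAMPLE_LOG are made up for illustration. It sets aside the thumbnail stream (with or without the leading 0x05 character) and groups whatever other stream names remain.

```python
import re
from collections import Counter

# Stream name the reply identifies as the Windows thumbnail ADS.
THUMBNAIL_STREAM = "Q30lsldxJoudresxAaaqpcawXc"
# Assumed layout, from the one sample line in the first post:
#   File:"<category>","<path>:<stream name>:<stream type>"
LINE_RE = re.compile(r'^File:"(?P<category>[^"]*)","(?P<target>.*)"\s*$')
CONTROL_CHARS = "".join(map(chr, range(32)))

# Constructed sample input (not from a real scan).
SAMPLE_LOG = [
    'File:"Unknown ADS","C:\\Pictures\\a.jpg:\x05Q30lsldxJoudresxAaaqpcawXc:$DATA"',
    'File:"Unknown ADS","C:\\Pictures\\b.jpg:Q30lsldxJoudresxAaaqpcawXc:$DATA"',
    'File:"Unknown ADS","C:\\Temp\\notes.txt:example_stream:$DATA"',
    "(constructed non-ADS line)",
]


def parse_ads_line(line):
    """Return (path, stream_name, stream_type) for an "Unknown ADS" line, else None."""
    m = LINE_RE.match(line)
    if not m or m.group("category") != "Unknown ADS":
        return None
    # Split from the right so the colon after the drive letter stays in the path.
    parts = m.group("target").rsplit(":", 2)
    if len(parts) != 3 or not parts[2].startswith("$"):
        return None
    # The reply notes the stream name begins with 0x05; drop leading control
    # characters so the comparison works whether or not the log kept that byte.
    return parts[0], parts[1].lstrip(CONTROL_CHARS), parts[2]


def triage(lines):
    """Return (thumbnail count, other ADS entries, count per stream name, other lines)."""
    thumbnails, other_ads, rest = 0, [], []
    for line in lines:
        line = line.rstrip("\r\n")
        parsed = parse_ads_line(line)
        if parsed is None:
            if line.strip():
                rest.append(line)
        elif parsed[1] == THUMBNAIL_STREAM:
            thumbnails += 1
        else:
            other_ads.append(parsed)
    by_name = Counter(stream for _, stream, _ in other_ads)
    return thumbnails, other_ads, by_name, rest
```

Passing the lines of a saved log to triage() gives the number of thumbnail entries skipped plus the short list of remaining streams, which are the ones worth reading by hand.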