PDA

View Full Version : Uknown ADS - Do I need to worry about JPEGs and PDFs?



Jimbo010101
2013-03-19, 15:02
Hi all,

Please have a look at my scan log below. It's coming up with Unknown ADS for several items, most of which are JPEG images and PDFs.

Do I need to worry about these files?

There's also a hidden file D":\WINDOWS\system32\termcap" which seems a bit more suspicious...

Would you say that there is anything suspicious looking in these results?

Thanks!

// info: Rootkit removal help file
// copyright: (c) 2008-2013 Safer-Networking Ltd. All rights reserved.

:: RootAlyzer Results
File:"Hidden file","D:\WINDOWS\system32\termcap"
File:"Unknown ADS","D:\Documents and Settings\User\Desktop\Dropbox\Photos\Theatre 1972.jpg:com.dropbox.attributes:$DATA"
File:"Unknown ADS","D:\Documents and Settings\User\Desktop\Dropbox\Photos\Christmas lights 1966..jpg:com.dropbox.attributes:$DATA"
File:"Unknown ADS","D:\Documents and Settings\User\Desktop\Dropbox\Photos\From Hill 1898..jpg:com.dropbox.attributes:$DATA"
File:"Unknown ADS","D:\Documents and Settings\User\Desktop\Dropbox\Photos\Harvard formation 1979.jpg:com.dropbox.attributes:$DATA"
File:"Unknown ADS","D:\Documents and Settings\User\Desktop\Dropbox\Photos\Map of Town 1891.jpg:com.dropbox.attributes:$DATA"
File:"Unknown ADS","D:\Documents and Settings\User\Desktop\Dropbox\Photos\c1920.jpg:com.dropbox.attributes:$DATA"
File:"Unknown ADS","D:\Documents and Settings\User\Desktop\Dropbox\Photos\Sea Station c1901.jpg:com.dropbox.attributes:$DATA"
File:"Unknown ADS","D:\Documents and Settings\User\Desktop\Dropbox\Photos\Top of Mountain c1978..jpg:com.dropbox.attributes:$DATA"
File:"Unknown ADS","D:\Documents and Settings\User\Desktop\Dropbox\Photos\Upper-street c1901 (with snow)..jpg:com.dropbox.attributes:$DATA"
File:"Unknown ADS","D:\Documents and Settings\User\Desktop\Dropbox\Photos\Town\Docks c1899..jpg:com.dropbox.attributes:$DATA"
File:"Unknown ADS","D:\Documents and Settings\User\Desktop\Dropbox\Papers & Presentations\Images\Kohli & Sah FIGURE 3.png:com.dropbox.attributes:$DATA"
File:"Unknown ADS","D:\Documents and Settings\User\Desktop\Dropbox\venue layout.jpg:com.dropbox.attributes:$DATA"
File:"Unknown ADS","D:\Documents and Settings\User\Desktop\Dropbox\gift thanks.jpg:com.dropbox.attributes:$DATA"
File:"Unknown ADS","D:\Documents and Settings\User\Desktop\Dropbox\House blank for A3 printing.png:com.dropbox.attributes:$DATA"
File:"Unknown ADS","D:\Documents and Settings\User\Desktop\Dropbox\SG diagrams\MULTI1018487117-Sheet1.TIF:com.dropbox.attributes:$DATA"
File:"Unknown ADS","D:\Documents and Settings\User\Desktop\Dropbox\SG diagrams\MULTI1018487117-Sheet4.TIF:com.dropbox.attributes:$DATA"
File:"Unknown ADS","D:\Documents and Settings\User\Desktop\Dropbox\House plan v1.png:com.dropbox.attributes:$DATA"
File:"Unknown ADS","D:\Documents and Settings\User\Desktop\Dropbox\House plan v2.png:com.dropbox.attributes:$DATA"
File:"Unknown ADS","D:\Documents and Settings\User\Desktop\Dropbox\House plan v3.png:com.dropbox.attributes:$DATA"
File:"Unknown ADS","D:\Documents and Settings\User\Desktop\Dropbox\Rough measurements.jpg:com.dropbox.attributes:$DATA"

File:"No admin in ACL","D:\Documents and Settings\User\Application Data\Real\Update\UpgradeHelper"
File:"No admin in ACL","D:\Documents and Settings\User\Application Data\Real\Update\UpgradeHelper\RealPlayer"
File:"No admin in ACL","D:\Documents and Settings\All Users\Application Data\Real\setup\config.ini"
File:"No admin in ACL","D:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA"

spybotsandra
2013-03-19, 16:07
Hello,

That is nothing to worry.

termcap is a software library which enables programs to send control strings to terminals.

The other found items are only pictures.

If you get ‘No admin in ACL’ this threads in our forum should help explaining:
Unknown ADS and no Admn in ACL what is good and what is bad??? (http://forums.spybot.info/showthread.php?t=27446)

Malware sometimes uses rootkit technology to hide itself at system level.
This makes it undetectable by standard tools. Our plugins help Spybot – Search & Destroy to detect this form of malware.
Our Rootkit Scanner tool shows anything that uses certain rootkit technologies. But items with rootkit properties detected here are not necessarily malware. Sometimes, legit software uses rootkit technologies to hide registration data or other things it does not want the user to see in any case. So please keep in mind that the Rootkit Scanner only flags suspicious stuff, not identifying just bad stuff.

Best regards
Sandra
Team Spybot

Jimbo010101
2013-03-19, 16:21
Thanks for your prompt reply Sandra.

I did check out the two threads you mentioned before posting my question and I thought you might like to know why I didn't find them that useful:

"Unknown ADS and no Admn in ACL what is good and what is bad???"
I scanned through both pages of this but struggled to find a simple answer to what "Unknown ADS" and "No admin in ACL" mean.

PepiMK's response probably said it best but it was still too technical for me. I take it that "Unknown ADS" simply means that its a stream that Spybot doesn't recognise, which is not uncommon since there are so many. I still don't know what a stream actually does though :)

"2 Simple, Quick Questions"
I get a "Jimbo010101, you do not have permission to access this page." error on the second link.

Anyway, I got my answer promptly and eloquently so thanks again! :)

spybotsandra
2013-03-19, 18:22
Hello,

Sorry, the second link - which also should have helped to clarify - was to the Business forum, which you can't access.

ADS means unknown Alternate Data Streams (ADS).
In Microsoft's NTFS file system forks (http://en.wikipedia.org/wiki/Fork_%28file_system%29) are known as Alternate Data Streams (ADS) (http://en.wikipedia.org/wiki/NTFS#Alternate_data_streams_.28ADS.29).
Alternate data streams allow more than one data stream to be associated with a filename, using the filename format "filename:streamname" (e.g., "text.txt:extrastream"). Alternate streams are not listed in Windows Explorer, and their size is not included in the file's size.

That's why they have been found in the RootAlyzer scan, as they do not have the usual format or size as a normal file, plus they are hidden.

But nothing to worry, your's are OK. ;)

Best regards
Sandra
Team Spybot