Do I delete this?



PistolSlap
2015-03-09, 00:23
Hello, I have looked around in here but I haven't found any results that are exactly like this. When I run the rootkit scan, I basically just get hundreds of entries like this:
Type: File
Object: dotNetFx40_Full_x86_x64.exe:$CmdTcID:$DATA
Location: Z:\cobian backup\windows reinstall backup\
Details: Unknown ADS

But I don't know what that means or if I should delete it. For some reason my system is running abominably slow, but Spybot, Malwarebytes, and Comodo do not show any detections :(

tashi
2015-03-09, 05:17
Hello PistolSlap,


Hello, I have looked around in here but I haven't found any results that are exactly like this. When I run the rootkit scan, I basically just get hundreds of entries like this:
Type: File
Object: dotNetFx40_Full_x86_x64.exe:$CmdTcID:$DATA
Location: Z:\cobian backup\windows reinstall backup\
Details: Unknown ADS

But I don't know what that means or if I should delete it. For some reason my system is running abominably slow, but Spybot, Malwarebytes, and Comodo do not show any detections :(

Is it possible the path is: dotNetFx40_Full_x86_x64.exe:$Cmd AcID:$DATA

What is your operating system, please? :)

PistolSlap
2015-03-09, 20:16
Hello PistolSlap,



Is it possible the path is: dotNetFx40_Full_x86_x64.exe:$Cmd AcID:$DATA

What is your operating system, please? :)



Oh hello, I am sorry, I am running Win 7 x64!

tashi
2015-03-09, 20:23
"Is it possible the path is: dotNetFx40_Full_x86_x64.exe:$Cmd AcID:$DATA"

PistolSlap
2015-03-11, 20:29
"Is it possible the path is: dotNetFx40_Full_x86_x64.exe:$Cmd AcID:$DATA"

Nope, it is a direct copy/paste.

tashi
2015-03-12, 05:50
Hi PistolSlap,


For some reason my system is running abominably slow, but Spybot, Malwarebytes, and Comodo do not show any detections :(

Could you let someone take a look at the system? If so, please start a topic in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22) and a volunteer analyst will advise. :)

First see that forum's FAQ which also includes instructions in post #2 on how to provide the logs from Farbar Recovery Scan Tool and aswMBR, which are the logs used in the preliminary analysis.

http://forums.spybot.info/showthread.php?t=288

Best regards.

Thierry.WWW
2015-04-24, 17:53
Hi,

I have the same kind of result on my computer:
File:"Unknown ADS","SomeFileName:$CmdTcID:$DATA"


I can see it as well through the "streams.exe" tool from Sysinternals (https://technet.microsoft.com/en-au/sysinternals/bb545046).

Comodo Internet Security 8 (obviously at least up to my 8.2.0.4508 installed release, but apparently not CIS 7 and previous) is indeed creating such an alternate data stream attached to some or many files, for some reason (probably a bug), see:
https://forums.comodo.com/news-announcements-feedback-cis-b129.0/-t108152.0.html

or:
https://forums.comodo.com/install-setup-configuration-help-cis/alternate-data-stream-cmdtciddata-t108076.30.html

or search Comodo's or Spybot's forum for "CmdTcID".

So if your ADS are effectively due to Comodo, this shouldn't be a big issue (to be confirmed: this is only my personal understanding of our situation).
(In order to be sure it's due to Comodo, you might have to find a way to create a new file that systematically ends up with $CmdTcID in its ADS, then temporarily disable Comodo 8 or replace it with version 7, and then re-create a new file in the same way and check with streams.exe that its ADS does not contain $CmdTcID.)

But as mentioned in one of the above posts:
When you copy files from a NTFS file system to a USB flash-drive (FAT),


You may receive the Easter egg "The file Setup.exe has properties that can't be copied to the new location. Do you wish to continue?"

and by the time you remember it's all about last year's Comodo ADS, you have spent minutes (or hours...) wondering what the hell is going on here...
Any other side effect anybody can think of?

It seems that we have to wait for a fix of Comodo IS, and even once delivered we might still have to remove these ADS through a tool such as the aforementioned streams.exe - but this one removes all the "ADS fields" (?) of a file (there might be other "ADS fields" than $CmdTcID related to a given file), unless a recent release addressed this. The first one who finds a tool that easily and automatically removes a given "field" (?) in the ADS of all the files in a directory and all its sub-directories wins the right to post its URL here. And even once found and successfully run, according to some of these posts on Comodo's forum it might not prevent Comodo from re-creating this very ADS on the very same files...

Regards.
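The check Thierry describes with streams.exe, and the per-stream, recursive removal he is looking for, as an added PowerShell example (this is not code from the thread, from Comodo or from Sysinternals). It assumes PowerShell 3.0 or later, because the -Stream parameter on Get-Item and Remove-Item was introduced there (Windows 7 ships with 2.0 and needs a newer Windows Management Framework), an NTFS volume, and that the stream name is exactly the one the scanner printed, $CmdTcID. The script only inventories by default; removal happens only with -Remove, and -WhatIf shows what would be removed without touching anything.

```powershell
<#
Added example, not code from this thread or from Comodo/Sysinternals.
Inventory the files under a root that carry one specific named alternate data
stream and, only when -Remove is given, delete that single stream while leaving
the file's main data (':$DATA') and any other named streams untouched.

Assumptions (not stated in the thread):
  - PowerShell 3.0 or later: the -Stream parameter on Get-Item / Remove-Item
    was introduced there. Windows 7 ships with 2.0 and needs WMF 3.0 or newer.
  - The volume is NTFS; FAT volumes carry no streams, which is why the copy
    warning quoted in the thread appears.
  - The stream name is exactly what the scanner printed: $CmdTcID.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)] [string] $Root,
    [string] $StreamName = '$CmdTcID',   # single quotes keep this literal
    [switch] $Remove
)

$report = foreach ($file in Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue) {
    # -Stream * enumerates every stream on the file; the unnamed main stream
    # is reported as ':$DATA', named streams by their bare name.
    $streams = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue
    foreach ($s in $streams) {
        if ($s.Stream -ne $StreamName) { continue }

        $removed = $false
        if ($Remove -and $PSCmdlet.ShouldProcess($file.FullName, "Remove stream $StreamName")) {
            # Deletes only the named stream, not the file and not ':$DATA'.
            Remove-Item -LiteralPath $file.FullName -Stream $StreamName -ErrorAction Stop
            $removed = $true
        }

        [pscustomobject]@{
            Path    = $file.FullName
            Stream  = $s.Stream
            Bytes   = $s.Length
            Removed = $removed
        }
    }
}

$report | Format-Table -AutoSize
"Files carrying ${StreamName}: $(@($report).Count)"

# Usage (constructed paths):
#   .\Find-NamedAds.ps1 -Root 'D:\backup'                   # inventory only
#   .\Find-NamedAds.ps1 -Root 'D:\backup' -Remove -WhatIf   # dry run
#   .\Find-NamedAds.ps1 -Root 'D:\backup' -Remove           # delete that one stream
```

Run the inventory first and keep the output: a named stream on a file is not by itself evidence of malware, and the count and locations are what let you tell a product-wide pattern like the one in the Comodo threads apart from a few isolated files worth a closer look. As Thierry notes, if the product that wrote the stream is still running it may write it again, so re-run the inventory after removal to confirm it stays gone.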

tashi
2015-04-25, 18:16
FYI :)

PistolSlap's topic in the malware forum: http://forums.spybot.info/showthread.php?72181-Please-help!

PistolSlap
2015-04-30, 09:13
FYI :)

PistolSlap's topic in the malware forum: http://forums.spybot.info/showthread.php?72181-Please-help!


Hello, by the way, that topic was closed before it was resolved. I was asked for some files, but I got busy with school for finals, and when I checked back the topic had been closed. Is there a way it could be reopened so I can respond with the information I was asked for?

tashi
2015-04-30, 16:45
Hello PistolSlap,


Hello, by the way, that topic was closed before it was resolved. I was asked for some files, but I got busy with school for finals, and when I checked back the topic had been closed. Is there a way it could be reopened so I can respond with the information I was asked for?

Afraid not, that topic was closed in March and we are nearly into May.


Note:
When a volunteer posted a response to which you did not reply.


At this time threads may now be closed three days after last post in topic at the discretion of the volunteer. Please subscribe to your topic so you know when a reply has been posted. If the topic has been archived and you still require help start a new topic and include fresh Farbar (FRST) & aswMBR logs with a link to your previous thread. Please do not post any other logs, you'd be starting fresh. :)


It takes time to analyze logs and prepare a response. Volunteers help users at several sites, and take X number of new topics in order to give each member their attention and avoid burnout.

Thank you.

http://forums.spybot.info/showthread.php?288-quot-BEFORE-You-POST-quot-%28Please-read-this-Procedure-Before-Requesting-Assistance%29-Updated

If you do start a new topic please re-read the FAQ, thank you.

Best regards.

PistolSlap
2015-04-30, 20:27
Afraid not, that topic was closed in March and we are nearly into May.

Well, I know, but back at the end of March it's not like I could post a reply on the topic and ask for it to be reopened.

tashi
2015-04-30, 22:20
Hello PistolSlap,


Well, I know, but back at the end of March it's not like I could post a reply on the topic and ask for it to be reopened.

"At this time threads may now be closed three days after last post in topic at the discretion of the volunteer. Please subscribe to your topic so you know when a reply has been posted. If the topic has been archived and you still require help start a new topic and include fresh Farbar (FRST) & aswMBR logs with a link to your previous thread."

Post #10 in this thread: http://forums.spybot.info/showthread.php?72144-Do-I-delete-this&p=463860&viewfull=1#post463860

If you ask for assistance in a new topic please respond to the person helping in a timely manner to avoid the thread being archived. If you know you will be unable to post, (exams) please let them know. :)

Best regards.