Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: Do I delete this?

  1. #1
    Junior Member
    Join Date
    Mar 2015
    Posts
    8

    Exclamation Do I delete this?

    Hello I have looked around in here but I haven't found any results that are exactly like this. When I run the rootkit scan, I basically just get hundreds of entries like this:
    Type: File
    Object: dotNetFx40_Full_x86_x64.exe:$CmdTcID:$DATA
    Location: Z:\cobian backup\windows reinstall backup\
    Details: Unknown ADS

    But I don't know what that means or if I should delete it. for some reason my system is running abominably slow but spybot, malwarebytes, and comodo do not show any detections :(

  2. #2
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,485

    Default

    Hello PistolSlap,

    Quote Originally Posted by PistolSlap View Post
    Hello I have looked around in here but I haven't found any results that are exactly like this. When I run the rootkit scan, I basically just get hundreds of entries like this:
    Type: File
    Object: dotNetFx40_Full_x86_x64.exe:$CmdTcID:$DATA
    Location: Z:\cobian backup\windows reinstall backup\
    Details: Unknown ADS

    But I don't know what that means or if I should delete it. for some reason my system is running abominably slow but spybot, malwarebytes, and comodo do not show any detections :(
    Is it possible the path is: dotNetFx40_Full_x86_x64.exe:$Cmd AcID:$DATA

    What is your operating system please.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  3. #3
    Junior Member
    Join Date
    Mar 2015
    Posts
    8

    Default

    Quote Originally Posted by tashi View Post
    Hello PistolSlap,



    Is it possible the path is: dotNetFx40_Full_x86_x64.exe:$Cmd AcID:$DATA

    What is your operating system please.


    Oh hello, I am sorry, I am running Win 7 x64!

  4. #4
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,485

    Default

    "Is it possible the path is: dotNetFx40_Full_x86_x64.exe:$Cmd AcID:$DATA"
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  5. #5
    Junior Member
    Join Date
    Mar 2015
    Posts
    8

    Default

    Quote Originally Posted by tashi View Post
    "Is it possible the path is: dotNetFx40_Full_x86_x64.exe:$Cmd AcID:$DATA"
    nope it is a direct copy/paste

  6. #6
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,485

    Default

    Hi PistolSlap,

    Quote Originally Posted by PistolSlap View Post
    for some reason my system is running abominably slow but spybot, malwarebytes, and comodo do not show any detections :(
    Could you let someone take a look at the system, if so please start a topic in the Malware Removal Forum and a volunteer analyst will advise.

    First see that forum's FAQ which also includes instructions in post #2 on how to provide the logs from Farbar Recovery Scan Tool and aswMBR, which are the logs used in the preliminary analysis.

    http://forums.spybot.info/showthread.php?t=288

    Best regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  7. #7
    Junior Member Thierry.WWW's Avatar
    Join Date
    Apr 2015
    Posts
    2

    Lightbulb $CmdTcID alternate data stream (ADS) is likely to be harmlessly created by Comodo IS

    Hi,

    I have the same kind of result on my computer:
    File:"Unknown ADS","SomeFileName:$CmdTcID:$DATA"

    I can see it as well through the "streams.exe" tool from Sysinternals (https://technet.microsoft.com/en-au/...rnals/bb545046).

    Comodo Internet Security 8 (obviously at least up to my 8.2.0.4508 installed release, but apparently not CIS 7 and previous) is indeed creating such an alternate data stream attached to some or many files, for some reason (probably a bug), see:or:or search Comodo's or Spybot's forum for "CmdTcID".

    So if your ADS are effectively due to Comodo, this shouldn't be a big issue (to be confirmed: this is only my personal understanding of our situation).
    (In order to be sure it's due to Comodo, you might have to find the way to create a new file that systematicaly ends with $CmdTcID in its ADS, then temporarily disable Comodo 8 or replace it with version 7, and then re-create a new file in the same way and check with streams.exe that its ADS does not contain $CmdTcID)

    But as mentioned in one of the above posts:
    When you copy files from a NTFS file system to a USB flash-drive (FAT),
    You may receive the Easter egg "The file Setup.exe has properties that can't be copied to the new location. Do you wish to continue?"
    and by the time you remember it's all about last year Comodo's ADS, you spent minutes (or hours...) wondering what the hell is going on here...
    Any other side effect anybody can think of?

    It seems that we have to wait for a fix of Comodo IS, and even once delivered we might still have to remove these ADS through a tool such as the aforementioned streams.exe - but this one removes all the "ADS fields" (?) of a file (there might be other "ADS fields" than $CmdTcID related to a given file), unless a recent release addressed this. The first one who finds a tool that easily, automatically remove a given "field" (?) in the ADS of all the files in a directory and all its sub-directories wins the right to post its URL here. And even once found and succesfully run, according to some of these posts on Comodo's forum it might not prevent Comodo to re-create this very ADS on the very same files...

    Regards.

    Thierry WWW

  8. #8
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,485

    Default

    FYI

    PistolSlap's topic in the malware forum: http://forums.spybot.info/showthread...81-Please-help!
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  9. #9
    Junior Member
    Join Date
    Mar 2015
    Posts
    8

    Default

    Quote Originally Posted by tashi View Post
    FYI

    PistolSlap's topic in the malware forum: http://forums.spybot.info/showthread...81-Please-help!

    Hello, by the way, that topic was closed before it was resolved. I was requested some files, but I got busy with school for finals then when I checked back the topic had been closed. Is there a way it could be reopened so I can respond with the information I was requested?

  10. #10
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,485

    Default

    Hello PistolSlap,

    Quote Originally Posted by PistolSlap View Post
    Hello, by the way, that topic was closed before it was resolved. I was requested some files, but I got busy with school for finals then when I checked back the topic had been closed. Is there a way it could be reopened so I can respond with the information I was requested?
    Afraid not, that topic was closed in March and we are nearly into May.

    Note:
    When a volunteer posted a response to which you did not reply.

    At this time threads may now be closed three days after last post in topic at the discretion of the volunteer. Please subscribe to your topic so you know when a reply has been posted. If the topic has been archived and you still require help start a new topic and include fresh Farbar (FRST) & aswMBR logs with a link to your previous thread. Please do not post any other logs, you'd be starting fresh.

    It takes time to analyze logs and prepare a response. Volunteers help users at several sites, and take X number of new topics in order to give each member their attention and avoid burnout.

    Thank you.
    http://forums.spybot.info/showthread...nce%29-Updated

    If you do start a new topic please re-read the FAQ, thank you.

    Best regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •