Solaze

Detecting Things As Malware...


Definitions File Loaded:

Reference Number : SE1R174 04.06.2007

Internal build : 215

File location : C:\Program Instillations\Ad-Aware Refs\defs.ref

File size : 1241556 Bytes

Total size : 4135496 Bytes

Signature data size : 4093563 Bytes

Reference data size : 41421 Bytes

Signatures total : 105966

CSI Fingerprints total : 7670

CSI data size : 467722 Bytes

Target categories : 15

Target families : 1125

 

 

Memory + processor status:

==========================

Number of processors : 1

Processor architecture : Intel Pentium IV

Memory available:10 %

Total physical memory:515008 kb

Available physical memory:51456 kb

Total page file size:1529056 kb

Available on page file:832556 kb

Total virtual memory:2097024 kb

Available virtual memory:1971900 kb

OS:Microsoft Windows NT Home Edition (Build 6000)

 

Ad-Aware SE Settings

===========================

Set : Search for low-risk threats

Set : Move deleted files to Recycle Bin

Set : Scan active processes

Set : Scan registry

Set : Deep-scan registry

Set : Scan my IE Favorites for banned URLs

Set : Scan within archives

Set : Scan my Hosts file

 

Extended Ad-Aware SE Settings

===========================

Set : Unload recognized processes & modules during scan

Set : Run scan as background process (Low CPU usage)

Set : Scan registry for all users instead of current user only

Set : Use permanent archive caching

Set : Automatically check all objects in results lists

Set : Always try to unload modules before deletion

Set : During removal, unload Explorer and IE if necessary

Set : Let Windows remove files in use at next reboot

Set : Delete quarantined objects after restoring

Set : Log Ad-Aware events

Set : Block pop-ups aggressively

Set : Automatically select problematic objects in results lists

Set : Reanalyze results after scanning before displaying results lists

Set : Write-protect system files after repair (Hosts file, etc.)

Set : Include info about ignored objects in log file, if detected in scan

Set : Include basic Ad-Aware settings in log file

Set : Include additional Ad-Aware settings in log file

Set : Include reference summary in log file

Set : Create log file for removal operations

Set : Include alternate data stream details in log file

Set : Show splash screen

Set : Backup current definitions file before updating

Set : Play sound at scan completion if scan locates critical objects

 

 

6-4-2007 10:53:16 PM - Scan started. (ADS scan)

Performing deep Scan and listing Alternate Data Streams...

 

 

Deep scanning and examining files (C:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

C: Drive supports Alternate Data Streams.

Scanning and Enumerating ADS...

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

 

Other Object Recognized!

Type : Alternate Data Stream

Data : Zone.Identifier

TAC Rating : 7

Category : Malware

Comment :

Object : C:\Program Instillations\Ad-Aware Refs\defs.ref:\

 

 

 

Other Object Recognized!

Type : Alternate Data Stream

Data : Zone.Identifier

TAC Rating : 7

Category : Malware

Comment :

Object : C:\Program Instillations\defs.zip:\

 

 

 

Other Object Recognized!

Type : Alternate Data Stream

Data : OECustomProperty

TAC Rating : 7

Category : Malware

Comment :

Object : C:\Users\Mike\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\1D170F22-00000001.eml:\

 

 

 

Other Object Recognized!

Type : Alternate Data Stream

Data : favicon

TAC Rating : 7

Category : Malware

Comment :

Object : C:\Users\Mike\Favorites\Antivirus Software - Eliminate Spyware and Adware with NOD32 Antivirus from ESET.url:\

 

 

 

Other Object Recognized!

Type : Alternate Data Stream

Data : favicon

TAC Rating : 7

Category : Malware

Comment :

Object : C:\Users\Mike\Favorites\DJ Rukiz - Juelz Santana Don't Watch Me, Watch TV MixtapeTorrent.com.url:\

 

 

 

Other Object Recognized!

Type : Alternate Data Stream

Data : favicon

TAC Rating : 7

Category : Malware

Comment :

Object : C:\Users\Mike\Favorites\HijackThis Logfileauswertung.url:\

 

 

 

Other Object Recognized!

Type : Alternate Data Stream

Data : favicon

TAC Rating : 7

Category : Malware

Comment :

Object : C:\Users\Mike\Favorites\Internet Stuff\Development - Free Debugging download.url:\

 

 

 

Other Object Recognized!

Type : Alternate Data Stream

Data : favicon

TAC Rating : 7

Category : Malware

Comment :

Object : C:\Users\Mike\Favorites\Internet Stuff\YTMND - Race Wars Nigga Stole My....url:\

 

 

 

C: Enumerating detected ADS...

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Location:C:\Program Instillations\Ad-Aware Refs\defs.ref:Zone.Identifier

StreamName:Zone.Identifier

StreamID:BACKUP_ALTERNATE_DATA (4)

StreamAttributes:STREAM_NORMAL_ATTRIBUTE. (0)

DataSize:26 Bytes

NameSize:44 Bytes

 

Location:C:\Program Instillations\defs.zip:Zone.Identifier

StreamName:Zone.Identifier

StreamID:BACKUP_ALTERNATE_DATA (4)

StreamAttributes:STREAM_NORMAL_ATTRIBUTE. (0)

DataSize:26 Bytes

NameSize:44 Bytes

 

Location:C:\Users\Mike\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\1D170F22-00000001.eml:OECustomProperty

StreamName:OECustomProperty

StreamID:BACKUP_ALTERNATE_DATA (4)

StreamAttributes:STREAM_NORMAL_ATTRIBUTE. (0)

DataSize:820 Bytes

NameSize:46 Bytes

 

Location:C:\Users\Mike\Favorites\Antivirus Software - Eliminate Spyware and Adware with NOD32 Antivirus from ESET.url:favicon

StreamName:favicon

StreamID:BACKUP_ALTERNATE_DATA (4)

StreamAttributes:STREAM_NORMAL_ATTRIBUTE. (0)

DataSize:1406 Bytes

NameSize:28 Bytes

 

Location:C:\Users\Mike\Favorites\DJ Rukiz - Juelz Santana Don't Watch Me, Watch TV MixtapeTorrent.com.url:favicon

StreamName:favicon

StreamID:BACKUP_ALTERNATE_DATA (4)

StreamAttributes:STREAM_NORMAL_ATTRIBUTE. (0)

DataSize:8430 Bytes

NameSize:28 Bytes

 

Location:C:\Users\Mike\Favorites\HijackThis Logfileauswertung.url:favicon

StreamName:favicon

StreamID:BACKUP_ALTERNATE_DATA (4)

StreamAttributes:STREAM_NORMAL_ATTRIBUTE. (0)

DataSize:894 Bytes

NameSize:28 Bytes

 

Location:C:\Users\Mike\Favorites\Internet Stuff\Development - Free Debugging download.url:favicon

StreamName:favicon

StreamID:BACKUP_ALTERNATE_DATA (4)

StreamAttributes:STREAM_NORMAL_ATTRIBUTE. (0)

DataSize:9662 Bytes

NameSize:28 Bytes

 

Location:C:\Users\Mike\Favorites\Internet Stuff\YTMND - Race Wars Nigga Stole My....url:favicon

StreamName:favicon

StreamID:BACKUP_ALTERNATE_DATA (4)

StreamAttributes:STREAM_NORMAL_ATTRIBUTE. (0)

DataSize:3638 Bytes

NameSize:28 Bytes

 

 

Disk Scan Result for C:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 8

 

 

Performing conditional scans...

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Conditional scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 8

 

10:59:33 PM Scan Complete

 

Summary Of This Scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Total scanning time:00:06:17.19

Objects scanned:115944

Objects identified:8

Objects ignored:0

New critical objects:8

 

Reanalyzing scan result

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

No objects have been removed from the result list.


Also, none of those hold malware, because those definition files I downloaded from this website, and those other things are my favorites which I bookmarked...


Hi Solaze,

 

Thanks for your report - we're currently looking into this.

 

Regards,

 

Andy

Lavasoft Research


Hi Solaze!

 

Make a cup of tea, sit down and brace yourself! This is a pretty long-winded response, so bear with me!

 

Having assessed the log, there's nothing to worry about here. Ad-Aware is erring on the side of caution by notifying you about an alternate data stream (ADS) object that is not recognised. ADS are used for many things, from "mark of the web" (file:Zone.Identifier), to thumb-prints, to icons for favourites (file.url:favicon). However, malware authors could attempt to use ADS to mask their activities.

 

An example of a legitimate ADS is the above-mentioned Zone.Identifier that was flagged in your scan log. When downloading some files an ADS called Zone.Identifier is appended. The Zone.Identifier ADS can be cleared by unchecking the "Always ask before opening this file" checkbox that appears when you try to download a file with this ADS attached.

 

You can control the reporting of unrecognised ADS by downloading and installing Tweak SE from the Lavasoft homepage. Run it and uncheck the item "Flag all unrecognized Alternate Data Streams" by following the steps below:

 

1. Open Ad-Aware.

2. Click the Add-ons button.

3. Double click on 'Tweak SE' and OK to execute.

4. On the Scanning Engine tab uncheck 'Flag all unrecognized Alternate Data Streams'.

5. Click 'Proceed'.

 

You can read more about ADS here.

 

If you would like to remove the ADS from files, check out Streams by Sysinternals/Microsoft.

 

I appreciate there is a lot of information here, but I hope you find it useful!

 

Regards,

 

Andy

Lavasoft Research

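The triage the reply above describes, done from the command line instead of through Tweak SE, as an added example that is not part of the original thread and not Lavasoft or Sysinternals code. It assumes PowerShell 3.0 or later on an NTFS volume (the `-Stream` parameters on Get-Item and Get-Content, and Unblock-File, do not exist in the PowerShell shipped with Vista). The `$KnownStreams` table is my own list of the stream names that account for every hit in the log above; `$Root` defaults to the current user's Favorites folder purely as a placeholder and should be pointed wherever you want to look. Zone.Identifier streams are only deleted when `-Unblock` is passed, and nothing else is ever modified.

```powershell
# Added example (not from the original thread or Lavasoft): enumerate alternate
# data streams under $Root, label the ones Windows itself writes, and flag the
# rest for a human to inspect. Requires PowerShell 3.0+ on NTFS.
param(
    [string]$Root = "$env:USERPROFILE\Favorites",   # placeholder; pick any folder
    [switch]$Unblock                                 # strip Zone.Identifier when set
)

# Stream names that explain every detection in the Ad-Aware log above.
# Anything not in this table is the interesting signal; these are noise.
$KnownStreams = @{
    'Zone.Identifier'  = 'Mark-of-the-Web written by IE / Attachment Execution Service on download'
    'favicon'          = 'Favicon cached by Internet Explorer on a .url favourite'
    'OECustomProperty' = 'Outlook Express / Windows Mail message property'
}

# ZoneId values found inside a Zone.Identifier stream, mapped to URLMON zone names.
$ZoneNames = @{
    0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
    3 = 'Internet';      4 = 'Restricted sites'
}

Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Get-Item -Stream * lists every named stream on the file; ':$DATA' is the
        # ordinary file content and is skipped.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $stream  = $_
                $verdict = if ($KnownStreams.ContainsKey($stream.Stream)) {
                    $KnownStreams[$stream.Stream]
                } else {
                    'UNKNOWN - inspect contents'
                }

                $detail = ''
                if ($stream.Stream -eq 'Zone.Identifier') {
                    # Typical contents: "[ZoneTransfer]`r`nZoneId=3`r`n" - exactly the
                    # 26 bytes the log above reports. Newer builds may also add
                    # ReferrerUrl= and HostUrl= lines recording where it came from.
                    $text = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -Raw
                    if ($text -match 'ZoneId=(\d+)') {
                        $id     = [int]$Matches[1]
                        $detail = "ZoneId=$id ($($ZoneNames[$id]))"
                    }
                    if ($Unblock) {
                        # Unblock-File deletes only the Zone.Identifier stream;
                        # the file's own content is untouched.
                        Unblock-File -LiteralPath $file.FullName
                        $detail += ' [removed]'
                    }
                }

                [pscustomobject]@{
                    File    = $file.FullName
                    Stream  = $stream.Stream
                    Bytes   = $stream.Length
                    Verdict = $verdict
                    Detail  = $detail
                }
            }
    } | Format-Table -AutoSize -Wrap
```

Run it as `.\ads-triage.ps1 -Root 'C:\Program Instillations'` to see the two Zone.Identifier hits from the log labelled as Mark-of-the-Web, and add `-Unblock` to clear them. For a stream the table does not know, read it before deleting anything: `Get-Content -LiteralPath <file> -Stream <name> -Raw` shows text, and piping it through `Format-Hex` shows binary. The Sysinternals tool the reply links to does the same enumeration (`streams -s <dir>`) and its `-d` switch removes every named stream it finds, favicons included, so use it on a directory only when you are happy to lose those as well.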