  lynchknot
join:2003-06-16 Camas, WA
Removing KAV5's ADS tags
As per mele20's post - »Users of both kav 5 & Windows XP -- request "I had to run streams from System Internals to get the tags removed (it was that or reformat)! This was after I removed 5.0. kav is horribly remiss in not providing a tool to remove the tags when one removes kav. Terrible just terrible. Further, I have 35 files that were locked and thus streams could not remove the tags from those files. I now have to go get a trial of TDS-3 and remove each one by hand using TDS to do it which will be tedious. I can't imagine anyone using kav 5.0 personal after learning about these tags especially since there is NOTHING in the help file about them and nowhere does kav explain or ask your permission to place these tags on all your files"
I uninstalled kav5 and installed kav4.5 and ran TDS-3 and found these "ADS streams" I thought every single app in program files would be tagged. Are these legitimate streams? I tried to run streams from sysinternal but do not understand how it works.
I set TDS-3 without any "ignore" streams options and this is the result - thanks for your help:
11:22:24 [File Scan] Scanning in C:\ ...
11:22:24 [CRC32] Test finished.
11:22:42 [NTFS ADS] Stream found - C:\Documents and Settings\All Users\Application Data\PowerQuest\hpc:1617307125
11:22:42 [NTFS ADS] Stream found - C:\Documents and Settings\All Users\Application Data\PowerQuest\hpc:2663419967
11:25:43 [NTFS ADS] Stream found - c:\documents and settings\ken\desktop\desktop\panther 1.0\thumbs.db:encryptable
11:43:05 [NTFS ADS] Stream found - c:\windows\resources\themes\metallurgy - release - 3\wallpaper\thumbs.db:encryptable
11:50:34 [File Scan] Scanned 48984 files: 25 alarms in 1690.188 seconds (Avg 29.98 files/sec)
11:50:34 [File Scan] Scanning in D:\ ...
11:51:28 [NTFS ADS] Stream found - d:\math assignments\peterframpton\cover\thumbs.db:encryptable
11:52:01 [File Scan] Scanned 2718 files: 26 alarms in 87.5 seconds (Avg 32.06 files/sec)
11:52:01 [File Scan] Scanning in E:\ ...
11:52:27 [NTFS ADS] Stream found - e:\desktop1\images\camera\thumbs.db:encryptable
11:53:48 [NTFS ADS] Stream found - e:\desktop1\newwalls\thumbs.db:encryptable
11:54:10 [NTFS ADS] Stream found - e:\docs\desktop\website\thumbs.db:encryptable
11:54:14 [NTFS ADS] Stream found - e:\docs\desktop\website\umicons\thumbs.db:encryptable
11:59:26 [NTFS ADS] Stream found - e:\games\nascar_thunder_2004\autorun\thumbs.db:
-- Firefox themes: »home.comcast.net/~lynchknot/
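As an added example (not code from this thread, from TDS-3 or from Kaspersky), a small Python parser for the TDS-3 output format quoted above: it splits the stream name off the file path at the last colon (the drive letter uses a colon too) and sets Explorer's routine Thumbs.db:encryptable tag apart from the streams worth examining before anything is deleted. The sample log is constructed in the same format, and treating only that one tag as known-benign is an assumption.

```python
"""Triage NTFS alternate-data-stream (ADS) hits from a TDS-3 scan log.
Added example for this thread, not a tool from TDS-3 or Kaspersky. It parses the
'[NTFS ADS] Stream found - <path>:<stream>' lines quoted in the first post, splits
the stream name off at the LAST colon (the drive letter uses one too) and separates
Explorer's routine Thumbs.db:encryptable tag from streams that need a look."""
import re
from collections import defaultdict

KNOWN_BENIGN = {("thumbs.db", "encryptable")}  # assumption: Explorer's marker only
ADS_LINE = re.compile(r"^\d\d:\d\d:\d\d \[NTFS ADS\] Stream found - (.+)$")

# Constructed sample in the TDS-3 format quoted in the thread (paths shortened).
SAMPLE_LOG = r"""
11:22:24 [File Scan] Scanning in C:\ ...
11:22:42 [NTFS ADS] Stream found - C:\Documents and Settings\All Users\Application Data\PowerQuest\hpc:1617307125
11:22:42 [NTFS ADS] Stream found - C:\Documents and Settings\All Users\Application Data\PowerQuest\hpc:2663419967
11:25:43 [NTFS ADS] Stream found - c:\documents and settings\ken\desktop\panther 1.0\thumbs.db:encryptable
11:59:26 [NTFS ADS] Stream found - e:\games\autorun\thumbs.db:
"""

def parse_ads_hits(log_text):
    """Return [(file_path, stream_name), ...] for every ADS line in the log."""
    hits = []
    for line in log_text.splitlines():
        m = ADS_LINE.match(line.strip())
        if not m:
            continue  # progress / CRC32 lines carry no ADS
        full = m.group(1)
        path, sep, stream = full.rpartition(":")
        if not sep or len(path) == 1:  # only the drive-letter colon present
            path, stream = full, ""
        hits.append((path, stream))  # stream is "" if the log line was cut off
    return hits

def triage(hits):
    """Return (known_benign_count, {stream_name: sorted paths needing review})."""
    benign, review = 0, defaultdict(list)
    for path, stream in hits:
        base = path.rsplit("\\", 1)[-1].lower()
        if (base, stream.lower()) in KNOWN_BENIGN:
            benign += 1
        else:
            review[stream].append(path)
    return benign, {k: sorted(v) for k, v in review.items()}

if __name__ == "__main__":
    benign, review = triage(parse_ads_hits(SAMPLE_LOG))
    print(f"{benign} routine Thumbs.db:encryptable hit(s); streams to review:")
    for stream, paths in review.items():
        print(*(f"  {p}:{stream or '<empty>'}" for p in paths), sep="\n")
```

Feed it a real TDS-3 log instead of SAMPLE_LOG and the review dict is the list of streams to look at by hand before deleting any stream or file.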
  lynchknot
join:2003-06-16 Camas, WA
Related topic: I'm guessing, but after uninstalling kav5, the system restore fragmented files went with it?
With kav5:
Xp pro syst restore on
List of the 43 most fragmented files and directories
# of Fragments  File size  File/Directory Name
26  715.9 MB  C:\RECYCLER\S-1-5-21-1060284298-1229272821-725345543-1003\Dc315\Dogma.avi
4  17.6 MB  C:\Program Files\Acronis\DiskDirector\MediaBuilder.exe
3  0.4 MB  C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\hpgt35.dll
3  5.2 MB  C:\System Volume Information\_restore{513EE648-39CA-4326-B7BB-DA32752BFE36}\RP101\A0029895.exe
3  232.1 MB  C:\System Volume Information\_restore{513EE648-39CA-4326-B7BB-DA32752BFE36}\RP128\A0045127.exe
3  111.1 MB  C:\System Volume Information\_restore{513EE648-39CA-4326-B7BB-DA32752BFE36}\RP128\A0045143.exe
3  4.1 MB  C:\Downloads\driverguide.toolkit.1.0.5.zip
2  9.7 MB  C:\System Volume Information\_restore{513EE648-39CA-4326-B7BB-DA32752BFE36}\RP103\snapshot\_REGISTRY_MACHINE_SOFTWARE (1)
2  4.8 MB  C:\System Volume Information\_restore{513EE648-39CA-4326-B7BB-DA32752BFE36}\RP123\snapshot\MFEX-3.DAT (1)
2  5.1 MB  C:\System Volume Information\_restore{513EE648-39CA-4326-B7BB-DA32752BFE36}\RP101\A0029687.exe
2  1.3 MB  C:\System Volume Information\_restore{513EE648-39CA-4326-B7BB-DA32752BFE36}\RP128\A0045132.exe
2  81.9 MB  C:\System Volume Information\_restore{513EE648-39CA-4326-B7BB-DA32752BFE36}\RP102\A0030657.exe (1)
2  49.9 MB  C:\System Volume Information\_restore{513EE648-39CA-4326-B7BB-DA32752BFE36}\RP101\A0030216.exe
2  2.3 MB  C:\Program Files\InterVideo\Home Theater\skins\Default\DVD Settings\DVD_Settings_Resize.BMP
2  0.1 MB  C:\Documents and Settings\ken\Application Data\zzzzzzzzzzzFirefox\Profiles\default\urcxfbmm.slt\bookmarks.html
2  0.0 MB  C:\Program Files\Stardock\Object Desktop\WindowBlinds\Blackcomb\trackthumbdown.tga
2  94.5 MB  C:\Documents and Settings\ken\Desktop\Limp_Bizkit-Results_May_Vary-RETAIL-2003-ESC.rar
2  4.5 MB  C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrodistdll.dll
2  0.5 MB  C:\Documents and Settings\ken\Application Data\Copy (3) of Firefox\Profiles\default.zja\extensions\{89951EC8-A9B4-49AE-B93E-D889C1222734}\chrome\ProLCD-.jar
2  1.0 MB  C:\Program Files\JetAudio\jdl_vorbis.dll
2  0.1 MB  C:\Program Files\Greeting Card Creator 32\Clipart\G1302909.WMF
2  3.1 MB  C:\Program Files\Macromedia\FreeHand MXa\MMxpt.dll
2  0.5 MB  C:\System Volume Information\_restore{513EE648-39CA-4326-B7BB-DA32752BFE36}\RP128\change.log
2  0.2 MB  C:\System Volume Information\_restore{513EE648-39CA-4326-B7BB-DA32752BFE36}\RP128\A0038638.dll
2  232.1 MB  C:\System Volume Information\_restore{513EE648-39CA-4326-B7BB-DA32752BFE36}\RP128\A0043001.exe
2  0.6 MB  C:\System Volume Information\_restore{513EE648-39CA-4326-B7BB-DA32752BFE36}\RP128\A0042711.dll
2  0.0 MB  C:\WINDOWS\inf\atiixpag.PNF
2  8.0 MB  C:\System Volume Information\_restore{513EE648-39CA-4326-B7BB-DA32752BFE36}\RP128\A0042674.dll
2  0.5 MB  C:\WINDOWS\system32\rtcdll.dll
2  1.0 MB  C:\System Volume Information\_restore{513EE648-39CA-4326-B7BB-DA32752BFE36}\RP128\A0045235.reg
2  0.0 MB  C:\Program Files\RegSupreme Pro\Documentation\html\regcleaner.html
2  0.6 MB  C:\System Volume Information\_restore{513EE648-39CA-4326-B7BB-DA32752BFE36}\RP128\A0035685.sys
2  4.6 MB  C:\System Volume Information\_restore{513EE648-39CA-4326-B7BB-DA32752BFE36}\RP127\A0034094.old
2  0.5 MB  C:\WINDOWS\system32\winlogon.exe
2  0.0 MB  C:\Documents and Settings\ken\Local Settings\Temp\ns_temp\xpcom.ns\bin\plc4.dll
2  0.0 MB  C:\Program Files\JetAudio\JFEffDRC.dll
2  12.0 MB  C:\WINDOWS\PCHEALTH\HELPCTR\Database\HCdata.edb
2  1.0 MB  C:\WINDOWS\system32\IME\PINTLGNT\pintlgix.imd
2  0.0 MB  C:\WINDOWS\inf\sis6306.PNF
2  0.3 MB  C:\WINDOWS\system32\termmgr.dll
2  0.2 MB  C:\WINDOWS\system32\wmpdxm.dll
2  0.0 MB  C:\WINDOWS\system32\nddeapi.dll
2  0.1 MB  C:\$Extend\$ObjId:$O
After uninstall and install kav4.5 -
14  172.8 MB  C:\FolderShareTemp\34914349-60e63700e55e15eb1f47934a41520f25.temp
5  4.1 MB  C:\Program Files\FolderShare\logs\log (5)
3  14.1 MB  C:\Program Files\Agnitum\Outpost Firewall\op_data.mdb
2  0.1 MB  C:\System Volume Information\_restore{513EE648-39CA-4326-B7BB-DA32752BFE36}\RP131\A0064962.DLL
2  0.2 MB  C:\System Volume Information\_restore{513EE648-39CA-4326-B7BB-DA32752BFE36}\RP131\A0059447.dll
2  1.6 MB  C:\System Volume Information\_restore{513EE648-39CA-4326-B7BB-DA32752BFE36}\RP131\A0064237.ocx
2  0.2 MB  C:\$Extend\$ObjId:$O
Digibits Premium join:2000-09-02 The Hilltop
reply to lynchknot: When I used TDS-3 to identify the remaining ADS tagged files on my drive after running streams, those files that were still tagged all indicated a reference to kavICHS.
Using TDS-3, I used the option to delete only the streams, not the files.
  lynchknot
join:2003-06-16 Camas, WA
reply to lynchknot: How do you run streams? I clicked it and nothing happened. How do you eliminate "just" streams in TDS-3? I see many of them are worthless thumbs.db files which I can just delete.
-- Firefox themes: »home.comcast.net/~lynchknot/
 boblandy Premium join:2002-05-06
reply to lynchknot: what a drag. awhile back i upgraded from 4.0 to 5.0 (yes i never migrated to 4.5) and 5.0 created a boatload of ADS on my machine.
for a number of reasons i didn't like 5.0 and uninstalled and went happily back to 4.0.
except now i have in excess of 35,000 ADS on the hd i can't get rid of. TrojanHunter was going off like crazy when i scanned with it, finally had to turn that feature off entirely.
i just barely understand this topic, but i sure hate that kav won't step up and give me a tool to remove what they put on my hd.
i'll follow the topic with interest. thank you
-- look out kid they keep it all hid
Digibits Premium join:2000-09-02 The Hilltop
reply to lynchknot: »kav 5.0 Personal scanning really slow covered the removal of the ADS pretty well. See Mele20's post (about 11th one down).
Digibits Premium join:2000-09-02 The Hilltop
reply to lynchknot: said by lynchknot: How do you run streams? I clicked it and nothing happened. How do you eliminate "just" streams in TDS-3? I see many of them are worthless thumbs.db files which I can just delete.
TDS-3 will identify which files contain ADS. Select one of the files within TDS, right click on it, and choose the option to delete the stream only, not the entire file.
As for kav, I've gone back to version 4.5.
  lynchknot
join:2003-06-16 Camas, WA
reply to lynchknot: Sorry, but you did not answer my question, and did you guys even view my first post? Most of the ADS are just thumbs.db (are they not?), which I can easily delete. I just want to know how to remove the few that are left - in fact, I don't see any in program files (I think).
-- Firefox themes: »home.comcast.net/~lynchknot/
  keith2468 Premium,MVM join:2001-02-03 Winnipeg, MB
reply to lynchknot: I would not expect the fragmented System Restore files associated with kav to simply disappear because an uninstall was run.
Say you wanted to Restore the system to the point prior to the uninstall -- you would normally be able to, but you can't if the System Restore files from when kav was on your system are all gone.
I don't understand how uninstalling kav 5 and installing kav 4.5 could defragment these files: C:\RECYCLER\S-1-5-21-1060284298-1229272821-725345543-1003\Dc315\Dogma.avi C:\Program Files\Acronis\DiskDirector\MediaBuilder.exe C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\hpgt35.dll etc., etc.
I'm guessing that maybe there was a scheduled execution of a disk defragmenter in there.
And if there was a defragmenter run, kav 5 isn't associated with fragmentation until either the monitor has run for a while or a scan has been done.
-- (Virus&Hijacking FAQ+Submit suspected malware+Security FAQ)
  lynchknot
join:2003-06-16 Camas, WA
reply to lynchknot: I never stated that kav fragmented those files - this is a cut and paste of my defrag results (PD).
I have removed every single ADS stream (by deleting thumbs.db files) but these two (I'm not sure if these are needed):
11:22:42 [NTFS ADS] Stream found - C:\Documents and Settings\All Users\Application Data\PowerQuest\hpc:1617307125
11:22:42 [NTFS ADS] Stream found - C:\Documents and Settings\All Users\Application Data\PowerQuest\hpc:2663419967
How do you explain the size difference in fragmented files in my second post? 43 vs 7.
-- Firefox themes: »home.comcast.net/~lynchknot/
  keith2468 Premium,MVM join:2001-02-03 Winnipeg, MB
reply to boblandy: I've asked about this on the "Unofficial kav forum", which is run by a kav distributor and which is visited almost daily by someone from kav.
The topic is here: »forums.useice.com/cgi-bin/ikonbo···=1;t=573
Hopefully we'll get an answer soon.
For now, think of the ADS tags as a kind of directory entry. The ADS tags kav uses are entries that record information on the file's contents so that kav won't have to scan it again until it changes.
Yes, space is wasted by these entries when you uninstall kav, but no, they aren't slowing your machine down when you do ordinary work, and no, they aren't a security exposure.
a) You aren't running kav so the only thing reading them is TrojanHunter and your AV when it does a scan -- and presumably you don't sit and wait while the scan runs.
b) Code can be stored in ADS tags, and that code can be a security exposure. But code can also be stored in .bin's, .jpg's, .txt's, and even in regular file names. The question is where does the file or directory entry come from -- what put it there. And in this case it was kav and you know you had kav on your system and they are a reputable company.
If you were still running kav 5, the ADS tags would speed up processing (at least that is what is supposed to happen) because files that are unchanged since the last scan only have to be examined to confirm they haven't changed, not re-scanned and re-analysed completely.
So hopefully we'll get word back from kav in a couple of days on them providing a tool to remove the ADS tags from computers where kav 5 has been uninstalled.
-- (Virus&Hijacking FAQ+Submit suspected malware+Security FAQ)
  lynchknot
join:2003-06-16 Camas, WA
reply to lynchknot: I uninstalled kav5 and installed kav4.5 - I then ran TDS-3 only to find 9 ADS streams! 7 of which were only thumbs.db files - so where are all the ADS tags that kav5 supposedly installed?
Prior to the switch, there were 43 fragmented files and directories. Upon uninstalling and installing kav4.5 I ran defrag and only found 7 fragmented files - where did all the fragmented files go? - Now did that make sense?
-- Firefox themes: »home.comcast.net/~lynchknot/
 boblandy Premium join:2002-05-06
reply to keith2468: keith you make terrific points. yes i definitely trust kav.
the TH scanner spends time listing 35,000 ADS tags and i have to turn the feature off or go nuts (no i don't watch, but i do prefer to view results and 35,000 files tend to clog that pipeline right up).
i do understand *why* the ADS are used. i don't like that they are not removable, but i can see that you are aware of that.
so again, you wrote a good post. i thank you and, like you, i hope kav creates a remedy for this issue.
-- look out kid they keep it all hid
  lynchknot
join:2003-06-16 Camas, WA
reply to lynchknot: Will someone please understand me? Where are the 35,000 tags? I only saw 9 after I uninstalled - am I searching incorrectly?
here is a SS of scan config: »www.filenote.com/redir/17841.jpg
-- Firefox themes: »home.comcast.net/~lynchknot/
 boblandy Premium join:2002-05-06
i've already copped to not understanding much on this subject so i know you're not complaining to me....
but i will perhaps shed some more light on this by telling you that the 35,000 ADS are now ALSO showing as 35,000 I/O errors when i scan with kav4.0. this is not a mystery to me, inasmuch as kav did not come up with this tagging method until 5.0... so 4.0 is calling what it finds errors.
meanwhile i have to deal with another clogged up on-demand scanner.
-- look out kid they keep it all hid
  lynchknot
join:2003-06-16 Camas, WA
reply to lynchknot: The only I/O errors kav4.5 is finding on my PC are 22, and they are all from a download of TDS-3.
-- Firefox themes: »home.comcast.net/~lynchknot/
  keith2468 Premium,MVM join:2001-02-03 Winnipeg, MB
reply to boblandy: Boblandy -
I'm wondering if you have an earlier version of kav 4.
Early versions of kav 4 had a lot of I/O errors reported, although supposedly this didn't affect the actual scanning.
You could email support@kaspersky.com with your version numbers and a description of what you are seeing -- and see what they say.
I understand the latest releases of earlier versions are available for download here: »kasperskylab.co.uk/files/homeuser/
- Keith
-- (Virus&Hijacking FAQ+Submit suspected malware+Security FAQ)
 boblandy Premium join:2002-05-06
keith
kav4.0.5.37 here, on 2 machines.
the difference in I/O errors was like night and day, to put it mildly, before and after kav5.0 install and uninstall.
i only put 5.0 on one machine and not the other. on the pc that 5.0 was never installed on, i routinely see somewhere around 7 I/O errors.... not excessive, would you agree
i see an earlier version (kav Personal 4.0.9) here, but given the relatively low I/O count noted above, i sorta doubt my version is really doing anything to in any way contribute to the 35,000 I/Os
if that makes any sense....
-- look out kid they keep it all hid
MapleLeaf Premium join:2001-09-04 Burnaby, BC
Bob, any specific reason that you don't upgrade to 4.5.0.94?
  keith2468 Premium,MVM join:2001-02-03 Winnipeg, MB
reply to lynchknot: I think one of the last versions of 4 was 4.5.0.95, which showed in many places as 4.5.0.94.
quote: You can download 4.5.0.94 from the website or ftp-server, but some components will be updated during the update process. So your monitor still will show 4.5.0.94, but the on-demand-scanner will have version number 4.5.0.95. A bit confusing
»forums.useice.com/cgi-bin/ikonbo···=1;t=402
Updating to that, if you don't have a special reason not to, should fix your I/O errors (and other things). It was one of the last updates that cleared them up.
-- (Virus&Hijacking FAQ+Submit suspected malware+Security FAQ)