🔍 Introduction

Alternate Data Streams (ADS) are hidden components attached to regular files (documents, executables, system files and so on) on NTFS drives. In this guide, you’ll learn:

  • ✅ What ADS are
  • ✅ How both legitimate applications and malware use them
  • ✅ How to detect and remove malicious ADS safely

To enhance your malware detection skills, consider reviewing Learning HijackThis!.


🧠 A Brief History of ADS

ADS have been part of NTFS since the file system was introduced with Windows NT. They were originally designed to maintain compatibility with Apple’s Hierarchical File System (HFS), which stores a file as separate data and resource forks.

📌 Legitimate Uses:

  • Applications store metadata such as indexing details and access permissions in ADS.
  • Document properties, visible under the “Details” tab, are stored in ADS.
  • Antivirus programs might use ADS to log scanning details.

While these uses are valid, attackers frequently exploit ADS for concealment.


🧰 How Software Uses ADS

Legitimate programs commonly utilize ADS to store metadata invisibly. For example, if you create a text file and view its properties, you’ll see summary information stored through an ADS.

➕ Example: Creating ADS via Command Prompt

type c:\file.exe > C:\WINDOWS\system32\calc.exe:file.exe

Here, the contents of file.exe are copied into a stream named file.exe attached to calc.exe. The host file’s reported size, appearance, and behavior remain unchanged.


⚠️ Why ADS Can Be Dangerous

Despite their usefulness, ADS present a security risk when misused.

🚩 Exploitation by Malware:

  • ADS are invisible in standard Explorer views and directory listings.
  • Malicious streams can be launched via PowerShell, VBScript, or command line.
  • Traditional antivirus and Task Manager may fail to detect them.

🚨 Common Risks:

  • Trojans, ransomware, or spyware can hide in ADS.
  • Rootkits often use ADS to maintain stealth.
  • These streams do not change the file size or timestamp shown by Explorer or a plain directory listing, making them hard to detect manually.

❌ Can ADS Be Disabled?

Unfortunately, ADS cannot be disabled in NTFS. Nevertheless, you can scan and remove them using specialized utilities.


🔎 How to Detect and Remove ADS Infections

Manual removal can be risky and may break applications. Instead, it’s better to rely on trusted tools. Keep in mind: deleting a host file will also delete its ADS.
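Before handing a case to one of the removal tools below, it helps to know exactly which streams exist and which of them look like embedded executables. The following PowerShell script is an added example, not part of the original article or of any tool it describes; the function name Get-SuspiciousAds and the default path in $Root are assumptions. It lists every non-default stream under a directory and flags streams whose first two bytes are the MZ signature of a Windows executable, which is what the file.exe-inside-calc.exe case above would produce.

```powershell
# Added example: enumerate non-default NTFS streams under a path and flag
# streams that start with an MZ header (an embedded PE executable).
# Assumptions: Windows PowerShell 5.1 (for -Encoding Byte; PowerShell 7 uses
# -AsByteStream instead), an NTFS volume, and read access to $Root.
param(
    [string]$Root = 'C:\Windows\System32'   # assumed default scan location
)

function Get-SuspiciousAds {
    param([string]$Path)

    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * returns every stream of the file; ':$DATA' is the
            # normal file content, so everything else is an alternate stream.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    $streamPath = "$($file.FullName):$($_.Stream)"
                    # Read only the first two bytes; 0x4D 0x5A ('MZ') marks a PE file.
                    $head = Get-Content -LiteralPath $streamPath -Encoding Byte `
                        -TotalCount 2 -ErrorAction SilentlyContinue
                    $isPe = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                    [pscustomobject]@{
                        File     = $file.FullName
                        Stream   = $_.Stream
                        Bytes    = $_.Length
                        PEHeader = $isPe
                    }
                }
        }
}

# Executable streams sort to the top; Zone.Identifier streams on downloaded
# files are normal and will also appear, so review before acting.
Get-SuspiciousAds -Path $Root |
    Sort-Object PEHeader, Bytes -Descending |
    Format-Table -AutoSize

# To delete one confirmed-malicious stream while keeping the host file:
#   Remove-Item -LiteralPath 'C:\path\to\host.exe' -Stream 'file.exe'
```

Run it from an elevated prompt when scanning system directories, and compare any flagged entry against the log formats shown in the tool sections below before removing it.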

🧰 Trusted Tools for Detection and Removal:

Each of the tools covered below (FRST, OTL, ComboFix, and HijackThis ADS Spy) is designed to uncover and eliminate malicious ADS.


🧽 Removing ADS with FRST

🧾 Example from an FRST Log:

AlternateDataStreams: C:\Windows\System32\legitfile:malware.exe [134]
AlternateDataStreams: C:\malware:malware.exe [134]

🛠 Removal Process:

  1. Download and run FRST.
  2. In the same directory, create a file named fixlist.txt with this content:
Start::
AlternateDataStreams: C:\Windows\System32\legitfile:malware.exe [134]
AlternateDataStreams: C:\malware:malware.exe [134]
C:\malware
Stop::
  3. Click Fix in the FRST interface.
  4. Reboot your system once cleanup is complete.

🧽 Removing ADS with OTL (OldTimer’s List It)

🧾 Example from an OTL Log:

@Alternate Data Stream - 48 bytes -> C:\WINDOWS:5E0D2877D3BDDE45

🛠 Removal Steps:

  1. Launch OTL.exe.
  2. Under Custom Scans/Fixes, paste the following:
:Files
@C:\WINDOWS:5E0D2877D3BDDE45
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
  3. Click Run Fix.
  4. Allow your system to reboot.

🧽 Removing ADS with ComboFix

ComboFix detects and removes ADS automatically during its standard scan. However, you can also specify entries manually.

🧾 Example Log Entry:

c:\windows\system32\OLD4.tmp:ext.exe 32768 bytes executable

🛠 Manual Removal:

  1. Open Notepad.
  2. Enter the following:
ADS::
c:\windows\system32\OLD4.tmp
  3. Save it as CFScript.txt.
  4. Drag this script onto ComboFix.exe.
  5. Let ComboFix complete the removal process.

🧽 Removing ADS with HijackThis (ADS Spy)

HijackThis includes a utility called ADS Spy, designed to detect and delete hidden ADS entries. It is an effective method of removing ADS infections.

🛠 Removal Instructions:

  1. Open HijackThis.
  2. Click Config → Misc Tools → ADS Spy.
  3. Press Scan to find hidden streams.
  4. Review the results carefully.
  5. Select unwanted entries and click Remove Selected.

πŸ’‘ Need a refresher on HijackThis? See Learning HijackThis!.


✅ Conclusion

Alternate Data Streams (ADS) are integral to NTFS but present risks when exploited. Although you can’t disable ADS, using trusted tools allows you to remove threats effectively.

✅ Employ tools like FRST, OTL, ComboFix, and HijackThis to detect and clean up ADS infections.

πŸ” Regular system scans can reveal hidden threats your antivirus might overlook.

🌐 For expanded malware analysis techniques, visit Learning HijackThis! and explore our Malware & Virus Analysis Resources hub.
