
Ads-joudres


4 replies to this topic

#1 tmuh


Posted 01 May 2006 - 02:08 PM

I've been getting a lot of Alternate Data Streams on some of my PCs when I do an ADS scan. All of them seem to be coming up with the ADS name of Joudres.

Has anyone heard of this? Is there any way to find out what it actually is? I've watched the Firewall logs and no traffic seems to be going in or out when I click on the picture.

Thanks


#2 quietman7


Posted 01 May 2006 - 02:30 PM

The only thing I can find on joudres is an association with porn sites. Are you using Merijn's ADSSpy for scanning?
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 tmuh


Posted 01 May 2006 - 03:05 PM

I noticed that as well when I did a Google search. I am using ADSpy to scan. I am using ADSTools and have finally extracted the Data Stream (8 KB file). Now what I'm trying to do is to find out exactly what the file does when activated.

I'm not even sure if that's possible. The only reason why I'm trying to find out what it does is for discipline purposes only. Ahhh.......the IT profession is never without problematic users......LOL


Thanks

#4 javaweasel


Posted 14 February 2007 - 07:10 PM

Hey there...

A little behind the times, but there isn't much else out there on the "Joudres" ADS issue.

I found the same thing attached to every single *image* file on my machine. There are two ADS files attached, one named Q30lsldxJoudresx(nnnn) and the other name is an ID string.

Using Microsoft's streams.exe tool, I deleted the ADS files from the images, no problems. (To find the tool, do a search on "sysinternals" from the microsoft.com main page. Use the tools at own risk/system damage/lost data/etc., etc.)

After cleaning, I viewed one of the image folders in Explorer, viewing the file list as 'details.' I then switched to the 'thumbnail' view, and the ADS files magically returned. I went into selected folders and tried switching some to Thumbnail view, and leaving others alone. The ADS files reappeared whenever I used Thumbnail view.

So, on my system, the Joudres file(s) seem to be associated with the thumbnail view in Explorer, and appear to serve a completely benign journaling or indexing function.

Just a word of caution...there are completely legit programs that attach little notes/journals to a file's ADS stream, such as editors, backup software, system utilities, and the like. If you wipe out those ADS files with streams.exe (easy to do, btw), you lose potentially valuable info. I found that out the hard way by deleting the ADS files attached to essential documents.

One good thing to come of this is that I did lots of reading on ADS as a result.

J
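An added example, not part of any post in this thread: a read-only PowerShell inventory of the named streams attached to image files, taken before anything is deleted, so that streams like the "Joudres" ones can be counted, sized and checked for an executable header. The folder, the extension list, the CSV file name and the "MZ" header check are assumptions made for the example; it needs Windows with NTFS and PowerShell 3.0 or later.

```powershell
# Added example: read-only inventory of named alternate data streams (nothing is deleted).
# Assumptions: NTFS volume, PowerShell 3.0+; folder, extensions and CSV name are placeholders.
param(
    [string]$Root = 'C:\Users\Public\Pictures',
    [string[]]$Extensions = @('.jpg', '.jpeg', '.gif', '.png', '.bmp')
)

# Raw byte reads are spelled differently in Windows PowerShell 5.1 and PowerShell 6+.
if ($PSVersionTable.PSVersion.Major -ge 6) {
    $byteArgs = @{ AsByteStream = $true }
} else {
    $byteArgs = @{ Encoding = 'Byte' }
}

$report = @(
    Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $file = $_.FullName
            Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |   # skip the unnamed main stream
                ForEach-Object {
                    # Read only the first two bytes of the stream; never execute or open it.
                    $head = @(Get-Content -LiteralPath $file -Stream $_.Stream `
                                -TotalCount 2 -ErrorAction SilentlyContinue @byteArgs)
                    [pscustomobject]@{
                        File     = $file
                        Stream   = $_.Stream
                        Length   = $_.Length
                        # "MZ" (0x4D 0x5A) is the DOS/PE executable header.
                        StartsMZ = ($head.Count -ge 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                    }
                }
        }
)

# Summary: streams whose name contains "Joudres" (the name reported in this thread) vs. the rest.
$report |
    Group-Object { if ($_.Stream -like '*Joudres*') { 'Joudres' } else { 'other' } } |
    Select-Object Name, Count,
        @{ n = 'MaxBytes'; e = { ($_.Group | Measure-Object Length -Maximum).Maximum } }

# Streams that start with an executable header deserve a closer look before any cleanup.
$report | Where-Object StartsMZ | Format-Table -AutoSize

# Keep the full list so streams removed later can be accounted for.
$report | Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP 'ads-inventory.csv')
```

Running it once before and once after switching a folder to Thumbnail view, then comparing the two CSV files, shows which streams Explorer itself recreates.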

#5 Nougat


Posted 16 February 2007 - 12:31 PM

I believe this is related to Adware.Look2me.

Here's an uninstaller:

http://www.f-secure.com/sw-desc/look2me.shtml


While that is an uninstaller for Adware.Look2me, that ADS is harmless. It's carrying the summary information for the file. You can see this data by right-clicking the file, going to Properties, then looking in the Summary tab.

http://www.bleepingcomputer.com/tutorials/windows-alternate-data-streams/

Edited by Nougat, 16 February 2007 - 01:03 PM.




