Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.



  • This topic is locked This topic is locked
4 replies to this topic

#1 ooze_21


  • Members
  • 16 posts
  • Local time:12:14 AM

Posted 29 March 2016 - 04:11 AM



I have a recurring thing that shows up exactly in 7 days interval. Rouge Killer x64 finds it and removes it. Every other program I use can not find it. (Zemana, Malwarebytes, Superantispyware, HitmanPro, Emsisoft Emergency Kit.)


What can it be? Should I worry?


Rouge Killer x64 reports it at dangerous.


This is what is found:


¤¤¤ Files : 1 ¤¤¤
[Hidden.ADS][Stream] C:\Windows\System32:Win32App_1 -> Found


Other programs I use are Hitman.Pro.Alert



Windows 10 x64

BC AdBot (Login to Remove)


#2 buddy215


  • Moderator
  • 13,420 posts
  • Gender:Male
  • Location:West Tennessee
  • Local time:04:14 PM

Posted 29 March 2016 - 05:55 AM

Welcome to BC...


Please follow the instructions in the Malware Removal and Log Section Preparation Guide starting at Step 6.

  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 6 there are instructions for downloading and running FRST which will create two logs.

When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.

Start a new topic, give it a relevant title and post your log(s) along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. If you cannot produce any of the required logs...start the new topic anyway. Explain that you followed the Prep. Guide, were unable to create the logs, and describe what happened when you tried to create them. A member of the Malware Removal Team will walk you through, step by step, on how to clean your computer.

After doing this, please reply back in this thread with a link to the new topic so we can close this one.


DO NOT bump your new topic. Wait for a response from one of the Team Members.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,953 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:14 PM

Posted 29 March 2016 - 06:59 AM

In NTFS (New Technology File System), a file consists of different data streams. One stream holds the security information. Another stream holds the "real data" you expect to be in a file. Another has link information instead of the real data stream if the file actually is a link. And there may be an alternate data stream (ADS) which holds data the same way the standard data stream does.

Alternate Data Streams (ADS) are a feature of the Windows NTFS File System which has the ability to fork (hide) file data into existing files and folders (directories) without affecting their functionality or size. ADS capabilities where originally conceived to allow for compatibility with the Macintosh Hierarchical File System (HFS) where file information is sometimes forked into separate resources.

ADS are used legitimately by a variety of programs, including native Windows operating system to store file information such as attributes and temporary storage. ADS is used to store icons and other file information such as attributes with a hidden stream that instructs the system how to use the data contained in the file. They typically have the following characteristics.
  • NTSF Streams are only visible to specialized software.
  • Streams can attach themselves to directories as well as files.
  • Disk space used by Streams are not reported by programs such as Windows Explorer or commands such as 'DIR'
  • Streams can be executed and executed streams' filenames are not displayed correctly in Task Manager.
ADS also provides hackers with a method of hiding rootkits or hacker tools on a breached system and allows them to be executed without being detected by conventional anti-virus and anti-malware scanners. Files with an ADS are almost impossible to detect and do not show in Windows Task Manager. ADS can be executed by using commands or be scripted within scripting languages like VB or Perl. Once injected, the ADS executable will appear to run as the original file. Using this method allows hackers to not only hide a file but to also hide the execution of an illegitimate process. However, both legitimate programs and malware can exhibit rootkit-like behavior or hook into the OS.

ADS are extremely easy to make and require little or no skill on the part of a legitimate creator or hacker. Common DOS commands like type are used to create an ADS. These commands are used in conjunction with a redirect [>] and colon [:] to fork one file into another. As such, further investigation is required to determine if the ADS is legitimate or not.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#4 ooze_21

  • Topic Starter

  • Members
  • 16 posts
  • Local time:12:14 AM

Posted 29 March 2016 - 02:37 PM

You can close this now!



#5 Animal


    Bleepin' Animinion

  • Site Admin
  • 35,905 posts
  • Gender:Male
  • Location:Where You Least Expect Me To Be
  • Local time:02:14 PM

Posted 29 March 2016 - 02:54 PM


Now that you have posted a log at the link above, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic. Good luck with your log.

The Internet is so big, so powerful and pointless that for some people it is a complete substitute for life.
Andrew Brown (1938-1994)

A learning experience is one of those things that say, "You know that thing you just did? Don't do that." Douglas Adams (1952-2001)

"Imagination is more important than knowledge. Knowledge is limited. Imagination circles the world." Albert Einstein (1879-1955)

Follow BleepingComputer on: Facebook | Twitter | Google+

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users