Adlice forum
General Category => Malware removal help => Topic started by: planetboris on November 14, 2016, 04:45:08 AM
-
Hello, RogueKiller scans keep coming up with Hidden.ADS infections, even after they have been deleted.
My latest RK scan results:
RogueKiller V12.8.0.0 (x64) [Nov 7 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 10 (10.0.14393) 64 bits version
Started in : Normal mode
User : Client [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Delete -- Date : 11/13/2016 20:41:55 (Duration : 00:24:23)
¤¤¤ Processes : 0 ¤¤¤
¤¤¤ Registry : 2 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 135.19.0.18 70.80.0.66 24.200.0.1 ([Canada][Canada][-]) -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{f5360646-7351-40e3-9350-ddd70472812e} | DhcpNameServer : 135.19.0.18 70.80.0.66 24.200.0.1 ([Canada][Canada][-]) -> Not selected
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 3 ¤¤¤
[Hidden.ADS][Stream] C:\Users\Client\AppData\Roaming:gs5sys -> Deleted
[Hidden.ADS][Stream] C:\Users\Client\AppData\Local:gs5sys -> Deleted
[Hidden.ADS][Stream] C:\ProgramData:gs5sys -> Deleted
¤¤¤ WMI : 0 ¤¤¤
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD1002FAEX-00Z3A SCSI Disk Device +++++
--- User ---
[MBR] aa4fbfb426fcf5267b120e2e5d8e11d8
[BSP] 143fdc32b0aa50c7e931aecb7d91ff29 : Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 927815 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 1900167168 | Size: 450 MB
2 - [XXXXXX] FAT32-LBA (0x1c) [HIDDEN!] Offset (sectors): 1901090816 | Size: 25599 MB
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive1: WDC WD3202ABYS-01B7A0 +++++
--- User ---
[MBR] 96c730a9420de6f531c48a026eb3890c
[BSP] 6a4cdbb4432ea14b8cbaef9136369d0b : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 304207 MB [Windows XP Bootstrap | Windows XP Bootloader]
User = LL1 ... OK
User = LL2 ... OK
Thanks and best regards
-
Hi planetboris,
This seems to be a false positive.
Could you please follow the process below to help us?
Launch a command prompt window (cmd) with admin rights and copy/paste the following command:
more < C:\Users\Client\AppData\Roaming:gs5sy >> %USERPROFILE%\Desktop\ADS.txt
A new file named ADS.txt should have been created on your desktop.
Please attach it with your next reply.
Regards.
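The `more <` redirection above dumps one named stream whose exact name you already know. The following PowerShell script is an added example (not part of the forum thread and not Adlice's or RogueKiller's code) that enumerates every named NTFS stream on the three directories the log flagged, copies each stream out to the desktop, and records its SHA-256 so the content can be compared after the next scan. It assumes Windows PowerShell 5.1 run from an elevated prompt on the affected machine (PowerShell 7 replaces `-Encoding Byte` with `-AsByteStream`); the `$targets` list and the output folder name are choices made for this example.

```powershell
# Added example, not code from the thread or from Adlice: enumerate and dump
# the named NTFS streams RogueKiller reported as [Hidden.ADS][Stream].
# Assumes Windows PowerShell 5.1 in an elevated prompt.
$targets = @(
    $env:APPDATA,         # C:\Users\<user>\AppData\Roaming
    $env:LOCALAPPDATA,    # C:\Users\<user>\AppData\Local
    $env:ProgramData      # C:\ProgramData
)
$outDir = Join-Path $env:USERPROFILE 'Desktop\ADS-dump'   # output folder chosen for this example
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

foreach ($path in $targets) {
    # -Stream * lists every stream on a file or directory. Directories carry no
    # unnamed ':$DATA' stream, so anything listed here is an alternate data stream.
    $streams = Get-Item -LiteralPath $path -Stream * -ErrorAction SilentlyContinue |
               Where-Object { $_.Stream -ne ':$DATA' }
    if (-not $streams) { Write-Host "$path : no named streams"; continue }

    foreach ($s in $streams) {
        $streamPath = '{0}:{1}' -f $path, $s.Stream
        Write-Host ('{0}  ({1} bytes)' -f $streamPath, $s.Length)

        # Read the raw bytes of the stream without modifying it. The stream name
        # must match exactly (gs5sys, not gs5sy), otherwise the read fails.
        [byte[]]$bytes = Get-Content -LiteralPath $path -Stream $s.Stream -Encoding Byte -Raw -ErrorAction Stop
        if (-not $bytes -or $bytes.Length -eq 0) { Write-Host '  (empty stream)'; continue }

        # Copy the content out as an ordinary file so it can be hashed and attached.
        $dest = Join-Path $outDir (($streamPath -replace '[\\:]', '_') + '.bin')
        [System.IO.File]::WriteAllBytes($dest, $bytes)

        # SHA-256 lets you tell "same harmless metadata came back" from "new content".
        $hash = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
        Write-Host "  SHA256 $hash  -> $dest"

        # First bytes in hex: text metadata is obvious at a glance, a PE header (4D 5A) is not.
        $n    = [Math]::Min(32, $bytes.Length)
        $head = $bytes[0..($n - 1)] | ForEach-Object { '{0:x2}' -f $_ }
        Write-Host ('  head: ' + ($head -join ' '))
    }
}
```

Run it once before and once after a RogueKiller deletion: if the same stream name reappears with the same hash, it is being rewritten by whatever application owns that metadata, which is the false-positive pattern the rest of this thread ends up confirming. The `more < "C:\ProgramData:gs5sys"` form from the thread is the cmd equivalent for a single, already-known stream.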
-
Thanks very much for your reply. I copy-pasted:
more < C:\Users\Client\AppData\Roaming:gs5sy >> %USERPROFILE%\Desktop\ADS.txt
into cmd (admin) but only received this response: The system cannot find the file specified.
-
Hi planetboris,
It seems that Windows is unable to list the content of a folder ADS this way.
Could you please list all the security software you are using?
Regards.
-
Hi, Bitdefender is turned off because I have Emsisoft running.
Zemana is also installed; I turned it off at startup, but ZAM shows up in background processes.
I run scans manually with SuperAntiSpyware, Herd Protect, RK (of course), Junk File removal tool, ESET online scanner, Malwarebytes, and AdwCleaner.
Thanks
-
Hi planetboris,
Thanks for your feedback.
Since you are using a lot of security software, it's difficult to point to a potential culprit among them.
I will check how to extract the ADS in order to analyze it and get back to you as soon as possible.
Thanks for your patience.
Regards.
-
Thank you for your time and energy. Very much appreciated. Looking forward to any solution.
Best regards
-
Hi, I was able to get the ADS.txt file from
more < C:\Users\Client\AppData\Roaming:gs5sy >> %USERPROFILE%\Desktop\ADS.txt
gs5sy was missing the letter s to make it gs5sys. No problem, I just added it. Although before I ran that command in cmd (admin) I had completed another scan using RK, and this time I didn't delete the Hidden.ADS, so maybe that's why it showed up now. Here is the attached file as requested. Hope it helps.
Thanks again.
-
Hi planetboris,
Thanks for the fix and sorry for this mistake.
This ADS is metadata for an application on your system.
Since it's totally harmless, it will be whitelisted in RogueKiller next release.
Thanks again for your feedback.
Regards.
-
Ok, good to know! Thanks again for all your help and for creating RogueKiller, a fantastic product, and for making it available.
cheers
-
Hi planetboris,
You are very welcome.
Thanks for the kind words.
Regards.