Hidden.ADS - false positive?

[Steve76]

Hi, Roguekiller has detected two Hidden.ADS "files" - C:\Windows:s8vj4g0sk4d1 and C:\Users\Me\AppData\Roaming:lv93ja32540f.

I've got a basic understanding of what alternate data streams are - I've not allowed RogueKiller to remove them yet as I'm worried it'll remove those entire folders!  They don't seem attached to individual files but the entire directory.  Are these false positives or something to worry about?  Nothing else has been detected, I've ran several other scans which all came back clean.  The computer is used only for work and has never had so much as an unwanted toolbar installed.  I've checked via command line and they do seem attached to the actual directory itself.

Any help appreciated!

[Curson]

Hi Steve,

Welcome to Adlice.com Forum.
We are going to investigate those ADS.

Launch the command prompt windows (cmd) with admin rights and copy/paste the following command :

Code: [Select]

more < C:\Windows:s8vj4g0sk4d1 > %USERPROFILE%\Desktop\checkADS1.log && more < C:\Users\Me\AppData\Roaming:lv93ja32540f > %USERPROFILE%\Desktop\checkADS2.logTwo files named checkADS1.log and checkADS2.log will be created on your desktop. Please attach them with your next reply.

Regards.

[Steve76]

Hi, the log files are attached, thanks!

On Windows 7 (in case that's relevant).

[Curson]

Hi Steve,

At first sight, those ADS seems to be leftovers.
Could you please attach the JSON report in your next reply ?

Regards.

[Steve76]

Hi, report attached (the PUP on the report seems to only point to a log file from a driver installation).

When you say "leftovers" could that be from something benign?  There's never been an infection removed.

[Curson]

Hi Steve,

It's difficult to be sure about the source of those ADS but they are not malicious in any way. Maybe they were left by some security program.
I think you can leave them alone.

Regards.

[Steve76]

OK, thanks for your help.

[Curson]

Hi Steve,

You are welcome.

Regards.