Author Topic: Hidden.ADS infections - gs5sys  (Read 4872 times)

November 14, 2016, 04:45:08 am

planetboris

Hello, Rogue Killer scans keep coming up with Hidden.ADS infections, even after being deleted. 

My latest RK scan results:

RogueKiller V12.8.0.0 (x64) [Nov  7 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.14393) 64 bits version
Started in : Normal mode
User : Client [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Delete -- Date : 11/13/2016 20:41:55 (Duration : 00:24:23)

Processes : 0

Registry : 2
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 135.19.0.18 70.80.0.66 24.200.0.1 ([Canada][Canada][-])  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{f5360646-7351-40e3-9350-ddd70472812e} | DhcpNameServer : 135.19.0.18 70.80.0.66 24.200.0.1 ([Canada][Canada][-])  -> Not selected

Tasks : 0

Files : 3
[Hidden.ADS][Stream] C:\Users\Client\AppData\Roaming:gs5sys -> Deleted
[Hidden.ADS][Stream] C:\Users\Client\AppData\Local:gs5sys -> Deleted
[Hidden.ADS][Stream] C:\ProgramData:gs5sys -> Deleted

WMI : 0

Hosts File : 0

Antirootkit : 0 (Driver: Loaded)

Web browsers : 0

MBR Check :
+++++ PhysicalDrive0: WDC WD1002FAEX-00Z3A SCSI Disk Device +++++
--- User ---
[MBR] aa4fbfb426fcf5267b120e2e5d8e11d8
[BSP] 143fdc32b0aa50c7e931aecb7d91ff29 : Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 927815 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 1900167168 | Size: 450 MB
2 - [XXXXXX] FAT32-LBA (0x1c) [HIDDEN!] Offset (sectors): 1901090816 | Size: 25599 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: WDC WD3202ABYS-01B7A0 +++++
--- User ---
[MBR] 96c730a9420de6f531c48a026eb3890c
[BSP] 6a4cdbb4432ea14b8cbaef9136369d0b : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 304207 MB [Windows XP Bootstrap | Windows XP Bootloader]
User = LL1 ... OK
User = LL2 ... OK

Thanks and best regards
 


Reply #1 on: November 14, 2016, 03:18:14 pm

Curson

Hi planetboris,

This seems to be a false positive.
Could you please follow the following process to help us?
Launch the command prompt window (cmd) with admin rights and copy/paste the following command:
Code:
more < C:\Users\Client\AppData\Roaming:gs5sy >> %USERPROFILE%\Desktop\ADS.txt

A new file named ADS.txt should have been created on your desktop.

Please attach it with your next reply.

Regards.

Reply #2 on: November 14, 2016, 11:39:34 pm

planetboris

Thanks very much for your reply. I copy-pasted:
 
more < C:\Users\Client\AppData\Roaming:gs5sy >> %USERPROFILE%\Desktop\ADS.txt

into cmd (admin) but only received this response: The system cannot find the file specified.

Reply #3 on: November 15, 2016, 07:05:07 pm

Curson

Hi planetboris,

It seems that Windows is unable to list the content of a folder ADS this way.
Could you please list all the security software you are using?

Regards.

Reply #4 on: November 15, 2016, 09:09:05 pm

planetboris

Hi, Bit Defender is turned off because I have Emsisoft running.

Zemana is also installed. I turned it off at Start Up, but ZAM shows up in background processes.

I run scans manually with SuperAntispyware, Herd Protect, RK (of course), Junk File removal tool, Eset online scanner, MalwareBytes, ADW cleaner.

Thanks

Reply #5 on: November 15, 2016, 09:38:01 pm

Curson

Hi planetboris,

Thanks for your feedback.
Since you are using a lot of security software, it's difficult to point to a potential culprit among them.

I will check how to extract the ADS in order to analyze it and get back to you as soon as possible.
Thanks for your patience.

Regards.

Reply #6 on: November 15, 2016, 09:53:17 pm

planetboris

Thank you for your time and energy. Very much appreciated. Looking forward to any solution.

Best regards

Reply #7 on: November 16, 2016, 10:25:47 am

planetboris

Hi, I was able to get the RDS.txt file from

more < C:\Users\Client\AppData\Roaming:gs5sy >> %USERPROFILE%\Desktop\ADS.txt

gs5sy was missing the letter s to make it gs5sys. No problem, I just added it. Although before I ran that command in cmd admin I had completed another scan using RK, and this time I didn't delete the Hidden.ADS, so maybe that's why it showed up now. Here is the attached file as requested. Hope it helps.

Thanks again.
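
Added example, not part of the original thread and not RogueKiller code: a Python helper that parses the report's Hidden.ADS lines, builds the `more <` command from them, and checks a hand-typed command against the report, which catches the `gs5sy`/`gs5sys` mismatch discussed in the replies above. The function names are hypothetical; the report lines and the command form are taken from the posts.

```python
import difflib
import re

# Constructed sample: the three "Files" lines from the RogueKiller report in this thread.
REPORT = r"""
[Hidden.ADS][Stream] C:\Users\Client\AppData\Roaming:gs5sys -> Deleted
[Hidden.ADS][Stream] C:\Users\Client\AppData\Local:gs5sys -> Deleted
[Hidden.ADS][Stream] C:\ProgramData:gs5sys -> Deleted
"""

# A colon is illegal inside a path component, so the only colon after the
# drive letter separates the host path from the stream name.
FINDING = re.compile(
    r"^\[Hidden\.ADS\]\[Stream\]\s+(?P<host>[A-Za-z]:\\[^:\n]*):(?P<stream>[^:\s]+)"
    r"\s+->\s+(?P<action>.+?)\s*$", re.M)
# The host:stream operand of a typed `more < host:stream` command.
TYPED = re.compile(r'more\s*<\s*"?(?P<host>[A-Za-z]:\\[^:"\n]*):(?P<stream>[^:\s">]+)')


def parse_findings(report):
    """Return (host_path, stream_name, action) for each Hidden.ADS report line."""
    return [(m["host"], m["stream"], m["action"]) for m in FINDING.finditer(report)]


def dump_command(host, stream, out=r"%USERPROFILE%\Desktop\ADS.txt"):
    """Build the cmd.exe line that appends a stream's content to a text file."""
    return f'more < "{host}:{stream}" >> "{out}"'


def check_command(cmd, findings):
    """Return (ok, suggestion): does cmd name a stream the report listed for that path?"""
    m = TYPED.search(cmd)
    if not m:
        return False, None
    # NTFS names are case-insensitive, so compare in lower case.
    known = {s for h, s, _ in findings if h.lower() == m["host"].lower()}
    if m["stream"].lower() in {s.lower() for s in known}:
        return True, None
    close = difflib.get_close_matches(m["stream"], sorted(known), n=1)
    return False, (close[0] if close else None)


if __name__ == "__main__":
    findings = parse_findings(REPORT)
    for host, stream, _ in findings:
        print(dump_command(host, stream))
    typed = r"more < C:\Users\Client\AppData\Roaming:gs5sy >> %USERPROFILE%\Desktop\ADS.txt"
    print(check_command(typed, findings))
```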

Reply #8 on: November 16, 2016, 11:39:59 am

Curson

Hi planetboris,

Thanks for the fix and sorry for this mistake.
This ADS is metadata for an application on your system.
Since it's totally harmless, it will be whitelisted in the next RogueKiller release.

Thanks again for your feedback.
Regards.

Reply #9 on: November 18, 2016, 01:27:20 am

planetboris

Ok, good to know! Thanks again for all your help and for creating Rogue Killer, a fantastic product, and for making it available.

cheers

Reply #10 on: November 18, 2016, 12:09:11 pm

Curson

Hi planetboris,

You are very welcome.
Thanks for the kind words.

Regards.