LATEST NEWS

A virus using ADS infected my workstation!

img
Jun
21

DAMN! For almost 2 year i have been free of viruses, yesterday was the time that i got infected by an ADS virus, which seems to be stealth to normal computer users.

Detected as a rootkit (Win32:Rootkit-gen[Rtk]) by Avast! Antivirus, it was almost undetectable since i never had any antivirus. I usually prevent, detect and remove viruses manually. This post was intended to share common steps on how you can remove an ADS integrated virus.

I noticed that something was wrong with my computer during boot when a cmd screen pops up and exited. When i open autoruns, i saw somethin suspicious. See the screenshot below. By the value that it set in the registry, the : character shows that the file is stored using alternate data streams.

The C:\WINDOWS\system32:winsock32.exe was the value attached to a key in the startup parameters. If you try to find winsock32.exe anywhere in the drive, you won’t find it because it was stored in the NTFS Alternate Data Streams container.

Deleting/Removing the startup key in registry is useless unless you delete the exe file first. This will avoid it from rewriting back the value that I’ve deleted in the registry.