View Full Version : UPDATE: Keylogger and Alternate Data Streams

Aldolphus Mueller
03-24-2014, 02:54 PM
Well even though I have nothing but paid for registered software or known good freeware with a good reputation that was scanned with MalwareBytes before installation, it appears that there is a key logger embedded in my Windows machine. In addition to this, I've found hundreds, maybe thousands of files with alternate data streams (ADS).

The ADS means that there is a virtual second operating system on my Windows computer that can be activated by someone remotely wherein they can hide files inside my own files and within system files. It's very likely that you have both of these issues taking place on your Windows machine(s) and don't even know it.

Two programs you should download now and install are one; SpyShelter Premium (http://www.spyshelter.com/download-spyshelter) from Spy Shelter Stop-logger. They offer a 14 day free trial. This program has stopped many of my Windows system files and other software from activating or embedding what are called 'hooks' that then log everything I do on my computer through keyboard or mouse logging. Not only that but if you have Adobe Flash installed and are using it, that program or browser plugin will record your browser's activity and then report back to only God knows who.

I simply cannot secure my Windows system and doubt you can either. Just installed a version of Linux on another machine and will use it as much as possible for online activity.

The second issue is Alternate Data Streams. You might have a file that shows its size as being zero [0] bytes in size, but that file itself could be 2mbs and possess an ADS hidden to you with data that can be remotely activated or stored on your computer without your knowledge.

Some ADS are normal as they might contain the information for the file property when you right click the file and click on properties, but ADS are a nefarious thing and as far as I'm concerned a huge security risk.

My research leads me to believe that illegal materials could be put on your computer without your knowledge and then 'activated' or made visible later. Say when a computer is seized or examined for whatever reason.

For example, drivers that I have download for a printer I have was infected with alternate data streams among others. I can't say whether the basic drivers I've downloaded for my peripherals contained these ADS or whether the other files were infected by someone remotely, but there is no doubt that something or someone put them there and this on a brand new Windows installation on a brand new hard drive with a retail Windows 7 disk that I paid for myself some two and a half years ago now.

For all I know it could have been Microsoft since the NTFS file system allows for alternate data streams and was meant to allow Apple files to be compatible with Windows programs. That's the Reader's Digest version anyway.

Download AlternateStreamView (http://www.nirsoft.net/utils/alternate_data_streams.html) for your 32 (http://www.nirsoft.net/utils/alternatestreamview.zip) or 64 (http://www.nirsoft.net/utils/alternatestreamview-x64.zip) bit Windows operating system by clicking on the hyperlink embedded in the program name. Run AlternateStreamView on your primary system hard drive and look at the results. I had thousands of files with ADS and was able to remove them all with this program. I then scanned my external drives including USB thumb drives where the files on those devices were also infected with ADS.

AlternateStreamView will allow you to remove the alternatedatastream but once you do you need to make sure they aren't recreated which is where SpyShelter Premium (http://www.spyshelter.com/download-spyshelter) comes into the picture. The latter program will keep Windows (explorer, adobe flash, etc.) from creating alternate data streams within your files that you wouldn't otherwise know were there and logging your every move.

Here are a few log entries from SpyShelter Premium that will give you an idea as to what it prevents.

3/24/2014 8:54:40 AM,D:\Program Files\Security\alternatestreamview-x64\AlternateStreamView.exe,47,Allowed ;Creating alternate data stream (C:\ProgramData\TEMP:905844AA)
3/24/2014 9:09:05 AM,C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe,55,Blocked ;Recording keyboard input using DirectX
3/24/2014 9:09:06 AM,C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe,55,Blocked ;Recording keyboard input using DirectXThe first entry above was my allowing SpyShelter Premium to stop a temp file from creating an alternate data stream and then allowing me to remove the temp file itself. This was as I booted up my computer.

I don't know what program is creating that ADS, but I do know what the Flash Player Plugin is and it shouldn't be recording my keyboard input using DirectX or doing any other spying on my computer use.