I don't know about malware, but you can remove the ADS without special
software.
If the file is small enogh, copy it to a floppy, delete the original file
and copy the file back to the machine from the floppy.
If the file is too large for a floppy copy to CD and repeat the rest.
Confirm Stream Loss warning
[[FAT volumes support only the main, unnamed stream, so if you try to copy
or move a file to a FAT volume or floppy disk, you receive an
error message as shown below. If you copy the file, all named data
streams and other attributes not supported by FAT are lost.]]
from...
Multiple Data Streams
http://www.microsoft.com/technet/prodtechnol/winxppro/reskit/c13621675.mspx
Confirm Stream Loss warning
http://www.microsoft.com/library/me...dtechnol/winxppro/reskit/ch13/f13zs15_big.jpg
HijackThis has an ADS scanning function.
---------------------------
HijackThis
---------------------------
Using ADS Spy is very easy: just click 'Scan', wait until the scan
completes, then select the ADS streams you want to remove and click 'Remove
selected'. If you are unsure which streams to remove, ask someone for help.
Don't delete streams if you don't know what they are!
The three checkboxes are:
Quick Scan: only scans the Windows folder. So far all known malware that
uses ADS to hide itself, hides in the Windows folder. Unchecking this will
make ADS Spy scan the entire system (i.e. all drives).
Ignore safe system info streams: Windows, Internet Explorer and a few
antivirus programs use ADS to store metadata for certain folders and files.
These streams can safely be ignored, they are harmless.
Calculate MD5 checksums of streams: For antispyware program development or
antivirus analysis only.
Note: the default settings of above three checkboxes should be fine for most
people. There's no need to change any of them unless you are a developer or
anti-malware expert.
---------------------------
OK
---------------------------
--
Hope this helps. Let us know.
Wes
MS-MVP Windows Shell/User
In