AlternateStreamView is a small, simple and portable tool which will quickly scan any NTFS drives for files containing alternate data streams.
NTFS normally stores a file's data in just one data stream, but it can add more. Some programs do this legitimately: Internet Explorer tags all the files it downloads with a marker in an alternate data stream. This extra data isn't visible in Explorer, though, so some malware will also use the technology to hide itself.
To find out what might be lurking on your system, simply launch AlternateStreamView, choose the drive you'd like to check and click Scan. The program will immediately leap into action, examining every file on that drive and reporting anything that contains an extra stream.
When it's done you'll see a (probably) lengthy list of files, with the name of the stream they contain, the file path, and stream size. Most, if not all of these will be entirely legitimate: if you use IE, for instance, you'll see most of your favourites have a favicon stream which stores an icon for them. But if there is a malware issue, a large stream which you can't explain, then the program could provide a useful pointer for further research (just Googling for the relevant file name may help).
And if you really know what you're doing then AlternateStreamView offers plenty of additional tricks, including options to export a stream to a file, or delete streams entirely. (Beware of taking the latter approach, though. If a legitimate program is using streams to store configuration information, say, then problems may result if this disappears without warning.)
- Added 'Run As Administrator' option (Ctrl+F11), which allows you to easily run AlternateStreamView as administrator on Windows Vista/7/8/2008.