Help Malware Rapidly Consuming Free Space [Solved]

Java:Agent-ELL [Trj] Java:Malware-gen [Trj] Jave:Agent-GTN [Trj]

This topic is locked

#16 dbreeze (Trusted Helper, Malware Removal, 2,213 posts)

Junius, sorry for the delay in returning to you. My instructor wishes to apologize also as the weekend is sometimes not the best time for both of us. I do appreciate your posts and am glad the system has its 'normal' disk space back for now. I have been working on steps for cleaning and correcting the problems so when you get sometime please do the following:

Step 1

Download aswMBR.exe to your desktop. If you already have this application, this is a new version I need you to download.

Double click the aswMBR.exe to run it

[image: aswMBR1.png]

Click the "Scan" button to start scan

If your computer supports Virtualization Technology, select Yes to use it for rootkit detection.

[image: msgbox.png]

On completion of the scan click Save Log, save it to your desktop and post in your next reply

[image: aswMBR2.png]

The tool will also produce a copy of the mbrdump labeled MBR.dat. Please zip that file and attach it to a reply.


Step 2

Junkware Removal Tool
Please download JRT from here to your desktop.

Note: Temporarily disable/shut down your protection software now to avoid potential conflicts, how to do so can be read here.

Double click the JRT.exe file to run the application.

The application will open a Command Prompt window and run from there (this is normal for this program, so don't be alarmed).

When asked, press any key to allow the program to continue / run.

This will create a log on the desktop; please copy and paste the JRT.txt log text in your next post.

Note: After the log file is created, please enable your protection software / reboot your system and verify your protection software is enabled.

Things to reply back with:
  • Any questions you have.
  • aswMBR log text and mbr.dat file attached.
  • JRT.txt log text.
  • Is the system still having a steady leak of usable disk space?

#17 Junius (Topic Starter, Member, 34 posts)

Hi dbreeze,

No problem on the delays. I'm sure you and your instructor have a life away from this site. I would hope so anyway - :D

I'll complete the steps you requested this evening and send the results back to you.

So far, C:\ drive is still holding at 412 GB of free space. There has been no drop in free space at all.



#18 Junius (Topic Starter, Member, 34 posts)

Hi dbreeze,

Ran into a problem:

Downloaded aswMBR and began the scan. Part way through the scan this happened:

The scan stopped and this appeared:

==================================

Dialogue Box

Avast! Antirootkit has stopped working.

A problem caused the program to stop working correctly.

Windows will close the program and notify you if a solution is available.

Button (Close Program)

=================

When the scan stopped it was at this point:

"01:11:57:863  AVAST engine scan C:\Users\Bob"

When it stopped the following appeared in yellow type in the scanner:

"nning: C:\Users\Bob\Documents\My eBooks\Eric and Daniel Firesale\Fast Content Producer"

===========================================

Action I took:

I clicked the *Close Program* button.

Program closed.

I made this Post to you.

Note: No logs were produced after the program was closed. Hence, none posted here.

===========================

I'll wait for your reply and instructions before proceeding.

PS: C:\ drive is still holding at 412 GB available free space with *no* steady leakage of available disk space.


Edited by Junius, 29 July 2014 - 01:02 AM.


#19 dbreeze (Trusted Helper, Malware Removal, 2,213 posts)

Junius,

Thank you for the prompt update. Try and run the scan one more time, please.

#20 Junius (Topic Starter, Member, 34 posts)

dbreeze,

 

1. Re-running scan now. Will let you know the outcome.


Edited by Junius, 29 July 2014 - 02:04 AM.


#21 dbreeze (Trusted Helper, Malware Removal, 2,213 posts)

:thumbsup:



#22 Junius (Topic Starter, Member, 34 posts)

Update:

Re-run of scan completed.

Same result.

Note: If it will help, I can delete the entire folder *Eric and Daniels Firesale*. Some of the files in it got infected with Malware/Viruses in the past and were moved to the Avast! Virus Chest. There is nothing in the folder I can't live without. It is just a huge bundle of PLR (Private Label Rights) content I got in 2010 to re-brand and sell. I've already re-branded everything in the PLR bundle that was usable, etc.

I'll wait for your reply and instructions before proceeding.



#23 dbreeze (Trusted Helper, Malware Removal, 2,213 posts)

Junius,

If you are sure you don't need the files, then delete it and try once more (last time). If it doesn't work this time, we will move on to a different scanner. I appreciate your time and assistance in this matter.



#24 Junius (Topic Starter, Member, 34 posts)

Success!

Here's the Log

==========================

aswMBR version 1.0.1.2041 Copyright© 2014 AVAST Software
Run date: 2014-07-29 03:20:55
-----------------------------
03:20:55.821    OS Version: Windows x64 6.1.7601 Service Pack 1
03:20:55.821    Number of processors: 4 586 0x2502
03:20:55.821    ComputerName: BOB-PC  UserName: Bob
03:20:57.443    Initialize success
03:20:57.443    VM: initialized successfully
03:20:57.786    VM: Intel CPU supported
03:20:59.396    VM: supported disk I/O iaStor.sys
03:21:02.859    AVAST engine defs: 14072802
03:21:06.353    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-2
03:21:06.353    Disk 0 Vendor: WDC_WD64 01.0 Size: 610480MB BusType: 8
03:21:07.024    Disk 0 MBR read successfully
03:21:07.024    Disk 0 MBR scan
03:21:07.024    Disk 0 unknown MBR code
03:21:07.087    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 2048
03:21:07.118    Disk 0 default boot code
03:21:07.180    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       598590 MB offset 206911
03:21:07.274    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS        11787 MB offset 1226121216
03:21:07.960    Disk 0 scanning C:\Windows\system32\drivers
03:22:07.958    Service scanning
03:22:26.694    Modules scanning
03:22:26.709    Disk 0 trace - called modules:
03:22:26.725    ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
03:22:26.725    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80063e0060]
03:22:26.740    3 CLASSPNP.SYS[fffff8800115243f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-2[0xfffffa800608d050]
03:22:28.347    AVAST engine scan C:\Windows
03:23:14.367    AVAST engine scan C:\Windows\system32
03:25:28.371    AVAST engine scan C:\Windows\system32\drivers
03:25:46.109    AVAST engine scan C:\Users\Bob
03:42:44.276    AVAST engine scan C:\ProgramData
03:46:32.816    Scan finished successfully
03:47:09.741    Disk 0 MBR has been saved successfully to "C:\Users\Bob\Desktop\MBR.dat"
03:47:09.741    The log file has been saved successfully to "C:\Users\Bob\Desktop\aswMBR.txt"


===========================

MBR.dat log is attached.

=============================

Here's the JRT log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 7 Professional x64
Ran by Bob on Tue 07/29/2014 at  4:15:22.62
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ FireFox

Successfully deleted the following from C:\Users\Bob\AppData\Roaming\mozilla\firefox\profiles\rk8kmde7.default\prefs.js

user_pref("browser.uiCustomization.state", "{\"placements\":{\"PanelUI-contents\":[\"edit-controls\",\"zoom-controls\",\"new-window-button\",\"privatebrowsing-button\",\"save-



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 07/29/2014 at  4:21:25.84
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

=========================

C:\ drive status:

414 GB available free space. No steady leakage of available drive space.

I'll wait for your reply and instructions.


Edited by Junius, 29 July 2014 - 03:38 AM.

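The aswMBR log posted above has a fixed layout, so the checks a helper does by eye can be scripted. This is an added example, not part of the thread or of aswMBR: it parses a constructed excerpt of the log from post #24, extracts the partition table, checks for a single active partition and non-overlapping extents (that offsets are in 512-byte sectors is an assumption), times each "AVAST engine scan" phase, and surfaces the "unknown MBR code" line for a human to review. The longest phase turns out to be C:\Users\Bob, the same directory the crashed run stopped in.

```python
import re
from datetime import datetime

# Constructed excerpt of an aswMBR log, copied from the layout in post #24 above (rest trimmed).
SAMPLE_LOG = """\
03:21:07.024    Disk 0 unknown MBR code
03:21:07.087    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 2048
03:21:07.180    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       598590 MB offset 206911
03:21:07.274    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS        11787 MB offset 1226121216
03:22:28.347    AVAST engine scan C:\\Windows
03:25:46.109    AVAST engine scan C:\\Users\\Bob
03:42:44.276    AVAST engine scan C:\\ProgramData
03:46:32.816    Scan finished successfully
"""

TS = r"(\d\d:\d\d:\d\d\.\d{3})"
PART_RE = re.compile(
    TS + r"\s+Disk (\d+) Partition (\d+) ([0-9A-Fa-f]{2})(?:\s+\(A\))?"
    r"\s+([0-9A-Fa-f]{2})\s+\S+\s+\S+\s+(\d+) MB offset (\d+)$")
SCAN_RE = re.compile(TS + r"\s+AVAST engine scan (.+)$")
DONE_RE = re.compile(TS + r"\s+Scan finished successfully$")
NOTE_RE = re.compile(TS + r"\s+(Disk \d+ .*unknown.*)$", re.IGNORECASE)

def parse_ts(text):
    return datetime.strptime(text, "%H:%M:%S.%f")

def parse_partitions(log):
    """Return the MBR partition entries aswMBR printed, one dict per partition."""
    parts = []
    for line in log.splitlines():
        m = PART_RE.match(line)
        if m:
            _, disk, idx, flag, ptype, size_mb, offset = m.groups()
            start = int(offset)  # assumption: offset is the first 512-byte sector
            parts.append({
                "disk": int(disk), "index": int(idx),
                "active": flag.upper() == "80",  # 0x80 = bootable flag in the MBR entry
                "type": int(ptype, 16),          # 0x07 = NTFS partition type
                "size_mb": int(size_mb),
                "start": start, "end": start + int(size_mb) * 2048,  # end = one past last sector
            })
    return parts

def check_layout(parts):
    """Sanity checks: exactly one active partition, and no two partitions sharing sectors."""
    problems = []
    active = [p for p in parts if p["active"]]
    if len(active) != 1:
        problems.append(f"{len(active)} active partitions (expected 1)")
    ordered = sorted(parts, key=lambda p: p["start"])
    for a, b in zip(ordered, ordered[1:]):
        if b["start"] < a["end"]:
            problems.append(f"partition {a['index']} overlaps partition {b['index']}")
    return problems

def scan_phases(log):
    """Seconds spent in each 'AVAST engine scan <path>' phase, in log order."""
    events = []
    for line in log.splitlines():
        m = SCAN_RE.match(line) or DONE_RE.match(line)
        if m:
            path = m.group(2) if m.re is SCAN_RE else None  # None marks the end of the scan
            events.append((parse_ts(m.group(1)), path))
    return [(path, round((t1 - t0).total_seconds(), 3))
            for (t0, path), (t1, _) in zip(events, events[1:]) if path is not None]

def notable_lines(log):
    """MBR-related lines that deserve a human look; they are reported, not judged."""
    return [m.group(2) for m in map(NOTE_RE.match, log.splitlines()) if m]

if __name__ == "__main__":
    print("layout problems:", check_layout(parse_partitions(SAMPLE_LOG)) or "none")
    print("phases:", scan_phases(SAMPLE_LOG), "worth a look:", notable_lines(SAMPLE_LOG))
```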

#25 Junius (Topic Starter, Member, 34 posts)

dbreeze,

Update: C:\ drive leakage

7/29th at 2:30 a.m. after delete of folder *Eric and Daniels Firesale*, available free space on C:\ drive increased from 412 GB to 414 GB.

7/29th at 5:30 a.m. free space was at 414 GB.

(5:30 to 10:00 a.m. was away from computer)

7/29th at 10:00 a.m. available free space *decreased* to 412 GB.

7/29th at 11 p.m. free space was at 412 GB.

(11 p.m. to 4:30 a.m. was away from computer)

7/30th at 4:30 a.m. free space has *decreased* to 393 GB (19 GB drop).

7/30th at 2:30 p.m. free space decreased to 392 GB.

(3:00 p.m. to 6:30 p.m. was away from computer)

7/30th at 7:00 p.m. free space increased to 393 GB

11:30 p.m. free space holding at 393 GB

Note: I have not added or deleted any files/data during the above time frames.

I'll continue to monitor and update you of any changes.


Edited by Junius, 30 July 2014 - 10:42 PM.

#26 dbreeze (Trusted Helper, Malware Removal, 2,213 posts)

Junius,

Thank you for hanging in there and getting the latest logs. The good news is we're not seeing any malware in the logs. The not-so-good news is that with the creep of losing disk space happening, it looks like it is a corrupt file / disk sector interfering with the Indexing function.

With that being said, I will clean our tools off your system and would like you to open a thread at our Win7 OS board here. You can post a link to this thread for their reference and I will be happy to supply any details or help they need.


Clean up of Malware Removal Tools
Now that we are through using these tools, let's clean them off your system so that should you ever need to have malware removed again (we hope not) fresh, updated copies will be downloaded.
  • Download Delfix from here
  • Ensure Remove disinfection tools is ticked
    Also tick:
    • Activate UAC
    • Create registry backup
    • Purge system restore
    [image: delfix.jpg]
  • Click Run
  • The program will run for a few moments and then notepad will open with a log. Please paste the log in your next reply
    Once you have the log file saved, please reboot your system to complete the clean up process.

    You can delete any log files left on your desktop as these are no longer needed.
Keep Windows Updated
Microsoft issues updates to Windows to close vulnerabilities as they are discovered. Staying updated helps protect your system from current exploits.
  • Click Start and then click Control Panel.
  • Click on the View by: in the upper right corner and select Large Icons (you can change this back later if you like).
  • Scroll down and click on Windows Update.
  • Click on Change settings.
  • Under Important Updates, click on Install updates automatically (recommended).
  • Select (click on) the other options on this page.
  • Select a day and time to have windows install the updates.
  • Click on Ok to change the settings.
  • If you want to change the view of the Control Panel display, click on the View by: in the upper right hand corner and select an option you prefer.
Keep other Important Programs Updated
Along with keeping Windows updated, it is a good idea to keep important programs updated. Java and Adobe Reader both need to be kept updated to the latest versions; malware writers utilize exploits in the unpatched versions to their advantages.

Java
Most security experts and the US CERT (part of the US Homeland Security) now recommend that users uninstall Java from their systems; if you don't have any programs that need Java on your system, you are safe to do this. You can read some of the articles on this here and here. I strongly suggest you uninstall Java unless you need it run certain software; in that case I would recommend that you disable or unplug Java from your web browsers and only enable it when you need it.

To disable / unplug Java in your browsers:

To uninstall Java (on Win7):
  • Click Start and then click Control Panel.
  • If you need to, click View by: and select either Large Icons or Small Icons.
  • Click on Programs and Features.
  • Scroll down until you find Java and click on it to select that program.
  • (Older versions of Java may appear in the program list as J2SE, Java 2, Java SE or Java Runtime Environment.)
  • Click Uninstall.
  • If more than one version of Java shows in your program list, you should repeat the selection and uninstall until all of them are removed.
To check for the latest version of Java and installation steps:
  • Go to java.com and click on Do I have Java?.
  • On the next page, click on Verify Java Version.
  • If you get a security pop up entitled "Do you want to run this application?" with the Name: Java Detection and Publisher: Oracle America, Inc., click Run.
  • Follow the recommendations (if any) on the results screen.
  • If there is a new version (or none at all on your system), there will be a button on the page showing Agree and Start Free Download. Click on it to update or install Java.
  • The site will start a download of jxpiinstall.exe. Save the file to your desktop.
  • When the download is finished, close your browser.
  • Right click on the jxpiinstall.exe and select Run as Administrator.
  • On the opening window, check Change destination folder and then click Install>.
  • The program will now download the rest of the files needed to install Java.
  • On the Destination Folder window, click Next>.
  • On the next window, the install will present you the option of adding additional software (this is known as Foistware).
  • Uncheck the Set and keep Ask as my default search provider.
  • Uncheck the Install the Ask Toolbar.
  • Click Next> to finish the install.
  • When the installation is finished, you will be taken to a web page that will check to see if Java is working properly.
Adobe Reader
Adobe Reader is the second most targeted (by malware) common software. If all you ever do with Adobe Reader is view PDF files, then please consider replacing it with a lighter, free PDF reader that is not exploitable. One that we recommend is Sumatra PDF.

To update Adobe Reader:
  • Launch your Adobe Reader.
  • Click Help and then click on About Adobe Reader from the menu list.
  • If the version is 11.0.04 then you are up to date. If it is less than this and you are keeping Adobe Reader, you should update to the latest version.
  • The best place to get Adobe Reader is from Adobe (click on Adobe to go there now).
  • Click on Download in the menu bar on top of the Adobe web page.
  • Click on Adobe Reader in the list on the right hand side of the page.
  • On the next page, click on the check mark (to turn it off) beside the option to include the McAfee scanner in the download and install. Make sure the check is NOT marked (this is another example of Foistware).
  • Click the Install Now button and follow the directions on next page.
  • If you are prompted to Save the installer file, choose to save it to your desktop. Once it is saved, right click on the file and select Run as Administrator.
  • When the installation is finished, you can delete the installer file on your desktop.
Consider a program that will check for out-of-date programs on your system
Some programs don't have update checks built in or make you run the application to start the check for updates process. An easier way to stay on top of the current versions of your installed programs is to use a version checking program like Update Checker from FileHippo.com (you can get the software from here and read more about it on the same page).


You are now done! :yeah:

Now some information on programs to help keep you safe: You have a good handle on your security (for the most part) but I will include this section for your future reference.

First, an Antivirus program. You NEED one; free is just as good as paid-for as long as you keep them updated. ONLY use one at a time as having more than that will cause system problems. Here are some free ones to check out:
Microsoft Security Essentials
Avast! Free Antivirus

Next, a firewall is a must have now-a-days. The built in firewall in Windows 7 is fine (just make sure it is turned on (Start > Control Panel > Windows Firewall)). Or, if you like, you could choose one of the free ones listed here:
Emsisoft Online Armor - note that this installs as shareware but will convert to freeware in 30 days
Zone Alarm Free Firewall - note that this is bundled with foistware so be careful installing and read carefully the options

Also, consider adding MalwareBytes Antimalware to your arsenal of safe keeping programs. Use the free version (not the paid or trial version) and you won't have a problem with your antivirus scanner program. Keep it updated and run a scan with it once a week.

Lastly, if you use Firefox as your main web browser, consider adding the NoScript and AdBlockPlus add-ons to the browser to block scripting hijacks and remove unwanted ads from the pages you view.

You may also find some information and tips at this thread: How did I get infected in the first place?
and
COMPUTER SECURITY - a short guide to staying safer online

I'll leave this topic open for a few days so that if you have any questions you can come back here.

#27 Junius (Topic Starter, Member, 34 posts)

dbreeze,

Thank you for your reply. Yes, I do have several questions. So please keep this thread open until I'm able to get back to you. Probably later tonight.

I'll perform the procedures you outlined above then get back to you with my questions, etc.

More later.



#28 Junius (Topic Starter, Member, 34 posts)

dbreeze,

DelFix ran. Here's the Log:

# DelFix v10.8 - Logfile created 01/08/2014 at 10:51:00
# Updated 29/07/2014 by Xplode
# Username : Bob - BOB-PC
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)

~ Activating UAC ... OK

~ Removing disinfection tools ...

Deleted : C:\FRST
Deleted : C:\Users\Bob\Downloads\Extras.Txt
Deleted : C:\Users\Bob\Downloads\OTL.Txt
Deleted : HKLM\SOFTWARE\OldTimer Tools
Deleted : HKLM\SOFTWARE\Swearware
Deleted : HKLM\SOFTWARE\Classes\.cfxxe
Deleted : HKLM\SOFTWARE\Classes\cfxxefile
Deleted : HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASWMBR

~ Creating registry backup ... OK

~ Cleaning system restore ...

Deleted : RP #2052 [Scheduled Checkpoint | 07/26/2014 10:14:00]
Deleted : RP #2053 [Windows Update | 07/29/2014 13:29:17]

New restore point created !

########## - EOF - ##########

 

===============================================================

After posting the above DelFix log here I closed the NotePad file, instead of saving it.

I then rebooted my computer (by *restart* boot). Once the reboot completed and the DeskTop loaded, the DelFix program was no longer showing on my DeskTop.

C:\ drive free space increased from 392 GB (where it has been staying at) to 414 GB.

Disinfection tools (and logs created) you had me download and use to clean my computer are still on my DeskTop where I'd saved them. They are:

aswMBR
DeFogger
FRST64
JRT
OTL

Evidently the DelFix program did not remove them from my computer.

Question: Should I go ahead and *uninstall* them via Control Panel>>Uninstall? And, delete the logs each program created?

NOTE: I downloaded and ran DelFix again, saving the log created to my DeskTop this time. Then rebooted the computer. Here is the log it created this time. Tools/logs/programs referenced above are still on my DeskTop.

# DelFix v10.8 - Logfile created 01/08/2014 at 11:09:24
# Updated 29/07/2014 by Xplode
# Username : Bob - BOB-PC
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)

~ Activating UAC ... OK

~ Removing disinfection tools ...


~ Creating registry backup ... OK

~ Cleaning system restore ...

Deleted : RP #2054 [End of disinfection | 08/01/2014 15:51:10]

New restore point created !

########## - EOF - ##########
 

 

Please advise if it is okay to uninstall these and delete the logs created by them.

Note: I'll still have some questions/clarifications. Will post them here later.


Edited by Junius, 01 August 2014 - 10:46 AM.


#29 dbreeze (Trusted Helper, Malware Removal, 2,213 posts)

Junius,

I am looking into the DelFix 'error' as that should have removed all the tools (and their logs) from your desktop. After you run Defogger to re-enable your virtual drives once more, you can manually remove these tools from your system:
aswMBR
DeFogger
FRST64
JRT
OTL

If they show in your Programs and Features lists, please remove them from there by clicking on the Uninstall. Otherwise you can just delete the files from your desktop.

To re-enable your Emulation drivers, double click DeFogger to run the tool.

  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.



#30 Junius (Topic Starter, Member, 34 posts)

dbreeze,

Thank you for your reply.

I ran DeFogger (re-enable). No problems encountered.

I figured out the problem with DelFix not removing the files from my DeskTop. So they would not be scattered all over my DeskTop I'd created a folder on my DeskTop for them and stored them in the folder. I moved them from the folder I had them stored in on my DeskTop to actually showing on my DeskTop (out of the folder). Then ran DelFix again. This time all programs/files/logs were removed when DelFix ran.

Here's the Log Delfix created:

 

# DelFix v10.8 - Logfile created 02/08/2014 at 07:57:42
# Updated 29/07/2014 by Xplode
# Username : Bob - BOB-PC
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)

~ Activating UAC ... OK

~ Removing disinfection tools ...

Deleted : C:\Users\Bob\Desktop\Addition.txt
Deleted : C:\Users\Bob\Desktop\aswmbr.exe
Deleted : C:\Users\Bob\Desktop\aswMBR.txt
Deleted : C:\Users\Bob\Desktop\Defogger.exe
Deleted : C:\Users\Bob\Desktop\defogger_disable.log
Deleted : C:\Users\Bob\Desktop\defogger_enable.log
Deleted : C:\Users\Bob\Desktop\Fixlog.txt
Deleted : C:\Users\Bob\Desktop\FRST (2).txt
Deleted : C:\Users\Bob\Desktop\FRST.txt
Deleted : C:\Users\Bob\Desktop\FRST64.exe
Deleted : C:\Users\Bob\Desktop\JRT.exe
Deleted : C:\Users\Bob\Desktop\JRT.txt
Deleted : C:\Users\Bob\Desktop\MBR.dat
Deleted : C:\Users\Bob\Desktop\MBR.zip
Deleted : C:\Users\Bob\Desktop\OTL.Txt
Deleted : C:\Users\Bob\Desktop\OTL.exe

~ Creating registry backup ... OK

~ Cleaning system restore ...

Deleted : RP #2055 [End of disinfection | 08/01/2014 16:09:29]
Deleted : RP #2056 [Windows Update | 08/01/2014 16:25:48]

New restore point created !

########## - EOF - ##########
 

 

I need to check some things on my computer then I have some additional questions/clarifications to ask you. I'll post them later tonight.


Edited by Junius, 02 August 2014 - 07:18 AM.






