Free space disappearing slowly


MJO
19 Jan 2004, 9:40pm
I have a problem here.

When I am booted into windows the free space on my C drive disappears slowly.
It starts at 900 MB and slowly works its way down to 0.
When it reaches 0 MB the computer freezes.
What could cause this?

I defragged the MFT yesterday, could that be causing this?

primesuspect
19 Jan 2004, 9:42pm
No.

You very likely have some spyware or virus that is doing that. Run HiJackThis and post the output here.

MJO
19 Jan 2004, 9:49pm
I hope this is what you are asking for?

Here is the result:

Logfile of HijackThis v1.97.7
Scan saved at 10:44:28 PM, on 19/01/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\Programmer\Norton AntiVirus\navapsvc.exe
C:\Programmer\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Programmer\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Fælles filer\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\System32\sstray.exe
C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmer\Messenger\msmsgs.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\Programmer\Rainlendar\Rainlendar.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\Spybot - Search & Destroy\SpybotSD.exe
C:\Programmer\Norton AntiVirus\OPScan.exe
D:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.short-media.com/index.php?
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [DU Meter] C:\Programmer\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmer\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RegTweak] C:\Program Files\Rage3DTweak\RegTwk.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
O4 - Startup: Folding@home 4.00.lnk = C:\Programmer\Folding@Home\winFAH.exe
O4 - Startup: Rainlendar.lnk = C:\Programmer\Rainlendar\Rainlendar.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Pop-Up Blocker (HKLM)
O9 - Extra 'Tools' menuitem: Pop-Up Blocker (HKLM)
O9 - Extra button: TvGuide (HKLM)
O9 - Extra 'Tools' menuitem: TvGuide.dk (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O15 - Trusted Zone: http://www.al-netbank.dk
O15 - Trusted Zone: http://valus.ekstrabladet.dk
O15 - Trusted Zone: http://www.heroes.dk
O15 - Trusted Zone: http://heroes.jubii.dk
O16 - DPF: {0A7F4407-A1C8-496A-9670-F13370CAAACC} (SysReg_DK Control) - http://81.19.245.211/system/SysREG_DK.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {18D9C485-7EEC-4395-95DA-DC3875B10E81} (TEInstallPlugIn) - http://www.skylinesoft.com/interactive/TerraExplorer/Install/TEInstallPlugIn.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - ftp://adeskftp.autodesk.com/webpub/mapguide/ver5/mgaxctrl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37758.4857175926
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/patch/MaxisSimCity4PatcherX.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futuremark.com/global/msc34.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab

Enverex
19 Jan 2004, 10:13pm
It could be the page-file. Try changing the page file to another drive (right click "My computer" >> Properties >> Performance >>"

I would also run Adaware and Spybot just in case.

Geeky1
19 Jan 2004, 10:13pm
Have you tried spybot?

MJO
19 Jan 2004, 10:16pm
Spybot reported the usual amount of spyware, no oddities there.
NAV has caught onto something, it has detected and fixed 16 files, dunno what virus it is, yet.
My page file is on another drive already.

EDIT: It found and cleaned 16 instances of Trojan.Byteverify.
I do not think that is causing the problem.

MediaMan
19 Jan 2004, 11:06pm
Disk space for deleted files is not truly freed until after the last open handle to the file is closed. So, it's possible that some task is continually writing to a file that another has deleted.

Start>run>msconfig

You can disable many programs that are TSR (Terminate and stay resident) right there and reactivate them later. The well known programs such as Norton don't cause problems.

My suggestion is to go this route and leave only the really credible programs up and running. If the problem goes away then reactivate one program at a time until you find the culprit.

MJO
19 Jan 2004, 11:36pm
Problem solved.
It appears that my free space isn't disappearing anymore.
Don't know what caused it.
I deleted a couple of old programs while I was in fail safe mode.
Maybe it was Bootvis, I had a couple of problems with it yesterday.
It froze during the boot analysis and it behaved odd after that.
Now I have deleted all of Bootvis as well.
Thanks for the help guys.

I will return if it keeps disappearing.

primesuspect
19 Jan 2004, 11:44pm
O16 - DPF: {0A7F4407-A1C8-496A-9670-F13370CAAACC} (SysReg_DK Control) - http://81.19.245.211/system/SysREG_DK.cab

Get rid of that.. That's a trojan that is connecting to someone else's home computer.
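
Added example, not part of the original thread: a Python triage of the O16 (downloaded ActiveX control) lines in a HijackThis log, flagging any control whose installer came from a bare IP address rather than a named host, which is the trait of the SysReg_DK entry singled out above. The sample lines are copied from the first log in this thread; the function names are illustrative.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# HijackThis O16 line layout: "O16 - DPF: {CLSID} (Name) - URL"
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]{36}\}) \((.*)\) - (\S+)$")

def parse_o16(line):
    """Return (clsid, name, url) for an O16 line, else None."""
    m = O16_RE.match(line.strip())
    return m.groups() if m else None

def host_is_ip(url):
    """True when the URL's host is an IP literal instead of a DNS name."""
    host = urlsplit(url).hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def flag_ip_hosted_controls(log_text):
    """List O16 entries whose installer was downloaded from a bare IP."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_o16(line)
        if entry and host_is_ip(entry[2]):
            hits.append(entry)
    return hits

# Three O16 lines copied from the first log in this thread.
SAMPLE = """\
O16 - DPF: {0A7F4407-A1C8-496A-9670-F13370CAAACC} (SysReg_DK Control) - http://81.19.245.211/system/SysREG_DK.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - ftp://adeskftp.autodesk.com/webpub/mapguide/ver5/mgaxctrl.cab
"""

if __name__ == "__main__":
    for clsid, name, url in flag_ip_hosted_controls(SAMPLE):
        print(f"review: {name} {clsid} <- {url}")
```

A hit is a reason to look at the entry, not a verdict on it.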

primesuspect
19 Jan 2004, 11:44pm
Make no mistake: It was the trojan that was causing the problem.

MJO
19 Jan 2004, 11:48pm
Ehh then it is still causing the problem.
I haven't removed that.
I will do it right now, thanks Prime.

MJO
20 Jan 2004, 12:13am
I need a reinstall.
It is really acting up.
It freezes in windows for no apparent reason.
And then it refuses to boot.
I have to try three times before I get into windows.

I am going to reinstall tomorrow.
I just love installing windows. ;)

Meatrag
24 Jan 2004, 10:21pm
Alright, I am working on a friend's computer. The pagefile is on a different drive, we ran Norton and got the same trojan, msconfig isn't running anything out of the ordinary, and the log for hijackthis is below.

Logfile of HijackThis v1.97.7
Scan saved at 5:17:02 PM, on 1/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\Keyspan\Digital Media Remote 2.0\KDMRdmn.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\AIM\aim.exe
C:\unzipped\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\vptray.exe
O4 - Global Startup: Keyspan Digital Media Remote.lnk = C:\Program Files\Keyspan\Digital Media Remote 2.0\KDMRdmn.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38004.5724074074


The same exact problem is happening here, and the space disappears what seems to be every 30 seconds, or so. It's random, I watched 1 MB disappear, and sometimes, 6 and I got angry and stopped watching.

Any help, greatly appreciated (obviously avoiding reinstall would be nice, but if so, would it have to be a format and reinstall....MJO?)

profdlp
24 Jan 2004, 10:34pm
If it's only 1-6 MB it may just be normal temp files created by Windows during the course of normal usage. I can't spot anything sinister in the HijackThis! log.

Try clearing what you can from C:\Documents and Settings\username(s)\Local Settings\Temp (you won't be able to delete them all) and see what happens.

Also, do you have System Restore enabled?

Meatrag
24 Jan 2004, 11:34pm
The rate at which it decreases is steady. The computer hasn't been used at all and so far about 200 MB has disappeared over the past hour or so, which seems pretty strange for some tmp files and whatnot. Nonetheless, it is still decreasing...

System Restore was turned off and I assumed the restore points were all deleted. It hasn't been turned back on since.

Anyone with anything else, still appreciated...

And thanks for lookin at the hijackthis log

profdlp
24 Jan 2004, 11:41pm
Monitor the rate of loss. Then when you go to bed (or anytime you won't be using the computer for a while) disconnect the computer from the Internet. (Unplug your modem or Network cable). See if the space-loss stops.

Have you tried clearing your browser cache?

MJO
25 Jan 2004, 1:43am
Mine crashed when it reached 0 MB free space.
You have a problem if your comp. does the same thing.

I reinstalled Windows and haven't seen the problem since.
I formatted the partition containing windows as well.
Several MB disappeared every 10 seconds, it was really annoying.
I haven't figured out why they disappeared yet.

The odd thing is, I never found out what took up the space.
I didn't find any suspicious files.
Secondly it started from scratch when I reset the system.
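
Added example, not part of the original thread: one way to find out what is taking the space is to snapshot file sizes twice and compare the growth with the drop in free space. The code below (Python, illustrative function names, `C:\` and a 60-second interval as assumed defaults) ranks files by growth and reports the loss that visible files do not explain, which points at folders the scan could not read or at deleted files still held open, as mentioned earlier in the thread.

```python
import os
import shutil
import sys
import time

def snapshot(root):
    """Return ({path: size_in_bytes}, [paths that could not be read])."""
    sizes, unreadable = {}, []
    walker = os.walk(root, onerror=lambda err: unreadable.append(err.filename))
    for dirpath, _dirs, files in walker:
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                sizes[path] = os.lstat(path).st_size
            except OSError:
                unreadable.append(path)
    return sizes, unreadable

def growth(before, after):
    """Files that gained bytes between two snapshots, largest gain first.
    A file absent from the first snapshot counts with its full size."""
    deltas = ((size - before.get(path, 0), path) for path, size in after.items())
    return sorted((d for d in deltas if d[0] > 0), reverse=True)

def unexplained(free_before, free_after, grown):
    """Free-space loss not covered by visible file growth (approximate:
    logical sizes are compared, not allocated clusters)."""
    return (free_before - free_after) - sum(delta for delta, _ in grown)

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "C:\\"   # assumed default
    interval = 60                                          # seconds, assumed
    free0 = shutil.disk_usage(root).free
    snap0, _ = snapshot(root)
    time.sleep(interval)
    free1 = shutil.disk_usage(root).free
    snap1, skipped = snapshot(root)
    grown = growth(snap0, snap1)
    for delta, path in grown[:10]:
        print(f"+{delta:>12,} bytes  {path}")
    print(f"free space lost : {free0 - free1:,} bytes")
    print(f"not explained   : {unexplained(free0, free1, grown):,} bytes")
    print(f"unreadable paths: {len(skipped)}")
```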

MJO
26 Jan 2004, 2:08am
I found this while surfing for an answer.

HD Fill
Hdfill.zip - 8,830 bytes Hdkill.exe - 14,848 bytes Hdkill2.exe - 14,848 bytes
Prank trojan
Tries to fill free harddrive space with up to 999999999 files in the main directory and then tries to create 999999999 files in the same directory the HD Fill is kept.


Could that have been the cause of the problem?

EDIT: Forgot the link.
http://www.glocksoft.com/trojan_list/HD_Fill.htm

Thrax
26 Jan 2004, 2:15am
gee.. Ya think? heh.

profdlp
26 Jan 2004, 2:16am
That would do it. It looks like there is an "HDkill" program. Did you run it? It might tell you if it found it.

MJO
26 Jan 2004, 2:23am
You cannot download the trojans from that page, if that's what you're asking prof ;)

And I have formatted my C drive and I haven't had the problem since.
But I haven't found other trojans capable of such things.

profdlp
26 Jan 2004, 2:29am
HD Fill
Hdfill.zip - 8,830 bytes Hdkill.exe - 14,848 bytes Hdkill2.exe - 14,848 bytes
Prank trojan
Sorry, I saw "Hdfill" and "Hdkill" and assumed the "kill" program was a removal tool, ala "KILL_CIH" which is used to remove the CIH virus. I guess Hdkill is just a variant of Hdfill.

MJO
26 Jan 2004, 4:48am
np prof,
My post wasn't very clear without the link.
It was my mistake.

Norton 2004 didn't pick it up BTW, it didn't mention it for me anyway.

ginipig
26 Jan 2004, 5:00am
Make sure you don't get it in the future. Protect that baby.

Meatrag
26 Jan 2004, 6:03am
well folks, bad news.

I checked the website, used the software, found no problems.

We disconnected the internet from the "infected" computer... problem continues...

If anyone is still interested in finding out why, please by all means, but I cannot think of anything, and I mean ANYTHING.

ndt
4 Oct 2004, 4:06pm
Are you running Mapguide Server?

Neil

Stan M
4 Oct 2004, 6:45pm
have you checked for this

if not give it a go and read about it.

HardFull-A Trojan Fills Hard Drive
HardFull.A is a Trojan that creates a file that fills itself with the text Win32.Delf.du_Ful, thus increasing its size until it uses up all the hard drive space available.
http://nl.internet.com/ct.html?rtr=on&s=1,154h,1,f77l,hbtd,9s3s,a9gz

RWB
4 Oct 2004, 7:11pm
Well this same exact problem was happening with a friend's computer and freespace as well... it would slowly degrade until it is no longer playable. Never figured it out.

He had an HP Laptop of some sort.

Meatrag
5 Oct 2004, 12:40am
No, no mapguide server, don't even know what it is specifically.

The installation was fresh, so unless a trojan timed itself ridiculously well (which I doubt following many a scan of many varieties) it just seemed to be disappearing.

Since it was quite long ago, he has since reformatted with a new installation (new disk and key and all) of Windows XP. I guess it stopped.

Still, very strange.