Free space disappearing slowly
I have a problem here.
When I am booted into windows the free space on my C drive disappears slowly.
It starts at 900 MB and slowly works its way down to 0.
When it reaches 0 MB the computer freezes.
What could cause this?
I defragged the MFT yesterday, could that be causing this?
You very likely have some spyware or virus that is doing that. Run HiJackThis and post the output here.
Here is the result:
Logfile of HijackThis v1.97.7
Scan saved at 10:44:28 PM, on 19/01/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\Programmer\Norton AntiVirus\navapsvc.exe
C:\Programmer\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Programmer\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Fælles filer\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\System32\sstray.exe
C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmer\Messenger\msmsgs.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\Programmer\Rainlendar\Rainlendar.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\Spybot - Search & Destroy\SpybotSD.exe
C:\Programmer\Norton AntiVirus\OPScan.exe
D:\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.short-media.com/index.php?
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [DU Meter] C:\Programmer\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmer\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RegTweak] C:\Program Files\Rage3DTweak\RegTwk.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
O4 - Startup: Folding@home 4.00.lnk = C:\Programmer\Folding@Home\winFAH.exe
O4 - Startup: Rainlendar.lnk = C:\Programmer\Rainlendar\Rainlendar.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Pop-Up Blocker (HKLM)
O9 - Extra 'Tools' menuitem: Pop-Up Blocker (HKLM)
O9 - Extra button: TvGuide (HKLM)
O9 - Extra 'Tools' menuitem: TvGuide.dk (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O15 - Trusted Zone: http://www.al-netbank.dk
O15 - Trusted Zone: http://valus.ekstrabladet.dk
O15 - Trusted Zone: http://www.heroes.dk
O15 - Trusted Zone: http://heroes.jubii.dk
O16 - DPF: {0A7F4407-A1C8-496A-9670-F13370CAAACC} (SysReg_DK Control) - http://81.19.245.211/system/SysREG_DK.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {18D9C485-7EEC-4395-95DA-DC3875B10E81} (TEInstallPlugIn) - http://www.skylinesoft.com/interactive/TerraExplorer/Install/TEInstallPlugIn.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - ftp://adeskftp.autodesk.com/webpub/mapguide/ver5/mgaxctrl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37758.4857175926
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/patch/MaxisSimCity4PatcherX.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futuremark.com/global/msc34.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
I would also run Adaware and Spybot just in case.
NAV has caught onto something, it has detected and fixed 16 files, dunno what virus it is, yet.
My page file is on another drive already.
EDIT: It found and cleaned 16 instances of Trojan.Byteverify.
I do not think that is causing the problem.
Start>run>msconfig
You can disable many programs that are TSR (Terminate and stay resident) right there and reactivate them later. The well known programs such as Norton don't cause problems.
My suggestion is to go this route and leave only the really credible programs up and running. If the problem goes away then reactivate one program at a time until you find the culprit.
It appears that my free space isn't disappearing anymore.
Don't know what caused it.
I deleted a couple of old programs while I was in fail safe mode.
Maybe it was Bootvis, I had a couple of problems with it yesterday.
It froze during the boot analysis and it behaved odd after that.
Now I have deleted all of Bootvis as well.
Thanks for the help guys.
I will return if it keeps disappearing.
Get rid of that.. That's a trojan that is connecting to someone else's home computer.
I haven't removed that.
I will do it right now, thanks Prime.
It is really acting up.
It freezes in windows for no apparent reason.
And then it refuses to boot.
I have to try three times before I get into windows.
I am going to reinstall tomorrow.
I just love installing windows.
Logfile of HijackThis v1.97.7
Scan saved at 5:17:02 PM, on 1/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\Keyspan\Digital Media Remote 2.0\KDMRdmn.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\AIM\aim.exe
C:\unzipped\hijackthis\HijackThis.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\vptray.exe
O4 - Global Startup: Keyspan Digital Media Remote.lnk = C:\Program Files\Keyspan\Digital Media Remote 2.0\KDMRdmn.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38004.5724074074
The same exact problem is happening here, and the space disappears what seems to be every 30 seconds, or so. It's random, I watched 1 MB disappear, and sometimes, 6 and I got angry and stopped watching.
Any help, greatly appreciated (obviously avoiding reinstall would be nice, but if so, would it have to be a format and reinstall....MJO?)
Try clearing what you can from C:\Documents and Settings\username(s)\Local Settings\Temp (you won't be able to delete them all) and see what happens.
Also, do you have System Restore enabled?
System Restore was turned off and I assumed the restore points were all deleted. It hasn't been turned back on since.
Anyone with anything else, still appreciated...
And thanks for lookin at the hijackthis log
Have you tried clearing your browser cache?
You have a problem if your comp. does the same thing.
I reinstalled Windows and haven't seen the problem since.
I formatted the partition containing windows as well.
Several MB disappeared every 10 seconds, it was really annoying.
I haven't figured out why they disappeared yet.
The odd thing is, I never found out what took up the space.
I didn't find any suspicious files.
Secondly it started from scratch when I reset the system.
Could that have been the cause of the problem?
EDIT: Forgot the link.
http://www.glocksoft.com/trojan_list/HD_Fill.htm
And I have formatted my C drive and I haven't had the problem since.
But I haven't found other trojans capable of such things.
My post wasn't very clear without the link.
It was my mistake.
Norton 2004 didn't pick it up BTW, it didn't mention it for me anyway.
I checked the website, used the software, found no problems.
We disconnected the internet from the "infected" computer... problem continues...
If anyone is still interested in finding out why, please by all means, but I cannot think of anything, and I mean ANYTHING.
Neil
if not give it a go and read about it.
HardFull-A Trojan Fills Hard Drive
HardFull.A is a Trojan that creates a file that fills itself with the text Win32.Delf.du_Ful, thus increasing its size until it uses up all the hard drive space available.
http://nl.internet.com/ct.html?rtr=on&s=1,154h,1,f77l,hbtd,9s3s,a9gz
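Added example, not part of the original thread: nobody here identified what was consuming the space, and a file that keeps growing, as in the HardFull.A description above, can be located by taking two size snapshots of a directory tree and diffing them. The function names and the temporary-directory demo data are constructed for illustration.

```python
import os
import tempfile

def snapshot(root):
    """Map every file under root to its current size in bytes."""
    sizes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                sizes[path] = os.lstat(path).st_size
            except OSError:
                continue  # locked, or deleted between listing and stat
    return sizes

def growth(before, after, min_bytes=1):
    """Return (path, bytes_gained) for new or grown files, largest first."""
    grown = [(p, s - before.get(p, 0)) for p, s in after.items()]
    grown = [(p, d) for p, d in grown if d >= min_bytes]
    return sorted(grown, key=lambda item: item[1], reverse=True)

def unaccounted(free_before, free_after, grown):
    """Bytes of lost free space that no visible file growth explains.

    A large value points at places the walk could not read (other users'
    profiles, System Restore storage) rather than at an ordinary file.
    """
    return (free_before - free_after) - sum(d for _p, d in grown)

def demo():
    """Constructed scenario: one file balloons, one appears, one is idle."""
    with tempfile.TemporaryDirectory() as root:
        filler = os.path.join(root, "filler.dat")
        stable = os.path.join(root, "stable.txt")
        for path, data in ((filler, b"x" * 10), (stable, b"unchanged")):
            with open(path, "wb") as fh:
                fh.write(data)
        before = snapshot(root)
        with open(filler, "ab") as fh:   # simulate the self-filling file
            fh.write(b"x" * 5000)
        with open(os.path.join(root, "new.tmp"), "wb") as fh:
            fh.write(b"y" * 200)
        after = snapshot(root)
        return [(os.path.basename(p), d) for p, d in growth(before, after)]

if __name__ == "__main__":
    for name, delta in demo():
        print(f"{delta:>8} bytes  {name}")
```

On a live system, take the two snapshots of the affected drive a minute or so apart and read the free-space figures with `shutil.disk_usage` to feed `unaccounted`.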
He had an HP Laptop of some sort.
The installation was fresh, so unless a trojan timed itself ridiculously well (which I doubt following many a scan of many varieties) it just seemed to be disappearing.
Since it was quite long ago, he has since reformatted with a new installation (new disk and key and all) of Windows XP. I guess it stopped.
Still, very strange.