Author Topic: Decompression bomb has activated on my C drive  (Read 9689 times)


TainanDC

  • Guest
Decompression bomb has activated on my C drive
« on: June 21, 2007, 09:26:54 AM »
Hello - I had a Win32:agent decompression bomb that I seem to have discovered too late. It appears to have activated and has expanded to take up my C drive space almost completely - only about 32 MB left now.

I barely have enough system memory left to post a HijackThis txt file. Doesn't seem that I can even do this.
Can I be helped and how?

Thanks for any and all help.

TainanDC

  • Guest
Re: Decompression bomb has activated on my C drive
« Reply #1 on: June 21, 2007, 09:28:36 AM »
OK...got this copied.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 3:23:09 PM, on 6/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Elements 4.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
D:\Program Files\SpywareGuard\sgmain.exe
D:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\MOZILL~2\THUNDE~1.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Program Files\ZIPProgs\ZipGenius 6\zipgenius.exe
C:\DOCUME~1\user\LOCALS~1\Temp\ZGTemp\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = msa.hinet.net
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [TrojanScanner] D:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "D:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - Startup: MRU-Blaster Silent Clean.lnk = D:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {266B9238-31A5-4B53-9039-272FE846DF9D} -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1150246307013
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172972592578
O17 - HKLM\System\CCS\Services\Tcpip\..\{63A11AE1-2A9D-4E84-BCA5-414FCF30603C}: NameServer = 168.95.192.1 168.95.1.1
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - D:\Program Files\Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: NBService - Nero AG - D:\Program Files\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: System Restore Service (srservice) - Zone Labs, LLC - (no file)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5986 bytes

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34065
  • malware fighter
Re: Decompression bomb has activated on my C drive
« Reply #2 on: June 21, 2007, 09:49:41 AM »
Hi TainanDC,

Here you can find the analysis of your HJT logfile for 3 consequent days:
http://hijackthis.de/logfiles/2d75326915507b428e74b15321290a66.html

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

TainanDC

  • Guest
Re: Decompression bomb has activated on my C drive
« Reply #3 on: June 21, 2007, 10:24:48 AM »
Polonius - Hello and thank you very much. Here is the posted analysis: (edited)

Quote
[Y] Logfile of Trend Micro HijackThis v2.0.0 (BETA) - This should be the newest version.
[WINXP] Platform: Windows XP SP2 (WinNT 5.01.2600) -

[Y] D:\Program Files\Elements 4.0\PhotoshopElementsFileAgent.exe - Possibly nasty! According to our database this process runs normally in c:\programme\adobe\photoshop elements 3.0\! Check if you know this process and arrange a viruscheck where required. Adobe Photoshop Elements
---

[rY] D:\Pogram Files\ZIPProgs\ZipGenius 6\zipgenius.exe - Possibly nasty! According to our database this process runs normally in c:\programme\zipgenius 5\! Check if you know this process and arrange a viruscheck where required. ZipGenius
---
[Y] O15 - Trusted Zone: http://download.windowsupdate.com - If you did not add these pages to your trusted pages, they should be fixed.
[?] O16 - DPF: {266B9238-31A5-4B53-9039-272FE846DF9D} - - Check if you know this site and fix it if you do not. Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed!
---

022 looks like a problem
015 - what to do?
016 also
D progs Zip Genius looks questionable
D progs Photo Elements is probably OK as I install progs to my partitioned drive labelled as D

My drive is partitioned @ C = 29 Gs and D = 85 Gs. Both should be, and D is at, about 12 - 14 gigs.
C has been taken over almost completely. I need to find out what is bad and go about reclaiming this disk space.
Suggestions?

Thank you very much for your help. It is truly appreciated.


TainanDC

  • Guest
Re: Decompression bomb has activated on my C drive
« Reply #4 on: June 21, 2007, 02:49:40 PM »
Hello - my time here is GMT + 8. I hope I didn't give the impression that I know how to solve my problem with what has been shared so far. Still hoping to reclaim this drive space... ;) ;)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34065
  • malware fighter
Re: Decompression bomb has activated on my C drive
« Reply #5 on: June 21, 2007, 09:28:03 PM »
Hi TainanDC,

You have to check up what is consuming your CPU, it could be a problem with the automatic windows updater consuming almost all your cycles. You can solve that by putting it to manual update (and do this every patch Tuesday). If you have installed the zipgenius yourself there is no problem.
Look at the other items with Toolbar Cop, to be downloaded from here: http://www.majorgeeks.com/download4126.html to delete the 016 ActiveX.
Also download XRay PC from here: http://www.x-raypc.com/download.php and analyze online.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: Decompression bomb has activated on my C drive
« Reply #6 on: June 22, 2007, 12:07:16 AM »
C has been taken over almost completely. I need to find out what is bad and go about reclaiming this disk space.
Suggestions?
If you scan with avast, won't it report the decompression bomb again?
Do you have the last report or avast log viewer shows this info (the name and the path of that file)?
The best things in life are free.

TainanDC

  • Guest
Re: Decompression bomb has activated on my C drive
« Reply #7 on: June 22, 2007, 02:13:54 AM »
Polonus & Tech -
DL'd the 2 progs and disabled the {266} 016 item.

I did install the ZipGenius myself.
Tech -
AVAST scans no longer show the decompression bomb as in my computer. It seems that I have removed it with assistance from what I've read in these forums.
My problem now is reclaiming C drive space.

What should I show now to further this?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: Decompression bomb has activated on my C drive
« Reply #8 on: June 22, 2007, 01:45:40 PM »
My problem now is reclaiming C drive space.
What should I show now to further this?
If you open avast log viewer, isn't there anything that could help us regarding the original file name and path?
I can't see another way than using a manual method, trying to find 'big' files and asking here if they're legit or they're part of the decompressed files from the bomb.
The best things in life are free.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11873
    • AVAST Software
Re: Decompression bomb has activated on my C drive
« Reply #9 on: June 22, 2007, 01:58:17 PM »
You have to find out "where" the disk space is used. So, I'd suggest checking the size of the folders in the root of the drive, one by one (e.g. in Windows Explorer). One of them should be very big. Now, enter this folder, and do the same with its subfolders... etc. - until you arrive at the folder which has some big files inside (or a huge number of files? hard to say).

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: Decompression bomb has activated on my C drive
« Reply #10 on: June 22, 2007, 02:21:03 PM »
TreeSize tells you how your disk space is being used. It can be started from the context menu of a folder or drive and shows you the size of the selected folder, including its subfolders. Each folder can be expanded in Explorer-like manner to view the size of its subfolders. Scanning is done in a thread, so you can already see results while TreeSize is working without having to wait. The results can be printed in a report.

http://www.snapfiles.com/get/treesize.html
The best things in life are free.
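An added example, not code from this thread and not TreeSize's own code: a small Python script that does what igor's post describes and what TreeSize automates. It walks a drive, totals every folder including its subfolders, and lists the largest ones. It also keeps a separate list of folders it was not allowed to read (on Windows, for example, System Volume Information when run as a normal user), because bytes inside those folders are missing from the total; that is why a folder-size tool can report far less than the drive actually holds. The sample tree it builds in a temporary directory is constructed for the demonstration; its folder and file names are invented.

```python
"""Find where disk space is going: per-folder totals, largest first.

Added example for the procedure in this thread (walk the root folders,
then their subfolders, until the big one is found). Folders that cannot
be read are reported separately instead of being silently skipped.
"""
import os
import tempfile


def folder_sizes(root):
    """Return (sizes, denied).

    sizes maps each folder, as a path relative to root with '/' separators
    ('.' is root itself), to the total bytes of the files in it and below it.
    denied lists folders or files that could not be read; their bytes are
    NOT in any total, which is the caveat when comparing against the
    free-space figure the OS reports.
    """
    sizes = {}
    denied = []

    def rel(path):
        return os.path.relpath(path, root).replace(os.sep, "/")

    def walk(path):
        total = 0
        try:
            entries = list(os.scandir(path))
        except PermissionError:
            denied.append(rel(path))
            sizes[rel(path)] = 0
            return 0
        for entry in entries:
            try:
                if entry.is_dir(follow_symlinks=False):
                    total += walk(entry.path)
                elif entry.is_file(follow_symlinks=False):
                    total += entry.stat(follow_symlinks=False).st_size
            except OSError:
                denied.append(rel(entry.path))
        sizes[rel(path)] = total
        return total

    walk(root)
    return sizes, denied


def largest_folders(sizes, top=10):
    """Folders sorted by total size, largest first (root is always first)."""
    return sorted(sizes.items(), key=lambda kv: kv[1], reverse=True)[:top]


def human(n):
    """Bytes as a short human-readable string, e.g. 5242880 -> '5.0 MB'."""
    for unit in ("B", "KB", "MB", "GB"):
        if n < 1024 or unit == "GB":
            return f"{n:.1f} {unit}"
        n /= 1024


def build_sample_tree():
    """Constructed stand-in for a system drive (hypothetical names):
    a small 'WINDOWS' folder and a user Temp folder holding one 5 MiB file.
    Returns the root path of the temporary tree."""
    root = tempfile.mkdtemp(prefix="drive_")
    os.makedirs(os.path.join(root, "WINDOWS", "system32"))
    os.makedirs(os.path.join(root, "Documents", "user", "Temp"))
    with open(os.path.join(root, "WINDOWS", "system32", "a.dll"), "wb") as f:
        f.write(b"\0" * 1024)
    with open(os.path.join(root, "Documents", "user", "Temp", "big.bin"), "wb") as f:
        f.write(b"\0" * (5 * 1024 * 1024))
    return root


if __name__ == "__main__":
    # Run against the constructed tree; pass a real drive root instead
    # (e.g. "C:\\") to use it on an actual machine.
    root = build_sample_tree()
    sizes, denied = folder_sizes(root)
    print(f"Scanned {root}")
    for path, size in largest_folders(sizes):
        print(f"{human(size):>10}  {path}")
    if denied:
        print("Not counted (access denied):")
        for path in denied:
            print("  " + path)
```

Run on a real drive, the top of the list is the folder to open next, exactly as igor suggests; the "Not counted" section is what to check when the totals add up to much less than the space the OS says is used.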

TainanDC

  • Guest
Re: Decompression bomb has activated on my C drive
« Reply #11 on: June 22, 2007, 03:23:21 PM »
Tech -
Avast is not loading automatically and resident in my lower right hand task bar as previously.
Where should I look in the log viewer?
Info - blank
Notice - many messages
warning - many messages
error - many messages
critical - empty
alert - empty
emergency - empty

my concern immediately is that AVAST is not loading up and running with start-up
Running firefox and thunderbird, p-4 WinXP pro...now down to almost nothing left on C drive.
Thanks for your help


TainanDC

  • Guest
Re: Decompression bomb has activated on my C drive
« Reply #12 on: June 22, 2007, 03:30:39 PM »
Thanks, I dl'ed and am looking with the Tree Size prog

My 'System Volume Information' is access denied

TainanDC

  • Guest
Re: Decompression bomb has activated on my C drive
« Reply #13 on: June 22, 2007, 03:52:09 PM »
Strangely, Tree Size is showing my C drive as only 5 GB. It is almost 30 GB in size.

added: 16 MB of free space left. I delete progs to free space and within minutes something expands to fill the space.
« Last Edit: June 22, 2007, 03:55:16 PM by TainanDC »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: Decompression bomb has activated on my C drive
« Reply #14 on: June 22, 2007, 03:59:56 PM »
My 'System Volume Information' is access denied
It's normal. It's just that this folder has access rights only for the system, not for users.

error - many messages
my concern immediately is that AVAST is not loading up and running with start-up
Error would be good.
The best things in life are free.