Hello - I had a Win32:agent decompression bomb that I seem to have discovered too late. It appears to have activated and has expanded to take up my C drive space almost completely - only about 32mg left now.
I barely have enough system memory left to post a Hijack this txt file. Doesn’t seem that I can even do this.
Can I be helped and how?
Polonus - Hello and thank you very much. Here is the posted analysis: (edited)
[Y] Logfile of Trend Micro HijackThis v2.0.0 (BETA) - This should be the newest version.
[WINXP] Platform: Windows XP SP2 (WinNT 5.01.2600) -
[Y] D:\Program Files\Elements 4.0\PhotoshopElementsFileAgent.exe - Possibly nasty! According to our database this process runs normally in c:\programme\adobe\photoshop elements 3.0! Check if you know this process and arrange a viruscheck where required. Adobe Photoshop Elements
[rY] D:\Pogram Files\ZIPProgs\ZipGenius 6\zipgenius.exe - Possibly nasty! According to our database this process runs normally in c:\programme\zipgenius 5! Check if you know this process and arrange a viruscheck where required. ZipGenius
[Y] O15 - Trusted Zone: http://download.windowsupdate.com - If you did not add these pages to your trusted pages, they should be fixed.
[?] O16 - DPF: {266B9238-31A5-4B53-9039-272FE846DF9D} - - Check if you know this site and fix it if you do not. Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words ‘dialer’, ‘casino’, ‘free plugin’ etc, it should be fixed!
—
022 looks like a problem
015 - what to do?
016 also
D progs Zip Genius look questionable
D progs Photo Elements is probably OK as I install progs to my partitioned drive labelled as D
My drive is partitioned @ C = 29 Gs and D = 85 Gs. Both should be, and D is at, about 12 - 14 gigs.
C has been taken over almost completely. I need to find out what is bad and go about reclaiming this disk space.
Suggestions?
Thank you very much for your help. It is truly appreciated.
Hello - my time here is GMT + 8. I hope I didn’t give the impression that I know how to solve my problem with what has been shared so far. Still hoping to reclaim this drive space…
You have to check up what is consuming your CPU, it could be a problem with the automatic windows updater consuming almost all your cycles. You can solve that by putting it to manual update (and do this every patch Tuesday). If you have installed the zipgenius yourself there is no problem.
Look at the other items with Toolbar Cop, to be downloaded from here: http://www.majorgeeks.com/download4126.html to delete the 016 Active X.
Also download XRay PC from here: http://www.x-raypc.com/download.php and analyze online.
If you scan with avast, won’t it report the decompression bomb again?
Do you have the last report or avast log viewer shows this info (the name and the path of that file)?
Polonus & Tech -
DL’d the 2 progs and disabled the {266} 016 item.
I did install the ZipGenius myself.
Tech -
AVAST scans no longer show the decompression bomb as in my computer. It seems that I have removed it with assistance from what I’ve read in these forums.
My problem now is reclaiming C drive space.
If you open avast log viewer, isn’t there anything there that could help us regarding the original file name and path?
I can’t see another way than using a manual method, trying to find ‘big’ files and asking here if they’re legit or they’re part of the decompressed files from the bomb.
You have to find out “where” the disk space is used. So, I’d suggest to check the size of the folders in the root of the drive, one by one (e.g. in Windows Explorer). One of them should be very big. Now, enter this folder, and do the same with its subfolders… etc. - until you arrive at the folder which has some big files inside (or a huge number of files? hard to say)
TreeSize tells you how your disk space is being used. It can be started from the context menu of a folder or drive and shows you the size of the selected folder, including its subfolders. Each folder can be expanded in Explorer-like manner to view the size of its subfolders. Scanning is done in a thread, so you can already see results while TreeSize is working without having to wait. The results can be printed in a report.
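The folder-by-folder drill-down suggested in the replies above, written out as an added example that is not part of the original thread. The function names, the 50% cut-off in `share` and the sample tree are assumptions made for illustration; the sample files are constructed in a temporary directory.

```python
import os
import tempfile

def tree_size(root):
    """Map each folder to its total bytes (subfolders included) and each file to its size."""
    folder_bytes, file_bytes = {}, {}
    for path, dirs, files in os.walk(root, topdown=False):  # children before parents
        total = sum(folder_bytes.get(os.path.join(path, d), 0) for d in dirs)
        for name in files:
            full = os.path.join(path, name)
            try:
                file_bytes[full] = os.lstat(full).st_size  # lstat: never follow links
            except OSError:
                continue  # locked or vanished file: skip it, keep scanning
            total += file_bytes[full]
        folder_bytes[path] = total
    return folder_bytes, file_bytes

def drill_down(root, share=0.5):
    """Follow the largest subfolder until none holds `share` of its parent (assumed cut-off)."""
    root = os.path.abspath(root)  # normalise so dirname() comparisons below match
    folder_bytes, file_bytes = tree_size(root)
    trail, current = [], root
    while True:
        trail.append((current, folder_bytes.get(current, 0)))
        subs = [p for p in folder_bytes if os.path.dirname(p) == current and p != current]
        biggest = max(subs, key=folder_bytes.get, default=None)
        if biggest is None or folder_bytes[biggest] < share * folder_bytes[current]:
            return trail, file_bytes  # space is spread out or sits in files right here
        current = biggest

def largest_files(file_bytes, folder, n=5):
    prefix = os.path.join(folder, "")  # trailing separator: match only paths inside folder
    return sorted(((s, p) for p, s in file_bytes.items() if p.startswith(prefix)), reverse=True)[:n]

def build_sample(base):
    """Constructed tree: one deep folder holds nearly all the bytes."""
    layout = {"Windows/a.dll": 2000, "Documents/mail.dbx": 3000, "Temp/small.tmp": 10,
              "Temp/unpacked/part1.bin": 40000, "Temp/unpacked/part2.bin": 50000}
    for rel, size in layout.items():
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"\0" * size)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        build_sample(base)
        trail, files = drill_down(base)
        print(trail, largest_files(files, trail[-1][0]))
```

The last entry of `trail` is the folder to inspect by hand; the files listed from it are the candidates to ask about before deleting anything.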
Tech -
Avast is not loading automatically and resident in my lower right hand task bar as previously.
Where should I look at in the log viewer? -
Info - blank
Notice - many messages
warning - many messages
error - many messages
critical - empty
alert - empty
emergency - empty
my concern immediately is that AVAST is not loading up and running with start-up
Running firefox and thunderbird, p-4 WinXP pro…now down to almost nothing left on C drive.
Thanks for your help
Hi maybe we could have a deep look at the suspect drive. I assume you are booting from C drive
Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
- Close ALL OTHER PROGRAMS.
- Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
- Under Additional Scans click the checkboxes in front of the following items to select them:
  File - Additional Folder Scans
- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.
I first want to thank all who contributed to the thread. I very much appreciate the attempts at helping with this problem.
My computer finally went unusable Friday night, it’s now Monday late afternoon, and I had to just shut it down. After pondering the situation for a couple of days I decided the only thing I could do was ‘bite the bullet’ and format my C drive.
This drive is a partition drive - 1 drive partitioned to make 2 drives - and I was able to save the info on the other drive (my ‘D’ drive). I, of course, did lose some data and still haven’t got my email up and working yet - but my computer is running again and doing well.
When this was first discovered I researched as much as I could about “Win32:agent” trojans and ‘decompression/time bombs’ to try and figure out how to deal with this. I am not a computer expert by any means. While the Win32:agent appears to be quite well known - the ‘decompression bomb/time bomb’ malware seems to be little understood beyond how it actually functions - which is quite well explained. A lot of ‘experts’ seem to think that this problem isn’t all that serious and make more of a technical discussion out of how to build one/what it is rather than how to deal with it when it activates.
I was never able to find anything of this nature. I still don’t know what to do if one activates - but it is an insidious thing to watch your drive space being slowly devoured and not being able to do a darn thing about it.
I hope this helps someone else, and again, I sincerely thank the folks who gave a hand in trying to help.
As I am a fan of AVAST I’ll be lurking on the forums for the next bit of knowledge I find of use.
All the best,
TainanDC