Decompression bomb has activated on my C drive

Hello - I had a Win32:agent decompression bomb that I seem to have discovered too late. It appears to have activated and has expanded to take up my C drive space almost completely - only about 32 MB left now.

I barely have enough system memory left to post a HijackThis txt file. Doesn’t seem that I can even do this.
Can I be helped and how?

Thanks for any and all help.

OK…got this copied.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 3:23:09 PM, on 6/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Elements 4.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
D:\Program Files\SpywareGuard\sgmain.exe
D:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\MOZILL~2\THUNDE~1.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Program Files\ZIPProgs\ZipGenius 6\zipgenius.exe
C:\DOCUME~1\user\LOCALS~1\Temp\ZGTemp\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = msa.hinet.net
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM..\Run: [TrojanScanner] D:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe /auto
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [FreeRAM XP] "D:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - Startup: MRU-Blaster Silent Clean.lnk = D:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {266B9238-31A5-4B53-9039-272FE846DF9D} -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1150246307013
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172972592578
O17 - HKLM\System\CCS\Services\Tcpip..{63A11AE1-2A9D-4E84-BCA5-414FCF30603C}: NameServer = 168.95.192.1 168.95.1.1
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - D:\Program Files\Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: NBService - Nero AG - D:\Program Files\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: System Restore Service (srservice) - Zone Labs, LLC - (no file)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


End of file - 5986 bytes

Hi TainanDC,

Here you can find the analysis of your HJT logfile for 3 consecutive days:
http://hijackthis.de/logfiles/2d75326915507b428e74b15321290a66.html

polonus

Polonus - Hello and thank you very much. Here is the posted analysis: (edited)

[Y] Logfile of Trend Micro HijackThis v2.0.0 (BETA) - This should be the newest version. [WINXP] Platform: Windows XP SP2 (WinNT 5.01.2600) -

[Y] D:\Program Files\Elements 4.0\PhotoshopElementsFileAgent.exe - Possibly nasty! According to our database this process runs normally in c:\programme\adobe\photoshop elements 3.0! Check if you know this process and arrange a viruscheck where required. Adobe Photoshop Elements

[rY] D:\Program Files\ZIPProgs\ZipGenius 6\zipgenius.exe - Possibly nasty! According to our database this process runs normally in c:\programme\zipgenius 5! Check if you know this process and arrange a viruscheck where required. ZipGenius

[Y] O15 - Trusted Zone: http://download.windowsupdate.com - If you did not add these pages to your trusted pages, they should be fixed.
[?] O16 - DPF: {266B9238-31A5-4B53-9039-272FE846DF9D} - - Check if you know this site and fix it if you do not. Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed!

O22 looks like a problem
O15 - what to do?
O16 also
D progs ZipGenius looks questionable
D progs Photoshop Elements is probably OK as I install progs to my partitioned drive labelled as D

My drive is partitioned @ C = 29 GB and D = 85 GB. Both should be, and D is at, about 12 - 14 GB.
C has been taken over almost completely. I need to find out what is bad and go about reclaiming this disk space.
Suggestions?

Thank you very much for your help. It is truly appreciated.

Hello - my time here is GMT+8. I hope I didn’t give the impression that I know how to solve my problem with what has been shared so far. Still hoping to reclaim this drive space… :wink: :wink:

Hi TainanDC,

You have to check what is consuming your CPU; it could be a problem with the automatic Windows updater consuming almost all your cycles. You can solve that by setting it to manual update (and do this every Patch Tuesday). If you installed ZipGenius yourself there is no problem.
Look at the other items with Toolbar Cop, to be downloaded from here: http://www.majorgeeks.com/download4126.html, to delete the O16 ActiveX.
Also download XRay PC from here: http://www.x-raypc.com/download.php and analyze online.

polonus

If you scan with avast, won’t it report the decompression bomb again?
Do you have the last report or avast log viewer shows this info (the name and the path of that file)?

Polonus & Tech -
DL’d the 2 progs and disabled the {266} O16 item.

I did install the ZipGenius myself .
Tech -
AVAST scans no longer show the decompression bomb as in my computer. It seems that I have removed it with assistance from what I’ve read in these forums.
My problem now is reclaiming C drive space.

What should I show now to further this?

If you open avast log viewer, isn’t there anything that could help us regarding the original file name and path?
I can’t see another way than using a manual method: trying to find ‘big’ files and asking here whether they’re legit or part of the decompressed files from the bomb.

You have to find out “where” the disk space is used. So, I’d suggest checking the size of the folders in the root of the drive, one by one (e.g. in Windows Explorer). One of them should be very big. Now enter this folder and do the same with its subfolders, etc., until you arrive at the folder which has some big files inside (or a huge number of files? hard to say).
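The drill-down procedure above, scripted, as an added example that is not part of the thread and not anyone's posted tool. It walks a tree once, totals every folder including its subfolders, records access-denied folders (the System Volume Information case) instead of aborting, and then follows the largest child down until no single subfolder dominates. The sample tree it builds is constructed for the example; the 80% "keep drilling" threshold is an assumption.

```python
import os
import tempfile
from typing import Dict, List, Tuple


def folder_sizes(root: str) -> Tuple[Dict[str, int], List[str]]:
    """Walk `root` once and return ({folder: bytes including subfolders}, [paths that were denied]).

    An access-denied folder (System Volume Information is the usual one on XP) is
    recorded and skipped rather than aborting the scan, so the rest of the drive is
    still accounted for. Symlinks/junctions are not followed, to avoid double counting.
    """
    sizes: Dict[str, int] = {}
    denied: List[str] = []

    def walk(path: str) -> int:
        total = 0
        try:
            with os.scandir(path) as it:
                entries = list(it)
        except PermissionError:
            denied.append(path)
            sizes[path] = 0
            return 0
        for entry in entries:
            try:
                if entry.is_dir(follow_symlinks=False):
                    total += walk(entry.path)
                elif entry.is_file(follow_symlinks=False):
                    total += entry.stat(follow_symlinks=False).st_size
            except (PermissionError, FileNotFoundError):
                denied.append(entry.path)
        sizes[path] = total
        return total

    walk(root)
    return sizes, denied


def biggest_children(sizes: Dict[str, int], folder: str, n: int = 5) -> List[Tuple[str, int]]:
    """Immediate subfolders of `folder`, largest first: one 'drill down' step of the
    procedure described in the post. Names are returned relative to `folder`."""
    children = [
        (os.path.basename(p), s)
        for p, s in sizes.items()
        if p != folder and os.path.dirname(p) == folder
    ]
    return sorted(children, key=lambda name_size: name_size[1], reverse=True)[:n]


def build_sample_tree() -> str:
    """Constructed stand-in for a C: drive (not real data from the thread): a small
    system folder, a document, and one temp folder quietly holding most of the space."""
    root = tempfile.mkdtemp(prefix="drive_c_")
    layout = {
        "WINDOWS/system32/kernel.bin": 40_000,
        "Documents/letter.txt": 1_000,
        "Temp/ZGTemp/out/part1.bin": 300_000,
        "Temp/ZGTemp/out/part2.bin": 300_000,
    }
    for rel, size in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"\0" * size)
    return root


if __name__ == "__main__":
    drive = build_sample_tree()
    totals, skipped = folder_sizes(drive)
    print(f"{drive}: {totals[drive]:,} bytes; skipped (access denied): {skipped}")
    # Follow the largest child down while it still holds most of its parent's bytes.
    here = drive
    while True:
        kids = biggest_children(totals, here)
        if not kids or kids[0][1] < totals[here] * 0.8:
            break
        name, size = kids[0]
        print(f"  -> {name}: {size:,} bytes")
        here = os.path.join(here, name)
```

Run it against a real root with `folder_sizes("C:\\")` from an administrator prompt; the `denied` list tells you how much of the drive the walk could not see, which is exactly the gap TreeSize shows when a user-level scan reports 5 GB on a nearly full 30 GB partition.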

TreeSize tells you how your disk space is being used. It can be started from the context menu of a folder or drive and shows you the size of the selected folder, including its subfolders. Each folder can be expanded in Explorer-like manner to view the size of its subfolders. Scanning is done in a thread, so you can already see results while TreeSize is working without having to wait. The results can be printed in a report.

http://www.snapfiles.com/get/treesize.html

Tech -
Avast is not loading automatically and resident in my lower right-hand taskbar as previously.
Where should I look in the log viewer? -
Info - blank
Notice - many messages
warning - many messages
error - many messages
critical - empty
alert - empty
emergency - empty

My immediate concern is that AVAST is not loading up and running with start-up.
Running Firefox and Thunderbird, P4 WinXP Pro… now down to almost nothing left on C drive.
Thanks for your help

Thanks, I DL’ed it and am looking with the TreeSize prog.

My ‘System Volume Information’ is access denied.

Strangely, TreeSize is showing my C drive as only 5 GB. It is almost 30 GB in size.

Added: 16 MB of free space left. I delete progs to free space and within minutes something expands to fill the space.

It’s normal. That folder has access rights only for System, not for users.

Error would be good.

Hi, maybe we could have a deep look at the suspect drive. I assume you are booting from the C drive.

Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

- Close ALL OTHER PROGRAMS.
- Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
- Under Additional Scans click the checkboxes in front of the following items to select them:

  File - Additional Folder Scans

- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is, then click on it to uncheck it.

Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.

I first want to thank all who contributed to the thread. I very much appreciate the attempts at helping with this problem.
My computer finally went unusable Friday night; it’s now Monday late afternoon, and I had to just shut it down. After pondering the situation for a couple of days I decided the only thing I could do was ‘bite the bullet’ and format my C drive.
This drive is a partitioned drive - 1 drive partitioned to make 2 drives - and I was able to save the info on the other drive (my ‘D’ drive). I, of course, did lose some data and still haven’t got my email up and working yet - but my computer is running again and doing well.
When this was first discovered I researched as much as I could about “Win32:agent” trojans and ‘decompression/time bombs’ to try and figure out how to deal with this. I am not a computer expert by any means. While the Win32:agent appears to be quite well known - the ‘decompression bomb/time bomb’ malware seems to be little understood beyond how it actually functions - which is quite well explained. A lot of ‘experts’ seem to think that this problem isn’t all that serious and make more of a technical discussion out of how to build one/what it is rather than how to deal with it when it activates.

I was never able to find anything of this nature. I still don’t know what to do if one activates - but it is an insidious thing to watch your drive space being slowly devoured and not being able to do a darn thing about it.

I hope this helps someone else, and again, I sincerely thank the folks who gave a hand in trying to help.
As I am a fan of AVAST I’ll be lurking on the forums for the next bit of knowledge I find of use.
All the best,
TainanDC
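The closing post's complaint is that the literature explains how a decompression bomb is built but not how to deal with one. The preventive side is mechanical and worth showing: an added example, not from the thread or from any of the tools named in it, that (1) reads an archive's central directory without extracting and flags members whose declared size is implausibly large relative to the stored bytes, and (2) extracts with a hard byte budget, since headers can be forged and the only trustworthy number is what actually comes out of the decompressor. The sample archive is constructed in memory; the 100:1 ratio and 50 MB total are assumed thresholds for illustration, not a standard.

```python
import io
import zipfile
from typing import BinaryIO, Dict, List, Optional


def build_sample_archive() -> bytes:
    """Constructed sample archive (not the file from the thread): one ordinary text
    member plus one member of zeros that inflates roughly 1000:1 under DEFLATE, the
    shape of a decompression bomb in miniature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED, compresslevel=9) as zf:
        zf.writestr("readme.txt", "Release notes for version 6.\n" * 20)
        zf.writestr("payload.bin", b"\0" * 2_000_000)
    return buf.getvalue()


def inspect_archive(data: bytes, max_ratio: float = 100.0, max_total: int = 50_000_000) -> Dict[str, object]:
    """Read the central directory only, without extracting, and flag members whose
    declared uncompressed size is implausibly large relative to the stored bytes.
    The thresholds are assumptions chosen for this example, not a standard."""
    suspicious: List[str] = []
    declared = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        for info in infos:
            declared += info.file_size
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > max_ratio:
                suspicious.append(info.filename)
    return {
        "members": len(infos),
        "declared_bytes": declared,
        "suspicious": suspicious,
        "safe_to_extract": not suspicious and declared <= max_total,
    }


def extract_member_with_budget(data: bytes, name: str, budget: int, dst: Optional[BinaryIO] = None) -> int:
    """Stream one member out in chunks and abort as soon as `budget` bytes would be
    written. Header sizes can be forged, so the real defence is counting what actually
    comes out of the decompressor, not trusting what the archive claims."""
    dst = dst if dst is not None else io.BytesIO()
    written = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(name) as src:
        while True:
            chunk = src.read(64 * 1024)
            if not chunk:
                return written
            written += len(chunk)
            if written > budget:
                raise ValueError(f"{name}: exceeded {budget} bytes while extracting, aborting")
            dst.write(chunk)


if __name__ == "__main__":
    sample = build_sample_archive()
    print(inspect_archive(sample))
    print("readme.txt extracted:", extract_member_with_budget(sample, "readme.txt", 10_000), "bytes")
    try:
        extract_member_with_budget(sample, "payload.bin", 500_000)
    except ValueError as err:
        print("blocked:", err)
```

The ratio check is cheap and catches the obvious case before any bytes hit the disk; the budget is what protects the drive when the declared sizes lie or when a member is itself another archive. Note that Python's `zipfile` will also raise on a size or CRC mismatch at the end of a member, but by then the bytes have already been written, which is why the budget is enforced per chunk.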