Disk full in 20 minutes

Hello,

I think my laptop is infected by a virus that fills up my C partition in about 20 minutes every time I restart it.

I am running Avast Free on Windows 7 Professional SP1 64x. Avast did not catch anything wrong.

When running Windows in Security Mode nothing happens.

I have searched the Internet on this kind of virus but I did not find any record.

Does anybody know of any virus that may be responsible for this behaviour?

Thank you very much.

Jayme Jeffman

Nothing I have heard of

Let's have a look see

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

- Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
- Select additions at the bottom
- Press Scan button.

https://dl.dropboxusercontent.com/u/73555776/frst.JPG

- It will produce a log called FRST.txt in the same directory the tool is run from.
- Please attach both logs generated.

This problem I have already had.

I have found a lot of disk space used under the %AppData% folder in a Google folder.

So I have decided to uninstall all Google applications including Chrome and Google Earth plugins. It was almost 70 GB used in that folder.

Yesterday, before I turned off the computer, it had only 48 MB left on the C partition.

Today, after I ran CCleaner and disabled Google Talk plugins, I am monitoring disk space and activity with Microsoft Resource Monitor. It seems it has no virus activity until now.

I have downloaded the 64 version of FarBar and ran it. Here are the log files, attached.

Thank you very much.

Google Earth does take up a lot of room

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
2015-07-23 22:32 - 2015-07-23 22:32 - 00000000 ____D C:\Users\jjeffman\AppData\Local\{BC216550-F213-401A-B61B-46B70B37E0FD}
2015-07-23 22:30 - 2015-07-23 22:31 - 00000000 ____D C:\Users\jjeffman\AppData\Local\{5EE8C6DD-51C2-475D-A74F-4C2204151423}
2015-07-23 22:16 - 2015-07-23 22:16 - 00000000 _____ C:\Windows\system32\REN9839.tmp
2015-07-23 18:30 - 2015-07-23 18:30 - 00003134 _____ C:\Windows\System32\Tasks\{C0CDCC3C-DF3C-4DAC-B4DC-66B701705853}
2015-07-22 19:48 - 2015-07-22 19:48 - 00000000 ____D C:\Users\jjeffman\AppData\Local\{68CE3BFD-0FD3-4034-8AC3-C9C85975A2D0}
2015-06-24 14:16 - 2015-06-24 14:16 - 0000000 _____ () C:\Users\jjeffman\AppData\Local\{04E3DEC7-E6D8-4D5C-82AC-572AFEF4B4DA}
2015-06-24 14:16 - 2015-06-24 14:16 - 0000000 ____H () C:\Users\jjeffman\AppData\Local\BIT45B6.tmp
Task: {0E7035B7-F90F-40B4-B817-05F657194B11} - \71634a7f-512d-471b-9785-ca3df8a729a1-1-7 No Task File <==== ATTENTION
Task: {1596EB59-5471-4D4B-9F87-F680ABE33E53} - System32\Tasks\{232F8F5B-4BC7-4175-AEFB-01EDB09B0F85} => pcalua.exe -a E:\Temp\cs2_setup.exe -d E:\Temp
Task: {2FE26413-6D3F-4A0A-A51A-F702B0852474} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3873803031-4150282436-3825153626-1000UA => C:\Users\jjeffman\AppData\Local\Google\Update\GoogleUpdate.exe
Task: {44F7C5E2-4997-4F15-A294-7ECB082FFD0F} - \71634a7f-512d-471b-9785-ca3df8a729a1-1-6 No Task File <==== ATTENTION
Task: {483D3C14-A143-4A9E-83CA-07CEC6950FB5} - \71634a7f-512d-471b-9785-ca3df8a729a1-6 No Task File <==== ATTENTION
Task: {6B688B9E-26AD-4A80-9FFB-E5D98EC93183} - \71634a7f-512d-471b-9785-ca3df8a729a1-5_user No Task File <==== ATTENTION
Task: {A4A2D3F4-AA38-45B4-871E-849700FFBF36} - \71634a7f-512d-471b-9785-ca3df8a729a1-7 No Task File <==== ATTENTION
Task: {BE53D297-5730-4F6E-87D8-76349886B910} - \71634a7f-512d-471b-9785-ca3df8a729a1-4 No Task File <==== ATTENTION
Task: {F1371647-7E6F-46B4-8EB8-F895CCAB9FBF} - \71634a7f-512d-471b-9785-ca3df8a729a1-5 No Task File <==== ATTENTION
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3873803031-4150282436-3825153626-1000Core.job => C:\Users\jjeffman\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3873803031-4150282436-3825153626-1000UA.job => C:\Users\jjeffman\AppData\Local\Google\Update\GoogleUpdate.exe
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

Thank you very much.

Here goes the Fixlog.txt file.

I just tidied up… How is the computer now ?

EmptyTemp: => 4.2 GB temporary data Removed.

Thank you very much for helping me.

I have normal disk activity and the unused disk space seems to be almost constant, and its modifications might be the result of my work on the computer.

Did you find any risk or threat on the files I have sent you ? Was my computer infected ?

No, there was no infection :)

Remove tools

Download and run Delfix
Select the options as shown

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Well, if it has no infection :), but suddenly my hard drive C partition was increased by around 70 GB in less than 30 minutes, what was going on?

The system process was continuously writing data to disk and 1.5 GB of disk space was being occupied each minute; was it not a virus? Or is Windows 7 itself a virus?

Why are you telling me to remove disinfection tools ?

Thank you very much.

Why are you telling me to remove disinfection tools ?
Because they are not tools you can use unless trained, and the latest updated version must be downloaded when needed ;)

When you uninstalled Google Earth you removed a programme that updates itself with some large amounts of data on a daily basis.

Maybe, do you think that an application could fill up to 70 GB in the AppData folder just to get an acceptable performance? Supposing the user has unlimited disk space?

I don’t feel like installing any Google applications anymore.

I have downloaded the application you’ve told me to, and I will run it to clean up the disinfection tools.

Thank you very much.
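
Added example, not part of the original thread and not code from any poster: a PowerShell script that takes two size snapshots of the folders under the local AppData tree and ranks them by growth per minute, which is the check the thread did by hand when it found the large Google folder. The parameter names, the `Get-FolderSizes` helper and the defaults are assumptions; it is written to run on the PowerShell 2.0 shipped with Windows 7.

```powershell
# Added example: find which AppData subfolder is growing, and how fast.
param(
    [string]$Root = $env:LOCALAPPDATA,  # assumption: tree to profile
    [int]$IntervalSeconds = 60,         # assumption: time between snapshots
    [int]$Top = 10                      # assumption: rows to display
)

function Get-FolderSizes {
    # Returns a hashtable: full path of each first-level folder -> bytes used.
    param([string]$Path)
    $sizes = @{}
    Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and
                       -not ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) } |
        ForEach-Object {
            $sum = (Get-ChildItem -LiteralPath $_.FullName -Recurse -Force `
                        -ErrorAction SilentlyContinue |
                    Where-Object { -not $_.PSIsContainer } |
                    Measure-Object -Property Length -Sum).Sum
            if ($null -eq $sum) { $sum = 0 }   # empty or unreadable folder
            $sizes[$_.FullName] = [long]$sum
        }
    return $sizes
}

$before  = Get-FolderSizes -Path $Root
$started = Get-Date
Start-Sleep -Seconds $IntervalSeconds
$after   = Get-FolderSizes -Path $Root
# Elapsed time includes the second scan, so rates are approximate.
$minutes = ((Get-Date) - $started).TotalMinutes

$after.Keys | ForEach-Object {
    $old = 0
    if ($before.ContainsKey($_)) { $old = $before[$_] }   # new folders start at 0
    New-Object PSObject -Property @{
        Folder      = $_
        SizeGB      = [math]::Round($after[$_] / 1GB, 2)
        GrowthMBMin = [math]::Round(($after[$_] - $old) / 1MB / $minutes, 1)
    }
} | Sort-Object GrowthMBMin -Descending |
    Select-Object Folder, SizeGB, GrowthMBMin -First $Top |
    Format-Table -AutoSize

# The fixlist above resets BITS jobs; listing them first is read-only
# (run from an elevated prompt to see jobs for all users).
bitsadmin /list /allusers
```

A folder that shows sustained growth here can then be matched to its writing process in Resource Monitor before anything is deleted.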