Malware and disk space issue

Hi All,

I’ve been browsing the forum for a while trying to find someone with my issue but have had no luck, so here it goes:

I had been noticing my disk space was getting lower and lower, even upon deleting files and uninstalling programs from my laptop (I went from 11 Gb yesterday morning to 5 Gb last night to 1.13 Gb this morning).

After running a scan for malware, there were 28 infected files (I’ll have to post the log results in a bit). I thought after cleaning those files, my constantly decreasing disk space issue would be solved but it continues.

My question is: even after removing the infected files, shouldn’t I have reclaimed that space? Or do I need to somehow manually go in and find the “multiplied” files and delete them?

You can determine which programme is taking up the disc space by using a small programme.

Please download TreeSize (by JAM Software) from the link below and save it to your Desktop.

Download Mirror #1

[*]Double-click on TreeSizeProfessional-Demo.exe to run TreeSize.
[*]Click Run at the security warning, if it appears.
[*]Select your language and press OK.
[*]Click Next, Accept the agreement and click Next a further three times.
[*]Untick all of the boxes then click Next.
[*]Wait for TreeSize to install then tick Launch TreeSize Professional as Administrator and click Finish
[*]TreeSize should now open. If it doesn’t, it can be found in your Start Menu under JAM Software.
[*]TreeSize will now scan your hard drive. On large hard drives, this could take a while to complete so please be patient.
[*]The scan finishes when there are no more hour glass icons over the folders listed in TreeSize.
[*]From the tree list on the left you will be able to determine which programme is taking the space

Thank you for your reply. Hopefully by the time I get home today, I still have enough disk space remaining to download the program you mentioned above.

This is a trial version, so as soon as you have the data you need you can uninstall it :)

Here is my Malware scan log - I am currently running the program suggested above to find out what files are taking up so much space.

When I returned home, my disk space bumped up to 3.2 (from 1.1 Gb this morning).

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.08.25.06

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Valerie :: OMX-PC [administrator]

8/25/2013 9:29:51 PM
mbam-log-2013-08-25 (21-29-51).txt

Scan type: Full scan (C:|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 404408
Time elapsed: 2 hour(s), 4 minute(s), 39 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 5
HKCR\CLSID{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3} (PUP.Optional.BrowseFox.A) → Delete on reboot.
HKCR\CLSID{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} (PUP.Optional.WeCare.A) → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} (PUP.Optional.WeCare.A) → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} (PUP.Optional.WeCare.A) → Quarantined and deleted successfully.
HKCR\TypeLib{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813} (PUP.Optional.OpenCandy) → Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (PUP.Optional.Conduit) → Bad: (http://search.conduit.com?SearchSource=10&CUI=UN34779143221180115&UM=2&ctid=CT3289663&SSPV=TB_TS7) Good: (http://www.google.com) → Quarantined and repaired successfully.

Folders Detected: 4
C:\Users\Valerie\AppData\Roaming\OpenCandy (PUP.Optional.OpenCandy) → Quarantined and deleted successfully.
C:\Users\Valerie\AppData\Roaming\OpenCandy\038AA3E2283E450D800156465FB97001 (PUP.Optional.OpenCandy) → Quarantined and deleted successfully.
C:\Users\Valerie\AppData\Roaming\OpenCandy\FAA61371CD59409186FC29F61F505909 (PUP.Optional.OpenCandy) → Quarantined and deleted successfully.
C:\Users\Valerie\AppData\Roaming\OpenCandy\OpenCandy_FAA61371CD59409186FC29F61F505909 (PUP.Optional.OpenCandy) → Quarantined and deleted successfully.

Files Detected: 18
C:\Program Files\LimeWire.NetworkShare\LimeWireWin5.5.14.exe (PUP.Optional.AskToolbar) → Quarantined and deleted successfully.
C:\Program Files\LimeWire.NetworkShare\LimeWireWin5.5.16.exe (PUP.Optional.AskToolbar) → Quarantined and deleted successfully.
C:\ProgramData\ReadOnlyInstaller.msi (PUP.Optional.WeCare.A) → Quarantined and deleted successfully.
C:\Users\Valerie.frostwire5\updates\frostwire-5.6.3.windows.exe (PUP.Optional.OpenCandy) → Quarantined and deleted successfully.
C:\Users\Valerie\AppData\Local\Temp\divD44A.tmp\mism.exe (PUP.Optional.Conduit.A) → Quarantined and deleted successfully.
C:\Users\Valerie\AppData\Local\Temp\ct3288691\ism.exe (PUP.Optional.Conduit.A) → Quarantined and deleted successfully.
C:\Users\Valerie\AppData\Roaming\FrostWire.AppSpecialShare\frostwire-5.1.5.windows.exe (PUP.Optional.OpenCandy) → Quarantined and deleted successfully.
C:\Users\Valerie\AppData\Roaming\OpenCandy\038AA3E2283E450D800156465FB97001\SmartbarExeInstaller.exe (PUP.Optional.SmartBar.A) → Quarantined and deleted successfully.
C:\Users\Valerie\AppData\Roaming\OpenCandy\FAA61371CD59409186FC29F61F505909\OpenCandySliderASPCA_20120302.msi (PUP.Optional.WeCare.A) → Quarantined and deleted successfully.
C:\Users\Valerie\Desktop\st-softonic-sntb.exe (PUP.Optional.SweetPacks.A) → Quarantined and deleted successfully.
C:\Users\Valerie\Desktop\FrostWire\FrostWire 5\frostwire-installer.exe (PUP.Optional.OpenCandy) → Quarantined and deleted successfully.
C:\Users\Valerie\Desktop\FrostWire\FrostWire 5\OCSetupHlp.dll (PUP.Optional.OpenCandy) → Quarantined and deleted successfully.
C:\Users\Valerie\Downloads\LimeWireWin.exe (PUP.Optional.AskToolbar) → Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\94FABOVH\updater-startnow-200-2.5-d[1].exe (PUP.Optional.SweetPacks.A) → Quarantined and deleted successfully.
C:\Users\Valerie\AppData\Roaming\OpenCandy\FAA61371CD59409186FC29F61F505909\1354.ico (PUP.Optional.OpenCandy) → Quarantined and deleted successfully.
C:\Users\Valerie\AppData\Roaming\OpenCandy\FAA61371CD59409186FC29F61F505909\EBB77268-338F-4C6A-8590-AD88FED26F4A (PUP.Optional.OpenCandy) → Quarantined and deleted successfully.
C:\Users\Valerie\AppData\Roaming\OpenCandy\FAA61371CD59409186FC29F61F505909\OCBrowserHelper_1.0.3.85.dll (PUP.Optional.OpenCandy) → Quarantined and deleted successfully.
C:\Users\Valerie\AppData\Roaming\OpenCandy\FAA61371CD59409186FC29F61F505909\WeCare_ASPCA_Standard_p27v1.exe (PUP.Optional.OpenCandy) → Quarantined and deleted successfully.

(end)
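An added example (not part of the original posts and not Malwarebytes' own tooling): a small Python parser for the log format in the post above. It tallies detection classes, lists items still waiting for removal at reboot, and checks each section's stated count against the entry lines actually present, which catches a truncated paste. The function names are hypothetical; the sample is an excerpt of the log above.

```python
import re
from collections import Counter

# Excerpt copied from the scan log in the post above, formatting as on the page.
SAMPLE_LOG = r"""Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 5
HKCR\CLSID{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3} (PUP.Optional.BrowseFox.A) → Delete on reboot.
HKCR\CLSID{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} (PUP.Optional.WeCare.A) → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} (PUP.Optional.WeCare.A) → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} (PUP.Optional.WeCare.A) → Quarantined and deleted successfully.
HKCR\TypeLib{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813} (PUP.Optional.OpenCandy) → Quarantined and deleted successfully.
Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (PUP.Optional.Conduit) → Bad: (http://search.conduit.com?SearchSource=10&CUI=UN34779143221180115&UM=2&ctid=CT3289663&SSPV=TB_TS7) Good: (http://www.google.com) → Quarantined and repaired successfully.
"""

SECTION = re.compile(r"^(?P<section>.+) Detected: (?P<count>\d+)$")
# Item, then "(Detection.Name)", an arrow, then details; the status follows the last arrow.
ENTRY = re.compile(r"^(?P<item>.+?) \((?P<name>[\w.]+)\) (?:→|->) (?P<rest>.+)$")

def parse_log(text):
    """Return (entries, declared); declared maps section -> count stated in its header."""
    entries, declared, section = [], {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := SECTION.match(line):
            section = m["section"]
            declared[section] = int(m["count"])
        elif section and (m := ENTRY.match(line)):
            status = re.split(r"→|->", m["rest"])[-1].strip().rstrip(".")
            entries.append({"section": section, "item": m["item"],
                            "name": m["name"], "status": status})
    return entries, declared

def summarize(text):
    entries, declared = parse_log(text)
    parsed = Counter(e["section"] for e in entries)
    return {
        # Detection class, e.g. "PUP.Optional" for bundled toolbars and adware.
        "classes": Counter(".".join(e["name"].split(".")[:2]) for e in entries),
        # Items not removed yet; they stay in place until the next reboot.
        "pending_reboot": [e["item"] for e in entries if "reboot" in e["status"].lower()],
        # Header count differs from the lines parsed: truncated or mangled paste.
        "count_mismatch": {s: (n, parsed[s]) for s, n in declared.items() if parsed[s] != n},
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```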

Ahh lots of toolbar type Junk

Download AdwCleaner from here to your desktop
Run AdwCleaner and select Scan

https://dl.dropbox.com/u/73555776/AdwCleaner.GIF

Once done select the report button and post the log

THEN

Download OTL to your Desktop
Secondary link

[*]Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.

https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif

[*]Select All Users
[*]Under the Custom Scan box paste this in

netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
dir "%systemdrive%\*" /S /A:L /C
CREATERESTOREPOINT

[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Post both logs