  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 206

File expands mysteriously from 150Megs to 21Gigs - slows down system and scans

I use XP Pro, PC Cillin Security suite, Spysweeper, and beta Windows Defender on my computer. Daily updates and scans.

Went to defrag my small (80GB) hard drive about two weeks ago and was amazed to see that 35.5 gigs were in use. I just don't download many files or load all that many programs, but I let it pass.

Then the last couple of days, the operation seemed sluggish and PC Cillin began taking over 2 hours to run a scan that normally takes about 18 minutes. I noticed it was crawling on its own internet security files. So I went to the Trend Micro folder and discovered that the Internet Security 2006 folder was now 21.5 gigs!?! What's as amazing (to me anyway) is when I entered the folder and aligned all the files and subfolders by size, there was nothing unusually large at all visible. They should not have added up to more than about 150 megs at most. Called Trend Micro tech and they said the normal size should be 100 to 200 Megs. They had never heard of anything like this and had no explanation.

Maybe in too much of a hurry to streamline, I deleted the humongous folder and then uninstalled and reinstalled PC Cillin. FWIW I then ran scans with all of my resident programs + an online Bit Defender scan and all came up clear. And the PC Cillin scan was back to taking only 18 minutes or so.

Now also back to using just 14.5 gigs, but very puzzled and more alert. Computer seems to be running fine again 12 hours later. So far anyway.

Have any of you experienced or heard of this sort of phenomenon before? Can a virus bloat a folder with apparently invisible files? Bizarre. Thanks very much in advance for any comments.
Asked by RiverLights
4 Solutions
r-k Commented:
It's possible your PC was hacked and was being used to store about 20 GB of hidden bootleg files (music, videos etc.).

To be on the safe side, download and run RootkitRevealer from:

 http://www.sysinternals.com/Utilities/RootkitRevealer.html

Don't do much else while the scan is in progress (it can take an hour or more). If anything interesting is found post back a summary here.

Also, check the usernames on your PC to be sure no unexplained username was added.

Finally, run "netstat -ab" from a command prompt to see what network ports are open, and by which programs.
phototropic Commented:
RiverLights,

Are you running any P2P software on your machine : Limewire, Bearshare, WinMx, etc.?
I had a client recently who had an 80GB HDD which was always full (0% free space) whatever files or folders he deleted.
His 15 year old son had installed KaZaa. When we checked the hard drive, Kazaa was running at about 62 GB and was full of 1000s of porn mpegs. We deleted KaZaa and everything went back to normal.

If you run P2P you need to be careful.
RiverLights (Author) Commented:
Upfront disclaimer: I'm modestly competent at using a computer... at least capable of learning... but my knowledge of the inner workings is minuscule. Nothing like an expert.
Also I am new here, so do not have the hang of the point system yet; but I see I can add points, and the real possibility of a hack here more than justifies kicking em up to 400.

Phototropic, that's excellent advice - thank you! - and I will keep it in mind. I do not use any P2P software that I know of, and am the only user of this computer (unless someone has broken in).

R-K, many thanks to you also.

I ran the rootkit scan. In my case it only took a few minutes. It noted one discrepancy.

C:\WINDOWS\Prefetch\CMD.EXE-034B0549.pf

size was 38.06KB

Description was "Hidden from windows API"

I also did the command prompt, and got a slew of results about my cable modem broadband connection; but at this point it is pretty much Greek to me. In a hurry at the moment, but will re-enter the prompt and take a closer look.
RiverLights (Author) Commented:
Took a couple minutes and went to my Windows prefetch files, and discovered that discrepancy (file) was created today. I scanned the specific file with PC Cillin. Then went to the free Kaspersky file scan site. Both showed it clean, but I am not sure that means much at this point. Had read somewhere that Trojans often successfully hide in prefetch files.....
r-k Commented:
The Rootkit scan looks clean, so no need to worry about that any more.

For Usernames, you can check as follows:

 Start -> Control Panel -> (Click on "Switch to Classic View") -> Administrative Tools -> Computer Management

and on the left side expand "Local Users and Groups" and then "Users"

In the right side you should see a list of usernames. Ignore the ones with a red X through them. The account named "Administrator" is always there, but examine the rest and if you find anything you don't expect you can post its name here.

Re. "netstat -ab" what you can do is to save that to a text file, as follows:

> netstat -ab > net.txt

This saves the results to a file named "net.txt"
Open that file by double clicking on it, it will open Notepad, you can then copy-and-paste the results here.
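As an added example (not code from this thread or from any of the posters), here is a small Python script that parses text in the XP "netstat -ab" layout r-k asks for above (a socket line, optional DLL component lines, then the owning [process.exe] in brackets), groups listening sockets by owning process, and pulls out connections to non-loopback peers and owners missing from a baseline. The sample input, the host name "host", and the KNOWN baseline are constructed for the example, not the poster's real output.

```python
import re
from collections import defaultdict
# Constructed sample in the XP "netstat -ab" layout: a socket line, optional
# DLL component lines, then the owning [process.exe] closing the block.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    host:epmap             host:0                 LISTENING       1088
  c:\\windows\\system32\\WS2_32.dll
  [svchost.exe]
  TCP    host:1026              localhost:40000        ESTABLISHED     1436
  [PcCtlCom.exe]
  TCP    host:4444              198.51.100.7:443       ESTABLISHED     9999
  [unknown.exe]
  UDP    host:ntp               *:*                                    1224
  [svchost.exe]
"""
SOCK = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
OWNER = re.compile(r"^\s*\[(.+)\]\s*$")

def parse_netstat(text):
    """One dict per socket; 'proc' is filled in when its [owner] line arrives."""
    sockets, current = [], None
    for line in text.splitlines():
        m = SOCK.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            current = {"proto": proto, "local": local, "foreign": foreign,
                       "state": state or "", "pid": int(pid), "proc": None}
            sockets.append(current)
        elif (o := OWNER.match(line)) and current is not None:
            current["proc"] = o.group(1)  # DLL component lines fall through
    return sockets

KNOWN = {"System", "svchost.exe", "lsass.exe", "alg.exe"}  # constructed baseline
LOOPBACK = ("localhost", "127.")

def review(sockets, known=KNOWN):
    """Group listeners by owner, and pull out what needs a second look."""
    listeners = defaultdict(list)  # owner -> endpoints it accepts traffic on
    external, unknown = [], []     # non-loopback peers; owners not in baseline
    for s in sockets:
        if s["state"] == "LISTENING" or s["proto"] == "UDP":
            listeners[s["proc"]].append(s["local"])
        elif s["state"] == "ESTABLISHED" and not s["foreign"].startswith(LOOPBACK):
            external.append(s)
        if s["proc"] not in known:
            unknown.append(s)
    return dict(listeners), external, unknown
```

On a real machine, feed it the saved net.txt instead of SAMPLE and replace KNOWN with the processes you expect on that box; anything left in the unknown or external lists is what to look up.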
RiverLights (Author) Commented:
Sorry, R-K, I had already checked user names. I'm the only one. And I entered a Netstat -n command and found 3 local addresses. One I recognize as mine, and two others. ( but I have no idea if that means anything).

Thanks for the text file tip...lemme do that right now....

Here's where my all-thumbs novice qualities kick in. I couldn't find the file, but then opened Notebook itself and found it listed there. Here's the readout:

<<Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    distantlights:epmap    distantlights:0        LISTENING       1088
  c:\windows\system32\WS2_32.dll
  C:\WINDOWS\system32\RPCRT4.dll
  c:\windows\system32\rpcss.dll
  C:\WINDOWS\system32\svchost.exe
  -- unknown component(s) --
  [svchost.exe]

  TCP    distantlights:microsoft-ds  distantlights:0        LISTENING       4
  [System]

  TCP    distantlights:1030     distantlights:0        LISTENING       3376
  [alg.exe]

  TCP    distantlights:4664     distantlights:0        LISTENING       2168
  [GoogleDesktopIndex.exe]

  TCP    distantlights:6999     distantlights:0        LISTENING       2104
  [tmproxy.exe]

  TCP    distantlights:40000    distantlights:0        LISTENING       2396
  [TmPfw.exe]

  TCP    distantlights:netbios-ssn  distantlights:0        LISTENING       4
  [System]

  TCP    distantlights:1026     localhost:40000        ESTABLISHED     1436
  [PcCtlCom.exe]

  TCP    distantlights:40000    localhost:1026         ESTABLISHED     2396
  [TmPfw.exe]

  TCP    distantlights:1523     localhost:6999         TIME_WAIT       0
  UDP    distantlights:isakmp   *:*                                    800
  [lsass.exe]

  UDP    distantlights:1330     *:*                                    1348
  C:\WINDOWS\system32\mswsock.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\DNSAPI.dll
  c:\windows\system32\dnsrslvr.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  UDP    distantlights:1040     *:*                                    1348
  C:\WINDOWS\system32\mswsock.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\DNSAPI.dll
  c:\windows\system32\dnsrslvr.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  UDP    distantlights:microsoft-ds  *:*                                    4
  [System]

  UDP    distantlights:4500     *:*                                    800
  [lsass.exe]

  UDP    distantlights:40116    *:*                                    1436
  [PcCtlCom.exe]

  UDP    distantlights:1387     *:*                                    3780
  [iexplore.exe]

  UDP    distantlights:ntp      *:*                                    1224
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\w32time.dll
  ntdll.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    distantlights:1444     *:*                                    3732
  [OUTLOOK.EXE]

  UDP    distantlights:1900     *:*                                    1428
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\ssdpsrv.dll
  C:\WINDOWS\system32\ADVAPI32.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    distantlights:2051     *:*                                    1168
  [SAgent2.exe]

  UDP    distantlights:ntp      *:*                                    1224
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\w32time.dll
  ntdll.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    distantlights:netbios-dgm  *:*                                    4
  [System]

  UDP    distantlights:netbios-ns  *:*                                    4
  [System]

  UDP    distantlights:1900     *:*                                    1428
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\ssdpsrv.dll
  C:\WINDOWS\system32\ADVAPI32.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

Again, many thanks for your help. (Should I delete that prefetch file just to be safe?)

r-k Commented:
No, no need to delete the prefetch file. That is quite normal.

Your netstat list also looks normal, so there is no indication of any problem there.

I am inclined to suspect some bug in Trend Micro at this point, but it is a bit baffling.

Maybe if the system is running fine you can just keep an eye on whether it happens again.

You can also run the free online scan from the Microsoft Live web site:

 http://safety.live.com/site/en-US/default.htm

Click on the yellow "Full Service Scan" button there. It takes a while to run but is fairly thorough.
I don't expect you'll find anything to explain the problem, but you never know.

Good luck.
RiverLights (Author) Commented:
The assistance and education much appreciated. The Microsoft scan was clean too.
I have a hunch it was a PC Cillin glitch too. Will stay alert. Thanks again.