Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virus moves around in Windows folder using 50.6gb free space


  • Please log in to reply
18 replies to this topic

#1 ValleA

ValleA

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:01:08 AM

Posted 27 October 2015 - 01:54 AM

Hi All,  I have an odd virus that traditional scans can't get.  I've tried Malaware Bytes, Norton Power eraser, Avast as my normal protection and ran an Avast boot scan as well.  Here's what's happening.  My 150gb drive recently had 50gb disappear so I went searching for what's using the space.  I found the Windows file uses over 50gb of space so I checked the properties of each sub-folder in order of appearance.  "Globalization" took up 50.6gb the first time I checked it's properties, then I closed it and checked again and it was 30.6mb.  I continued down the list and found Logs was 50.6gb, closed it, checked again and it was 273mb.  Then prefetch was 50.6gb and when checked a second time it was 0, then "tasks" was 50.6gb, second time it was 39.7kb, and this goes on and on indefinitely, I can chase the 50.6gb to another sub-folder but the second time it's gone.  I found that if I quickly close "properties" while it's counting up to 50.6 that it doesn't "jump".  It seems to "jump" to another sub-folder when it's done being counted.  So I copied "tasks" to a thumb drive and then chased the virus until it showed up in "tasks" again (one of it's favorites), stopped it halfway and tried to delete the subfolder so i could get rid of the virus, replace it with the good version on the thumb drive, but it wouldn't delete, said it was "in use." 

 

So how do I get rid of this fake 50gb space consuming virus? 

 

I'm running Windows 7 pro 64bit.

Thanks!



BC AdBot (Login to Remove)

 


#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,683 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:08 AM

Posted 27 October 2015 - 07:00 AM

Hi ValleA :)

My name is Aura and I'll be assisting you with your issue. Is it possible for you to download WinDirStat, then execute it, make it scan your C: drive and once the scan is complete, take a screenshot of the program's window (make sure it's maximized) so I can see it?

mq1pzD6.pngHow to take a screenshot using the Snipping Tool
Follow the instructions below to take a screenshot using Windows' Snipping Tool:
  • Press on the Win Key + R to open the Run box;
  • Enter SnippingTool and press on Enter;
  • The Snipping Tool will open, asking you to choose the area to take in the screenshot;
  • Left click on the area where you want to start the screenshot, keep it, and drag the cursor across the screen;
  • Once done, release the left button to take the screenshot;
  • In the editing window, click on the File menu then Save As;
  • Save the screenshot in a folder that you can access easily;
  • Attaching the screenshot in your reply
    • Go in your thread and click on the Reply to this topic button in the top-right corner;
      85hPFGu.png
    • Below the text box you'll have the option to Attach files. Click on the Choose Files... button, navigate to your screenshot and select it;
      LKVBzF7.png
    • Once done, add a comment to your reply and post it;

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 ValleA

ValleA
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:01:08 AM

Posted 27 October 2015 - 10:24 AM

Hi Aura,  Thank you for assisting me.  I ran windirstat as you asked but there is no attach file option on my screen so I can't attach it.  I have it though.  And on the side "post options" there is nothing there to check to enable attachiing files.  What to do?

Valle



#4 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,683 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:08 AM

Posted 27 October 2015 - 10:27 AM

My bad, I keep on forgetting that you cannot attach files in the AII section! You can upload the picture on Imgur.com and post the link to it here :)

https://imgur.com/

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#5 ValleA

ValleA
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:01:08 AM

Posted 27 October 2015 - 10:30 AM

https://imgur.com/a/pzOBy



#6 ValleA

ValleA
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:01:08 AM

Posted 27 October 2015 - 10:34 AM

Did that work?  I've never used imgur.  I see on that bottom that it said a fatal error occured.



#7 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,683 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:08 AM

Posted 27 October 2015 - 10:37 AM

It worked yes, thank you :)

Now, I can see that your Windows folder is taking 49.5GB and your user folder is taking 38GB. Now, can you expand the Windows folder in WinDirStat, take a new screenshot, upload it to Imgur and post it here please? :)

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#8 ValleA

ValleA
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:01:08 AM

Posted 27 October 2015 - 10:42 AM

https://imgur.com/G5MIUgO



#9 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,683 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:08 AM

Posted 27 October 2015 - 10:47 AM

Your WinSxS folder is taking up around 14.2GB of space, which is entirely normal. This is where every Windows Update is downloaded and applied (Manifests, payloads files mostly) so I would leave that be. Now, you have around 20.1GB of file in the "Installer" directory. This is a bit less normal. Follow the instructions below please.
  • On Windows Vista & 7, click on the Windows Start Menu, then enter cmd in the search box, right-click on the cmd icon and select Spcusrh.pngRun as Administrator
  • On Windows 8, drag your cursor in the bottom-left corner, and right-click on the metro menu preview, then select Command Prompt (Admin);
  • On Windows 8.1, right click on the Windows logo in the bottom-left corner and select Command Prompt (Admin);
  • Enter the command below and press on Enter;
    dir C:\Windows\Installer > "%userprofile%\Desktop\Output.txt"
  • This will create a file called Output.txt on your Desktop. Upload the file on Dropbox, Google Drive or OneDrive and post the download URL for it here;

Edited by Aura, 27 October 2015 - 10:47 AM.

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#10 ValleA

ValleA
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:01:08 AM

Posted 27 October 2015 - 11:12 AM

https://drive.google.com/open?id=0B8INZqATIiEBQzJsS0MtaWFuRjA



#11 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,683 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:08 AM

Posted 27 October 2015 - 12:02 PM

It looks like I need your permission to download this file. Is it possible to make the download link public so I can download it without sending you an email approval first? :)

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#12 ValleA

ValleA
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:01:08 AM

Posted 27 October 2015 - 12:10 PM

It says anyone with the link can view.     https://drive.google.com/file/d/0B8INZqATIiEBQzJsS0MtaWFuRjA/view?usp=sharing 



#13 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,683 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:08 AM

Posted 27 October 2015 - 12:22 PM

So you have a few big files in there. The sad thing with the Installer folder is that you cannot lightly delete files from its directory, as it could force you to reinstall some programs after.

http://blogs.technet.com/b/joscon/archive/2012/01/18/can-you-safely-delete-files-in-the-windir-installer-directory.aspx

There's some utilities that checks for the files in the Installer folder and let you know which one you could delete, but they aren't 100% safe to use.

https://www.raymond.cc/blog/safely-delete-unused-msi-and-mst-files-from-windows-installer-folder/

In other words, the best way to clean this folder is to uninstall the programs you don't need. This isn't a malware or a virus, just a Windows-related issue.

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#14 ValleA

ValleA
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:01:08 AM

Posted 27 October 2015 - 12:26 PM

But this all completely ignores the file that jumps in my windows folder as I explained in great detail.  I am not mis-reading the properties when I click on the subfolders.  It moves around.



#15 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,683 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:08 AM

Posted 27 October 2015 - 01:15 PM

Could be a glitch with the size properties. Are you able to give me a screenshot where the size of another folder (not the Installer one) is of 50GBs? I would like to see a screenshot where I can see the Windows Explorer, and the Properties window of the folder.

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users