Help requested with possible infection on Windows 10 PC


ProMod117
Go to solution Solved by Maurice Naggar,


I have a possible infection on my wife's Windows 10 PC.  She came to me last week indicating that the machine was out of hard drive space.  Sure enough, Drive C is down to 150MB of free space.  I'm not seeing where all the files are that would be consuming this space (unless they are hidden).

 

Anyway, Malwarebytes stopped running at some point, possibly due to the lack of space.  I'm thinking maybe she got infected at some point.  Can we look for a problem?

 

Farbar log and Addition attached.

 

Thanks,

Paul

FRST.txt Addition.txt


Hi.
Per the FRST report, Windows says that the C drive (the SSD) has a very small amount of free space. Note that physically the SSD is quite small too.  Drive c: () (Fixed) (Total:111.19 GB)   (Free:   0.15 GB) (Model: Samsung SSD 840 Series)

My first suggestion to you is to use the built-in CLEANMGR (the applet comes with MS Windows). Use it to clean up/delete temporary files and possibly some un-needed system files. I mean strictly by only using Cleanmgr.

https://www.tenforums.com/tutorials/3012-open-use-disk-cleanup-windows-10-a.html

You want to clear:

  • Temporary internet files
  • Temporary files
  • Recycle Bin
  • Previous Windows Installation files (one assumes that the current OS is otherwise running good)
  • Offline webpages

That's the strange thing.  There are only 12 GB of programs installed. It's like something is using that space.  Not sure how long she was getting the warning message before she said anything.  Windows only needs <50GB, so 12 GB of installed programs should leave plenty of space.

CLEANMGR cleared very little. Up to 245MB now...


Hello @ProMod117 

Going to simply highlight a couple of sample system events logged by Windows:
Error: (09/18/2022 08:09:40 AM) (Source: Microsoft-Windows-Defrag) (EventID: 264) (User: )
Description: The storage optimizer couldn't complete defragmentation on (C:) because: The disk being optimized is full. (0x8900001F)

Error: (09/16/2022 07:09:17 AM) (Source: ESENT) (EventID: 413) (User: )
Description: svchost (4616,R,98) SRUJet: Unable to create a new logfile because the database cannot write to the log drive. The drive may be read-only, out of disk space, misconfigured, or corrupted. Error -529.

Did someone possibly manually run the Windows Defrag applet?
Does this system possibly have a "jet printer" attached?

Additionally, there is a failing Microsoft Windows Update:
Error: (09/22/2022 03:56:09 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070070: 2022-09 Cumulative Update for Windows 10 Version 21H1 for x6

Take a moment to uninstall "Java 8 Update 221". That is a very old version.
There are apparent leftover traces of the Google Chrome browser. Did someone manually rip it out?

* * *

This custom-script job will run exclusively and, at the end, it will do a Windows Restart (reboot). This is intended to run some system checks, selected cleanups, as well as run the Windows System File Checker. Hopefully it will also be a help to remove temporary files so that more disk space is freed.

Please be sure to close any open work files, documents, and any apps you started yourself before starting this. THIS run will do a Windows RESTART. Once it starts it will auto-close any other running app.

We will use FRST64.exe on the D drive Desktop folder to run a custom script.  The system will be rebooted after the script has run.

This custom script is for  POSITRON machine  only / for this machine only.

  • Please save the (attached file named) FIXLIST.txt to the Desktop folder

Fixlist.txt    <<< - - - - -

Then start Windows Explorer and go to the D drive Desktop folder.


RIGHT click on FRST64.exe and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow it to run.

  • If the tool warns you the version is outdated, please download and run the updated version.
  • IF Windows prompts you about running this, select YES to allow it to proceed.
  • IF you get a block message from Windows about this tool, click the line "More info" on that screen and click the button "Run anyway" on the next screen.
  • On the FRST window, click the Fix button just once, and wait.

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.


Did someone possibly manually run the Windows Defrag applet?  -  I suppose my wife may have, not knowing you're not supposed to defrag SSDs....

Does this system possibly have a "jet printer" attached?   -  No, just a Canon MF741C laser.

Take a moment to uninstall "Java 8 Update 221". That is a very old version.  -  Done


There are apparent leftover traces of the Google Chrome browser. Did someone manually rip it out?  -  Not that I know of. She should be aware of the uninstall feature of Control Panel (but I wouldn't guarantee that!)

Worth noting, I found an Adobe Premiere cache folder with about 40 GB of old work files. She said she has it set to delete old work files, but apparently she doesn't or it doesn't work. I originally installed that on the C drive with the hope it would run a little faster. I'll have to see if I can designate work files to be on the D drive or reinstall to the D drive.

 

Will post FIXLOG.txt once complete. Currently running.

 

Thanks,

Paul


After running your script and cleaning up some Adobe cached files, I now have about 30GB free space.

Have some strays (I think) in the root directory taking up 6.1 GB under the following names:

hiberfil.sys (3.2 GB)
pagefile.sys (2.9 GB)
swapfile.sys
Dumpstack.log
Dumpstack.log.tmp
bootTel.dat

 

Still looking to see what are remnants from yesteryear.

 

Thanks,

Paul


PS. Look on the C drive. Do you see a folder "Windows.old"?

If and when you are settled in with the current version of this Windows, and you are sure you would not want to go back to the prior one, you can do some cleanups and regain some disk space.

This can be started by first getting to an elevated Command Prompt.

Open an elevated command prompt window, i.e. run Command Prompt as an administrator.

 

It is best to use the Windows Copy (CTRL+C) and Paste (CTRL+V) for the whole line, as-is.

To get the elevated command prompt, press Windows-key + X key and then select Command Prompt (Admin).

On that command prompt, copy & paste this command

cleanmgr.exe /AUTOCLEAN

and tap the Enter key. When it is all done, just close the window.

 

The following folders will be removed:

C:\$Windows.~BT\*
C:\$Windows.~LS\*
C:\$Windows.~WS\*
C:\ESD\Download\*
C:\ESD\Windows\*
C:\$WINDOWS.~Q\*
C:\$INPLACE.~TR\*
C:\Windows.old\*
C:\Windows\Panther


  • Solution

Given a situation where free space is a top consideration, whenever you do a new setup, you need to select the CUSTOM install option every time (if available). Take your time and go carefully whenever installing.

This other tip I meant to relay to you earlier. Please set File Explorer to SHOW ALL folders and all files, including hidden ones. Use OPTION ONE or TWO of this article.
Please see this Guide

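As an added example (not from the thread or its participants): a PowerShell script that does, from the command line, what the "show hidden files" tip and the manual hunt above do by hand. It lists the largest top-level items on C: with hidden/system files included (so hiberfil.sys, pagefile.sys and the Adobe cache show up), and then checks which of the upgrade leftover folders that cleanmgr.exe /AUTOCLEAN removes are actually present. It assumes Windows PowerShell 5.1 or later in an elevated prompt; the function and parameter names are the example's own.

```powershell
# Added example: locate where disk space has gone on the system drive.
# Assumes an elevated Windows PowerShell 5.1+ session (protected folders need it).
param([string]$Root = 'C:\')

function Get-TreeSizeGB {
    param([string]$Path)
    # -Force includes hidden and system files; folders we cannot read are skipped.
    $bytes = (Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
              Measure-Object -Property Length -Sum).Sum
    return [math]::Round(($bytes / 1GB), 2)   # $null sum becomes 0
}

# Free space as Windows reports it, to compare against what we find below.
$drive = Get-PSDrive -Name $Root.TrimEnd(':\')
'{0}: {1} GB used, {2} GB free' -f $drive.Name, [math]::Round($drive.Used / 1GB, 1), [math]::Round($drive.Free / 1GB, 1)

# Top-level folders and loose files (hidden ones included), largest first.
$report = foreach ($item in Get-ChildItem -LiteralPath $Root -Force -ErrorAction SilentlyContinue) {
    $sizeGB = if ($item.PSIsContainer) { Get-TreeSizeGB $item.FullName }
              else { [math]::Round($item.Length / 1GB, 2) }
    [pscustomobject]@{
        Name   = $item.Name
        SizeGB = $sizeGB
        Hidden = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
    }
}
$report | Sort-Object SizeGB -Descending | Select-Object -First 15 | Format-Table -AutoSize

# Upgrade leftovers that "cleanmgr.exe /AUTOCLEAN" removes (list as given in the thread).
$upgradeLeftovers = '$Windows.~BT', '$Windows.~LS', '$Windows.~WS', 'ESD\Download', 'ESD\Windows',
                    '$WINDOWS.~Q', '$INPLACE.~TR', 'Windows.old', 'Windows\Panther'
foreach ($rel in $upgradeLeftovers) {
    $full = Join-Path $Root $rel
    if (Test-Path -LiteralPath $full) {
        '{0,-20} present: {1} GB' -f $rel, (Get-TreeSizeGB $full)
    }
}
```

Run it as `.\Find-SpaceUse.ps1` (or paste it into the elevated console); a per-user cache such as the Adobe Premiere folder will show up under Users, which you can then pass as -Root to drill down.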


This system is good-to-go. This here is for tools cleanup.

Please download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log may open in Notepad titled kprm-(date).txt.  I do not need it. Just close Notepad if it shows up.

Consider using PatchMyPC, keep all your software up-to-date - https://patchmypc.com/home-updater#download

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

I am marking this case for closure.
I wish you all the best. Stay safe. 


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you
