  #1 New Lounger

    Virus or malware symptom: temp\cache\(lots of garbage)

    Last week I was working to clean up a neighbor's laptop (win 7 home premium, 64 bit). Her primary use is web based email and online gaming (not high performance FPS style, rather cards, backgammon, etc). I can't remember which gaming site she uses but she's a paid member.

    She had old Windows Defender installed so one of the first things I did was update her to MS Security Essentials. I uninstalled a bunch of browser bars and freshened Reader and Flash. Then I did full scans with Security Essentials, MalwareBytes, MalwareBytes antiroot, IOBit Malware fighter, CCleaner, etc.

    All those things cleaned up a bunch of garbage but one problem remained and still remains. I was unable to find a description of anything similar and none of the tools found it. The symptom seems like malware of some sort...

    If the laptop is connected to the network (via wi-fi) it will immediately create a directory under her temp directory -- c:\users\owner\AppData\temp\cache and then start filling that directory with other directories with numerical names (e.g. 4820, 33901, blah blah). It then fills those directories with mostly .txt files.

    When I left it alone for a few hours it had created over 300MB of junk in over 2000 directories under c:\users\owner\AppData\temp\cache. Needless to say that Windows Explorer is not good at deleting that many files.

    If I disabled the wi-fi then this activity stopped immediately. As I said before, I never solved the problem. I tried to attenuate the problem by creating a batch file that removes the ...\temp\cache directory and scheduled it to run every 15 minutes. If I waited longer than that it had too much time to create directories and files so the RD command took too long to run.

    Has anyone heard of this malware symptom? Have you managed to fix it?

    Thanks in advance,
    Ken
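    Before scheduling a blind RD every 15 minutes, it helps to know what the files are, how fast they arrive, and whether something running from AppData is still writing them. The PowerShell script below is an added example, not code from the thread; it assumes Windows PowerShell on the laptop and Ken's path C:\Users\owner\AppData\temp\cache (change $CachePath if yours differs).

```powershell
# Added triage script for the symptom in post #1 (not code from the thread).
# Assumes Windows PowerShell (2.0+ as shipped with Windows 7); the path is Ken's and is an assumption.
param(
    [string]$CachePath = 'C:\Users\owner\AppData\temp\cache',
    [int]$SampleBytes = 200,
    [switch]$Clean       # remove the subfolders after the inventory, like Ken's scheduled RD
)

if (-not (Test-Path -LiteralPath $CachePath)) {
    Write-Host "No $CachePath yet; run again while the laptop is on the network."
    return
}

$top   = @(Get-ChildItem -LiteralPath $CachePath -Force | Where-Object { $_.PSIsContainer })
$files = @(Get-ChildItem -LiteralPath $CachePath -Recurse -Force -ErrorAction SilentlyContinue |
           Where-Object { -not $_.PSIsContainer })
# Ken saw subfolders with purely numeric names (4820, 33901, ...); count how many match that pattern
$numeric = @($top | Where-Object { $_.Name -match '^\d+$' })
$sizeMB  = [math]::Round([double]($files | Measure-Object -Property Length -Sum).Sum / 1MB, 1)
Write-Host ("Top-level folders: {0} ({1} numeric)  files: {2}  total: {3} MB" -f $top.Count, $numeric.Count, $files.Count, $sizeMB)

# Extension and creation-rate breakdown: a steady trickle means a process is still writing, not a one-off dump
Write-Host ($files | Group-Object Extension | Sort-Object Count -Descending |
            Select-Object Count, Name | Format-Table -AutoSize | Out-String)
$lastHour = @($files | Where-Object { $_.CreationTime -gt (Get-Date).AddHours(-1) })
Write-Host ("Files created in the last hour: {0}" -f $lastHour.Count)

# Peek at the newest file: readable JSON/HTML/game data usually names the program that wrote it,
# which is what to look for in Process Monitor or in the process list below
$newest = $files | Sort-Object CreationTime -Descending | Select-Object -First 1
if ($newest) {
    Write-Host "Newest: $($newest.FullName) ($($newest.Length) bytes)"
    $bytes = Get-Content -LiteralPath $newest.FullName -Encoding Byte -TotalCount $SampleBytes
    Write-Host (-join ($bytes | ForEach-Object { if ($_ -ge 32 -and $_ -le 126) { [char]$_ } else { '.' } }))
}

# Anything running from a profile's AppData tree deserves a close look
Write-Host (Get-Process | Where-Object { $_.Path -like 'C:\Users\*\AppData\*' } |
            Select-Object Name, Id, Path | Format-Table -AutoSize | Out-String)

if ($Clean) {
    $top | ForEach-Object { Remove-Item -LiteralPath $_.FullName -Recurse -Force -ErrorAction SilentlyContinue }
    Write-Host ("Removed {0} subfolders from {1}" -f $top.Count, $CachePath)
}
```

    Run it once without -Clean and keep the output; the newest-file sample and the AppData process list are what a malware forum helper will ask for first.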

  #2 mrjimphelps (Silver Lounger)
    Sounds like something on her computer is phoning home. If you could determine what that is, you could block it in her router.

    You mentioned "wifi". I assume the same behavior occurs if she plugs into the router with an ethernet cable rather than using wifi. If not, then maybe she has a neighbor who has hacked her network. Check the router logs to see who has been logging on via wifi.

    Another suggestion: download and install the free-trial of a name-brand antivirus program -- e.g. Trend Micro -- and do a complete scan. Perhaps you will find other malware.

    Also, download and run ShellExView (you don't need to install it, just run it): http://www.snapfiles.com/get/shellexview.html. You can use ShellExView to disable DLLs. Disable everything but the Microsoft stuff and the items pertaining to her antivirus program. See if the problem disappears. If so, then reenable a few items at a time, then reboot, to see if the problem recurs. You may be able to track it down that way.

  #3 satrow (Super Moderator)
    Hi, Ken.

    Anything running from within the c:\users\owner\AppData\ sub-folders or storing that amount of data there should be treated as potential malware and investigated thoroughly. I would advise following a malware checkup/removal process and get a trained malware specialist to check it over with you. Many fora have specialist teams for this, I use Majorgeeks forum, Sysnative, techsupportforum, ...

    Jim, ShellExView can be downloaded easily from Nir Sofer's own site: http://www.nirsoft.net/utils/shexview.html, it saves risking any add-ons by visiting generalist download sites that need to pay their way by serving ads or potentially worse, along with the download.
    Last edited by satrow; 2014-03-06 at 13:13.


  #4 New Lounger
    mrjimphelps,

    I was working on her laptop at my house using my wifi. I live in a rural town. I can see two or three networks besides mine but the signals are too weak to connect, and my own wi-fi is not broadcasting its SSID. People can't connect to my wi-fi without me doing the setup for them. But I will check her router's DHCP and/or connection logs next time I'm up there. ("Hacking her network" - feh - I guessed her wi-fi password in ONE try, with my only foreknowledge being that she's on Comcast.)

    I did download two IOBit anti-virus / anti-malware tools. They cleaned up some stuff but not this. I downloaded two others but they wanted me to jump through a hoop or two to activate the trial so I dumped them.

    Quote Originally Posted by mrjimphelps:
    Also, download and run ShellExView
    I have never heard of that so I'll download it and check it out.
    Last edited by vorlonken; 2014-03-06 at 20:19.

  #5 New Lounger
    Quote Originally Posted by satrow:
    Anything running from within the c:\users\owner\AppData\ sub-folders or storing that amount of data there should be treated as potential malware and investigated thoroughly.
    Right, that's what my entire post was about... I'll check out one of the other forums you suggested.

  #6 New Lounger
    Have you tried Process Monitor (http://technet.microsoft.com/en-us/s...rnals/bb896645)? You can set the path in it and then see 'what' is using/creating it.

  #7 New Lounger
    No, thank you for the suggestion. I have asked my neighbor to bring her laptop back to me for additional troubleshooting so I'll give your suggestion a try when I get the machine.
    -Ken

  #8 3 Star Lounger
    It sounds counterintuitive on (3) below:
    (1) Download anti-virus software, etc. from another PC. Make bootable USB flash or CD/DVD from them.
    (2) Hardware disconnect from network [pull the net cable, shut off PC's AND router's wifi].
    (3) **DISABLE** Ms Security Essentials or uninstall it!!!

    The only time to allow networking is to boot DIRECTLY from the antivirus USB flash/disc. That is, clean boot without Windows operating. The networking allows the anti-virus software to update.

    Why disable MS Essentials? My hard experience on one of the toughest intrusions:
    While in Windows Safe Mode, the intrusion still fights against being erased by MS Essentials.
    The code in it shuts down the PC *before* MS Essentials finishes the cleansing.

    Security Essentials is designed to detect AND clean upon reboot/power-up, EVEN in Safe Mode(!). It is good ... and also bad.

    The intrusion detects the cleansing and simply shuts down the PC.
    Now you have boot-shutdown-reboot cycles forever until you pull the plug or the battery from laptop.

    Disabling Security Essentials allows Safe Mode to boot up (while still with the intrusion in it). The other anti-virus software can then do their magic.

    The best is boot up by a DVD/CD or USB flash drive and then eradicate.

    The mistake I made: The network allowed continued download-repopulate-regenerate after cleansing.
    So, must disconnect networking to do eradication.

    Hope this helps.

  #9 2 Star Lounger
    When you ran Malwarebytes Anti-Malware, did you run the quick scan or the full scan? If you did the quick scan, try it again with the full scan (could take about an hour, depending on how much data is on the hard drive).

    Security Essentials and IObit have below average malware detection. See these reports: http://securitywatch.pcmag.com/secur...antivirus-test and http://www.pcmag.com/article2/0,2817,2419549,00.asp. So, you should uninstall those two and replace them with a single product that's more effective (whether you have to jump through hoops, or not). A couple of free choices are Avast (http://www.avast.com) or AVG (http://free.avg.com). Avast has the standard full system scan, but also a boot scan. To get the most from the scans, some changes should be made to the installed default.

    To adjust the full scan: Status screen > Settings > Active Protection > File System Shield >
    1. Actions > Move to Chest as the first action for virus, PUPs, etc., and
    2. Sensitivity > Enable PUP and suspicious files.

    For the boot scan: Status screen > Scan > Boot-time scan > Settings >
    1. Enable scan for PUPs, and
    2. When a threat is found, move to chest.

    Check the quarantine (virus chest) when done to see if anything was captured. Avast has a tendency to be over sensitive, so if there's anything in there, first make sure it's not a false positive.

    If standard anti-malware software doesn’t bring a solution, you could try a specialized clean-up tool, such as Comodo Cleaning Essentials (http://www.comodo.com/business-secur...essentials.php).
    Last edited by cloudsandskye; 2014-03-19 at 18:01.

  #10 mrjimphelps (Silver Lounger)
    I suggest a two-step cleaning process -- all products are free:

    1. Windows Defender Offline. Use this for the initial cleaning. It's not the best, but it will get some things.

    2. Trend Micro Housecall -- a manual scan program. Run it in Safe Mode with Networking. Do a full scan, not a quick scan.

    Then, after doing these, download and install the various free antivirus tools available on the Trend Micro website. These will help you stay clean.
