What is my computer doing?
-
So I'm sitting here on my linux partition, trying to figure out what's up with Windows. I've got about 1.5 gigs free on my windows drive. After my computer has been on for a little while, something starts writing like mad to my c:\windows\temp folder. It just about maxes out my hard drive, writing files that can be up to 300 megs in size (although they can be much much smaller). The stuff also is given erroneous time stamps. More than a little suspicious. Clearly a virus or some other sort of malware is the obvious culprit, but I couldn't find anything after scanning with Kaspersky and some spyware scanners. The other thing that is a little strange is the stuff that gets written. Most of it is junk, but some text does get written. The two I just found were both MS stuff. The first is a short reference webpage for the ATL function AtlHiMetricToPixel (it's actually the inner frame on this page, minus the css) which was then followed by about 1.4 megs of binary data. The other was about 300 megs and the first chunk was a huge xml document that looked like it was some c# help document, with nodes related to .net classes and stuff. This was also followed by a ton of binary data. If I can't figure it out by the weekend, I'll probably reformat, because it does happen every time I use windows, after about an hour, and it just isn't cool. But I am a little curious about the fact that I couldn't find anything at all wrong with my computer. What does everyone think? Got to be a virus, right? Any suggestions for trying to isolate and identify this little monster? :confused::confused::confused:
Here's a tool I once used when I needed to track down a mystery writer: FileMon. Lots of other cool tools on that site.
:suss: Pssst. You see that little light on your monitor? That's actually a government installed spy camera. Smile and wave to big brother!
Painted on the side of a dog trainer's van: SIT HAPPENS
A couple things. Get off your Linux partition, it won't do you much good. {Ignore the stuff I put in here about handle.exe (steps 4 & 5 after reboot to normal mode). I realized after typing it out that filemon does the same thing as handle.}

A. Download ZoneAlarm Free from ZoneLabs.
B. Download Spybot Search & Destroy 1.4 from download.com.
C. Download Ad-Aware SE Personal from download.com (it's lost its former glory but still good).
D. Download HiJackThis from merijn.org.
E. Download RegMon when you are over getting FileMon, and you will most certainly want "Handle" while you are there.
F. Install and update all those applications with the latest information (you're going to reformat anyway so it's worth a try).

1. Boot into safe mode (hope you are running Win2K or WinXP). After the POST (following reboot) press F8 until you get prompted to pick a boot level. You want safe mode, no networking.
2. First configure ZoneAlarm's program control to "Ask for permission" and then deny everything when asked.
3. Set ZoneAlarm's trusted and internet firewalls to the highest level of protection.
4. Run Spybot Search & Destroy (that you updated when you installed in Normal Mode, right?).
---- A. Immunize using Spybot's Immunize function. You should see about 6500+ protections now enabled.
---- B. Search & Destroy, "Check for problems". Remove whatever it finds.
5. Run Ad-Aware SE using a similar tactic as Spybot S & D.
6. Don't worry about HiJackThis for now. It's something that is not necessary unless you are in really bad shape.

--- Reboot to Normal Mode ---

1. Make sure that ZoneAlarm is still cranked up solid and running.
2. Fire up filemon and regmon. See what they report. You can filter down on what you are after.
3. If you still see the files being written to then you need to use handle and see who's writing to them. (I'm pretty sure that both filemon and regmon show you what's writing to them, so in afterthought handle.exe won't be necessary.) - Edited.
4. When you downloaded handle.zip you picked some place to save it. For simplicity copy that file or extract it to C:\.
5. Now open a command window, look at your system clock in the system tray and note the time. If it's 9:55 then type the following, no quotes: "at 21:57 /interactive cmd.exe" and hit enter. This will schedule Windows to open a command window for you with SYSTEM level authority. Once that window opens type the following: cd C:\handle {hit enter} you should now be in the handle directory where handle.exe is. handle.exe > C:\open
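Once FileMon has captured a burst of activity, the quickest way to answer "who is filling c:\windows\temp" is to total the successful WRITE lengths per process for paths under that folder. The helper below is an added example, not code from the thread or from the Sysinternals tools; it assumes a tab-separated export with the columns sequence, time, process:pid, request, path, result, other, and the log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log in an assumed tab-separated layout
# (sequence, time, process:pid, request, path, result, other).
# Process names, PIDs, paths and lengths are made up for this example.
SAMPLE_LOG = """\
1\t9:55:01 PM\thelpviewer.exe:1844\tWRITE\tC:\\WINDOWS\\Temp\\hh1A2B.tmp\tSUCCESS\tOffset: 0 Length: 65536
2\t9:55:01 PM\thelpviewer.exe:1844\tWRITE\tC:\\WINDOWS\\Temp\\hh1A2B.tmp\tSUCCESS\tOffset: 65536 Length: 65536
3\t9:55:02 PM\texplorer.exe:1320\tQUERY INFORMATION\tC:\\WINDOWS\\Temp\tSUCCESS\tAttributes: D
4\t9:55:02 PM\tsvchost.exe:904\tWRITE\tC:\\WINDOWS\\Prefetch\\X.pf\tSUCCESS\tOffset: 0 Length: 4096
5\t9:55:03 PM\thelpviewer.exe:1844\tWRITE\tC:\\WINDOWS\\Temp\\hh3C4D.tmp\tSUCCESS\tOffset: 0 Length: 1048576
6\t9:55:03 PM\tunknown.exe:2212\tWRITE\tC:\\WINDOWS\\Temp\\~tmp1.dat\tSUCCESS\tOffset: 0 Length: 8192
"""

LENGTH_RE = re.compile(r"Length:\s*(\d+)")


def parse_line(line):
    """Split one exported record into a dict, or None if it is malformed."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 7:
        return None
    _seq, when, proc, request, path, result, other = parts[:7]
    return {"time": when, "process": proc, "request": request,
            "path": path, "result": result, "other": other}


def bytes_written_by_process(log_text, folder=r"C:\WINDOWS\Temp"):
    """Sum successful WRITE lengths per process for paths inside `folder`."""
    prefix = folder.lower().rstrip("\\") + "\\"
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["request"] != "WRITE" or rec["result"] != "SUCCESS":
            continue
        if not rec["path"].lower().startswith(prefix):
            continue  # writes elsewhere (e.g. Prefetch) are not our problem
        m = LENGTH_RE.search(rec["other"])
        if m:
            totals[rec["process"]] += int(m.group(1))
    return dict(totals)


def top_writers(log_text, folder=r"C:\WINDOWS\Temp", n=3):
    """Return the n heaviest writers to `folder` as (process:pid, bytes) pairs."""
    totals = bytes_written_by_process(log_text, folder)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    for proc, total in top_writers(SAMPLE_LOG):
        print(f"{proc:24s} {total:>12d} bytes")
```

Point the same function at a real export (after checking the column order matches) and the heaviest entry is the process to look at; a legitimate help viewer or indexer will show up just as clearly as malware would.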
If I remember correctly, MSDN Documentation writes out to the temp folder as you use it. So much so, that I have to clean out my Temp folder regularly while using MSDN Docs for development. Barry Etter