One of the computers on our network has a 60 GB partition on its hard drive. It is the main partition where Windows is installed and is used by one of our developers. Windows kept popping up an information box from the task bar saying that the hard drive was full.
I checked the C drive properties and there was less than 1 GB of space left. After I did a disk cleanup and removed some unnecessary programs I was able to free up 2 GB of space, enough to work. We have anti-virus and anti-spyware on our network, but I downloaded and installed some freeware versions, updated them, turned off System Restore and booted into safe mode. The programs I installed were AVG Anti-Spyware, Spybot, Ad-Aware, and Avira anti-virus. None of them detected anything beyond a few cookies though.
I checked the root of the C drive for suspicious files or directories and noticed that there was a directory named 1. The folder size was 42.9 GB with a size on disk of 43.1 GB, and it contained 180,838 files. Obviously this was the source of the low disk space. I thought this was strange, so I checked the contents before I deleted it and found the contents stranger than a mysterious folder appearing out of nowhere.
The contents were as follows:
180,804 files had the following naming convention:
1962x through 182766x, with a file type of "File" (no extension).
Odd files (1963x, 1965x, etc.) were all zero bytes and even files were 680 bytes.
This was followed by 32 files with the yzy file type. They were named
ABCDEFGHIJKLMNOPQRSTUVWXYZ_ABCDEFGHIJKLMNOPQRSTUVWXYZ_ABCDEFGHIJKLMNOPQRSTUVWXYZ_ABCDEFGHIJKLMNOPQRSTUVWXYZ_ABCDEFGHIJKLMNOPQRSTUVWXYZ_ABCDEFGHIJKLMNOPQRSTUVWXYZ_ABCDEFGHIJKLMNOPQRSTUVWXYZ_ABCDEFGHIJKLMNOPQRSTUVWXYZ_ABCDEFGHIJKLMNOPQRSTUVWXYZ_2 through ABCDEF…_34.
Files _2 through _22 were each 2 GB. Files _23 through _25 were 256 MB. Files _26 through _28 were each 32 MB, and _29 through _34 were 1.32 KB for the odd and 68 bytes for the even files.
I used sdelete to get rid of the files. It can be downloaded from http://www.microsoft.com/technet/sysinternals/Utilities/SDelete.mspx
Once I copied it over to my Windows directory, I opened the command line and typed:
sdelete -p 10 -s C:\1
This securely deletes the directory and all subdirectories using 10 passes. This might have been a little bit of overkill though. It's been 20 minutes and so far sdelete has only got rid of 28,000 (100 MB) files, and these are the smaller ones. I will keep everyone updated on how it goes and if the files come back. (I hope not!)
Does anyone else think that this is a virus, or can it be something else such as user error? What would you have done if you were in my position? I could have reinstalled, but I think this will turn out to be a great learning experience when I figure out how all those files got there.
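A defender-side check added here, not the poster's own tooling: a Python script that reproduces the triage the post does by hand (count, total size and distinct sizes per extension) and also records the modification-time window, which is the one extra datum worth capturing before sdelete wipes the evidence, since it narrows when the files started appearing. The sample tree it builds is a constructed miniature of the C:\1 folder, and all function names are my own.

```python
import os
import tempfile
from collections import Counter
from datetime import datetime
from pathlib import Path

def build_sample_tree(root: Path, numbered: int = 40) -> None:
    """Constructed stand-in for the mystery folder (sample data, not the real files):
    extensionless 1962x.. names alternating 0/680 bytes, plus a few .yzy files."""
    for i in range(1962, 1962 + numbered):
        (root / f"{i}x").write_bytes(b"\0" * (0 if i % 2 else 680))
    prefix = "ABCDEFGHIJKLMNOPQRSTUVWXYZ_" * 2  # shortened version of the post's name
    for n in range(2, 6):
        (root / f"{prefix}{n}.yzy").write_bytes(b"A" * (1024 if n % 2 == 0 else 64))

def inventory(root: Path) -> dict:
    """Per extension: file count, total bytes, the distinct sizes seen (a few
    repeated sizes point to a generator, not user data) and the mtime window."""
    summary = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            st = os.stat(os.path.join(dirpath, name))
            row = summary.setdefault(Path(name).suffix.lower(), {
                "count": 0, "bytes": 0, "sizes": Counter(), "first": float("inf"), "last": 0.0})
            row["count"] += 1
            row["bytes"] += st.st_size
            row["sizes"][st.st_size] += 1
            row["first"] = min(row["first"], st.st_mtime)
            row["last"] = max(row["last"], st.st_mtime)
    return summary

def report(summary: dict) -> str:
    lines = []  # one line per extension, largest total first, so the space hog is obvious
    for ext, row in sorted(summary.items(), key=lambda kv: -kv[1]["bytes"]):
        sizes = ", ".join(f"{s}B x{c}" for s, c in row["sizes"].most_common(4))
        first, last = (datetime.fromtimestamp(t).isoformat(timespec="seconds")
                       for t in (row["first"], row["last"]))
        lines.append(f"{ext or '(none)':8}{row['count']:>8} files{row['bytes']:>12} B  "
                     f"sizes: {sizes}  written {first} .. {last}")
    return "\n".join(lines)

def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:  # build the sample, summarise, print
        build_sample_tree(Path(tmp))
        summary = inventory(Path(tmp))
        print(report(summary))
        return summary

if __name__ == "__main__":
    demo()
```

Point `inventory()` at the real folder instead of the temp tree to get the same breakdown; the sizes column should show only a handful of repeated values if the files came from a program rather than a person.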