RE: Hard Drive keeps filling up

• Previous message: Virgil Cui: "RE: Need your help!!!"
• Maybe in reply to: Harris Samuel W PORT: "Hard Drive keeps filling up"
• Next in thread: Alexander Suhovey: "RE: Hard Drive keeps filling up"
• Reply: Alexander Suhovey: "RE: Hard Drive keeps filling up"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: security-basics@securityfocus.com
Date: Tue, 23 Sep 2003 13:54:23 -0700

  I would head on over to http://www.sysinternals.com and download some of
their monitoring software ( Filemon, Process Explorer, ListDLLs etc... ) and
see if you can find out which process has one of these files open in the
directory where all the tmp files are. If you want to view the contents of
the tmp file I would use HexWorkshop (http://www.hexworkshop.com) or HexEdit
(http://www.expertcomsoft.com) to view the files just to take a look inside
of them.

  Another items is to start shutting down processes from either Task Manager
or the Services control panel one by one to see if you can find out what is
filling of the files. Also, look in the two RUN keys in the registry

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

to see if you can find any program that shouldn't be starting up. Also, if
you are running a machine that has MSCONFIG on it ( WinXP and I think some
of the variants of Win9x have it also ) as it will list the startup
processes.

Mark Hicks

-----Original Message-----
From: Harris Samuel W PORT [mailto:HarrisSW@mail.ports.navy.mil]
Sent: Monday, September 22, 2003 11:09 AM
To: security-basics@securityfocus.com
Subject: Hard Drive keeps filling up

        I have been having a problem for a week now and can't seem to
detect
the culprit. This is on my home network. On my wife's machine, the OS is
Windows XP, 2.8G, Broadband connected, with 802.11g Linksys wireless
router.
I have 3 firewalls running on it, zonelabs, tiny and the firewall
included
with XP. I have an online subscription to McAfee virus software, and it
is
kept up to date as new updates are issued. I have checked Task Manager
and
shut down the processes that I knew wouldn't cause me a problem, the
rest
seem innocent enough, (to my knowledge). I've done netstat several times
and haven't discovered any obvious unknown connections. I have even
locked
the firewall down (Zonelabs) on several occasions, to eliminate the
possibly
that it was being accessed by an unknown process or program. I have
Ad-Aware
and Spy-Bot on the computer. I have all the updates to XP installed.
I
have used the Shavlik software and have updated everything it comes up
with, I have used the Microsoft Security Analyzer to check for any
security
problems and have installed all that was called for.
        Now for the problem. 2 weeks ago my daughter called me up and
was
frantic, because she had been instant messaging and some putz came on
and
told her to invite him in or she would be sorry. She didn't and she was.
He
infected her with some worm that proceeded to fill up her hard drive. I
had
given her an old computer that I had and it only had a 12G hard drive. I
used VNC to check her computer out and tried to stop the bleeding, but
it
was too much for me. Well, a few days later I get a message that my
computer
is almost out of space. I have an 80G hard drive. I looked at the file
system but couldn't find the files that were big enough to fill it up
like
that. I was performing a scan with McAfee (which detected nothing by the
way) and noticed that the computer was spending an inordinate amount of
time
on a .tmp file. I looked at the folder that was in question, and bingo I
found all the used space. There were several files in the folder that
all
ended in .tmp. One I remember was McV90.tmp. There were others, but that
is
the one I remember. It was 48G all by itself. I tried to open it to view
it,
but couldn't find a program that I had that could open it up. I deleted
the
file and regained my space back. A couple of days later the space was
being
eaten up again. I deleted it again and began monitoring it every few
hours
to see if there was any more action. I couldn't detect much for a few
hours,
then it started up again.
        I shut the firewall, so if it was external to the computer, then
I
would stop any outgoing action. The firewall came up with a few
complaints,
but nothing out of the ordinary (I think it wasn't out of the ordinary)
This
didn't seem to stop the process, so I am assuming the problem is in the
computer. I have a Windows 2000, Redhat, 9.0, Redhat 8.0 on the rest of
my
network. No problems with any of them. I have googled, I have McAfee'd,
I
have done a few other search engines, but I come up empty as to what
this
is. Spybot and Ad-Aware found nothing, as I run them daily. Any ideas
where
to go next? I am fresh out of ideas at the moment

Sam

------------------------------------------------------------------------

---
------------------------------------------------------------------------
----
---------------------------------------------------------------------------
----------------------------------------------------------------------------
_________________________________________________________________
Share your photos without swamping your Inbox.  Get Hotmail Extra Storage 
today! http://join.msn.com/?PAGE=features/es
---------------------------------------------------------------------------
----------------------------------------------------------------------------

• Previous message: Virgil Cui: "RE: Need your help!!!"
• Maybe in reply to: Harris Samuel W PORT: "Hard Drive keeps filling up"
• Next in thread: Alexander Suhovey: "RE: Hard Drive keeps filling up"
• Reply: Alexander Suhovey: "RE: Hard Drive keeps filling up"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]