XP hard drive full up. Bug?

Discussion in 'other security issues & news' started by porty, Feb 28, 2005.

Thread Status:
Not open for further replies.
  1. porty

    porty Registered Member

    Joined: Sep 17, 2004
    Posts: 48

    A customer's XPP machine suddenly won't boot, either regularly, Last Good or Safe mode.

    I took out the drive and installed it as a passenger in another machine. I ran a virus check which came up clean but Tree Size revealed that there's only 18mb free space left on this 20gb drive. This is curious as the elderly customer only does a bit of bookwork and some emailing, and the last time I looked his usage wouldn't have been over 5 or 6gb total.

    A closer look at Tree Size reveals that the usage breaks down to 2gb in bits and pieces, 1gb in program files, 3gb in Windows, and the rest, 13.6gb is in the System Volume Information folder.

    This seems real strange and I'm wondering if a bug is responsible.

    Does anyone know what might have occurred here? Or how it can be fixed? I guess I could try and empty the System Volume Information folder but I don't know if this would be wise.

    TX
     
  2. LockBox

    LockBox Registered Member

    Joined: Nov 20, 2004
    Posts: 2,275
    Location: Here, There and Everywhere

    Is it possible somebody ran a drive eraser program to wipe free space? If they did and it was interrupted, with certain drive cleaning programs, it can cause exactly what you have described. The programs fill the free space with large files to overwrite the free space. When the program concludes, those files are deleted. If it was interrupted, with several of these types of programs it can cause havoc, with large files scattered all over the drive and never deleted. A drive that is full or near-full can cause boot problems. Just thought I would mention this as - you never know.

    Good luck!
     
  3. porty

    porty Registered Member

    Joined: Sep 17, 2004
    Posts: 48

    Gerard, that's a good point. Yes, I guess that's quite possible that some well-meaning friend of my customer has done that.

    I just need a way to overcome the problem while the drive is in its current location in my workshop PC ;)

    Cheers
     
  4. porty

    porty Registered Member

    Joined: Sep 17, 2004
    Posts: 48

    Nothing worked - ended up having to reinstall.

    Thanks, Gerard.
     
  5. PaRaNoiD_JaCK

    PaRaNoiD_JaCK Registered Member

    Joined: Mar 6, 2005
    Posts: 5

    I'd say you were hacked and they were using that folder to store their data there. Because the System Volume Information folder is inaccessible by default, they will use this, since the majority of users do not know how to make it accessible.

    To access it you just need to add your user name to its security profile and grant yourself full control.

    Another place they can hide files which are hidden is in the recycle bin.

    A folder like .hidden, as an example, created within the user's recycle bin will not be accessible via Explorer. You need to create this folder via command prompt.

    C:\RECYCLER\S-1-5-21-527237240-706699826-725345543-500\.hidden

    To make this folder visible in Explorer you can simply delete the INFO2 and desktop.ini files in the recycle bin. You can view these files via command prompt using dir /a.

    I've seen many compromised systems using these methods as well as rootkits being used, and the best option in the end is to reformat and re-install.

    :)
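
A defender-side check for the Recycle Bin hiding place described in the post above, added here as an example and not written by anyone in the thread: it walks the RECYCLER folder of a drive attached to a second machine and lists, with sizes, every entry that is not INFO2, desktop.ini or a `D<drive letter><index>` item. The function names and the sample tree (including its SID) are constructed for illustration, and the check assumes XP's usual naming of deleted items.

```python
import os
import re
import tempfile

# Names Windows XP itself writes into RECYCLER\<SID>\ : the INFO2 index,
# desktop.ini, and deleted items renamed to D<drive letter><index>[.ext].
EXPECTED = re.compile(r"^(INFO2|desktop\.ini|D[a-z]\d+(\.[^\\/]*)?)$", re.IGNORECASE)
SID_DIR = re.compile(r"^S-1-5-\d+(-\d+)*$", re.IGNORECASE)


def tree_size(path):
    """Total size in bytes of a file or of everything under a directory."""
    if os.path.isfile(path):
        return os.path.getsize(path)
    return sum(os.path.getsize(os.path.join(d, f))
               for d, _dirs, files in os.walk(path) for f in files)


def audit_recycler(recycler_root):
    """Return [(path, bytes)] for entries that XP's Recycle Bin would not create."""
    findings = []
    for sid in sorted(os.listdir(recycler_root)):
        sid_path = os.path.join(recycler_root, sid)
        if not SID_DIR.match(sid) or not os.path.isdir(sid_path):
            findings.append((sid_path, tree_size(sid_path)))  # not a per-user bin
            continue
        for entry in sorted(os.listdir(sid_path)):
            if not EXPECTED.match(entry):
                full = os.path.join(sid_path, entry)
                findings.append((full, tree_size(full)))
    return findings


def build_sample(base):
    """Constructed sample tree: one per-user bin with a planted '.hidden' folder."""
    sid = os.path.join(base, "RECYCLER", "S-1-5-21-1111111111-2222222222-3333333333-500")
    os.makedirs(os.path.join(sid, ".hidden"))
    sizes = {"INFO2": 20, "desktop.ini": 65, "Dc1.txt": 100, ".hidden/stash.bin": 4096}
    for name, size in sizes.items():
        with open(os.path.join(sid, name), "wb") as fh:
            fh.write(b"\0" * size)
    return os.path.join(base, "RECYCLER")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, size in audit_recycler(build_sample(tmp)):
            print(f"{size:>10} bytes  {path}")
```

Against a real drive, pass the RECYCLER path of the attached volume to `audit_recycler` from an account that can read it; a large or unexpected entry is a lead to examine, not proof of compromise.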
     