Disk Space Disappearing

Status
Not open for further replies.
Seems like a virus or rootkit, but...

I am having an issue with a server with disk space disappearing into nowhere. On the data partition (drive D) of the SBS 2003 server, every day ~1GB of disk space gets eaten up. This even happens on the weekends when no one is in the office using the system. Also, I cannot find any files or folders that are increasing in size. Out of 193GB, drive D now has 70GB remaining. However, when I do a folder-by-folder audit, only 9.5GB is used on drive D (unhiding all files first). I have even tried tools like DiskTective and TreeSize to find where the space is but with no new finds; they both report 9.5GB in files but only 70GB out of 193GB available on disk. The paging file is stored on drive C, Exchange badmail is not growing in size... I'm lost for an explanation. The only other thing that I noted is that the AutoProtect setting of Symantec Endpoint Protection on the server reports a malfunction. However, a full system scan reveals nothing.

Last weekend I disconnected the DSL modem from the network and the space stabilized / stopped decreasing for that time period. So it looks like whatever is happening is somehow Internet related. I have run many AV programs, rootkit detectors, malware detectors, and the like - all with no hits.

First, I would like to find what is using my drive space but cannot find any related files. Does anyone know of software to perform a more comprehensive audit? Then, I need to find whatever is eating the space and stop it. I do not know where to look next.

Ideas? Thanks!
 
Write down your disk free and used then do the below!

Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "Cleanup at TechSpot".

Then Start-Programs-Accessories-System Tools-Disk Cleanup
Click OK to accept C:
Select all Boxes
Then click More Options
Here click System Restore and OK to "Are you sure" and then OK to Run.

As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

It clears what is known as Shadow copies which are used by specialized back up programs.

This is if you have the Volume Shadow Copy running which is the default.

Then get back with the name of the backup software you are using.

Mike

EDIT: OK, so you may not have System Restore installed on Svr2003, but you know it can be installed, right? So proceed!
 
Go ahead and clean; you have no Restore points to remove.

Just do the ERUNT below and clean.

Sys Restore to Server 2003
http://www.msfn.org/win2k3/sysrestore.htm
=========================================

On a Server you need redundancy so get the below. ERUNT has never failed me but SR if it works it is Grand. But I have found when you most need it, it has gone south. It either finds no restore points or if it does it can't restore them and malware gets the via the normal Restore point or attacked directly by malware.

I keep SR but always with ERUNT as a kicker.

ERUNT
Add a redundant Reg backup: get and install ERUNT, let it add itself to startup, and do a backup on install; check all boxes.

ERUNT http://www.larshederer.homepage.t-online.de/erunt/
Yes! Even if you use system restore and other backups Registry and Images.

Mike
 
- Successfully installed Sys Restore and created a restore point.

- Ran disk cleanup as described

- Installed and ran ERUNT

There is no change in the amount of space available on my D partition. The files that are taking up this space remain hidden and undetectable.

I am using an online backup utility called IronMountain LiveVault for my backups (you can find it at the web site of the same name).

Any suggestions?

Thank you for your time!
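An added example, not part of the original thread: a folder-by-folder audit only counts what the auditing account can read, so space held in places it cannot enumerate (on Windows, System Volume Information, where shadow copy storage is kept, is normally restricted to SYSTEM) appears as "missing". The sketch below totals the files it can see, records every path it could not read, and reports the gap against what the volume says is used; the function names `audit_tree` and `unaccounted` and the `D:\` default are assumptions made for illustration.

```python
import os
import shutil
import stat
import sys


def audit_tree(root):
    """Return (bytes_counted, file_count, unreadable_paths) for everything under root."""
    unreadable = []
    total = count = 0
    # os.walk silently skips directories it cannot list unless onerror is set,
    # which is exactly how an audit ends up under-reporting.
    walker = os.walk(root, onerror=lambda err: unreadable.append(err.filename))
    for dirpath, _dirnames, filenames in walker:
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow links out of the tree
            except OSError:
                unreadable.append(path)
                continue
            if stat.S_ISREG(st.st_mode):
                total += st.st_size  # logical size, not allocated clusters
                count += 1
    return total, count, unreadable


def unaccounted(root):
    """Compare what the volume reports as used with what the walk could see."""
    usage = shutil.disk_usage(root)
    counted, count, unreadable = audit_tree(root)
    return {
        "volume_used": usage.used,
        "counted": counted,
        "gap": usage.used - counted,
        "files": count,
        "unreadable": unreadable,
    }


if __name__ == "__main__":
    # Default root is the D: data partition from the thread; pass another path to override.
    report = unaccounted(sys.argv[1] if len(sys.argv) > 1 else "D:\\")
    gib = 1024 ** 3
    print(f"volume used : {report['volume_used'] / gib:8.2f} GiB")
    print(f"files seen  : {report['counted'] / gib:8.2f} GiB in {report['files']} files")
    print(f"unaccounted : {report['gap'] / gib:8.2f} GiB")
    for path in report["unreadable"]:
        print(f"could not read: {path}")
```

A large gap together with a short list of unreadable folders points at those folders as the place to look next.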
 