Mystery DVD images inside System Volume Information dir

Posted on 2007-10-17
Last Modified: 2013-12-02
I was checking the fragmentation on a client's server when something unusual caught my eye.  The paths of some files looked like:
After giving myself access to the volumes, I found a bunch of DVD images squirreled away in there!

Is this a known exploit or an inside job?

This server is behind a firewall and is running Tomcat for some websites it houses.  I don't see anything unusual in the task list that is obviously an issue.  Any ideas on this?


Question by:freymish

    Expert Comment

    It's the System Restore Folder. Per Microsoft:

    The System Volume Information folder is a hidden system folder that the System Restore tool uses to store its information and restore points.

    Article here:

    How to gain access to the System Volume Information folder

    Author Comment

    My question is actually how those files got there.  Not by any normal means, I'm sure.

    Expert Comment

    If the file dates match the rest of what is in that folder, then, yes, they probably got there through "normal means" just by virtue of having been picked up in the system restore that was done at that time. If you follow the link I gave above, it describes how one can access the folder through manual means. So, if the file dates don't match the rest of those in the folder, I think it would be reasonable to assume that somebody followed the instructions explained in that link, and hid the files there. Did you read the article and check the Security on the folder?

    Accepted Solution

    That folder is a common target for hackers to store bootleg music and movies, so it is nearly certain that your system has been hacked. Suggest you take a close look at all programs running and starting, and eliminate the bootleg ftp server that is probably installed, then proceed to the clean-up stage. Don't delete the files right away unless you need space, because the dates and times can provide useful clues.

    Here are some things you can do:

    (1) Examine all user accounts, disable or delete any accounts known to be fraudulent, then change passwords on all admin accounts, using at least 10 chars and avoid common names and words.

    (2) Download RootkitRevealer ( and do a scan. Post the log here if it shows anything suspect. If the log is very long then just post the first 30 lines or so. Be sure to save the log in any case.

    (3) Download Autoruns from:
    (a) Run the program. It lists a bunch of things that start when Windows starts.
    (b) From the menu bar, select Options, then uncheck "Include Empty Locations" and check "Hide Microsoft Entries".
        Important -> Then click the Refresh button in the toolbar.
    (c) This will give you a shorter, more meaningful list.
    (d) Post the log here if anything interesting.

    (4) Run "netstat -an" from a command prompt, save the output to a text file (e.g. "netstat -an > list.txt"), then copy-and-paste the list here. If you like you can just post the suspect entries, or replace your IP with xx.xx

    (5) If you identify any files installed by the hacker, search the rest of your C: drive for any other files created/modified around that date and time. Also, rather than deleting files left behind by the hackers, move them to another disk or CD for possible later study.

    (6) After things have been cleaned up, download and run MBSA from: and do a scan and follow as many steps as reasonable.
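The checks in steps (1), (4) and (5) of the answer above, plus the "check the Security on the folder" and "file dates" points from the earlier comment, collected into one triage script. This is an added example, not code from the thread or from any of the tools it names. It assumes an elevated PowerShell 5.1 or later session on the affected host (Get-LocalUser and Get-FileHash are not available on older versions) and that you have already granted yourself access to the hidden folder as the linked article describes. Every path and the time window are hypothetical placeholders; the RootkitRevealer, Autoruns and MBSA steps stay manual.

```powershell
# Added triage helper for the checks in the accepted answer; not code from the
# original thread. ASSUMPTIONS: elevated PowerShell 5.1+ on the affected host,
# and you already have access to the hidden folder. All paths and the time
# window below are hypothetical placeholders; replace them with your own.

$SuspectRoot = 'D:\System Volume Information'   # hypothetical: where the DVD images were found
$SearchRoot  = 'C:\'                             # hypothetical: drive to sweep for related files
$EvidenceDir = 'E:\evidence'                     # hypothetical: a separate disk for preserved artifacts
$WindowHours = 12                                # hypothetical: +/- hours around the reference time

# Folder ACL and full inventory. Genuine restore points live in _restore{GUID}
# subfolders; a warez drop usually sits in some other subfolder with dates that
# do not line up with the restore points around it.
function Get-SuspectInventory {
    param([string]$Root)
    (Get-Acl -LiteralPath $Root).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize | Out-String | Write-Host
    Get-ChildItem -LiteralPath $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Sort-Object Length -Descending |
        Select-Object FullName,
                      @{ n = 'MB'; e = { [math]::Round($_.Length / 1MB, 1) } },
                      CreationTime, LastWriteTime
}

# Step (1): every local account, plus who actually sits in Administrators.
function Get-AccountReview {
    Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet, Description
    Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource
}

# Step (4): "netstat -an" shows the ports but not who owns them; -o adds the
# PID, and Win32_Process supplies the executable path behind each listener,
# which is what you actually want to look at for a rogue FTP daemon.
function Get-ListenerMap {
    $procs = @{}
    Get-CimInstance Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }
    netstat -ano | ForEach-Object {
        # e.g. "  TCP    0.0.0.0:21    0.0.0.0:0    LISTENING    1234"
        #      "  UDP    0.0.0.0:123   *:*                       5678"
        if ($_ -match '^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_\d]+)\s+)?(\d+)\s*$') {
            if ($Matches[1] -eq 'UDP' -or $Matches[4] -eq 'LISTENING') {
                $p = $procs[[int]$Matches[5]]          # $null if the process is already gone
                [pscustomobject]@{
                    Proto   = $Matches[1]
                    Local   = $Matches[2]
                    PID     = [int]$Matches[5]
                    Process = $p.Name
                    Path    = $p.ExecutablePath
                }
            }
        }
    }
}

# Step (5): anything on the sweep drive created or modified within the window
# around the reference time. Noisy on a busy server, so sort it and read it.
function Find-FilesNearTime {
    param([string]$Root, [datetime]$Reference, [int]$Hours)
    Get-ChildItem -LiteralPath $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object {
            [math]::Abs(($_.CreationTime  - $Reference).TotalHours) -le $Hours -or
            [math]::Abs(($_.LastWriteTime - $Reference).TotalHours) -le $Hours
        } |
        Sort-Object CreationTime |
        Select-Object FullName, CreationTime, LastWriteTime, Length
}

# Preserve before you clean: record the original timestamps and hashes first,
# then copy. A copy or move does not keep CreationTime, so the CSV written
# here is the timeline, not the copies.
function Save-Evidence {
    param([object[]]$Items, [string]$Dest)
    New-Item -ItemType Directory -Path $Dest -Force | Out-Null
    $Items | Export-Csv -LiteralPath (Join-Path $Dest 'inventory.csv') -NoTypeInformation
    foreach ($item in $Items) {
        $h = Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256
        "$($h.Hash)  $($item.FullName)" | Add-Content -LiteralPath (Join-Path $Dest 'sha256.txt')
        Copy-Item -LiteralPath $item.FullName -Destination $Dest -Force
    }
}

# --- run it ---
$inventory = Get-SuspectInventory -Root $SuspectRoot
$inventory | Format-Table -AutoSize
Save-Evidence -Items $inventory -Dest $EvidenceDir

Get-AccountReview | Format-Table -AutoSize
Get-ListenerMap   | Format-Table -AutoSize

# Use the newest suspect file as the pivot for the timeline search.
$pivot = ($inventory | Sort-Object CreationTime -Descending | Select-Object -First 1).CreationTime
Find-FilesNearTime -Root $SearchRoot -Reference $pivot -Hours $WindowHours |
    Export-Csv -LiteralPath (Join-Path $EvidenceDir 'timeline.csv') -NoTypeInformation
```

Two caveats a practitioner should keep in mind. First, on a 2007-era host without PowerShell the same information comes from `net user`, `net localgroup administrators`, `netstat -ano` with `tasklist`, and `dir /a /o:d` on the suspect folder. Second, everything above runs on the box you suspect is compromised; if a rootkit is present (which is why the answer has you run RootkitRevealer), the process list, ACLs and directory listings can all be lied to, so an inventory taken from the disk mounted on a clean machine is the one to trust.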

    Expert Comment

    Thanks, hope you were able to get things cleaned up.
