• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 215
  • Last Modified:

Mystery DVD images inside System Volume Information dir

I was checking the fragmentation on a client's server when something unusual caught my eye.  The paths of some files looked like:
After giving myself access to the volumes, I found a bunch of DVD images squirreled away in there!

Is this a known exploit or an inside job?

This server is behind a firewall and is running Tomcat for some websites it houses.  I don't see anything unusual in the task list that is obviously an issue.  Any ideas on this?


1 Solution
It's the System Restore Folder. Per Microsoft:

The System Volume Information folder is a hidden system folder that the System Restore tool uses to store its information and restore points.

Article here:

How to gain access to the System Volume Information folder

freymish (Author) Commented:
My question is actually how those files got there.  Not by any normal means, I'm sure.
If the file dates match the rest of what is in that folder, then, yes, they probably got there through "normal means" just by virtue of having been picked up in the system restore that was done at that time. If you follow the link I gave above, it describes how one can access the folder through manual means. So, if the file dates don't match the rest of those in the folder, I think it would be reasonable to assume that somebody followed the instructions explained in that link, and hid the files there. Did you read the article and check the Security on the folder?
That folder is a common target for hackers to store bootleg music and movies, so it is nearly certain that your system has been hacked. Suggest you take a close look at all programs running and starting, and eliminate the bootleg ftp server that is probably installed, then proceed to the clean-up stage. Don't delete the files right away unless you need space, because the dates and times can provide useful clues.

Here are some things you can do:

(1) Examine all user accounts, disable or delete any accounts known to be fraudulent, then change passwords on all admin accounts, using at least 10 chars and avoid common names and words.

(2) Download RootkitRevealer (http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx) and do a scan. Post the log here if it shows anything suspect. If the log is very long then just post the first 30 lines or so. Be sure to save the log in any case.

(3) Download Autoruns from: http://www.microsoft.com/technet/sysinternals/utilities/Autoruns.mspx
(a) Run the program. It lists a bunch of things that start when Windows starts.
(b) From the menu bar, select Options, then uncheck "Include Empty Locations" and check "Hide Microsoft Entries".
    Important -> Then click the Refresh button in the toolbar.
(c) This will give you a shorter, more meaningful list.
(d) Post the log here if anything interesting.

(4) Run "netstat -an" from a command prompt, save the output to a text file (e.g. "netstat -an > list.txt") then copy-and-paste the list here. If you like you can just post the suspect entries, or replace your ip with xx.xx

(5) If you identify any files installed by the hacker, search the rest of your C: drive for any other files created/modified around that date and time. Also, rather than deleting files left behind by the hackers, move them to another disk or CD for possible later study.

(6) After things have been cleaned up, download and run MBSA from: http://www.microsoft.com/technet/security/tools/mbsahome.mspx and do a scan and follow as many steps as reasonable.
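The checks in steps (1), (3), (4) and (5) above can be scripted so the results are saved in one place before anything is cleaned up. The script below is an added example, not code from the thread or from the commenters; it assumes an elevated Windows PowerShell 3.0 or later session, that the affected volume is C:, that read access to System Volume Information has already been granted as described in the linked KB article, and that a folder C:\triage exists for the output. The extension list used to pick out the suspect files is an assumption and should be widened to match what was actually found. It does not replace RootkitRevealer or MBSA (steps 2 and 6).

```powershell
# Added triage example, not part of the original thread.
# Assumptions: elevated Windows PowerShell 3.0+, volume C:, read access to the
# System Volume Information folder already granted, C:\triage exists for output.

$svi = 'C:\System Volume Information'
$out = 'C:\triage'

# --- Step (5) prep: the suspect files inside the restore folder ---------------
$all   = Get-ChildItem -LiteralPath $svi -Recurse -Force -File -ErrorAction SilentlyContinue
# Extension list is an assumption; widen it to match what the server shows.
$media = @($all | Where-Object { $_.Extension -match '^\.(iso|img|nrg|avi|mpg|mkv|mp3|rar|zip)$' })
$media | Select-Object FullName, Length, CreationTime, LastWriteTime |
    Export-Csv -NoTypeInformation -Path (Join-Path $out 'svi_media.csv')

if ($media.Count -gt 0) {
    # Do the dates match the rest of the folder? Build a window around the suspect
    # files' creation times and count how much genuine restore data shares it.
    $sorted     = $media | Sort-Object CreationTime
    $start      = $sorted[0].CreationTime.AddDays(-1)
    $end        = $sorted[-1].CreationTime.AddDays(1)
    $mediaNames = $media | ForEach-Object { $_.FullName }
    $restore    = @($all | Where-Object { $mediaNames -notcontains $_.FullName })
    $inWindow   = @($restore | Where-Object { $_.CreationTime -ge $start -and $_.CreationTime -le $end }).Count
    'Suspect files created {0:u} .. {1:u}; {2} of {3} other files in the folder share that window' -f
        $start, $end, $inWindow, $restore.Count

    # Step (5): everything else on C: created or modified in the same window.
    Get-ChildItem -LiteralPath 'C:\' -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -notlike "$svi\*" } |
        Where-Object { ($_.CreationTime  -ge $start -and $_.CreationTime  -le $end) -or
                       ($_.LastWriteTime -ge $start -and $_.LastWriteTime -le $end) } |
        Select-Object FullName, Length, CreationTime, LastWriteTime |
        Export-Csv -NoTypeInformation -Path (Join-Path $out 'files_in_window.csv')
}

# --- Step (1): local accounts and Administrators membership -------------------
Get-CimInstance Win32_UserAccount -Filter 'LocalAccount=True' |
    Select-Object Name, Disabled, Lockout, PasswordRequired |
    Export-Csv -NoTypeInformation -Path (Join-Path $out 'local_accounts.csv')
net localgroup Administrators | Out-File (Join-Path $out 'administrators.txt')

# --- Step (4): listening sockets, resolved to the owning process ---------------
# Keep the raw output as the comment asks, then parse the LISTENING lines so a
# rogue FTP daemon shows up with its image path instead of just a PID.
netstat -ano | Out-File (Join-Path $out 'netstat.txt')
netstat -ano | ForEach-Object {
    if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
        $p = Get-Process -Id ([int]$Matches[2]) -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Port    = [int]$Matches[1]
            PID     = [int]$Matches[2]
            Process = $p.ProcessName
            Path    = $p.Path
        }
    }
} | Sort-Object Port | Export-Csv -NoTypeInformation -Path (Join-Path $out 'listeners.csv')

# --- Step (3): the same ground Autoruns covers, from the registry and services -
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runKeys | Where-Object { Test-Path $_ } | ForEach-Object {
    $key = $_
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object { [pscustomobject]@{ Source = $key; Name = $_.Name; Command = $_.Value } }
} | Export-Csv -NoTypeInformation -Path (Join-Path $out 'run_keys.csv')

# Services whose binary lives outside the Windows directory: a rough stand-in
# for "Hide Microsoft Entries" on the Services tab. Review, do not auto-delete.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch '(?i)\\Windows\\' } |
    Select-Object Name, State, StartMode, PathName |
    Export-Csv -NoTypeInformation -Path (Join-Path $out 'services_non_windows.csv')
```

Copy the C:\triage folder off the box before cleaning up, since the timestamps in svi_media.csv and files_in_window.csv are the clues the comment above says not to destroy; the listeners.csv and services_non_windows.csv files are the first places to look for the FTP server it mentions.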
Thanks, hope you were able to get things cleaned up.
