Hard Disk Space Disappearing...

Discussion in 'Software' started by Keoni8888, Apr 8, 2009.

  1. Keoni8888

    Keoni8888 Private E-2

    Seems like a virus or rootkit, but...

    I am having an issue with a server with disk space disappearing into nowhere. On the data partition (drive D) of the SBS 2003 server, every day ~1GB of disk space gets eaten up. This even happens on the weekends when no one is in the office using the system. Also, I cannot find any files or folders that are increasing in size. Out of 193GB, drive D now has 70GB remaining. However, when I do a folder-by-folder audit, only 9.5GB is used on drive D (unhiding all files first). I have even tried tools like DiskTective and TreeSize to find where the space is, but with no new finds; they both report 9.5GB in files but only 70GB out of 193GB available on disk. The paging file is stored on drive C, Exchange badmail is not growing in size... I'm lost for an explanation. The only other thing that I noted is that the AutoProtect setting of Symantec Endpoint Protection on the server reports a malfunction. However, a full system scan reveals nothing.

    Last weekend I disconnected the DSL modem from the network and the space stabilized / stopped decreasing for that time period. So it looks like whatever is happening is somehow Internet related. I have run many AV programs, rootkit detectors, malware detectors, and the like - all with no hits.

    First, I would like to find what is using my drive space but cannot find any related files. Does anyone know of software to perform a more comprehensive audit? Then, I need to find whatever is eating the space and stop it. I do not know where to look next.

    Ideas? Thanks!
     
  2. compguy101101

    compguy101101 Private E-2

    Your problem is not malware. I suspect you have Backup Exec being used on this server as well, as I had the same problem and my 66GB drive reached 9GB before finding the solution. But it is a problem with your VSS (Volume Shadow Copy Service). To verify this I used a program called SpaceMonger found here: http://www.sixty-five.cc/download/ which will give you a visual representation of where the data is located on your hard drive. I suspect after running it you will see that there is one large folder that can be determined what's in it. This is because you don't have permission to access it, as the SYSTEM is the only one that can. This folder is C:\SYSTEM VOLUME INFORMATION. When you click properties you will note that the folder contains nothing; now look at the permissions and change them so administrators have default access to the folder. Open the folder and voilà, you should have a dozen or so non-program associated files ranging in size from 200MB to 4GB (at least in my case). You can't delete these because some are in use currently and are being written to. So this is the crazy part. Every single one of those files is not even an actual file; they are all TEMP files. The way you clear it out is to go into your "SERVICES" and stop and start the "VOLUME SHADOW COPY" Service and instantly all the space that has been disappearing should instantly be available. It's the craziest thing, if this is the same problem I had. You can read about it here: http://seer.entsupport.symantec.com/docs/269989.htm and it should explain how it happened and why. Hopefully this works for you. Watch that folder because mine is still propagating data into it.
     
  3. slc0295

    slc0295 Private E-2

    Hi All!

    Although this is an old thread, the problem is, as I believe, still present somehow.

    You can check VSS status in Explorer. You can also use the command "vssadmin list shadowstorage" to check if there are stuck shadow copies.

    I have found at my work that occasionally power users and other users make personal folders. You can check this situation easily with some disk exploring program; SpaceMonger, mentioned in this thread, is OK. You look only for folders with 0 KB space requirement. It means that you can't see even the disk space the folder is taking. This is usually the case with personal folders. You see only 0 KB, even if there is a lot of data. It's the permissions; administrators of course can override everything, but best practice would be to inform users about the situation.

    Hope you find this useful! :)
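
The reconciliation this thread works toward, as an added example that is not code from any poster: it parses `vssadmin list shadowstorage` output and shows how much of the space a file audit cannot see is held by shadow copy storage. The sample output is constructed, its layout is assumed to match what vssadmin prints, and the function names are hypothetical.

```python
import re
UNITS = {"B": 1, "KB": 1024, "MB": 1024**2, "GB": 1024**3, "TB": 1024**4}
FIELD = re.compile(r"^\s*(For volume|Used Shadow Copy Storage space|"
                   r"Maximum Shadow Copy Storage space):\s*(.+?)\s*$")
SIZE = re.compile(r"([\d.]+)\s*(B|KB|MB|GB|TB)\b")

def to_bytes(text):
    """Convert a size such as '113.2 GB (58%)' to bytes; None for UNBOUNDED."""
    m = SIZE.search(text)
    return int(float(m.group(1)) * UNITS[m.group(2)]) if m else None

def parse_shadowstorage(output):
    """Return {drive letter: {'used': bytes, 'max': bytes or None}}."""
    result, drive = {}, None
    for line in output.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # headers and the 'Shadow Copy Storage volume' line
        key, value = m.groups()
        if key == "For volume":
            letter = re.search(r"\(([A-Za-z]):\)", value)
            drive = letter.group(1).upper() if letter else value
            result[drive] = {"used": 0, "max": None}
        elif drive and key.startswith("Used"):
            result[drive]["used"] = to_bytes(value) or 0
        elif drive:
            result[drive]["max"] = to_bytes(value)
    return result

def reconcile(total, free, audited, shadow_used):
    """Split the space a file audit cannot see into shadow storage and the rest."""
    gap = total - free - audited
    return {"gap": gap, "shadow": shadow_used, "unexplained": gap - shadow_used}

GB = UNITS["GB"]
# Constructed sample output (not captured from the poster's server).
SAMPLE = """\
Shadow Copy Storage association
   For volume: (D:)\\\\?\\Volume{00000000-0000-0000-0000-000000000000}\\
   Shadow Copy Storage volume: (D:)\\\\?\\Volume{00000000-0000-0000-0000-000000000000}\\
   Used Shadow Copy Storage space: 112.5 GB
   Maximum Shadow Copy Storage space: UNBOUNDED
"""

if __name__ == "__main__":
    # Figures from the first post: 193 GB volume, 70 GB free, 9.5 GB visible.
    used = parse_shadowstorage(SAMPLE)["D"]["used"]
    print({k: round(v / GB, 1) for k, v in
           reconcile(193 * GB, 70 * GB, int(9.5 * GB), used).items()})
```

A large "unexplained" remainder after subtracting shadow storage points at something other than VSS, such as folders the auditing account cannot read.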
     
