I ran into this quite by accident.
I logged in to a remote server (Win 2003 x64) and discovered that there is absolutely no free space on C:.
It turned out that the folder C:\Windows\Temp has quickly grown to an unprecedented size, and only over the last 2 days (more than 40 GB).
It contains some .tmp files with apparently quite meaningless content.
NOD32 is installed on the server, and it is being updated as well. How an infection could have got in there, I have no idea.
There is also a log file, dw.log, from launches of Dw20.exe. The first date in the log coincides with the date (March 2) of the first large tmp file.
Please tell me what this could be, and, if it is a virus, how to treat it?
Thank you.
dw.log contains the following:
Code:
NEW LOG
13:43:53 03-02-2009
ship dw20.exe 12.0.6010.5000
Generic Mode
NEW LOG
14:26:32 03-02-2009
ship dw20.exe 12.0.6010.5000
Generic Mode
NEW LOG
14:28:34 03-02-2009
ship dw20.exe 12.0.6010.5000
Generic Mode
NEW LOG
14:31:06 03-02-2009
ship dw20.exe 12.0.6010.5000
Generic Mode
NEW LOG
14:33:42 03-02-2009
ship dw20.exe 12.0.6010.5000
Generic Mode
NEW LOG
14:35:34 03-02-2009
ship dw20.exe 12.0.6010.5000
Generic Mode
One more thing: in the Security event log for this period (from 2 to 4 March) there are a great many Logon/Logoff events with the name of the web account:
Code:
Event Type: Success Audit
Event Source: Security
Event Category: Logon / Logoff
Event ID: 538
Date: 04.03.2009
Time: 22:03:48
User: PHOENIX-SERVER \ IUSR_PHOENIX-SERVER
Computer: PHOENIX-SERVER
Description:
User Logoff:
User Name: IUSR_PHOENIX-SERVER
Domain: PHOENIX-SERVER
Logon ID: (0x0, 0x1050E50)
Logon Type: 8
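
The date comparison made by hand in the post (first dw.log entry against the first large .tmp file) can be repeated for every launch in the log. This is an added example, not part of the original post: the sample log and file listing are constructed, the MM-DD-YYYY reading follows the post's "March 2", and the 100 MB threshold and 5-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the dw.log layout quoted in the post.
SAMPLE_LOG = """.......NEW LOG
13:43:53 03-02-2009
ship dw20.exe 12.0.6010.5000
Generic Mode
NEW LOG
14:26:32 03-02-2009
ship dw20.exe 12.0.6010.5000
Generic Mode
"""

# Constructed (name, size_bytes, mtime) rows standing in for a Temp folder listing.
SAMPLE_FILES = [
    ("a1.tmp", 900_000_000, datetime(2009, 3, 2, 13, 44, 10)),
    ("a2.tmp", 1_200_000_000, datetime(2009, 3, 2, 14, 27, 0)),
    ("small.tmp", 4_096, datetime(2009, 3, 1, 9, 0, 0)),
    ("a3.tmp", 800_000_000, datetime(2009, 3, 3, 2, 0, 0)),
]

STAMP = re.compile(r"^(\d{2}:\d{2}:\d{2}) (\d{2}-\d{2}-\d{4})$")

def parse_dw_log(text):
    """Return one launch timestamp per NEW LOG record (date read as MM-DD-YYYY)."""
    launches, expect_stamp = [], False
    for raw in text.splitlines():
        line = raw.strip(". \t")  # tolerate the dotted separator before NEW LOG
        if not line:
            continue
        if line == "NEW LOG":
            expect_stamp = True
        elif expect_stamp:
            m = STAMP.match(line)
            if m:
                launches.append(datetime.strptime(f"{m.group(2)} {m.group(1)}", "%m-%d-%Y %H:%M:%S"))
            expect_stamp = False
    return launches

def correlate(launches, files, min_size=100 * 1024**2, window=timedelta(minutes=5)):
    """Pair each launch with large files modified within `window` of it."""
    big = sorted((f for f in files if f[1] >= min_size), key=lambda f: f[2])
    near = lambda t, m: abs(m - t) <= window
    hits = {t: [n for n, _, m in big if near(t, m)] for t in launches}
    unmatched = [n for n, _, m in big if not any(near(t, m) for t in launches)]
    return hits, unmatched
```

Call `correlate(parse_dw_log(log_text), file_rows)` with the real log text and a listing of the Temp folder; large files left in `unmatched` grew without a Dw20.exe launch nearby and point to a different writer.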