windows\temp more than 40GB with PHOENIX2000
I ran into this quite by accident.
I logged in to a remote server (Win 2003 x64) and discovered that there is absolutely no free space on C:.
It turned out that the folder C:\Windows\Temp has grown rapidly to an unprecedented size (more than 40 GB), and only over the last 2 days.
It contains some .tmp files with apparently quite meaningless content.
The server has NOD32 on it, and the updates are installed as well. How an infection could have gotten there, I have no idea.
There is also a log file, dw.log, recording launches of Dw20.exe. The first date in the log coincides with the date (March 2) of the first large .tmp file.
Please advise what this might be and, if it is a virus, how to treat it?
Thank you.
dw.log contains the following:
Code:
NEW LOG
13:43:53 03-02-2009
ship dw20.exe 12.0.6010.5000
Generic Mode
NEW LOG
14:26:32 03-02-2009
ship dw20.exe 12.0.6010.5000
Generic Mode
NEW LOG
14:28:34 03-02-2009
ship dw20.exe 12.0.6010.5000
Generic Mode
NEW LOG
14:31:06 03-02-2009
ship dw20.exe 12.0.6010.5000
Generic Mode
NEW LOG
14:33:42 03-02-2009
ship dw20.exe 12.0.6010.5000
Generic Mode
NEW LOG
14:35:34 03-02-2009
ship dw20.exe 12.0.6010.5000
Generic Mode
.................................................. .......................
One more thing: during this period (March 2 to 4) the Security event log contains a great many Logon/Logoff events under the name of the web account:
Code:
Event Type: Success Audit
Event Source: Security
Event Category: Logon / Logoff
Event ID: 538
Date: 04.03.2009
Time: 22:03:48
User: PHOENIX-SERVER \ IUSR_PHOENIX-SERVER
Computer: PHOENIX-SERVER
Description:
User Logoff:
User Name: IUSR_PHOENIX-SERVER
Domain: PHOENIX-SERVER
Logon ID: (0x0, 0x1050E50)
Logon Type: 8
Re: windows\temp more than 40GB with PHOENIX2000
PHOENIX2000, you could have searched for Dw20.exe yourself! Windows errors related to dw20.exe? dw20.exe is the Application Error Reporting client included with Microsoft Office 2003, a tool that collects information automatically whenever an Office application crashes and allows users to send a report directly to Microsoft.
Re: windows\temp more than 40GB with PHOENIX2000
But I highly doubt that this is connected in any way.
Why then the mountain of .tmp files and the enormous number of Security events?
This is a web server, not a terminal server. It runs IIS + SQL Server; there isn't even Office on it.
Re: windows\temp more than 40GB with PHOENIX2000
The size of the files and the time of their creation suggest that they are dumps. Perhaps something there starts up often and dies. Look at the logs or at IIS; perhaps you have code that creates an Office COM object, which for some reason dies, and so leaves this litter behind.
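
The correlation discussed in this thread (dw.log launch times against the creation times of large .tmp files), as an added example that is not part of any post above. The sample log and file listing are constructed, the MM-DD-YYYY date order is inferred from the first post's March 2 remark, and the 60-second window and 50 MB size threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the dw.log layout quoted in the first post.
SAMPLE_DW_LOG = """NEW LOG
13:43:53 03-02-2009
ship dw20.exe 12.0.6010.5000
Generic Mode
NEW LOG
14:26:32 03-02-2009
ship dw20.exe 12.0.6010.5000
Generic Mode
"""

# Constructed Temp listing: (name, creation time, size in bytes).
SAMPLE_TMP_FILES = [
    ("a1.tmp", datetime(2009, 3, 2, 13, 43, 40), 310_000_000),
    ("b2.tmp", datetime(2009, 3, 2, 14, 26, 20), 295_000_000),
    ("c3.tmp", datetime(2009, 3, 2, 16, 0, 0), 4_096),
]

STAMP = re.compile(r"^(\d{2}:\d{2}:\d{2}) (\d{2}-\d{2}-\d{4})$")

def parse_dw_log(text):
    """Return one dict per 'NEW LOG' record: launch time, version, mode."""
    records, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "NEW LOG":
            cur = {"time": None, "version": None, "mode": None}
            records.append(cur)
        elif cur is None or not line:
            continue  # skip blanks and anything before the first record
        elif (m := STAMP.match(line)):
            # Assumption: MM-DD-YYYY, since the post dates these entries to March 2.
            cur["time"] = datetime.strptime(f"{m[2]} {m[1]}", "%m-%d-%Y %H:%M:%S")
        elif line.lower().startswith("ship dw20.exe"):
            cur["version"] = line.split()[-1]
        elif cur["mode"] is None:
            cur["mode"] = line
    return [r for r in records if r["time"]]  # drop records without a timestamp

def correlate(records, files, window=timedelta(seconds=60), min_size=50 * 2**20):
    """Map each dw20.exe launch to large files created within `window` of it."""
    return {
        r["time"]: [name for name, created, size in files
                    if size >= min_size and abs(r["time"] - created) <= window]
        for r in records
    }
```

On a live host the file list would be built from the creation times and sizes of the files in the Temp directory. Launches with no matching large file point away from the dump explanation.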