
Recently I found that a process is deleting a large amount of files on my hard disk, and I started trying to catch that process. These are my findings:

  1. It deletes files at random intervals, but once it starts, it deletes hundreds of files / tens of GB silently, and the deleted files do not appear in the Recycle Bin, so I can't restore them. It doesn't delete all files. For example, in one folder it deleted all subfolders starting with A-M, and the folders starting with N-Z remained.
  2. However, each time it deletes, it only deletes from my Google Drive folder and my backup folder (the folder name is BACKUP).
  3. It doesn't act every day. My observation is that it deletes about once every 3-7 days; I suspect it's at a random interval.
  4. It happens when my computer is turned on after being shut down for hours.
  5. VERY INTERESTING: I managed to capture the deletion action by using Directory Monitor. First it captured that the deletion is done by C:\Windows\System32\config\systemprofile\AppData\Roaming\PCDr\Downloads\Chipset_Driver_8J86F_WN32_15.3.39.250_A01.EXE under the user "NT AUTHORITY\SYSTEM", which is a Dell driver for the Intel(R) Thunderbolt Controller. Immediately I stopped the Intel Thunderbolt Controller process, but the deletion still continued, with the process now being C:\Program Files (x86)\Google\Drive\googledrivesync.exe (the user is my name). Then I stopped the Google Drive program, but the deletion still continued, with the process being C:\Windows\explorer.exe (the user is my name). Then I closed all File Explorer windows and finally the deletion stopped.
  6. I performed a full scan using Windows Defender and AVG Antivirus; no virus was found.

I tried restoring my system using an absolutely clean image (this is the factory image), then I had to install all software to make the PC able to work, and after a few days the deletion happened again. The most recent software I installed before the first occurrence of this virus was Docker for Windows and some Dell driver updates; they were all downloaded from official sites.

Does anyone have an idea what virus it is?

Some logs from Directory Monitor:

===first process (Chipset_Driver_8J86F_WN32_15.3.39.250_A01.EXE)===

Deleted (28/7/2017 18:27:29): X:\BACKUP\Drivers\Network\Tenda\Original *NT AUTHORITY\SYSTEM using C:\Windows\System32\config\systemprofile\AppData\Roaming\PCDr\Downloads\Chipset_Driver_8J86F_WN32_15.3.39.250_A01.EXE*
Deleted (28/7/2017 18:27:29): X:\BACKUP\Drivers\Network\Tenda\Original\User Guide\PDF *NT AUTHORITY\SYSTEM using C:\Windows\System32\config\systemprofile\AppData\Roaming\PCDr\Downloads\Chipset_Driver_8J86F_WN32_15.3.39.250_A01.EXE*
Deleted (28/7/2017 18:27:29): X:\BACKUP\Drivers\Wacom\PenTablet_499-6.exe *NT AUTHORITY\SYSTEM using C:\Windows\System32\config\systemprofile\AppData\Roaming\PCDr\Downloads\Chipset_Driver_8J86F_WN32_15.3.39.250_A01.EXE*

===second process (googledrivesync.exe)===

Deleted (28/7/2017 18:27:30): X:\DATA\CloudDrive\f1\design.png *MY-DELL\MyUserName using C:\Program Files (x86)\Google\Drive\googledrivesync.exe*
Deleted (28/7/2017 18:27:30): X:\DATA\CloudDrive\f1\Function list.gdoc *MY-DELL\MyUserName using C:\Program Files (x86)\Google\Drive\googledrivesync.exe*
Deleted (28/7/2017 18:27:30): X:\DATA\CloudDrive\f1\Group_full.gslides *MY-DELL\MyUserName using C:\Program Files (x86)\Google\Drive\googledrivesync.exe*

===third process (explorer.exe)===

Deleted (28/7/2017 18:27:31): X:\DATA\CloudDrive\V\WC\Sales Deck\images\burden-299864.jpg *MY-DELL\MyUserName using C:\Windows\explorer.exe*
Deleted (28/7/2017 18:27:31): X:\DATA\CloudDrive\V\WC\Sales Deck\images\Millennial-FOT-1.jpg *MY-DELL\MyUserName using C:\Windows\explorer.exe*
Deleted (28/7/2017 18:27:31): X:\DATA\CloudDrive\V\WC\Sales Deck\images\HongKong19.jpg *MY-DELL\MyUserName using C:\Windows\explorer.exe*

===Additional information about BACKUP folder as per @TECHIE007===

The BACKUP folder is just a regular folder storing my hardware drivers and system images for system recovery purposes. It's stored in X:\BACKUP. The X: drive is a single hard disk storing all my data. There are folders like X:\BACKUP..., X:\DATA..., X:\MEDIA...

Regularly I copy the whole X: drive to an external hard disk as a backup copy.

I have a C: drive, which is an SSD and only for the system and installed software.

Meanwhile, for easy portability, each folder in X: has a symbolic link created in C:, e.g. I have C:\BACKUP which is a symbolic link to X:\BACKUP, C:\MEDIA links to X:\MEDIA, etc.

I also noticed that when all files are deleted in the BACKUP folder, the C:\BACKUP symbolic link is also deleted, but the folder X:\BACKUP is still there, although its content is empty. So I think the malware is actually deleting C:\BACKUP\*.* instead of X:\BACKUP, and after all files in C:\BACKUP are deleted, the malware deletes the folder C:\BACKUP, which only removes the symbolic link; that's why the X:\BACKUP folder is still there with empty content.

Hope this helps find a new clue.
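As an added example (it is not part of the question and not Directory Monitor's own code), here is a Python script that parses log lines in the format quoted above, attributes each deletion to the (account, executable) pair that performed it, maps paths reached through a directory symbolic link such as C:\BACKUP back onto X:\BACKUP so the real data loss is counted where the data lives, and ranks the actors by how suspicious the attribution looks. The first six sample lines are the ones from the question; the last two are constructed (a deletion through the C:\BACKUP link and a harmless temp-file removal). The link map, the protected roots and the scoring rules are my assumptions.

```python
import re
from collections import defaultdict

# One Directory Monitor line, as quoted in the question:
#   Deleted (28/7/2017 18:27:29): <path> *<DOMAIN\user> using <executable>*
LINE_RE = re.compile(
    r"^(?P<action>\w+) \((?P<ts>[^)]+)\): (?P<path>.+?) \*(?P<user>.+?) using (?P<exe>.+?)\*$"
)

# Directory symbolic links on the machine (assumed from the question's description).
LINKS = {r"C:\BACKUP": r"X:\BACKUP", r"C:\MEDIA": r"X:\MEDIA"}
# Folders whose contents the owner cares about (assumption).
PROTECTED_ROOTS = (r"X:\BACKUP", r"X:\DATA\CloudDrive")
SYSTEM_ACCOUNT = r"NT AUTHORITY\SYSTEM"

# Sample input: six lines quoted from the question plus two constructed ones
# (a deletion through the C:\BACKUP link, and a temp-file removal as a benign control).
SAMPLE_LOG = r"""
Deleted (28/7/2017 18:27:29): X:\BACKUP\Drivers\Network\Tenda\Original *NT AUTHORITY\SYSTEM using C:\Windows\System32\config\systemprofile\AppData\Roaming\PCDr\Downloads\Chipset_Driver_8J86F_WN32_15.3.39.250_A01.EXE*
Deleted (28/7/2017 18:27:29): X:\BACKUP\Drivers\Wacom\PenTablet_499-6.exe *NT AUTHORITY\SYSTEM using C:\Windows\System32\config\systemprofile\AppData\Roaming\PCDr\Downloads\Chipset_Driver_8J86F_WN32_15.3.39.250_A01.EXE*
Deleted (28/7/2017 18:27:30): X:\DATA\CloudDrive\f1\design.png *MY-DELL\MyUserName using C:\Program Files (x86)\Google\Drive\googledrivesync.exe*
Deleted (28/7/2017 18:27:30): X:\DATA\CloudDrive\f1\Function list.gdoc *MY-DELL\MyUserName using C:\Program Files (x86)\Google\Drive\googledrivesync.exe*
Deleted (28/7/2017 18:27:31): X:\DATA\CloudDrive\V\WC\Sales Deck\images\burden-299864.jpg *MY-DELL\MyUserName using C:\Windows\explorer.exe*
Deleted (28/7/2017 18:27:31): X:\DATA\CloudDrive\V\WC\Sales Deck\images\HongKong19.jpg *MY-DELL\MyUserName using C:\Windows\explorer.exe*
Deleted (28/7/2017 18:27:32): C:\BACKUP\Images\recovery.wim *NT AUTHORITY\SYSTEM using C:\Windows\System32\config\systemprofile\AppData\Roaming\PCDr\Downloads\Chipset_Driver_8J86F_WN32_15.3.39.250_A01.EXE*
Deleted (28/7/2017 18:30:02): C:\Users\MyUserName\AppData\Local\Temp\tmp1234.tmp *MY-DELL\MyUserName using C:\Windows\explorer.exe*
""".strip().splitlines()


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def under(path, root):
    """Case-insensitive test: path is root itself or lies below it."""
    p, r = path.lower(), root.lower()
    return p == r or p.startswith(r + "\\")


def resolve_link(path, links):
    """Rewrite a path reached through a directory link onto the link's target,
    so a deletion of C:\\BACKUP\\x is counted against X:\\BACKUP\\x."""
    for link, target in links.items():
        if under(path, link):
            return target + path[len(link):]
    return path


def attribute_deletions(lines, links):
    """Group the real (link-resolved) paths of every deletion by (user, executable)."""
    by_actor = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["action"] != "Deleted":
            continue
        by_actor[(ev["user"], ev["exe"])].append(resolve_link(ev["path"], links))
    return dict(by_actor)


def findings(by_actor, protected_roots):
    """Rank actors that removed files under a protected root. Scoring (assumed):
    +2 when the SYSTEM account removes user data, +1 when the executable lives in a
    profile's AppData\\...\\Downloads tree (downloaded content, not installed software)."""
    out = []
    for (user, exe), paths in by_actor.items():
        hits = [p for p in paths if any(under(p, r) for r in protected_roots)]
        if not hits:
            continue
        score, reasons = 0, []
        if user.lower() == SYSTEM_ACCOUNT.lower():
            score += 2
            reasons.append("SYSTEM account deleting user data")
        if re.search(r"\\appdata\\.*\\downloads\\", exe.lower()):
            score += 1
            reasons.append("executable runs from a profile Downloads folder")
        out.append({"user": user, "exe": exe, "deleted": len(hits), "score": score, "reasons": reasons})
    out.sort(key=lambda f: (-f["score"], -f["deleted"]))
    return out


if __name__ == "__main__":
    for f in findings(attribute_deletions(SAMPLE_LOG, LINKS), PROTECTED_ROOTS):
        print(f"score={f['score']} deleted={f['deleted']} user={f['user']} exe={f['exe']}")
        for r in f["reasons"]:
            print("   -", r)
```

Resolving the link before counting is what makes the question's own observation visible in the numbers: Explorer and googledrivesync.exe only ever touch paths they were asked to, whereas the installer running as SYSTEM out of a Downloads folder ends up at the top of the list.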

  • Try Malwarebytes. Defender is useless and AVG is average. You may have to do an offline scan (boot from CD, DVD, or USB). Reload Windows in a couple of hours, OR spend dozens of hours trying to clean it. Choose 1.
    – cybernard
    Commented Jul 28, 2017 at 14:47
  • bleepingcomputer.com/forums/t/533167/… PCDR sounds a lot like PC Doctor... Also that is not the folder official Dell drivers use ...
    – SvennD
    Commented Jul 28, 2017 at 14:48
  • combofix is a better option
    Commented Jul 28, 2017 at 14:56
  • @cybernard I downloaded Malwarebytes for a scan; it only found the conduitsearch.toolbar, which doesn't seem to be associated with it. Will do a clean system re-install and scan it again.
    – LazNiko
    Commented Jul 28, 2017 at 15:48
  • @SvennD I went through that post and can't find the scheduled tasks and folders mentioned in the post :(
    – LazNiko
    Commented Jul 28, 2017 at 15:48

1 Answer

Update: Dell have acknowledged that their driver installer deletes user files. They have blacklisted the driver to make sure that it is not distributed to further systems. For those already experiencing this problem, good luck getting your files back.

Quite a few people, including myself, are experiencing this problem. It appears to be related to a Dell Thunderbolt driver installer that runs every day. I ran a Sysinternals Process Monitor trace that proves that this driver installer does all the deleting.

I don't know for sure why it only deletes files from a specific folder, but it is my most important folder that I always have open in the file explorer. Perhaps there is some interaction between the driver and the file explorer.

More details can be found in this Dell thread: http://en.community.dell.com/support-forums/software-os/f/4997/t/20017763

I have posted quite a complete breakdown of my findings there, but it is waiting for a Dell moderator, so I have included a copy below.


Same here, over the last 5 working days (I believe the first time it happened was Thursday, August 17, 2017) it has repeatedly deleted a folder containing 10K+ files that I had to restore from backup every day. A monumental waste of my time.

I got so fed up with my files disappearing that I ran a SysInternals Process Monitor trace, and let's just say that I have caught this driver installer with its pants down: this process traverses files under c:\data\dropbox and deletes them all!

Why the installer is running every day is beyond me. Also, why it is only deleting this folder under c:\data and not other ones under c:\data is not clear. The only thing I can think of is that I have this folder ALWAYS open in file explorer.

Other people are reporting similar problems; see "Virus / suspicious process deletes many folders and files via various processes name".

I had a look at the various Dell update utilities running on my system (why so many?). Dell Command Update's history and activity log don't show that they have executed anything.

The installer is signed by Dell Inc; I have checked it with virus scanners and it comes through clean.

Dell SupportAssist shows 'Powered by PC-Doctor', which explains the PCDR in the path of the driver, so my guess is that this schedules the daily update. However, the process ID shown for the parent process (the one that started the driver installer) is not for a process that is currently running, so I cannot say for sure what started this installer.

Does anyone have any idea where the log file for this driver installer can be found? I looked in %temp% and c:\windows\temp, but there is nothing there that matches the timestamp.

The Windows Event log shows the following every day:


System event log entries (every day at a random time, event ID 7045)

A service was installed in the system.

Service Name: PCDSRVC{3B54B31B-D06B6431-06020200}_0 - PCDR Kernel Mode Service Helper Driver
Service File Name: c:\program files\dell\supportassist\pcdsrvc_x64.pkms
Service Type: kernel mode driver
Service Start Type: demand start
Service Account:


as well as:


Beginning a Windows Installer transaction: C:\ProgramData\dell\drivers\Chipset_Driver_8J86F_WN32_15.3.39.250_A01\setup.msi. Client Process Id: 16568.


I am happy to delete this problematic file, but my fear is that it will come back and delete files again. As it is impossible to trace what it has deleted over time, more and more files will just disappear from my system.

It is pretty clear who is at fault here, now Dell will need to take ownership and sort this out. I am paying for premium support and will contact my Dell support rep.
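The two event-log entries quoted in this answer are the kind of evidence a defender can turn into a repeatable check. As an added example (not the answer's own tooling), the Python code below takes records exported from the Windows event logs, groups System-log Event ID 7045 ("A service was installed in the system") entries by service name to find services that are re-installed on several different days, and then pairs each such install with any Windows Installer transaction that begins shortly afterwards. The service name, service file name and MSI path are the ones quoted in the answer; the timestamps, the unrelated "ExampleUpdater" service, and the use of MsiInstaller Application-log event ID 1040 for the "Beginning a Windows Installer transaction" message are my constructions and assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Field lines inside a 7045 message body; [ \t]* (not \s*) so a value never spills
# onto the next line when a field such as "Service Account:" is empty.
FIELD_RE = re.compile(
    r"^(Service Name|Service File Name|Service Type|Service Start Type|Service Account):[ \t]*(.*)$",
    re.M,
)
# MsiInstaller message as quoted in the answer.
MSI_RE = re.compile(r"Beginning a Windows Installer transaction: (?P<path>.+?)\. Client Process Id: (?P<pid>\d+)\.")

PCD_SERVICE = "PCDSRVC{3B54B31B-D06B6431-06020200}_0 - PCDR Kernel Mode Service Helper Driver"

# 7045 message body as quoted in the answer (field per line, as the event viewer shows it).
PCD_MSG = r"""A service was installed in the system.
Service Name: PCDSRVC{3B54B31B-D06B6431-06020200}_0 - PCDR Kernel Mode Service Helper Driver
Service File Name: c:\program files\dell\supportassist\pcdsrvc_x64.pkms
Service Type: kernel mode driver
Service Start Type: demand start
Service Account: """

# Constructed sample export: (timestamp, event id, message). Times are made up to show
# the "every day at a random time" pattern; ExampleUpdater is a made-up one-off install.
SAMPLE_EVENTS = [
    ("2017-08-17 09:12:44", 7045, PCD_MSG),
    ("2017-08-18 08:00:00", 7045,
     "A service was installed in the system.\nService Name: ExampleUpdater\n"
     "Service File Name: C:\\Program Files\\Example\\updater.exe\nService Type: user mode service\n"
     "Service Start Type: auto start\nService Account: LocalSystem"),
    ("2017-08-18 14:03:10", 7045, PCD_MSG),
    ("2017-08-18 14:03:15", 1040,
     "Beginning a Windows Installer transaction: C:\\ProgramData\\dell\\drivers\\"
     "Chipset_Driver_8J86F_WN32_15.3.39.250_A01\\setup.msi. Client Process Id: 16568."),
    ("2017-08-19 11:47:02", 7045, PCD_MSG),
]


def parse_service_install(message):
    """Pull the named fields out of a 7045 message body into a dict."""
    return {field: value.strip() for field, value in FIELD_RE.findall(message)}


def recurring_service_installs(events, min_days=2):
    """Services whose 7045 install event appears on at least min_days distinct days.
    A kernel-mode driver service that is re-installed every day is worth a look."""
    seen = defaultdict(lambda: {"days": set(), "file": None, "kernel": False})
    for ts, event_id, message in events:
        if event_id != 7045:
            continue
        fields = parse_service_install(message)
        name = fields.get("Service Name")
        if not name:
            continue
        rec = seen[name]
        rec["days"].add(ts[:10])
        rec["file"] = fields.get("Service File Name")
        rec["kernel"] = "kernel" in fields.get("Service Type", "").lower()
    return {
        name: {"days": sorted(rec["days"]), "file": rec["file"], "kernel": rec["kernel"]}
        for name, rec in seen.items()
        if len(rec["days"]) >= min_days
    }


def msi_after_service_install(events, service_name, window_seconds=600):
    """Pair each install of service_name with MSI transactions starting within
    window_seconds after it; returns (install time, msi path, client pid) tuples."""
    installs = [
        datetime.strptime(ts, TS_FMT)
        for ts, event_id, message in events
        if event_id == 7045 and parse_service_install(message).get("Service Name") == service_name
    ]
    pairs = []
    for ts, event_id, message in events:
        m = MSI_RE.search(message)
        if not m:
            continue
        started = datetime.strptime(ts, TS_FMT)
        for install_time in installs:
            delta = (started - install_time).total_seconds()
            if 0 <= delta <= window_seconds:
                pairs.append((install_time.strftime(TS_FMT), m["path"], int(m["pid"])))
    return pairs


if __name__ == "__main__":
    for name, rec in recurring_service_installs(SAMPLE_EVENTS).items():
        print(f"{name}\n  kernel={rec['kernel']} file={rec['file']} days={rec['days']}")
        for install_time, path, pid in msi_after_service_install(SAMPLE_EVENTS, name):
            print(f"  {install_time} -> MSI {path} (client pid {pid})")
```

On a real machine the input would come from an export of the System and Application logs rather than the constructed list; the grouping by day is what separates a legitimate one-time driver install from the daily re-installation the answer describes, and the MSI pairing gives the installer path to look at next.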
