Recently I found that a process is deleting a large number of files on my hard disk, and I started trying to catch that process. These are my findings:
- It deletes files at random intervals, but once it starts, it deletes hundreds of files / tens of GB silently, and the deleted files do not appear in the Recycle Bin, so I can't restore them. It doesn't delete all files. For example, in one folder it deleted all subfolders starting with A-M, and the folders starting with N-Z remained.
- However, each time it deletes, it only deletes from my Google Drive folder and my backup folder (the folder name is BACKUP).
- It doesn't act every day. My observation is that it deletes about once every 3-7 days; I suspect it's at a random interval.
- It happens when my computer is turned on after being shut down for hours.
- VERY INTERESTING: I managed to capture the deletion action by using Directory Monitor. First it captured that the deletion is done by C:\Windows\System32\config\systemprofile\AppData\Roaming\PCDr\Downloads\Chipset_Driver_8J86F_WN32_15.3.39.250_A01.EXE under user "NT AUTHORITY\SYSTEM", which is a DELL driver for the Intel(R) Thunderbolt Controller. Immediately I stopped the Intel Thunderbolt Controller process, but the deletion still continued, now with the process C:\Program Files (x86)\Google\Drive\googledrivesync.exe (user is my name). Then I stopped the Google Drive program, and the deletion still continued, now with the process C:\Windows\explorer.exe (user is my name). Then I closed all File Explorer windows and finally the deletion stopped.
- I performed a full scan using Windows Defender and AVG Antivirus; no virus was found.
I tried restoring my system using an absolutely clean image (the factory image), then I had to install all software to make the PC able to work, and after a few days the deletion happened again. The most recent software I installed before the first occurrence of this virus was Docker for Windows and some Dell driver updates; they were all downloaded from official sites.
Does anyone have any idea what virus it is?
Some logs from Directory Monitor:
===first process (Chipset_Driver_8J86F_WN32_15.3.39.250_A01.EXE)===
Deleted (28/7/2017 18:27:29): X:\BACKUP\Drivers\Network\Tenda\Original *NT AUTHORITY\SYSTEM using C:\Windows\System32\config\systemprofile\AppData\Roaming\PCDr\Downloads\Chipset_Driver_8J86F_WN32_15.3.39.250_A01.EXE*
Deleted (28/7/2017 18:27:29): X:\BACKUP\Drivers\Network\Tenda\Original\User Guide\PDF *NT AUTHORITY\SYSTEM using C:\Windows\System32\config\systemprofile\AppData\Roaming\PCDr\Downloads\Chipset_Driver_8J86F_WN32_15.3.39.250_A01.EXE*
Deleted (28/7/2017 18:27:29): X:\BACKUP\Drivers\Wacom\PenTablet_499-6.exe *NT AUTHORITY\SYSTEM using C:\Windows\System32\config\systemprofile\AppData\Roaming\PCDr\Downloads\Chipset_Driver_8J86F_WN32_15.3.39.250_A01.EXE*
===second process (googledrivesync.exe)===
Deleted (28/7/2017 18:27:30): X:\DATA\CloudDrive\f1\design.png *MY-DELL\MyUserName using C:\Program Files (x86)\Google\Drive\googledrivesync.exe*
Deleted (28/7/2017 18:27:30): X:\DATA\CloudDrive\f1\Function list.gdoc *MY-DELL\MyUserName using C:\Program Files (x86)\Google\Drive\googledrivesync.exe*
Deleted (28/7/2017 18:27:30): X:\DATA\CloudDrive\f1\Group_full.gslides *MY-DELL\MyUserName using C:\Program Files (x86)\Google\Drive\googledrivesync.exe*
===third process (explorer.exe)===
Deleted (28/7/2017 18:27:31): X:\DATA\CloudDrive\V\WC\Sales Deck\images\burden-299864.jpg *MY-DELL\MyUserName using C:\Windows\explorer.exe*
Deleted (28/7/2017 18:27:31): X:\DATA\CloudDrive\V\WC\Sales Deck\images\Millennial-FOT-1.jpg *MY-DELL\MyUserName using C:\Windows\explorer.exe*
Deleted (28/7/2017 18:27:31): X:\DATA\CloudDrive\V\WC\Sales Deck\images\HongKong19.jpg *MY-DELL\MyUserName using C:\Windows\explorer.exe*
===Additional information about BACKUP folder as per @TECHIE007===
The BACKUP folder is just a regular folder storing my hardware drivers and system images for system recovery purposes. It's stored in X:\BACKUP. The X: drive is a single hard disk storing all my data. There are folders like X:\BACKUP..., X:\DATA..., X:\MEDIA...
Regularly I copy the whole X: drive to an external hard disk as a backup copy.
I have a C: drive which is an SSD and is only for the system and installed software.
Meanwhile, for easy portability, each folder in X: has a symbolic link created in C:, e.g. I have C:\BACKUP which is a symbolic link to X:\BACKUP, C:\MEDIA links to X:\MEDIA, etc.
I also noticed that when all files are deleted in the BACKUP folder, the C:\BACKUP symbolic link is also deleted, but the folder X:\BACKUP is still there with empty content. So I think the malware is actually deleting C:\BACKUP\*.* instead of X:\BACKUP, and after all files in C:\BACKUP are deleted, the malware deletes the folder C:\BACKUP, which only removes the symbolic link; that's why the X:\BACKUP folder is still there with empty content.
Hope this helps find a new clue.
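As an added triage aid that is not part of the original post, the script below parses Directory Monitor records in the exact shape quoted above ("Deleted (date): path *user using process*"), groups them by user and process, and flags the records a responder would look at first: deletions of user data performed by the SYSTEM account, and process images running out of a profile or Downloads directory. The nine sample lines are the ones from the post; the "protected roots" list (X:\BACKUP, X:\DATA) and the flagging heuristics are my assumptions, not anything Directory Monitor itself provides.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed input: the nine Directory Monitor lines quoted in the post,
# one "Deleted (...)" record per line.
SAMPLE_LOG = r"""
Deleted (28/7/2017 18:27:29): X:\BACKUP\Drivers\Network\Tenda\Original *NT AUTHORITY\SYSTEM using C:\Windows\System32\config\systemprofile\AppData\Roaming\PCDr\Downloads\Chipset_Driver_8J86F_WN32_15.3.39.250_A01.EXE*
Deleted (28/7/2017 18:27:29): X:\BACKUP\Drivers\Network\Tenda\Original\User Guide\PDF *NT AUTHORITY\SYSTEM using C:\Windows\System32\config\systemprofile\AppData\Roaming\PCDr\Downloads\Chipset_Driver_8J86F_WN32_15.3.39.250_A01.EXE*
Deleted (28/7/2017 18:27:29): X:\BACKUP\Drivers\Wacom\PenTablet_499-6.exe *NT AUTHORITY\SYSTEM using C:\Windows\System32\config\systemprofile\AppData\Roaming\PCDr\Downloads\Chipset_Driver_8J86F_WN32_15.3.39.250_A01.EXE*
Deleted (28/7/2017 18:27:30): X:\DATA\CloudDrive\f1\design.png *MY-DELL\MyUserName using C:\Program Files (x86)\Google\Drive\googledrivesync.exe*
Deleted (28/7/2017 18:27:30): X:\DATA\CloudDrive\f1\Function list.gdoc *MY-DELL\MyUserName using C:\Program Files (x86)\Google\Drive\googledrivesync.exe*
Deleted (28/7/2017 18:27:30): X:\DATA\CloudDrive\f1\Group_full.gslides *MY-DELL\MyUserName using C:\Program Files (x86)\Google\Drive\googledrivesync.exe*
Deleted (28/7/2017 18:27:31): X:\DATA\CloudDrive\V\WC\Sales Deck\images\burden-299864.jpg *MY-DELL\MyUserName using C:\Windows\explorer.exe*
Deleted (28/7/2017 18:27:31): X:\DATA\CloudDrive\V\WC\Sales Deck\images\Millennial-FOT-1.jpg *MY-DELL\MyUserName using C:\Windows\explorer.exe*
Deleted (28/7/2017 18:27:31): X:\DATA\CloudDrive\V\WC\Sales Deck\images\HongKong19.jpg *MY-DELL\MyUserName using C:\Windows\explorer.exe*
"""

# Shape of one record: "<Action> (<d/m/Y H:M:S>): <path> *<user> using <process>*"
LINE_RE = re.compile(
    r"^(?P<action>\w+) \((?P<ts>[^)]+)\): (?P<path>.+?) \*(?P<user>.+?) using (?P<proc>.+?)\*$"
)

# Assumed: the data roots whose deletion we care about (from the post's layout).
PROTECTED_ROOTS = (r"X:\BACKUP", r"X:\DATA")
SYSTEM_ACCOUNT = r"NT AUTHORITY\SYSTEM"


@dataclass
class Event:
    action: str
    ts: datetime
    path: str
    user: str
    proc: str


def parse_log(text: str) -> List[Event]:
    """Parse every recognisable record; blank or foreign lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%m/%Y %H:%M:%S")
        events.append(Event(m["action"], ts, m["path"], m["user"], m["proc"]))
    return events


def top_dir(path: str) -> str:
    """'X:\\DATA\\CloudDrive\\f1\\design.png' -> 'X:\\DATA'."""
    return "\\".join(path.split("\\")[:2])


def summarize(events: List[Event]) -> Dict[Tuple[str, str], dict]:
    """Per (user, process): how many deletions, over what window, under which roots."""
    groups = defaultdict(list)
    for e in events:
        groups[(e.user, e.proc)].append(e)
    return {
        key: {
            "count": len(evs),
            "first": min(e.ts for e in evs),
            "last": max(e.ts for e in evs),
            "roots": sorted({top_dir(e.path) for e in evs}),
        }
        for key, evs in groups.items()
    }


def flag_events(events: List[Event], protected_roots=PROTECTED_ROOTS) -> List[Tuple[Event, str]]:
    """Records worth a closer look, with the reason each was flagged (assumed heuristics)."""
    flagged = []
    for e in events:
        reasons = []
        in_protected = any(e.path.upper().startswith(r.upper()) for r in protected_roots)
        if in_protected and e.user.upper() == SYSTEM_ACCOUNT.upper():
            reasons.append("SYSTEM account deleting user data")
        proc = e.proc.lower()
        if "\\appdata\\" in proc or "\\downloads\\" in proc:
            reasons.append("process image runs from a profile/Downloads directory")
        if reasons:
            flagged.append((e, "; ".join(reasons)))
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (user, proc), s in summarize(evs).items():
        print(f"{s['count']:3d} deletions {s['first']:%H:%M:%S}-{s['last']:%H:%M:%S} "
              f"under {s['roots']} by {user} via {proc}")
    for e, why in flag_events(evs):
        print(f"FLAG {e.path}  <- {why}")
```

Two caveats when reading the output. A file-system monitor attributes each delete to the process that issued it, so a sync client such as googledrivesync.exe showing up as the deleter usually means it is propagating a deletion it observed elsewhere rather than originating it, and explorer.exe can appear for the same reason when it refreshes a folder; the first group on the timeline is the one to chase. And a driver installer running as SYSTEM out of an AppData\Roaming\...\Downloads path is unusual enough to be worth checking its publisher signature and origin before assuming it is malicious.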
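The symbolic-link observation at the end of the post is reproducible on a scratch directory, and the reproduction below is an added example, not something from the post. It builds a constructed layout with X/BACKUP as a real directory and C/BACKUP as a directory symbolic link to it, deletes everything "through" the link the way the post describes (contents first, then the C:\BACKUP entry itself), and shows that the real X/BACKUP survives empty while only the link disappears. It also shows that shutil.rmtree refuses a link as its root precisely because of this hazard. Drive letters are modelled as folder names; on Windows, creating the link needs the symlink privilege or Developer Mode.

```python
import os
import shutil
import tempfile
from pathlib import Path


def make_layout(base: Path):
    """Constructed layout mirroring the post: X/BACKUP holds data, and
    C/BACKUP is a directory symbolic link pointing at it."""
    target = base / "X" / "BACKUP"
    (target / "Drivers").mkdir(parents=True)
    (target / "Drivers" / "setup.exe").write_bytes(b"placeholder driver")
    (target / "system-image.wim").write_bytes(b"placeholder image")
    link = base / "C" / "BACKUP"
    link.parent.mkdir()
    os.symlink(target, link, target_is_directory=True)
    return target, link


def remove_link_entry(link: Path) -> None:
    """Remove only the link itself. Windows exposes a directory symlink as a
    directory (rmdir); POSIX exposes it as a link entry (unlink)."""
    try:
        os.rmdir(link)
    except NotADirectoryError:
        os.unlink(link)


def delete_through_link(link: Path) -> None:
    r"""What the post describes: delete C:\BACKUP\*.* and then C:\BACKUP.
    Every delete issued inside the link resolves to the real directory, so the
    target is emptied; the final delete only removes the link entry."""
    for dirpath, dirnames, filenames in os.walk(link, topdown=False):
        for name in filenames:
            os.remove(os.path.join(dirpath, name))
        for name in dirnames:
            os.rmdir(os.path.join(dirpath, name))
    remove_link_entry(link)


def rmtree_refuses_link(link: Path) -> bool:
    """shutil.rmtree deliberately refuses a symlink root, leaving the target intact."""
    try:
        shutil.rmtree(link)
    except OSError:
        return True
    return False


def run_demo() -> dict:
    """Run the whole scenario in a temporary directory and report the end state."""
    with tempfile.TemporaryDirectory() as tmp:
        target, link = make_layout(Path(tmp))
        refused = rmtree_refuses_link(link)
        delete_through_link(link)
        return {
            "rmtree_refused": refused,          # safe tool would not walk the link
            "target_exists": target.is_dir(),   # X/BACKUP is still there ...
            "target_empty": not any(target.iterdir()),  # ... but empty
            "link_exists": link.exists() or link.is_symlink(),  # C/BACKUP is gone
        }


if __name__ == "__main__":
    print(run_demo())
```

The practical consequence for a layout like the one in the post is that a link under C: makes X: data reachable to anything that cleans, resets or "restores" the system drive, whether that is a driver installer, a sync client reconciling a folder it believes was deleted, or a reset to a factory image; keeping the links out of C: until the source of the deletions is identified removes that exposure.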