There is a Windows 7 x32 SP1 system I am supporting. It started slowing down and showing BSODs over the last few weeks and I was called in to look at it. I noticed disk space was almost 10 MB. I immediately cleared some space to give it about 3/4 GB of space. Then I watched Task Manager and noticed DLLHOST.exe was taking lots of RAM and saw it making connections to Akamai and many other non-mainstream IPs and downloading significant amounts of data. I would kill the process tree and it would return. Symantec Endpoint found nothing, but eventually I ran TDSSKiller and it discovered rootkit.boot.pihar.c, restarted the machine and removed it. This stopped the dllhost.exe behavior.
I have run SFC /scannow and the Malwarebytes rootkit program and nothing has been found since. Also a CHKDSK on boot has been run and it did make many repairs.
The strangeness is that the drive shows 232GB total size with 3.32 GB free. When I run WinDirStat or TreeSize Free they both show only ~58 GB of data.
I suspect the rootkit has been downloading and storing stuff on the disk (for some reason, P2P?) and it is hidden and I can't find it. Are there any tools to help in this situation? That is over 150 GB of unaccounted-for space.
Edited by hamluis, 19 July 2014 - 02:56 PM.
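One way to quantify the gap described in the post, as an added example that is not part of the original thread: compare what the file system reports as used with what user-mode enumeration can actually reach, and subtract shadow-copy storage, which lives in a directory even administrators cannot list. The drive letter, function name and the PowerShell 2.0-compatible cmdlets are my assumptions; run it from an elevated prompt.

```powershell
# Added example: measure how much of a volume's used space is visible to
# user-mode file enumeration versus shadow-copy storage, so that the
# unexplained remainder can be put in numbers. Assumes Windows 7 with
# PowerShell 2.0 or later and an elevated prompt; 'C:' is a constructed default.
param([string]$Drive = 'C:')

function Get-VolumeUsageBreakdown {
    param([string]$DeviceId)
    # What the file system itself says is used (this matches Explorer's figure).
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$DeviceId'"
    $used = [int64]$disk.Size - [int64]$disk.FreeSpace

    # Sum every file we can reach, including hidden and system files (-Force),
    # but skip reparse points so junctions (e.g. C:\Users\All Users) are not
    # counted twice. Access-denied directories such as System Volume Information
    # are silently skipped; that is part of the gap we want to measure.
    $visible = [int64]0
    Get-ChildItem -Path "$DeviceId\" -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and
                       -not ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) } |
        ForEach-Object { $visible += $_.Length }

    # Shadow copies are invisible above; vssadmin reports the space they occupy.
    $shadow = [int64]0
    $line = vssadmin list shadowstorage /For=$DeviceId |
        Where-Object { $_ -match 'Used Shadow Copy Storage space' } |
        Select-Object -First 1
    if ($line -and $line -match ':\s+([\d.,]+)\s+(KB|MB|GB|TB)') {
        $value = [double]($matches[1] -replace ',', '.')
        $scale = switch ($matches[2]) { 'KB' {1KB} 'MB' {1MB} 'GB' {1GB} 'TB' {1TB} }
        $shadow = [int64]($value * $scale)
    }

    # Whatever remains is space the file system counts as used but that no
    # user-mode tool on this running system can account for.
    New-Object PSObject -Property @{
        UsedGB        = [math]::Round($used / 1GB, 2)
        VisibleGB     = [math]::Round($visible / 1GB, 2)
        ShadowCopyGB  = [math]::Round($shadow / 1GB, 2)
        UnexplainedGB = [math]::Round(($used - $visible - $shadow) / 1GB, 2)
    }
}

Get-VolumeUsageBreakdown -DeviceId $Drive | Format-List
```

If UnexplainedGB stays large after shadow storage is accounted for, repeat the file enumeration with the disk mounted from clean boot media: a kernel-mode rootkit can filter what a running system's tools see, and an offline count is not subject to that.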