Mystery subdirectory in 'Recycler'
Posted 05 November 2005 - 02:57 PM
I'm one of the network administrators for my company. I was looking through our users' home directories for *.exe's. These are usually games and stuff that they are not allowed to bring into work.
Normally speaking, because of the restrictions we place on user accounts, users are restricted from directly accessing their local hard drives and they do not have a "Recycle Bin" in their network home directory. In the course of looking for exe's, however, I found 5 users who had a "Recycler" subdirectory in their "My Documents" directory. It was flagged as system and hidden. Looking inside of it, there was only another subdirectory. The subdirectory had a name something like S-1-5-21-2087260228-1248616834-60295696-3921 (don't Google that name, I'm not sure I typed it correctly). Their names all followed that same naming convention except the last 4 numbers which were different for each of my users who had a "recycler" subdirectory. Like the "recycler" directory, these directories were also flagged as system and hidden.
Inside of each of those "S-1-5-etc" directories were several files. Some had WPD extensions (Word Perfect documents, we use WP at work), some had XLS, TXT or DOC extensions. Each of these mystery subdirectories also contained at least 1 file with an EXE extension; that's how I found these mystery directories in the first place.
The files in all these mystery subdirectories had names beginning with D@ followed by a unique number which, for the most part, increased over time. D@1.WPD, D@2.XLS, D@3.WPD, D@4.TXT, and so on. The WPD, DOC and XLS files are normal document files. There were no files with normal looking names and, as far as I can tell, that is not the normal naming convention used by a true Recycle Bin directory.
I wasn't able to find out much about the EXE's. They didn't have the exact same date/time stamps nor were they the same size. Googling the file names was a waste of effort because both Google and Yahoo's search engine dump the @ from the search.
As I said, a "recycle" directory is not normal in our environment. Could these files be evidence that these users are infected with a keylogger? Any help or advice would be greatly appreciated.
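A small triage script, added here as an example and not part of the original thread, that takes a file listing like the one the poster describes and pulls out the Recycler/SID/D@<n>.<ext> entries, so the EXEs and the numbering gap pattern can be reviewed per user. The SID pattern, the D@ filename pattern and the sample paths are assumptions built from the post, not from any Microsoft documentation.

```python
import re
from collections import defaultdict

# Naming pattern as reported in the post: a Recycler folder, a SID-named subfolder,
# then files named D@<number>.<ext>. Both regexes are assumptions based on that report.
SID_DIR_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")
RECYCLED_FILE_RE = re.compile(r"^D@(\d+)\.([A-Za-z0-9]+)$")

def parse_recycler_path(path):
    """Return (sid, index, ext) for a path of the form
    .../Recycler/<SID>/D@<n>.<ext>, or None if it does not match."""
    parts = path.replace("\\", "/").split("/")
    if len(parts) < 3 or parts[-3].lower() != "recycler":
        return None
    sid, name = parts[-2], parts[-1]
    if not SID_DIR_RE.match(sid):
        return None
    m = RECYCLED_FILE_RE.match(name)
    if not m:
        return None
    return sid, int(m.group(1)), m.group(2).upper()

def triage(paths):
    """Group matching files by SID; list the executables and note whether the
    D@ numbering is strictly increasing, as the poster observed."""
    by_sid = defaultdict(list)
    for p in paths:
        parsed = parse_recycler_path(p)
        if parsed:
            sid, idx, ext = parsed
            by_sid[sid].append((idx, ext, p))
    report = {}
    for sid, entries in by_sid.items():
        entries.sort()
        indices = [i for i, _, _ in entries]
        report[sid] = {
            "count": len(entries),
            "executables": [p for _, ext, p in entries if ext == "EXE"],
            "sequential": all(b > a for a, b in zip(indices, indices[1:])),
        }
    return report

# Constructed sample listing (not from the original post); the SID is a placeholder.
SAMPLE = [
    r"H:\jdoe\My Documents\Recycler\S-1-5-21-1111111111-2222222222-3333333333-1001\D@1.WPD",
    r"H:\jdoe\My Documents\Recycler\S-1-5-21-1111111111-2222222222-3333333333-1001\D@2.XLS",
    r"H:\jdoe\My Documents\Recycler\S-1-5-21-1111111111-2222222222-3333333333-1001\D@3.exe",
    r"H:\jdoe\My Documents\Recycler\S-1-5-21-1111111111-2222222222-3333333333-1001\report.doc",
    r"H:\asmith\My Documents\budget.xls",
]

if __name__ == "__main__":
    for sid, info in triage(SAMPLE).items():
        print(sid, info)
```

On a real file server the list would come from a recursive directory walk over the home directories; hidden and system attributes do not stop such a walk.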
Posted 05 November 2005 - 06:47 PM
Firewall: ZoneLabs Personal Firewall
AntiVirus: McAfee VirusScan Pro
Security: Windows Updates
Posted 06 November 2005 - 12:06 AM
See http://support.micro...kb;en-us;187122 and/or http://support.micro...kb;en-us;171694
How camest thou in this pickle? -- William Shakespeare:(1564-1616)