Hi
For some reason, Windows 2000 is eating up my hard disk space. I have located the problem to a single file:
eventhandle.dll, located in the winnt\system32 directory.
Its size increases every day, and currently it's 700 MB large. What kind of file is it, and is it safe to delete it?

I have just scanned my registry and there is no such "dll" in it. I had a "*.dll" that a MS techie did not recognise as part of the system so he suggested that I rename the *.dll to *.old, reboot, and see if any problems occurred. You might try the same. If there are no problems then I would delete it after a few computer sessions. Hope this helps you, and please post some feedback if it works.

If you can, burn it to a CD or zip it up and put it somewhere. Then rename the original file to something different like dog.txt or something that tickles your fancy. Then re-boot and see if you are able to start up and run everything fine.
I would be concerned that it's some sort of worm or poorly programmed file. I quickly searched www.sarc.com and it didn't show up as a worm file. Below is the link to Microsoft's technet, it didn't show up as a legit file there either.
Oh, make sure you have a W98se boot disk before you rename it in case you can't reboot and have to boot up with a floppy to put it back. You can find a link to some good boot disk extracts at www.bootdisk.com.
Technet:
http://support.microsoft.com/default.aspx?scid=/servicedesks/fileversion/dllinfo.asp&SD=TECH&FR=0
Good luck!
Vanessa

Thanks for your help!
I have moved the file to another disk, rebooted, and used the system without any problems. So I deleted the file and my pc still works perfectly.
Except... the file comes back, and is currently 147 MB....
Well, at least I know I can safely delete it.

In fact you do have a worm! Don't dismiss this only because you can delete the file - if you are not behind a firewall you are most probably serving all of your documents to anyone with the correct password on IRC... and btw. I got it too...
This eventhandle.dll file is in fact a text file - a log of an IRC file serving program called iroffer. Check the first question in the author's FAQ (http://iroffer.org/faq.html)
It is actually not hard to remove - First of all get a program called FileMon (www.sysinternals.com) - this will tell you which programs are accessing which files. Enable filter to only show you eventhandle.dll and you will see what app is writing to this file...
In my case it was masking itself as netsvc.exe ... remove any reference to this .exe from registry, kill the process, delete this .exe (it is most probably in windows/system32 folder), restart computer and then cross your fingers it doesn't come back!!!
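
The reply above notes that eventhandle.dll was really a text log carrying a .dll name. The following is an added example, not part of the original thread, showing one way to flag such files: it lists .dll/.exe files in a directory that lack a valid PE header and says whether they look like plain text. The function names are hypothetical and the sample files are constructed for the demonstration.

```python
import os
import struct
import tempfile

def is_pe(path):
    """Return True if the file has a DOS 'MZ' header pointing at a 'PE\\0\\0' signature."""
    with open(path, "rb") as f:
        head = f.read(64)
        if len(head) < 64 or head[:2] != b"MZ":
            return False
        (pe_offset,) = struct.unpack_from("<I", head, 0x3C)  # e_lfanew field
        f.seek(pe_offset)
        return f.read(4) == b"PE\0\0"

def looks_like_text(path, sample=4096):
    """Heuristic: the first bytes are mostly printable ASCII or whitespace."""
    with open(path, "rb") as f:
        data = f.read(sample)
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) > 0.95

def find_fake_binaries(directory, exts=(".dll", ".exe")):
    """List (name, size, kind) for files with a binary extension that are not PE images."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and name.lower().endswith(exts):
            if not is_pe(path):
                kind = "text" if looks_like_text(path) else "unknown"
                findings.append((name, os.path.getsize(path), kind))
    return findings

def build_sample_dir():
    """Constructed sample data: one minimal PE-like file and one log named .dll."""
    d = tempfile.mkdtemp()
    pe = bytearray(0x80 + 4)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)
    pe[0x80:0x84] = b"PE\0\0"
    with open(os.path.join(d, "real.dll"), "wb") as f:
        f.write(pe)
    with open(os.path.join(d, "eventhandle.dll"), "wb") as f:
        f.write(b"** constructed sample log line, not real iroffer output\r\n" * 20)
    return d

if __name__ == "__main__":
    for name, size, kind in find_fake_binaries(build_sample_dir()):
        print(f"{name}: {size} bytes, not a PE image ({kind})")
```

On a real machine, pass the system32 directory to `find_fake_binaries` instead of the sample directory; a hit only means the file is not a PE image, so the process writing to it still has to be identified as described above.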

Thank you very very much for your help, nEJC. It was indeed the file netsvc.exe that was writing to the file.
I deleted it and deleted all the registry references to the file. I also found a configuration file. Is there a way to use this to track where it's coming from? Do you know how this worm is spread? I'm generally very careful with downloading & e-mail attachments.
Thank you very, very, very much!
