C drive filling up but nothing there

Page 2 - AnandTech community

bamacre

Lifer
Jul 1, 2004
21,030
2
61
Do you have Norton Anti-virus, or similar software?

Right click on your recycling bin and see if one of the options is Delete Norton Protected Files, or something like that.
 

ViRGE

Elite Member, Moderator Emeritus
Oct 9, 1999
31,516
167
106
Originally posted by: bigsnyder
> Originally posted by: Slugbait
> > If it's an older build and you don't clean often, it could be your criticals.
> >
> > Go to c:\windows and delete $NTUninstallKBxxxxxxx. Also delete $hf_mig$.
> >
> > Then drill down to SoftwareDistribution\Download and delete all files and folders (don't delete the Download folder itself, just the contents).
>
> What exactly are these folders? What are the possible side effects from deleting them?
>
> C Snyder

Those are the uninstallers for various Windows updates.
 

RebateMonger

Elite Member
Dec 24, 2005
11,588
0
0
Yeah, you can safely delete the uninstallers for older Windows updates. No reason not to. But you won't recover 75GB of data from those. Maybe 1GB if you've got a five-year-old XP computer and never deleted the old updates.
 

myocardia

Diamond Member
Jun 21, 2003
9,291
30
91
You've likely got a huge drwtsn32.log file. It will be located at C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson, if that's your problem. It's what usually stumps people, when space on their boot partition starts mysteriously disappearing.
 

BehindEnemyLines

Senior member
Jul 24, 2000
979
0
0
You said you checked for lost fragments, but did you do the following to delete the lost fragments?

Look for the following folders (they may or may not exist): found.xxx, such as found.000. This folder is hidden, so you have to go to My Computer > Tools > Folder Options > View. Put a dot in the following: "Show hidden files and folders". Uncheck the following: "Hide protected operating system files". Now look for the folder in the drive letter you checked earlier. If you see this folder, you can safely delete it. If not, then....
 

Slugbait

Elite Member
Oct 9, 1999
3,633
3
81
Originally posted by: wolfiesmithuk
> Yes plenty of $NTUninstallKBxxxxxxx and $hf_mig$ but they are listed under the windows folder and although 445MB are not the culprit.

Yup, that's where I told you they would be. Yup, I told you that would be an unlikely resolution to your problem.

> The FTP thing sounds to be something I should be doing but you'll have to be a bit more basic with me on this. I'm nosing around in there but what is an FTP????

FTP=File Transfer Protocol. As the name implies, FTP transfers files between computers. There are numerous different FTP programs out there...even your browser can connect to an FTP server.

Back to my suspicion: you ARE the FTP server. This happened to my wife's machine about five or six years ago. Warez people scour the 'net with bot scripts looking for vulnerable machines with admin privileges where they can store their movies/music/software to be distributed to others. My wife's machine had 80 gigs of crap uploaded to her hard drive by the time we discovered it...get this, over half of the created sub-folders had no content yet. They'd only been inside her machine for about a week.

As you go thru your list of running services, look at the description: most programs provide a very specific description, so anything that is described as FTP would be the culprit. If the description is vague or empty, google it. Then follow my instructions listed previously, especially the one where you deprecate your privileges...
 

wolfiesmithuk

Junior Member
Jul 1, 2007
19
0
0
Originally posted by: myocardia
> You've likely got a huge drwtsn32.log file. It will be located at C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson, if that's your problem. It's what usually stumps people, when space on their boot partition starts mysteriously disappearing.

16915KB
 

wolfiesmithuk

Junior Member
Jul 1, 2007
19
0
0
Originally posted by: Slugbait
> Originally posted by: wolfiesmithuk
> > Yes plenty of $NTUninstallKBxxxxxxx and $hf_mig$ but they are listed under the windows folder and although 445MB are not the culprit.
>
> Yup, that's where I told you they would be. Yup, I told you that would be an unlikely resolution to your problem.
>
> > The FTP thing sounds to be something I should be doing but you'll have to be a bit more basic with me on this. I'm nosing around in there but what is an FTP????
>
> FTP=File Transfer Protocol. As the name implies, FTP transfers files between computers. There are numerous different FTP programs out there...even your browser can connect to an FTP server.
>
> Back to my suspicion: you ARE the FTP server. This happened to my wife's machine about five or six years ago. Warez people scour the 'net with bot scripts looking for vulnerable machines with admin privileges where they can store their movies/music/software to be distributed to others. My wife's machine had 80 gigs of crap uploaded to her hard drive by the time we discovered it...get this, over half of the created sub-folders had no content yet. They'd only been inside her machine for about a week.
>
> As you go thru your list of running services, look at the description: most programs provide a very specific description, so anything that is described as FTP would be the culprit. If the description is vague or empty, google it. Then follow my instructions listed previously, especially the one where you deprecate your privileges...

I've gone through these on a one by one basis. Cannot find anything, I've Googled the non described ones and a fair number of the described ones as well. I've disabled one "Remote Registry" but that seems to be the only suspect item. I'll keep monitoring these though.
 

wolfiesmithuk

Junior Member
Jul 1, 2007
19
0
0
Originally posted by: BehindEnemyLines
> You said you checked for lost fragments, but did you do the following to delete the lost fragments?
>
> Look for the following folders (they may or may not exist): found.xxx, such as found.000. This folder is hidden, so you have to go to My Computer > Tools > Folder Options > View. Put a dot in the following: "Show hidden files and folders". Uncheck the following: "Hide protected operating system files". Now look for the folder in the drive letter you checked earlier. If you see this folder, you can safely delete it. If not, then....

No "found" files. Again despite having all files visible there is not any indication of anywhere near the 70Gigs of space that I am missing.
 

wolfiesmithuk

Junior Member
Jul 1, 2007
19
0
0
Originally posted by: dealmaster00
> Originally posted by: wolfiesmithuk
> > Originally posted by: dealmaster00
> > > Longshot, but you could try this:
> > >
> > > You'll want to see how much data is in your system volume information folder. (C:\system volume information)
> > >
> > > You don't have permission to this folder by default. To get permission go here: http://support.microsoft.com/kb/309531
> > >
> > > Report back on how much data is in it.
> >
> > 0 bytes because on the recommendation of RebateMonger I'd cleared the system restore points out of the system.
>
> Did you unlock the folder? E.g., can you open it? If you can't, it will say 0 bytes.

Finally got in, you can only access the security options in safe mode, and found 265MB.
 

Slugbait

Elite Member
Oct 9, 1999
3,633
3
81
Looks like you've run the gamut...nothing to explain a 70 gig loss. I would suggest you drop your clean image and start again, because I still believe something nefarious is going on with your machine. And after dropping the clean image, make sure to configure your security before creating a new image.

If you don't have an imaging utility, I suggest you get one and rebuild.
 

ViRGE

Elite Member, Moderator Emeritus
Oct 9, 1999
31,516
167
106
Originally posted by: Slugbait
> Looks like you've run the gamut...nothing to explain a 70 gig loss. I would suggest you drop your clean image and start again, because I still believe something nefarious is going on with your machine. And after dropping the clean image, make sure to configure your security before creating a new image.
>
> If you don't have an imaging utility, I suggest you get one and rebuild.

I'd be willing to wager you're right about the system being owned, and that whoever owned it is using a rootkit to hide what they're doing. It may be worth the time to boot up Knoppix or another live-CD and look at the hard drive that way. This bypasses any security concerns and would make it pretty obvious if the system is indeed hiding things with a rootkit.
 

Slugbait

Elite Member
Oct 9, 1999
3,633
3
81
Originally posted by: ViRGE
> I'd be willing to wager you're right about the system being owned, and that whoever owned it is using a rootkit to hide what they're doing. It may be worth the time to boot up Knoppix or another live-CD and look at the hard drive that way. This bypasses any security concerns and would make it pretty obvious if the system is indeed hiding things with a rootkit.

Excellent prognosis and suggestion. I hadn't considered a rootkit, since I haven't come across something like this that couldn't be easily seen before. However, he doesn't know what FTP is, so going beyond format c: might be confusing and more of a hassle. Even if the discovery process validates our concerns, that's still time away from getting the machine back.

Unless he wants to keep what's there, of course.

But I'm gonna remember Knoppix now, thanks V.
 

xtknight

Elite Member
Oct 15, 2004
12,974
0
71
You sure you ran chkdsk on it? With a /f (fix) parameter? The "free space" attribute on the partition is something that has to be stored (it can't be recalculated every time) and it could very well have been corrupted. I've had it happen before.

You can use the Ubuntu Feisty LiveCD, mount a partition to a mount point, and run Baobab (Disk Space Analyzer), included with Ubuntu, on the NTFS mount point in question.
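
The live-CD check suggested above by ViRGE and xtknight, as an added example that is not part of any post in the thread: with the Windows partition mounted read-only from the live CD, total the bytes reachable through the directory tree and compare them with the "used" figure the filesystem reports. The function name and the `/mnt/windows` mount point are assumptions made for illustration.

```python
import os
import shutil
import sys

def account_for_space(mount_point, top_n=5):
    """Compare bytes reachable through the directory tree with the
    'used' figure the filesystem itself reports for mount_point."""
    per_top = {}       # top-level entry -> bytes found beneath it
    unreadable = []    # paths that could not be listed or stat'ed
    seen = set()       # (device, inode) pairs, so hard links count once

    def note_error(err):
        unreadable.append(err.filename)

    for dirpath, dirnames, filenames in os.walk(mount_point, onerror=note_error):
        # Do not descend into other filesystems mounted below this one.
        dirnames[:] = [d for d in dirnames
                       if not os.path.ismount(os.path.join(dirpath, d))]
        rel = os.path.relpath(dirpath, mount_point)
        top = "(root files)" if rel == "." else rel.split(os.sep)[0]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                unreadable.append(path)
                continue
            if (st.st_dev, st.st_ino) in seen:
                continue
            seen.add((st.st_dev, st.st_ino))
            per_top[top] = per_top.get(top, 0) + st.st_size

    visible = sum(per_top.values())
    used = shutil.disk_usage(mount_point).used
    largest = sorted(per_top.items(), key=lambda kv: kv[1], reverse=True)
    return {"used_bytes": used, "visible_bytes": visible,
            "unaccounted_bytes": used - visible,
            "largest": largest[:top_n], "unreadable": unreadable}

if __name__ == "__main__":
    # Assumed usage: python3 account.py /mnt/windows  (partition mounted read-only)
    report = account_for_space(sys.argv[1])
    gib = 1024 ** 3
    for key in ("used_bytes", "visible_bytes", "unaccounted_bytes"):
        print(f"{key:18} {report[key] / gib:8.2f} GiB")
    for name, size in report["largest"]:
        print(f"  {size / gib:8.2f} GiB  {name}")
    print(f"unreadable paths: {len(report['unreadable'])}")
```

A small gap is normal (filesystem metadata and cluster slack are not counted as file bytes). If the walk from the live CD accounts for far more data than the installed Windows showed, something on that installation was hiding files; if a large gap remains even from the live CD, the volume's own free-space accounting is the suspect, which is the `chkdsk /f` case.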
 

wolfiesmithuk

Junior Member
Jul 1, 2007
19
0
0
Originally posted by: Slugbait
> Originally posted by: ViRGE
> > I'd be willing to wager you're right about the system being owned, and that whoever owned it is using a rootkit to hide what they're doing. It may be worth the time to boot up Knoppix or another live-CD and look at the hard drive that way. This bypasses any security concerns and would make it pretty obvious if the system is indeed hiding things with a rootkit.
>
> Excellent prognosis and suggestion. I hadn't considered a rootkit, since I haven't come across something like this that couldn't be easily seen before. However, he doesn't know what FTP is, so going beyond format c: might be confusing and more of a hassle. Even if the discovery process validates our concerns, that's still time away from getting the machine back.
>
> Unless he wants to keep what's there, of course.
>
> But I'm gonna remember Knoppix now, thanks V.

You are correct in that this is getting beyond my expertise; however, I'll try what I can of these latest suggestions and if anything comes up trumps I'll let you know.

I guess that given the rate at which the drive is filling I have a little time yet before the C drive is filled, so unless anything else (symptoms) start appearing then I don't have to do anything. I do appreciate though that I seem to be wide open to virus and/or whatever else through this gateway into my hard disk.

I've never "imaged" before as I don't worry too much about clearing out and starting again, I've done that a few times, but I'm an inveterate upgrader who is usually starting/restarting slightly too far down the price scale to future proof more than about 12 to 18 months down the line and because of this I'm often replacing enough equipment to make a total restart less of a hassle than trying to delete and/or upgrade drivers. In fact the situation I'm in now with my Gigabyte motherboard and its ability to take quad core and future CPUs + SATA + the latest video cards is probably as up to date and future proofed as I've ever been.

However thanks again to everyone who has contributed.
 

Slugbait

Elite Member
Oct 9, 1999
3,633
3
81
Originally posted by: wolfiesmithuk
> I've never "imaged" before as I don't worry too much about clearing out and starting again, I've done that a few times...

Worry a bit more, you probably only have a couple more times that you can activate Windows.

If you have a clean image that is already activated, you don't have to worry about being denied later.

 

Baluba

Junior Member
Dec 2, 2003
2
0
0
HI GUYS

I found the topic because I have the same problem... a 30 Gbytes partition C:, with only 18 Gbytes of data but I always get to no more than 200 Mbytes free...

It happens this way... I move some big files to another drive, so for example I have 1 Gbyte free... I have a look at drive C often to see if free space goes down... nope...

I run Process Explorer http://www.microsoft.com/techn...s/ProcessExplorer.mspx to look for strange running applications, I find none I don't know or trust...

I use DiskView http://www.microsoft.com/techn...eAndDisk/DiskView.mspx to see where my space is gone and I find a bunch of system files, when I click on them (they show in green), no filename appears

so I thought - rootkit! - and I was thinking about data streams too...

I tried some anti-rootkit programs to no avail...
I tried some programs to look for streams... but I found just a few little ones

The space that I had gained by moving files gets occupied the next time I reboot!!!!!

So I am down to no more than 200 Mbytes, which is bad for drive C
I have ZoneAlarm and AVG 7.5 plus I have Spybot Search and Destroy and Ad-Aware SE Personal, then I just installed WinPatrol... nothing...

I even tried File Monitor http://www.microsoft.com/techn...leAndDisk/Filemon.mspx to see the activity to my disk but I could not get to the wrongdoer... I put it in the start folder...

ANY IDEA? I THINK I AM kind of A PRO BUT I CAN NOT GET TO THE BASTARD DOING THIS TO ME!

thanks a lot

Guido from Biella, Italy
 

ViRGE

Elite Member, Moderator Emeritus
Oct 9, 1999
31,516
167
106
A good rootkit is effectively impossible to remove. You're going to have to reformat your system and reinstall Windows if that's the problem.
 