Those are the uninstallers for various Windows updates.
Originally posted by: bigsnyder
<div class="FTQUOTE"><begin quote>Originally posted by: Slugbait
If it's an older build and you don't clean often, it could be your criticals.
Go to c:\windows and delete $NTUninstallKBxxxxxxx. Also delete $hf_mig$.
Then drill down to SoftwareDistribution\Download and delete all files and folders (don't delete the Download folder itself, just the contents).</end quote></div>
What exactly are these folders? What are the possible side effects from deleting them?
C Snyder
Yup, that's where I told you they would be. Yup, I told you that would be an unlikely resolution to your problem.
Originally posted by: wolfiesmithuk
Yes plenty of $NTUninstallKBxxxxxxx and $hf_mig$ but they are listed under the windows folder and although 445MB are not the culprit.
FTP=File Transfer Protocol. As the name implies, FTP transfers files between computers. There are numerous different FTP programs out there...even your browser can connect to an FTP server.
The FTP thing sounds to be something I should be doing but you'll have to be a bit more basic with me on this. I'm nosing around in there but what is an FTP????
Originally posted by: myocardia
You've likely got a huge drwtsn32.log file. It will be located at C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson, if that's your problem. It's what usually stumps people, when space on their boot partition starts mysteriously disappearing.
Originally posted by: BehindEnemyLines
You said you checked for lost fragments, but did you do the following to delete the lost fragments?:
Look for the following folders (it may or may not exist): found.xxx such as found.000. This folder is hidden so you've to go to My Computer > Tools > Folder Options > View. Put a dot in the following: "show hidden files and folders". Uncheck the following: "Hide protected operating system files". Now look for the folder in the drive letter you checked earlier. If you see this folder, you can safely delete it. If not, then....
Originally posted by: dealmaster00
<div class="FTQUOTE"><begin quote>Originally posted by: wolfiesmithuk
<div class="FTQUOTE"><begin quote>Originally posted by: dealmaster00
Longshot, but you could try this:
You'll want to see how much data is in your system volume information folder. (C:\system volume information)
You don't have permission to this folder by default. To get permission go here: http://support.microsoft.com/kb/309531
Report back on how much data is in it.</end quote></div>
0 bytes because on the recommendation of RebateMonger I'd cleared the system restore points out of the system.</end quote></div>
Did you unlock the folder? E.g., can you open it? If you can't, it will say 0 bytes.
I'd be willing to wager you're right about the system being owned, and that whoever owned it is using a rootkit to hide what they're doing. It may be worth the time to boot up Knoppix or another live-CD and look at the hard drive that way. This bypasses any security concerns and would make it pretty obvious if the system is indeed hiding things with a rootkit.
Originally posted by: Slugbait
Looks like you've run the gamut...nothing to explain a 70 gig loss. I would suggest you drop your clean image and start again, because I still believe something nefarious is going on with your machine. And after dropping the clean image, make sure to configure your security before creating a new image.
If you don't have an imaging utility, I suggest you get one and rebuild.
Originally posted by: ViRGE
I'd be willing to wager you're right about the system being owned, and that whoever owned it is using a rootkit to hide what they're doing. It may be worth the time to boot up Knoppix or another live-CD and look at the hard drive that way. This bypasses any security concerns and would make it pretty obvious if the system is indeed hiding things with a rootkit.
Originally posted by: Slugbait
<div class="FTQUOTE"><begin quote>Originally posted by: ViRGE
I'd be willing to wager you're right about the system being owned, and that whoever owned it is using a rootkit to hide what they're doing. It may be worth the time to boot up Knoppix or another live-CD and look at the hard drive that way. This bypasses any security concerns and would make it pretty obvious if the system is indeed hiding things with a rootkit.</end quote></div>
Excellent prognosis and suggestion. I hadn't considered a rootkit, since I haven't come across something like this that couldn't be easily seen before. However, he doesn't know what FTP is, so going beyond format c: might be confusing and more of a hassle. Even if the discovery process validates our concerns, that's still time away from getting the machine back.
Unless he wants to keep what's there, of course.
But I'm gonna remember knoppix now, thanks V.
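
Added example, not part of any post in this thread: one way to do the live-CD comparison discussed above is to record a path/size manifest from inside the running Windows install, record another with the same drive mounted read-only from the live CD, and diff the two. The sample manifests, the `unknown_dir` name and the list of normally unreadable paths are constructed assumptions.

```python
import os

# Assumption: paths a running Windows XP normally refuses to read, so their
# absence from the online manifest is expected and not a sign of hiding.
EXPECTED_UNREADABLE = ("system volume information/", "pagefile.sys", "hiberfil.sys")

def build_manifest(root):
    """Walk root and return {lowercased relative path: size in bytes}."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                size = os.lstat(full).st_size
            except OSError:
                continue  # unreadable entry: simply missing from this view
            rel = os.path.relpath(full, root).replace(os.sep, "/").lower()
            manifest[rel] = size
    return manifest

def cross_view_diff(online, offline):
    """Return (hidden, resized): files only the offline view sees, and size mismatches."""
    hidden = {p: s for p, s in offline.items()
              if p not in online and not p.startswith(EXPECTED_UNREADABLE)}
    resized = {p: (online[p], s) for p, s in offline.items()
               if p in online and online[p] != s}
    return hidden, resized

def summarize(hidden):
    """Total hidden bytes, plus a per-top-level-folder ranking, largest first."""
    per_dir = {}
    for path, size in hidden.items():
        top = path.split("/", 1)[0]
        per_dir[top] = per_dir.get(top, 0) + size
    return sum(hidden.values()), sorted(per_dir.items(), key=lambda kv: -kv[1])

# Constructed sample manifests (not data from the thread).
ONLINE = {"windows/explorer.exe": 1033728, "windows/system32/drivers/etc/hosts": 734}
OFFLINE = {**ONLINE,
           "windows/system32/drivers/etc/hosts": 912,
           "pagefile.sys": 2_000_000_000,
           "system volume information/tracking.log": 20480,
           "unknown_dir/a.bin": 40_000_000_000,
           "unknown_dir/b.bin": 30_000_000_000}

if __name__ == "__main__":
    hidden, resized = cross_view_diff(ONLINE, OFFLINE)
    total, ranking = summarize(hidden)
    print(f"{total / 1e9:.1f} GB visible only offline:", ranking)
    print("size mismatches:", resized)
```

Size mismatches on files that were open while the online manifest was taken (logs, registry hives) are normal; large files that exist only in the offline view are the part worth investigating.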
Worry a bit more, you probably only have a couple more times that you can activate Windows.
Originally posted by: wolfiesmithuk
I've never "imaged" before as I don't worry too much about clearing out and starting again, I've done that a few times...