Lost Disk Space

July 25, 2005 5:07:24 PM

Archived from groups: microsoft.public.windowsxp.help_and_support

Hi, I'm using XP Home with SP2. When I look at the properties of the C:
drive, it says I have used approx 55GB with 19GB left. The Defrag
utility says the same. However, when I look at all the space used in
all the directories on C: I appear only to have used about 25GB, which
is actually more like what I think I'm using. Can anyone please point
me to what might be using up the huge amount of extra space - it's a
hell of a lot to go missing and I'd like to retrieve it :-(
--
Sam

July 25, 2005 5:07:25 PM

In news:D c2o6c$dem$1@nwrdmz01.dmz.ncs.ea.ibs-infra.bt.com,
Sam <sam.sam@samsam.com> had this to say:

My reply is at the bottom of your sent message:

> Hi, I'm using XP Home with SP2. When I Look at the properties of the
> C: drive, it says I have used approx 55GB with 19GB left. The Defrag
> utility says the same. However, when I look at all the space used in
> all the directories on C: I appear only to have used about 25GB, which
> is actually more like what I think I'm using. Can anyone please point
> me to what might be using up the huge amount of extra space - it's a
> hell of a lot to go missing and I'd like to retrieve it :-(

Start here and let me know what you see:

SequoiaView:
http://www.win.tue.nl/sequoiaview/

Are you on broadband? Without active security scanning? Without a firewall
in place perhaps? Do you have viewing hidden files enabled?

Start > run > type "control folders" (without the quotes) > hit enter > View
tab > SHOW hidden files and Protected files.

Galen
--

"But there are always some lunatics about. It would be a dull world
without them."

Sherlock Holmes
Anonymous
July 25, 2005 5:07:25 PM

You might check the paging file to see if it is taking up more space than
needed. Also system restore and the recycle bin's disk space usage can be
adjusted to free some space on the HD.

If you burn DVDs and save the ISO as a backup or forgot to delete them
after a copy was restored, just 6 DVD ISO files at 4.3+ GB could gobble up
free space quick. Not to mention numerous CD ISO files as well as MP3 and
JPEG and the list goes on. You may just need to clean out the computer.

j;-)

"Sam" wrote:

> Hi, I'm using XP Home with SP2. When I Look at the properties of the C:
> drive, it says I have used approx 55GB with 19GB left. The Defrag
> utility says the same. However, when I look at all the space used in
> all the directories on C: I appear only to have used about 25GB, which
> is actually more like what I think I'm using. Can anyone please point
> me to what might be using up the huge amount of extra space - it's a
> hell of a lot to go missing and I'd like to retrieve it :-(
> --
> Sam
>
July 25, 2005 6:36:04 PM

Galen said ...
> In news:D c2o6c$dem$1@nwrdmz01.dmz.ncs.ea.ibs-infra.bt.com,
> Sam <sam.sam@samsam.com> had this to say:
>
> My reply is at the bottom of your sent message:
>
> > Hi, I'm using XP Home with SP2. When I Look at the properties of the
> > C: drive, it says I have used approx 55GB with 19GB left. The Defrag
> > utility says the same. However, when I look at all the space used in
> > all the directories on C: I appear only to have used about 25GB, which
> > is actually more like what I think I'm using. Can anyone please point
> > me to what might be using up the huge amount of extra space - it's a
> > hell of a lot to go missing and I'd like to retrieve it :-(
>
> Start here and let me know what you see:
>
> SequoiaView:
> http://www.win.tue.nl/sequoiaview/
>
> Are you on broadband? Without active security scanning? Without a firewall
> in place perhaps? Do you have viewing hidden files enabled?
>
> Start > run > type "control folders" (without the quotes) > hit enter > View
> tab > SHOW hidden files and Protected files.
>
> Galen
>
Thanks Galen. BB - yes. Firewall is ZA free V6. CA eTrust AV. Hidden
files were shown. Protected files were not shown. This has made a
difference of about 2GB so I can now see about 28GB, but the disk still
has 55 GB used. Treesize tells me C: uses 28 GB. Sequoia is a bit
different and difficult for me to interpret but at the top RHS, there
are two files, C:\hiberfil.sys and C:\pagefile.sys which are not in
themselves large (about 600MB each) but the data at the bottom of
sequoia, when I hover over those files, tell me the Dir (that will be
C:\) is 51GB. I cannot see a subdir which is anything approaching this,
though, and trying to add up all the sub dirs on the sequoia page gives
me the old 28GB approx.
--
Sam
July 25, 2005 6:36:05 PM

In news:D c2tck$ofc$1@nwrdmz01.dmz.ncs.ea.ibs-infra.bt.com,
Sam <sam.sam@samsam.com> had this to say:

My reply is at the bottom of your sent message:

> Galen said ...
>> In news:D c2o6c$dem$1@nwrdmz01.dmz.ncs.ea.ibs-infra.bt.com,
>> Sam <sam.sam@samsam.com> had this to say:
>>
>> My reply is at the bottom of your sent message:
>>
>>> Hi, I'm using XP Home with SP2. When I Look at the properties of
>>> the C: drive, it says I have used approx 55GB with 19GB left. The
>>> Defrag utility says the same. However, when I look at all the
>>> space used in all the directories on C: I appear only to have used
>>> about 25GB, which is actually more like what I think I'm using.
>>> Can anyone please point me to what might be using up the huge
>>> amount of extra space - it's a hell of a lot to go missing and I'd
>>> like to retrieve it :-(
>>
>> Start here and let me know what you see:
>>
>> SequoiaView:
>> http://www.win.tue.nl/sequoiaview/
>>
>> Are you on broadband? Without active security scanning? Without a
>> firewall in place perhaps? Do you have viewing hidden files enabled?
>>
>> Start > run > type "control folders" (without the quotes) > hit
>> enter > View tab > SHOW hidden files and Protected files.
>>
>> Galen
>>
> Thanks Galen. BB - yes. Firewall is ZA free V6. CA eTrust AV.
> Hidden files were shown. Protected file were not shown. This has
> made a difference of about 2GB so I can now see about 28GB, but the
> disk still has 55 GB used. Treesize tells me C: uses 28 GB.
> Sequoia is a bit different and difficult for me to interpret but at
> the top RHS, there are two files, C:\hiberfil.sys and C:\pagefile.sys
> which are not in themselves large (about 600MB each) but the data at
> the bottom of sequoia, when I hover over those files, tell me the Dir
> (that will be C: \) is 51GB. I cannot see a subdir which is anything
> approaching this, though and trying to add up all the sub dirs on the
> sequoia page gives me the old 28GB approx.

It's not looking good... What I'm curious about now would be something
called a rootkit. The concept is not new but only recently have they become
known in the Windows environment. (And they always said Windows was less
secure?) Rootkits have been around the *NIX realm for a long time now but
the idea/knowledge that they could be effective in Windows (more so on a
permissions based OS than that seen in 9x) is only recently becoming
something the public (and even some experts) are aware of.

Take a peek here. I'm wondering if you have some sort of fancy worm or the
like. I guess you probably wouldn't notice (that's the point after all) any
additional traffic...

http://research.microsoft.com/rootkit/

Simple curiosity... Broadband... Is it slower than normal at times? I don't
mean marginally, I mean have you noted any serious slowdowns?

IF <-- that's a big IF
You are "infected" (it's not really an infection but a true hack, a complete
usurpation of power and the means to hide it) then it's not going to be a
good day for you...

This is a rather long drawn out process if indeed you are compromised.
Flattening your box means just that as all data would become suspect.
Hiberfil and pagefile are normal. One is for when you operate and the other
is your page file. Those sizes seem rational. Have you noticed ANY odd
behavior?

Let's guess that they weren't complete... Start > Run > "cmd" without the
quotes > enter > netstat > enter > netstat -n > enter > netstat -a > enter
and compare the results... Anything beyond what you can find by rooting
about in a trace route utility or doing lookups of the IP addresses?

I guess I'm mostly just fascinated (sorry about that) because if this is the
case then you will have the first actual case I've seen for Windows.
*chuckles* Too bad you probably live on the other side of the globe, I'd
like to actually examine something like that.

Anyhow, with your handy RootkitRevealer, take a peek. Disconnect from the
internet (ASAP) and turn off your modem physically. Disable your AV and
other software that's scanning actively and scan with the RootkitRevealer.
From there you can use the command lines (shown on the site) to really get
into the nitty gritty. While I doubt that, if this is the case, there's a
whole lot you can do you can certainly be in a position to learn a great
deal and while I don't envy you (nor your potential upcoming loss of data) I
do wish that I could be there to witness it. Call it morbid fascination if
you will...

Anyhow, for the short term... Go to www.kaspersky.com and get the trial
version of KAV. Install it (disable your current AV) and update it. Scan
with that as well. For now stick with just the trial version - I'm pretty
sure it works just fine for 30 days. TrojanHunter (www.trojanhunter.com) is
also good for a 30 day trial. Beyond that update them and scan in safe
mode... Then take a peek and see if the antispyware apps bring anything
interesting to light... A bunch and some simple instructions listed here:

Malware Cleaning :
http://kgiii.info/windows/all/general/malwarefix.html

Assuming those bring nothing up post back and let us know if you came up
clean and we'll see where to go from there but that's where I'd start.
Actually start at the bottom of this list and work your way up to the
RootkitRevealer as the results of that can seem misleading (and horrible as
it's called a few things suspect on a brand new installation here) and more
than likely will just make you angry than fixing anything or leading you to
fixing anything I should say.

Galen
--

"But there are always some lunatics about. It would be a dull world
without them."

Sherlock Holmes
July 25, 2005 10:05:11 PM

Galen said ...
> In news:D c2tck$ofc$1@nwrdmz01.dmz.ncs.ea.ibs-infra.bt.com,
> Sam <sam.sam@samsam.com> had this to say:
>
> My reply is at the bottom of your sent message:
>
> > Galen said ...
> >> In news:D c2o6c$dem$1@nwrdmz01.dmz.ncs.ea.ibs-infra.bt.com,
> >> Sam <sam.sam@samsam.com> had this to say:
> >>
> >> My reply is at the bottom of your sent message:
> >>
> >>> Hi, I'm using XP Home with SP2. When I Look at the properties of
> >>> the C: drive, it says I have used approx 55GB with 19GB left. The
> >>> Defrag utility says the same. However, when I look at all the
> >>> space used in all the directories on C: I appear only to have used
> >>> about 25GB, which is actually more like what I think I'm using.
> >>> Can anyone please point me to what might be using up the huge
> >>> amount of extra space - it's a hell of a lot to go missing and I'd
> >>> like to retrieve it :-(
> >>
> >> Start here and let me know what you see:
> >>
> >> SequoiaView:
> >> http://www.win.tue.nl/sequoiaview/
> >>
> >> Are you on broadband? Without active security scanning? Without a
> >> firewall in place perhaps? Do you have viewing hidden files enabled?
> >>
> >> Start > run > type "control folders" (without the quotes) > hit
> >> enter > View tab > SHOW hidden files and Protected files.
> >>
> >> Galen
> >>
> > Thanks Galen. BB - yes. Firewall is ZA free V6. CA eTrust AV.
> > Hidden files were shown. Protected file were not shown. This has
> > made a difference of about 2GB so I can now see about 28GB, but the
> > disk still has 55 GB used. Treesize tells me C: uses 28 GB.
> > Sequoia is a bit different and difficult for me to interpret but at
> > the top RHS, there are two files, C:\hiberfil.sys and C:\pagefile.sys
> > which are not in themselves large (about 600MB each) but the data at
> > the bottom of sequoia, when I hover over those files, tell me the Dir
> > (that will be C: \) is 51GB. I cannot see a subdir which is anything
> > approaching this, though and trying to add up all the sub dirs on the
> > sequoia page gives me the old 28GB approx.
>
> It's not looking good... What I'm curious about now would be something
> called a rootkit. The concept is not new but only recently have they become
> known in the Windows environment. (And they always said Windows was less
> secure?) Rootkits have been around the *NIX realm for a long time now but
> the idea/knowledge that they could be effective in Windows (more so on a

Nothing strange noticed at all. Will try the above thanks but I'm not
very technical and also there's having the time. Will get back here
when I find something, or not.
--
Sam
July 26, 2005 12:44:20 AM

Sam said ...
> > > Thanks Galen. BB - yes. Firewall is ZA free V6. CA eTrust AV.
> > > Hidden files were shown. Protected file were not shown. This has
> > > made a difference of about 2GB so I can now see about 28GB, but the
> > > disk still has 55 GB used. Treesize tells me C: uses 28 GB.
> > > Sequoia is a bit different and difficult for me to interpret but at
> > > the top RHS, there are two files, C:\hiberfil.sys and C:\pagefile.sys
> > > which are not in themselves large (about 600MB each) but the data at
> > > the bottom of sequoia, when I hover over those files, tell me the Dir
> > > (that will be C: \) is 51GB. I cannot see a subdir which is anything
> > > approaching this, though and trying to add up all the sub dirs on the
> > > sequoia page gives me the old 28GB approx.
> >
> > It's not looking good... What I'm curious about now would be something
> > called a rootkit. The concept is not new but only recently have they become
> > known in the Windows environment. (And they always said Windows was less
> > secure?) Rootkits have been around the *NIX realm for a long time now but
> > the idea/knowledge that they could be effective in Windows (more so on a
>
> Nothing strange noticed at all. Will try the above thanks but I'm not
> very technical and also there's having the time. Will get back here
> when I find something, or not.
>
Galen,

Well now, I've had an interesting evening, although not quite as you may
have expected.

I downloaded KAV and installed it - unfortunately, try as I might to get
it to work, it kept causing my PC to freeze, fall over, etc.! I was
beginning to get a bit paranoid! I uninstalled KAV. I ran an online
virus scan from Trend Micro and that showed up nothing at all. After a
number of re-boots following my KAV problems, the disk size was still
showing the same anomalies. Thinking back, I've probably had this
problem for at least a week or so.

Thinking that I might have to call my PC support number (it's < 1 year
old and I am on a support contract) I decided I'd better re-install
Norton Internet Security, which came with the PC as standard but which I
uninstalled two months ago because of speed problems etc. This
re-installation took a very long time due to multiple passes with
LiveUpdate being necessary and Norton's usual snail's pace installing
the updates. After many re-boots etc., after NIS was completely in
place and I'd suppressed Zonealarm and CA eTrust I decided to look at
the disk size again. Well, the problem has disappeared - C: properties
report 29GB used, 42 free - as I expect since NIS has used some disk
space on installation. Equally, Sequoia now reports the new disk usage
as does Defrag!! In Sequoia, the pagefile and hibernate file are in a
Dir of size 27.4GB - as I'd expect more or less.

So - wtf has been going on? I'm happy now but perplexed as to what was
the problem. Many thanks for your advice, though.
--
Sam
July 26, 2005 12:44:21 AM

In news:D c3iv4$qqa$1@nwrdmz01.dmz.ncs.ea.ibs-infra.bt.com,
Sam <sam.sam@samsam.com> had this to say:

My reply is at the bottom of your sent message:

> Sam said ...
>>>> Thanks Galen. BB - yes. Firewall is ZA free V6. CA eTrust AV.
>>>> Hidden files were shown. Protected file were not shown. This has
>>>> made a difference of about 2GB so I can now see about 28GB, but the
>>>> disk still has 55 GB used. Treesize tells me C: uses 28 GB.
>>>> Sequoia is a bit different and difficult for me to interpret but at
>>>> the top RHS, there are two files, C:\hiberfil.sys and
>>>> C:\pagefile.sys which are not in themselves large (about 600MB
>>>> each) but the data at the bottom of sequoia, when I hover over
>>>> those files, tell me the Dir (that will be C: \) is 51GB. I
>>>> cannot see a subdir which is anything approaching this, though and
>>>> trying to add up all the sub dirs on the sequoia page gives me the
>>>> old 28GB approx.
>>>
>>> It's not looking good... What I'm curious about now would be
>>> something called a rootkit. The concept is not new but only
>>> recently have they become known in the Windows environment. (And
>>> they always said Windows was less secure?) Rootkits have been
>>> around the *NIX realm for a long time now but the idea/knowledge
>>> that they could be effective in Windows (more so on a
>>
>> Nothing strange noticed at all. Will try the above thanks but I'm
>> not very technical and also there's having the time. Will get back
>> here when I find something, or not.
>>
> Galen,
>
> Well now, I've had an interesting evening, although not quite as you
> may have expected.
>
> I downloaded KAV and installed it - unfortunately, try as I might to
> get it to work, it kept causing my PC to freeze, fall over, etc.! I
> was beginning to get a bit paranoid! I uninstalled KAV. I ran an
> online virus scan from Trend Micro and that showed up nothing at all.
> After a number of re-boots following my KAV problems, the disk size
> was still showing the same anomalies. Thinking back, I've probably
> had this problem for at least a week or so.
>
> Thinking that I might have to call my PC support number (it's < 1 year
> old and I am on a support contract) I decided I'd better re-install
> Norton Internet Security, which came with the PC as standard but
> which I uninstalled two months ago because of speed problems etc.
> This re- installation took a very long time due to multiple passes
> with LiveUpdate being necessary and Norton's usual snail's pace
> installing the updates. After many re-boots etc., after NIS was
> completely in place and I'd suppressed Zonealarm and CA eTrust I
> decided to look at the dik size again. Well, the problem has
> disappeared - C: properties report 29GB used, 42 free - as I expect
> since NIS has used some disk space on installation. Equally, Sequoia
> now reports the new disk usage as does Defrag.!! In Sequoia, the
> pagefile and hibernate file are in a Dir of size 27.4GB - as I'd
> expect more or less.
>
> So - wtf has been going on? I'm happy now but perplexed as to what
> was the problem. Many thanks for your advice, though.

I think the only correct (and honest) response is "buggered if I know."
Perhaps something was being held quarantined? Perhaps the install of NIS
killed whatever it was that was going bonkers? I really don't know. :)  At
least it's working and it seems to be okay. I'd keep an eye on it and hope
for the best. Some things just aren't meant to be known, perhaps someone else
will have seen this in the past and will shed some light on it?

Galen
--

"But there are always some lunatics about. It would be a dull world
without them."

Sherlock Holmes
July 26, 2005 11:00:59 AM

Galen said ...
> > So - wtf has been going on? I'm happy now but perplexed as to what
> > was the problem. Many thanks for your advice, though.
>
> I think the only correct (and honest) response is "buggered if I know."
> Perhaps something was being held quarantined? Perhaps the install of NIS
> killed what ever it was that was going bonkers? I really don't know. :)  At
> least it's working and it seems to be okay. I'd keep an eye on it and hope
> for the best. Somethings just aren't meant to be known, perhaps someone else
> will have seen this in the past and will shed some light on it?
>
> Galen
>
I don't like unsolved mysteries but this one looks like it will remain
so - but I'll certainly keep a look out for a recurrence.
--
Sam
July 26, 2005 11:14:11 AM

Sam said ...
> Galen said ...
> > > So - wtf has been going on? I'm happy now but perplexed as to what
> > > was the problem. Many thanks for your advice, though.
> >
> > I think the only correct (and honest) response is "buggered if I know."
> > Perhaps something was being held quarantined? Perhaps the install of NIS
> > killed what ever it was that was going bonkers? I really don't know. :)  At
> > least it's working and it seems to be okay. I'd keep an eye on it and hope
> > for the best. Somethings just aren't meant to be known, perhaps someone else
> > will have seen this in the past and will shed some light on it?
> >
> > Galen
> >
> I don't like unsolved mysteries but this one looks like it will remain
> so - but I'll certainly keep a look out for a recurrence.
>
Sorry to reply to my own post - the latest check shows that there is
still a discrepancy, though. Properties of C: say used = 28.9GB.
Selecting all directories and files in C:\, the properties say used =
25.7GB. I am not going to investigate this but will start to get
worried if anything strange happens or if the discrepancy grows.
--
Sam
July 26, 2005 2:20:07 PM

In news:D c4ns3$mid$1@nwrdmz03.dmz.ncs.ea.ibs-infra.bt.com,
Sam <sam.sam@samsam.com> had this to say:

My reply is at the bottom of your sent message:

> Sam said ...
>> Galen said ...
>>>> So - wtf has been going on? I'm happy now but perplexed as to what
>>>> was the problem. Many thanks for your advice, though.
>>>
>>> I think the only correct (and honest) response is "buggered if I
>>> know." Perhaps something was being held quarantined? Perhaps the
>>> install of NIS killed what ever it was that was going bonkers? I
>>> really don't know. :)  At least it's working and it seems to be
>>> okay. I'd keep an eye on it and hope for the best. Somethings just
>>> aren't meant to be known, perhaps someone else will have seen this
>>> in the past and will shed some light on it?
>>>
>>> Galen
>>>
>> I don't like unsolved mysteries but this one looks like it will
>> remain so - but I'll certainly keep a look out for a recurrence.
>>
> Sorry to reply to my own post - the latest check shows that there is
> still a discrepancy, though. properties of C: say used = 28.9GB.
> Selecting all directories and files in C:\, the properties say used =
> 25.7GB. I am not going to investigate this but will start to get
> worried if anything strange happens or if the discrepancy grows.

Did you ever let the rootkit tool run? It's a really odd situation you have
there and it's worth at least checking that though - to be frank - that too
could be fooled into ignoring stuff. *chuckles*

Galen
--

"But there are always some lunatics about. It would be a dull world
without them."

Sherlock Holmes
July 26, 2005 8:06:16 PM

Galen said ...
> Did you ever let the rootkit tool run? It's a really odd situation you have
> there and it's worth at least checking that though - to be frank - that too
> could be fooled into ignoring stuff. *chuckles*
>
No, I didn't, but will attempt to do so at some stage.
--
Sam
July 26, 2005 10:34:45 PM

Sam said ...
> Galen said ...
> > Did you ever let the rootkit tool run? It's a really odd situation you have
> > there and it's worth at least checking that though - to be frank - that too
> > could be fooled into ignoring stuff. *chuckles*
> >
> no I didn't but attempt will do so at some stage.
>
Just ran Rootkitrevealer twice. The results are below. Most of the
entries refer to keirnet/K9 which is a Bayesian spam filter I've been
using for about 2 years on this and my previous PC. Does this reveal
anything?



C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\h91wf1ji.default\parent.lock 26/07/2005 17:04 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Owner\Local Settings\Temp\~DF8223.tmp 26/07/2005 12:34 16.00 KB Visible in Windows API, MFT, but not in directory index.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KHA70T6R\wbk32.tmp 26/07/2005 17:04 4.90 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KHA70T6R\wbk34.tmp 26/07/2005 17:04 2.70 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\KeirNet\K9\Emails\Recent\72627B94.kml 24/07/2005 19:00 1.62 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\KeirNet\K9\Emails\Recent\D30689C5.kml 24/07/2005 19:00 3.62 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\KeirNet\K9\Emails\Spam\0E4B7DD0.kml 03/11/2004 20:17 2.85 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\KeirNet\K9\Emails\Spam\72627B94.kml 24/07/2005 19:00 1.62 KB Hidden from Windows API.
C:\Program Files\KeirNet\K9\Emails\Spam\B6D4932A.kml 03/11/2004 20:17 1.84 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\KeirNet\K9\Emails\Spam\D30689C5.kml 24/07/2005 19:00 3.62 KB Hidden from Windows API.
D: 01/01/1601 01:00 0 bytes Error mounting volume



An earlier run which I ran from the command line and sent to a csv file
(fred) and in which I showed the NTFS metadata files looks like this ...


Data mismatch between Windows API and raw hive data.,26/07/2005 18:14,80 bytes,"HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed"
Hidden from Windows API.,05/08/2004 09:27,2.50 KB,"C:\$AttrDef"
Hidden from Windows API.,05/08/2004 09:27,0 bytes,"C:\$BadClus"
Hidden from Windows API.,05/08/2004 09:27,13.68 GB,"C:\$BadClus:$Bad"
Hidden from Windows API.,05/08/2004 09:27,2.17 MB,"C:\$Bitmap"
Hidden from Windows API.,05/08/2004 09:27,8.00 KB,"C:\$Boot"
Hidden from Windows API.,05/08/2004 09:27,0 bytes,"C:\$Extend"
Hidden from Windows API.,05/08/2004 09:27,0 bytes,"C:\$Extend\$ObjId"
Hidden from Windows API.,05/08/2004 09:27,0 bytes,"C:\$Extend\$Quota"
Hidden from Windows API.,05/08/2004 09:27,0 bytes,"C:\$Extend\$Reparse"
Hidden from Windows API.,30/10/2004 17:55,0 bytes,"C:\$Extend\$UsnJrnl"
Hidden from Windows API.,30/10/2004 17:55,32 bytes,"C:\$Extend\$UsnJrnl:$Max"
Hidden from Windows API.,05/08/2004 09:27,64.00 MB,"C:\$LogFile"
Hidden from Windows API.,05/08/2004 09:27,170.70 MB,"C:\$MFT"
Hidden from Windows API.,05/08/2004 09:27,4.00 KB,"C:\$MFTMirr"
Hidden from Windows API.,05/08/2004 09:27,0 bytes,"C:\$Secure"
Hidden from Windows API.,05/08/2004 09:27,128.00 KB,"C:\$UpCase"
Hidden from Windows API.,05/08/2004 09:27,0 bytes,"C:\$Volume"
Hidden from Windows API.,26/07/2005 18:17,763 bytes,"C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\fred.LNK"
Visible in Windows API, but not in MFT or directory index.,24/07/2005 18:20,2.30 KB,"C:\Program Files\KeirNet\K9\Emails\Recent\67B3DF18.kml"
Visible in Windows API, but not in MFT or directory index.,24/07/2005 18:20,36 bytes,"C:\Program Files\KeirNet\K9\Emails\Recent\67B3DF18.kml:KAVICHS"
Hidden from Windows API.,26/07/2005 18:28,2.30 KB,"C:\Program Files\KeirNet\K9\Emails\Spam\67B3DF18.kml"
Hidden from Windows API.,26/07/2005 18:28,36 bytes,"C:\Program Files\KeirNet\K9\Emails\Spam\67B3DF18.kml:KAVICHS"
Visible in Windows API, but not in MFT or directory index.,03/11/2004 19:17,1.46 KB,"C:\Program Files\KeirNet\K9\Emails\Spam\914CE960.kml"
Hidden from Windows API.,03/06/2005 16:41,2.44 KB,"C:\System Volume Information\_restore{2C64A447-4679-4204-A039-16352F4E0E7D}\RP332\A0037360.lnk"
Hidden from Windows API.,25/07/2005 15:13,672 bytes,"C:\System Volume Information\_restore{2C64A447-4679-4204-A039-16352F4E0E7D}\RP332\A0037361.LNK"
Visible in Windows API, but not in MFT or directory index.,26/07/2005 18:11,0 bytes,"C:\WINDOWS\system32\spool\PRINTERS\FP00000.SHD"
Visible in Windows API, but not in MFT or directory index.,26/07/2005 18:11,0 bytes,"C:\WINDOWS\system32\spool\PRINTERS\FP00000.SPL"
Error mounting volume,01/01/1601 01:00,0 bytes,"D:"


--
Sam
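
An added example, not part of the thread and not Sysinternals code: a Python triage of the RootkitRevealer CSV run posted above, which separates NTFS's own metadata files and scan-time churn from the rows that deserve a manual look. The four labels and the "same name and size seen API-only in another folder" move heuristic are assumptions of this sketch; the sample rows are copied from the post with wrapped lines rejoined.

```python
import csv
import io
import ntpath
import re
from collections import Counter, defaultdict
from typing import NamedTuple

# Rows copied from the CSV run in the post above (newsreader line wraps rejoined).
SAMPLE = r'''Data mismatch between Windows API and raw hive data.,26/07/2005 18:14,80 bytes,"HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed"
Hidden from Windows API.,05/08/2004 09:27,13.68 GB,"C:\$BadClus:$Bad"
Hidden from Windows API.,05/08/2004 09:27,170.70 MB,"C:\$MFT"
Hidden from Windows API.,30/10/2004 17:55,32 bytes,"C:\$Extend\$UsnJrnl:$Max"
Hidden from Windows API.,26/07/2005 18:17,763 bytes,"C:\Documents and Settings\Owner\Application Data\Microsoft\Office\Recent\fred.LNK"
Visible in Windows API, but not in MFT or directory index.,24/07/2005 18:20,2.30 KB,"C:\Program Files\KeirNet\K9\Emails\Recent\67B3DF18.kml"
Hidden from Windows API.,26/07/2005 18:28,2.30 KB,"C:\Program Files\KeirNet\K9\Emails\Spam\67B3DF18.kml"
Visible in Windows API, but not in MFT or directory index.,03/11/2004 19:17,1.46 KB,"C:\Program Files\KeirNet\K9\Emails\Spam\914CE960.kml"
Visible in Windows API, but not in MFT or directory index.,26/07/2005 18:11,0 bytes,"C:\WINDOWS\system32\spool\PRINTERS\FP00000.SHD"
Error mounting volume,01/01/1601 01:00,0 bytes,"D:"
'''


class Finding(NamedTuple):
    description: str
    timestamp: str
    size: str
    path: str


# NTFS keeps its own metadata files in the volume root; their names start
# with "$" and the Windows API does not list them on any NTFS volume.
NTFS_METAFILE = re.compile(
    r'^[A-Za-z]:\\\$(?:AttrDef|BadClus|Bitmap|Boot|Extend|LogFile|MFTMirr|MFT|'
    r'Secure|UpCase|Volume)(?=$|[\\:])')


def parse_report(text):
    """Parse the CSV export. The description column is unquoted and can
    contain commas itself, so the last three fields are taken as timestamp,
    size and path and whatever precedes them is rejoined."""
    findings = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 4:
            continue  # blank or truncated line
        *desc, when, size, path = row
        findings.append(
            Finding(",".join(desc).strip(), when.strip(), size.strip(), path.strip()))
    return findings


def _key(finding):
    # File name (including any ":stream" suffix) plus reported size.
    return ntpath.basename(finding.path).lower(), finding.size


def triage(findings):
    """Label each finding (assumed heuristic, not the tool's own verdict)."""
    # Folders in which a given (name, size) was seen by the API scan only.
    api_only = defaultdict(set)
    for f in findings:
        if f.description.startswith("Visible in Windows API"):
            api_only[_key(f)].add(ntpath.dirname(f.path).lower())

    labelled = []
    for f in findings:
        here = ntpath.dirname(f.path).lower()
        if f.description.startswith("Error"):
            label = "scan_error"
        elif f.description.startswith(("Visible in Windows API", "Data mismatch")):
            # The API saw something the raw scan did not, or a registry value
            # differed: typically created, deleted or updated mid-scan.
            label = "changed_during_scan"
        elif NTFS_METAFILE.match(f.path):
            label = "ntfs_metadata"
        elif api_only.get(_key(f), set()) - {here}:
            # Raw scan found it here, API scan found the same name and size
            # in another folder: consistent with a move between the passes.
            label = "moved_during_scan"
        else:
            label = "review"  # hidden from the API with no benign explanation
        labelled.append((label, f))
    return labelled


def summary(text):
    return Counter(label for label, _ in triage(parse_report(text)))


if __name__ == "__main__":
    for label, f in triage(parse_report(SAMPLE)):
        print(f"{label:20} {f.size:>10}  {f.path}")
```

Rows labelled `review` are the ones to examine by hand; re-running the scan with mail clients, spam filters and other busy applications closed shrinks the churn categories.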
July 26, 2005 11:26:31 PM

Sam said ...
> Just ran Rootkitrevealer twice. The results are below. Most of the
> entries refer to keirnet/K9 which is a Bayesian spam filter I've been
> using for about 2 years on this and my previous PC. Does this reveal
> anything?
>
But I have noticed now that each and every time I reboot the PC, it
takes quite a long time for Windows to become completely ready, during
which there is a lot of disk activity and then the properties of the C:
drive show it to have increased by about 0.5GB over what it was before
the reboot!!! It's now up to 33GB. As before, using select all on the
contents of C: and then doing a properties on the selection shows the
disk size steady at around 26GB as before.
--
Sam
July 27, 2005 1:41:41 PM

In news:D c5vo5$2br$1@nwrdmz01.dmz.ncs.ea.ibs-infra.bt.com,
Sam <sam.sam@samsam.com> had this to say:


> Data mismatch between Windows API and raw hive data.,26/07/2005 18:14,80 bytes,"HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed"
> Hidden from Windows API.,05/08/2004 09:27,2.50 KB,"C:\$AttrDef"
> Hidden from Windows API.,05/08/2004 09:27,0 bytes,"C:\$BadClus"
> Hidden from Windows API.,05/08/2004 09:27,13.68 GB,"C:\$BadClus:$Bad"
> Hidden from Windows API.,05/08/2004 09:27,2.17 MB,"C:\$Bitmap"
> Hidden from Windows API.,05/08/2004 09:27,8.00 KB,"C:\$Boot"
> Hidden from Windows API.,05/08/2004 09:27,0 bytes,"C:\$Extend"
> Hidden from Windows API.,05/08/2004 09:27,0 bytes,"C:\$Extend\$ObjId"
> Hidden from Windows API.,05/08/2004 09:27,0 bytes,"C:\$Extend\$Quota"
> Hidden from Windows API.,05/08/2004 09:27,0 bytes,"C:\$Extend\$Reparse"
> Hidden from Windows API.,30/10/2004 17:55,0 bytes,"C:\$Extend\$UsnJrnl"
> Hidden from Windows API.,30/10/2004 17:55,32 bytes,"C:\$Extend\$UsnJrnl:$Max"
> Hidden from Windows API.,05/08/2004 09:27,64.00 MB,"C:\$LogFile"
> Hidden from Windows API.,05/08/2004 09:27,170.70 MB,"C:\$MFT"
> Hidden from Windows API.,05/08/2004 09:27,4.00 KB,"C:\$MFTMirr"
> Hidden from Windows API.,05/08/2004 09:27,0 bytes,"C:\$Secure"
> Hidden from Windows API.,05/08/2004 09:27,128.00 KB,"C:\$UpCase"
> Hidden from Windows API.,05/08/2004 09:27,0 bytes,"C:\$Volume"
> Hidden from Windows API.,26/07/2005 18:17,763 bytes,"C:\Documents and

The folders beginning with $ are "hidden shares" usually. Those may not be
being calculated.

Why do you have hidden shares? Why is a bad cluster (at 13 GB) hidden? Can
you see those folders? Can you delete them (if you should delete them?) Did
you put them there? What is in them? Are they showing up in Sequoia View?

I'm going to see if I can get a few more opinions on this one. ;)  More heads
mean, hopefully, more advice or at least more chances of this being
witnessed. At least now I'm hoping that these are the files taking up the
missing space.

Galen
--

"But there are always some lunatics about. It would be a dull world
without them."

Sherlock Holmes
July 27, 2005 6:53:51 PM

Galen said ...
> In news:D c5vo5$2br$1@nwrdmz01.dmz.ncs.ea.ibs-infra.bt.com,
> Sam <sam.sam@samsam.com> had this to say:
>
>
> > Data mismatch between Windows API and raw hive data.,26/07/2005
> > 18:14,80 bytes,"HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed"
> > Hidden from Windows API.,05/08/2004 09:27,2.50 KB,"C:\$AttrDef"
> > Hidden from Windows API.,05/08/2004 09:27,0 bytes,"C:\$BadClus"
> > Hidden from Windows API.,05/08/2004 09:27,13.68 GB,"C:\$BadClus:$Bad"
> > Hidden from Windows API.,05/08/2004 09:27,2.17 MB,"C:\$Bitmap"
> > Hidden from Windows API.,05/08/2004 09:27,8.00 KB,"C:\$Boot"
> > Hidden from Windows API.,05/08/2004 09:27,0 bytes,"C:\$Extend"
> > Hidden from Windows API.,05/08/2004 09:27,0 bytes,"C:\$Extend\$ObjId"
> > Hidden from Windows API.,05/08/2004 09:27,0 bytes,"C:\$Extend\$Quota"
> > Hidden from Windows API.,05/08/2004 09:27,0
> > bytes,"C:\$Extend\$Reparse" Hidden from Windows API.,30/10/2004
> > 17:55,0 bytes,"C:\$Extend\$UsnJrnl" Hidden from Windows
> > API.,30/10/2004 17:55,32 bytes,"C:\$Extend\$UsnJrnl: $Max"
> > Hidden from Windows API.,05/08/2004 09:27,64.00 MB,"C:\$LogFile"
> > Hidden from Windows API.,05/08/2004 09:27,170.70 MB,"C:\$MFT"
> > Hidden from Windows API.,05/08/2004 09:27,4.00 KB,"C:\$MFTMirr"
> > Hidden from Windows API.,05/08/2004 09:27,0 bytes,"C:\$Secure"
> > Hidden from Windows API.,05/08/2004 09:27,128.00 KB,"C:\$UpCase"
> > Hidden from Windows API.,05/08/2004 09:27,0 bytes,"C:\$Volume"
> > Hidden from Windows API.,26/07/2005 18:17,763 bytes,"C:\Documents and
>
> The folders beginning with $ are "hidden shares" usually. Those may not be
> being calculated.
>
> Why do you have hidden shares? Why is a bad cluster (at 13 GB) hidden? Can
> you see those folders? Can you delete them (if you should delete them?) Did
> you put them there? What is in them? Are they showing up in Sequoia View?
>
> I'm going to see if I can get a few more opinions on this one. ;)  More heads
> mean, hopefully, more advice or at least more chances of this being
> witnessed. At least now I'm hoping that these are the files taking up the
> missing space.
>
> Galen
>
I can't answer these questions I'm afraid as I don't know. Most of
these are related to NTFS as far as the advice on the web site was
concerned.

Have you seen my point about the disk space diminishing by about 1/2 a
GB every time I reboot, by the way?
--
Sam
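
The rows quoted in the posts above can be triaged mechanically. NTFS keeps its own metadata in files such as `$MFT`, `$LogFile` and `$BadClus` in the volume root, and the Windows API never lists them, so a scan that compares the API view with the raw disk reports them on every NTFS volume. The sketch below is an added example, not part of any post in this thread; the four-field row layout is inferred from the quoted log, the function names are hypothetical, and the last sample row is constructed to show the edge case.

```python
import csv
import io
import re

# NTFS metadata files live in the volume root; the Windows API never lists them.
ROOT_METAFILES = {"$mft", "$mftmirr", "$logfile", "$volume", "$attrdef", "$bitmap",
                  "$boot", "$badclus", "$secure", "$upcase", "$extend"}
EXTEND_CHILDREN = {"$objid", "$quota", "$reparse", "$usnjrnl"}
UNITS = {"bytes": 1, "KB": 1024, "MB": 1024**2, "GB": 1024**3}

# Rows 1-5 come from the log quoted in the thread (line wraps rejoined); row 6 is constructed.
SAMPLE_LOG = r'''Data mismatch between Windows API and raw hive data.,26/07/2005 18:14,80 bytes,"HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed"
Hidden from Windows API.,05/08/2004 09:27,13.68 GB,"C:\$BadClus:$Bad"
Hidden from Windows API.,30/10/2004 17:55,32 bytes,"C:\$Extend\$UsnJrnl:$Max"
Hidden from Windows API.,05/08/2004 09:27,64.00 MB,"C:\$LogFile"
Hidden from Windows API.,05/08/2004 09:27,170.70 MB,"C:\$MFT"
Hidden from Windows API.,26/07/2005 18:17,763 bytes,"C:\Temp\$MFT"
'''

def parse_size(text):
    """Convert a size such as '2.50 KB' or '0 bytes' to a byte count."""
    number, unit = text.split()
    return int(float(number) * UNITS[unit])

def is_ntfs_metafile(path):
    """True only for a metafile in the volume root or directly under $Extend."""
    match = re.match(r"^[A-Za-z]:\\(.+)$", path)
    if not match:
        return False  # registry keys and other non-file paths
    # Drop any ':stream' suffix and stray spaces from each path component.
    parts = [p.split(":")[0].strip().lower() for p in match.group(1).split("\\")]
    if len(parts) == 1:
        return parts[0] in ROOT_METAFILES
    return len(parts) == 2 and parts[0] == "$extend" and parts[1] in EXTEND_CHILDREN

def triage(log_text):
    """Split log rows into expected NTFS metadata and entries needing review."""
    result = {"ntfs_metadata": [], "review": []}
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip wrapped or truncated rows
        _description, _timestamp, size, path = row
        bucket = "ntfs_metadata" if is_ntfs_metafile(path) else "review"
        result[bucket].append((path, parse_size(size)))
    return result

if __name__ == "__main__":
    for bucket, rows in triage(SAMPLE_LOG).items():
        print(bucket, rows)
```

A file that merely borrows a metafile name outside the volume root, like the constructed `C:\Temp\$MFT` row, lands in the review bucket together with the registry mismatch.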
July 27, 2005 6:53:52 PM

In news:D c875v$84f$1@nwrdmz02.dmz.ncs.ea.ibs-infra.bt.com,
Sam <sam.sam@samsam.com> had this to say:

My reply is at the bottom of your sent message:

> Galen said ...
>> In news:D c5vo5$2br$1@nwrdmz01.dmz.ncs.ea.ibs-infra.bt.com,
>> Sam <sam.sam@samsam.com> had this to say:
>>
>>
>>> Data mismatch between Windows API and raw hive data.,26/07/2005
>>> 18:14,80 bytes,"HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed"
>>> Hidden from Windows API.,05/08/2004 09:27,2.50 KB,"C:\$AttrDef"
>>> Hidden from Windows API.,05/08/2004 09:27,0 bytes,"C:\$BadClus"
>>> Hidden from Windows API.,05/08/2004 09:27,13.68
>>> GB,"C:\$BadClus:$Bad" Hidden from Windows API.,05/08/2004
>>> 09:27,2.17 MB,"C:\$Bitmap" Hidden from Windows API.,05/08/2004
>>> 09:27,8.00 KB,"C:\$Boot"
>>> Hidden from Windows API.,05/08/2004 09:27,0 bytes,"C:\$Extend"
>>> Hidden from Windows API.,05/08/2004 09:27,0
>>> bytes,"C:\$Extend\$ObjId" Hidden from Windows API.,05/08/2004
>>> 09:27,0 bytes,"C:\$Extend\$Quota" Hidden from Windows
>>> API.,05/08/2004 09:27,0 bytes,"C:\$Extend\$Reparse" Hidden from
>>> Windows API.,30/10/2004 17:55,0 bytes,"C:\$Extend\$UsnJrnl" Hidden
>>> from Windows API.,30/10/2004 17:55,32 bytes,"C:\$Extend\$UsnJrnl:
>>> $Max"
>>> Hidden from Windows API.,05/08/2004 09:27,64.00 MB,"C:\$LogFile"
>>> Hidden from Windows API.,05/08/2004 09:27,170.70 MB,"C:\$MFT"
>>> Hidden from Windows API.,05/08/2004 09:27,4.00 KB,"C:\$MFTMirr"
>>> Hidden from Windows API.,05/08/2004 09:27,0 bytes,"C:\$Secure"
>>> Hidden from Windows API.,05/08/2004 09:27,128.00 KB,"C:\$UpCase"
>>> Hidden from Windows API.,05/08/2004 09:27,0 bytes,"C:\$Volume"
>>> Hidden from Windows API.,26/07/2005 18:17,763 bytes,"C:\Documents
>>> and
>>
>> The folders beginning with $ are "hidden shares" usually. Those may
>> not be being calculated.
>>
>> Why do you have hidden shares? Why is a bad cluster (at 13 GB)
>> hidden? Can you see those folders? Can you delete them (if you
>> should delete them?) Did you put them there? What is in them? Are
>> they showing up in Sequoia View?
>>
>> I'm going to see if I can get a few more opinions on this one. ;) 
>> More heads mean, hopefully, more advice or at least more chances of
>> this being witnessed. At least now I'm hoping that these are the
>> files taking up the missing space.
>>
>> Galen
>>
> I can't answer these questions I'm afraid as I don't know. Most of
> these are related to NTFS as far as the advice on the web site was
> concerned.
>
> Have you seen my point about the disk space diminishing by about 1/2 a
> GB every time I reboot, by the way?

Yes, I saw it. Yes it's being looked into. <g> Have you tried any additional
malware scanning? Here's the link again:

Malware Cleaning :
http://kgiii.info/windows/all/general/malwarefix.html

Additional:

I'd also recommend KAV again though this time I'd try it in safe mode
without networking. Install, update, reboot, enter safe mode without
networking, and scan... You may need to kill NIS once more before doing so.

Safe Mode :
http://kgiii.info/windows/all/general/safemode.html

It's not going to be quick nor easy to get to the bottom of this. A couple
of other people have replied off-site in an email list about this post and
we'll see if they can offer any additional insight but for now I'd work on
giving it a good solid scan in safe mode.

Galen
--

"But there are always some lunatics about. It would be a dull world
without them."

Sherlock Holmes
July 30, 2005 1:55:37 PM

Galen said ...
> Malware Cleaning :
> http://kgiii.info/windows/all/general/malwarefix.html
>
> Additional:
>
> I'd also recommend KAV again though this time I'd try it in safe mode
> without networking. Install, update, reboot, enter safe mode without
> networking, and scan... You may need to kill NIS once more before doing so.
>
> Safe Mode :
> http://kgiii.info/windows/all/general/safemode.html
>
> It's not going to be quick nor easy to get to the bottom of this. A couple
> of other people have replied off-site in an email list about this post and
> we'll see if they can offer any additional insight but for now I'd work on
> giving it a good solid scan in safe mode.
>
Done a lot of this including KAV in safe mode - nothing untoward found.

However: I today spoke to my computer supplier tech. helpdesk (I'm in
warranty) and discovered that another of their customers has had the same
or similar problem in the past week. I turned off system restore and
the problem goes away - disk size back to normal and doesn't change when
I re-boot. Turn system restore back on and the old problem returns
(creeping disk usage at about 0.5-1.0GB per re-boot). My tech support
is going to investigate further (since more than one person has had the
problem) and will get back to me. Could of course be malware of some
sort but then why doesn't it operate when system restore is turned off?
Perhaps more likely a bug introduced due to a recent windows update?
Anyway, I will report back when I know more. Meanwhile, I have not got
the safety net of system restore but I do feel happier about the
situation. In the end, I may need to reinitialise my system and
reinstall everything but I'm prepared for that if necessary and have
backed up all my important data.
--
Sam
Anonymous
August 1, 2005 1:03:37 PM

Don't mean to butt in, but you do know that system restore can re-expose a
computer system to a previous virus or malware infestation, right? You might
try reinstalling system restore for a fresh start and see if your problem
returns or goes away, or not...
I don't know if a virus that replicates itself could be doing so within
restore points, or if that is even possible? Or is it?

j;-)


"Sam" wrote:

> Galen said ...
> > Malware Cleaning :
> > http://kgiii.info/windows/all/general/malwarefix.html
> >
> > Additional:
> >
> > I'd also recommend KAV again though this time I'd try it in safe mode
> > without networking. Install, update, reboot, enter safe mode without
> > networking, and scan... You may need to kill NIS once more before doing so.
> >
> > Safe Mode :
> > http://kgiii.info/windows/all/general/safemode.html
> >
> > It's not going to be quick nor easy to get to the bottom of this. A couple
> > of other people have replied off-site in an email list about this post and
> > we'll see if they can offer any additional insight but for now I'd work on
> > giving it a good solid scan in safe mode.
> >
> Done a lot of this including KAV in safe mode - nothing untoward found.
>
> However: I today spoke to my computer supplier tech. helpdesk (I'm in
> warranty) and discovered that another of their customers has had the same
> or similar problem in the past week. I turned off system restore and
> the problem goes away - disk size back to normal and doesn't change when
> I re-boot. Turn system restore back on and the old problem returns
> (creeping disk usage at about 0.5-1.0GB per re-boot). My tech support
> is going to investigate further (since more than one person has had the
> problem) and will get back to me. Could of course be malware of some
> sort but then why doesn't it operate when system restore is turned off?
> Perhaps more likely a bug introduced due to a recent windows update?
> Anyway, I will report back when I know more. Meanwhile, I have not got
> the safety net of system restore but I do feel happier about the
> situation. In the end, I may need to reinitialise my system and
> reinstall everything but I'm prepared for that if necessary and have
> backed up all my important data.
> --
> Sam
>
August 1, 2005 8:39:49 PM

Jaymon said ...
> You might
> try reinstalling system restore for a fresh start and see if your problem
> returns or goes away, or not...
>
thanks - how do I do that?
--
Sam
Anonymous
August 1, 2005 8:39:50 PM

To reinstall system restore, go to folder options, view, and check show
hidden files & folders, un-check hide extensions of known file types, apply,
ok. Go to c:\windows\inf and right click the sr.inf file and click install.
This re-installation will wipe out all preexisting restore points and you
will be starting from scratch, so be warned.

j;-)


"Sam" wrote:

> Jaymon said ...
> > You might
> > try reinstalling system restore for a fresh start and see if your problem
> > returns or goes away, or not...
> >
> thanks - how do I do that?
> --
> Sam
>