External Hard-Drive Question

[Sunny]

Hi Jintan,

I haven't needed to log onto this forum since you helped me fix the malware issues with my laptop a couple of months ago (my thread is currently on page 3 of the Malware Removal forum if you wish to familiarise yourself with my laptop's history).

Anyway, my question is:

About two months ago I had 11GB space left on an external Hard-Drive. I then saved 7 movies onto the Hard-Drive which reduced the space left to 0.5GB. However, after I deleted all the movies from the Hard-Drive I was left with only 8.5GB free space. I noticed that after I highlighted all 7 movies and clicked 'delete', only 4 were in the Recycle Bin (which I emptied). None of the movies can be found anywhere on the Hard-Drive.

Any idea what could have happened to the other 2.5GB and if/how I can get it back?

I should note that this was about two months and I have since saved a bunch of work materials, music, pictures, etc since and now only have about 4.20GB space left. I'm still curious about the missing 2.5GB though and would like to have the extra space without having to delete anything.

[Jintan]

I of course knew of this problem from the PM you had sent. But better to post here in the forum, where others have access to the issues and solutions. I sense this all is related to drive size, file size, System Restore and the Recycle Bin.

For those deleted movies and some not showing, for one, deleting something to the Recycle Bin of course still leaves that deleted item's file-size space in use on the disk. For those files not showing, one scenario might be the size setting for the Recycle Bin on the external drive was less than the combined sizes of the files being deleted. So some may have just been deleted from the file system but not show in the at-capacity Recycle Bin. I think the default setting for it is 10% of the drive. If you also had the option to confirm file deletions unchecked this would have resulted in the files not appearing in the Recycle Bin. In some scenarios the files in the system drive's Recyle Bin are also reflected in the other drive's Bin.

That is easy enough to check. Right click the Recycle Bin and your desktop, and select Properties. There you can click the tabs related to other drives, including your external drive.


And then System Restore, which would slowly get larger over time. And as each of these locations start to fill, they no longer function as they should, and can cause odd effects when you check things in Explorer.

Empty all drive's Recycle Bins (if more than the system drive (usually C) and that external drive.

Then reset System Restore. To do this, right-click My Computer and select Properties. Click the System Restore tab in the window that appears, and check the box that says "Turn off System Restore on all drives" and click Apply.

You will be asked if you are sure, click Yes. This will delete the restore points. Then click OK in the Properties window and reboot your computer.

When your desktop appears, right-click My Computer and select Properties once more. Uncheck the "Turn off System Restore..." box and click Apply. OK.

Then one more reboot, and then check the drive space, and post back an update please.

[Sunny]

Recycle Bin Properties state the following:

Under the 'Global' tab the 'Use one setting for all drives' is checked and the maximum size of Recycle Bin is set at 10%.

Under the C Drive tab:
Size of drive: 42.5GB
Space reserved: 3.99GB

Under the E Drive tab:
Size of drive 149GB
Space reserved: 3.99GB


After reseting System Restore like you said, the External Drive's (Drive E) free space went from 4.19GB to 4.40GB. That means System Restore made about 0.21GB more space but there is still 2.3GB missing.

What do you make of the above info and is there anything else that can be done?

[Jintan]

One problem that does seem to exist is too little overall unused space. Drives, especially the one with the operating system, should have at least 12% available free space. If the space drops below this things start occurring - System Restore eventually shuts down, and, perhaps like what is occurring there now, the file system is effected. Also programs run into problems when there is insufficient temp storage space, though this would occur when the free space went to critically low levels.

Make sure you can View Hidden Files. Then check the drive again and see if there is new info that was not showing previously.

[Sunny]

There's three hidden folders on the external hard-drive, (1) Recycle Bin.BIN, (2) Recycled, and (3) System Volume Information. The icon for both (1) and (2) is that of the normal Recycle Bin on my desktop. Both folders are empty.

What do I do next?

[Jintan]

Those two Recycle bin items are fairly suspect of perhaps malware-created. Let's take a different look at the drive.


Go to Start > Run. Copy and paste the below string, then press Enter:

cmd.exe /c dir /a "e:\*" > c:\find.txt¬epad c:\find.txt

Your drive will be scanned and when finished, Notepad will pop up with some information. Copy and paste it in this thread.

If that creates a really large log, due to many separate files stored on that drive, then instead of posting it zip a copy of it, and send it to [noparse]jintan@malwarecrypt.com[/noparse] as an attachment. Please place "Submitted Files -Sunny/mc/dir" as the email Subject.

[Sunny]

Volume in drive E is FLS-U2-160
 Volume Serial Number is 42B2-BD61

 Directory of e:\

18/08/2005  21:06              System Volume Information
19/08/2005  13:23              Sunny School Work
19/08/2005  13:27              Recycled
04/11/2007  16:44              J FOLDER NEEDS SORTING
28/01/2009  20:10              VIDEOS
19/08/2005  13:27              MUSIC
13/05/2009  16:04              $RECYCLE.BIN
08/10/2009  15:32               144 autorun.inf
19/08/2005  13:23              WORK
19/08/2005  12:11              JG
13/06/2006  05:18              JG PICTS
               1 File(s)            144 bytes
              10 Dir(s)   4,727,635,968 bytes free

[Jintan]

Let's check what some of those pertain to.

Code:

cd /d e:
attrib -s -h -r autorun.inf
type autorun.inf > c:\autlook.txt
attrib -s -h -r $RECYCLE.BIN
dir /s /a $RECYCLE.BIN >>c:\autlook.txt
attrib -s -h -r $RECYCLE.BIN
dir /s /a  Recycled >>c:\autlook.txt&c:\autlook.txt

Open Notepad (Start - Run, type notepad and press Enter).

Copy/paste the above text (inside the Code box) into the open text box, then save this to your desktop as "3check.bat"

Be sure to include the "" quotes in the name. Then click on 3check.bat. When the scan completes a textbox will open - copy/paste those contents back here please. The log will also be saved as c:\autlook.txt

[Sunny]

Volume in drive C is HDD
 Volume Serial Number is A08C-A023
 Volume in drive C is HDD
 Volume Serial Number is A08C-A023

[Sunny]

Volume in drive E is FLS-U2-160
 Volume Serial Number is 42B2-BD61

 Directory of E:\$RECYCLE.BIN

13/05/2009  16:04              .
13/05/2009  16:04              ..
13/05/2009  16:04               129 desktop.ini
01/02/2010  00:13               544 $IUOB8MV
29/09/2009  07:48              $RUOB8MV
               2 File(s)            673 bytes

 Directory of E:\$RECYCLE.BIN\$RUOB8MV

01/02/2010  00:07              .
01/02/2010  00:07              ..
29/09/2009  02:21           251,699 G.I. Joe The Rise Of Cobra.jpg
29/09/2009  04:27     1,493,673,146 G.I. Joe The Rise Of Cobra.mp4
               2 File(s)  1,493,924,845 bytes

     Total Files Listed:
               4 File(s)  1,493,925,518 bytes
               5 Dir(s)   4,727,635,968 bytes free
 Volume in drive E is FLS-U2-160
 Volume Serial Number is 42B2-BD61

 Directory of E:\Recycled

19/08/2005  13:27              .
19/08/2005  13:27              ..
17/03/2010  23:01                65 desktop.ini
17/03/2010  23:01                20 INFO2
               2 File(s)             85 bytes

     Total Files Listed:
               2 File(s)             85 bytes
               2 Dir(s)   4,727,635,968 bytes free

[Sunny]

I see that under the Recycle.BIN it says the G.I.Joe movie is still there. I seem to recall a problem with this movie when I initially transfered it onto my laptop. After putting it on my laptop I decided I'd rather watch another movie that would take up less space. When I deleted G.I.Joe and tried to add another movie onto the External Hard-Drive the movie wouldn't transfer as deleting G.I.Joe didn't free any space. So I guess the problem does not stem from the 7 movies I ended up watching and then deleting but the initial problem with G.I.Joe not being deleted.

I have carried out various Malwarebytes' full scans since then but no malware was ever found.

[Jintan]

Looks like I left out a line in my script, though the right results came through. But that did answer the missing free-space question. Before we act on the info is this external drive NTFS or FAT32? To verify that, click My Computer, right click the drive, select Properties, and check next to "File system".

[Jintan]

That autorun.inf file doesn't seem to have allowed checking what it contains. See if you can open it with just Notepad and post back what shows there (right click the file and select "Open With, then select Notepad).

[Sunny]

The External Drive is FAT32.

How do I check the autorun.inf file. I can't see it anywhere?

Also, I just opened the External Drive normally and now see a folder called $RECYCLE.BIN. When I opened it, it had the 1.39GB G.I.Joe movie in it. Can/Shall I delete it straight from here or do we do that another way?

[Jintan]

Yes, it's fine if you delete the file manually. The earlier script run was set to unhide the autorun.inf file. Let's just scan check things.


Disable your antivirus program and go here and run an online scan using ESET Online Scanner (you will need to use Internet Explorer for this scan, or download the installer to run it in a different browser). If you accept the Terms of Use, check the box and click Start. After the ActiveX Control has loaded, it will take a couple minutes for the scanner to get ready.  Next, check the following boxes:

Remove found threats
Scan unwanted applications

Next to "Current scan targets: Operating memory, Local drives", click the "Change" word. Make sure you place a check next to all disk drives, including any external drives that are attached (no need to check off the floppy or DVD/CD-Rom drives).

Click Start.  This scan may take a while, so please be patient.  A log may open when the scan is complete (if not, go to C:\Program Files\EsetOnlineScanner\ and open the file log.txt). Click Edit - Select All then copy/paste that log back here please.


If you have any problems getting Eset started, one work-around is to have an open Internet connection, and then click here and download the esetsmartinstaller_enu.exe Eset installer. Then click that file, and follow the same previous steps to run the scan.