Jump to content
CCleaner Community Forums
Sign in to follow this  

Recuva finds phantom files in deep scan

Recommended Posts

This is rather peculiar. I like to know more or less what's going off in my pc, but I just can't figure this out.


It is easily reproducible. Although I use FF, it's easier to test with IE (I'm on IE8) as that seems to create one file for each browsed item. I'll try to keep this simple: here goes.


I clear all IE stuff with CC normal delete, and also IE Recovery Active and Last Active. I browse, then clear as before with one overwrite. I can then see a number of ZZZ files using Recuva normal scan with the correct time and date. I then browse a little more, say look at the BBC website, and the ZZZ files are no longer seen under Recuva - the MFT entries have been reused.


Change Recuva to Deep Scan and run until a say 3 or 4 thousand files are listed, then cancel. With zz in the Filename box I can see the 20 or so ZZZ files, all with the correct time and date. So far so average. But:


1) The files have names, to wit some variation of ZZZ. Yet the files contain zeroes. Where does the name come from?


2) Some of the larger files are in multiple extents. How does Recuva know the extents and the number of clusters in the extents?


3) The files have a non-existant temp int files folder name. Where does that come from?


4) And even more puzzling, when an attempt is made to securely overwrite a small file it fails as the file is resident in the MFT. This is not true!


I have rebooted, with the option set to wipe the pagefile. The ZZZ files are still there. I deep scan/cancel several times. The ZZZ files are still there.


I searched the entire drive for any live file - including sys and hidden directories - with a ZZZ content, nothing.


Eventually these ZZZ files go, probably because the next Avast update creates several hundred new files and overwrites whatever's listing the ZZZ's. I'm also sure that this phenomenon applies to other than ZZZ files, it's just that these are easier to identify.


I'm perplexed. In theory, and according to the Piriform Docs, a deep scan should find files with signatures in their headers, and no multiple extents. It can't possibly interpret files full of zeroes. It's as if there's a mini MFT somewhere (they are not in the MFT). These files are being listed from another source. Where's this info coming from?

Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

  • Create New...