3.5 million temporary files!

shamrin

Location
Lexington, Ky
This is a new customer to me who brought in a computer for virus removal. After cleaning it up, I went to do a final scan and saw that Avast had gotten hung up on a folder for over an hour. It was just a temp folder located at C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5

Well, after a bit of messing about and time-wasting, I found out that there were 3.5M files under that folder comprising about 70 GB. Do you know how hard it is to delete 3.5M hidden system files? I ended up booting from an Ubuntu Live disc. The deletion routine has been running for about 24 hours now - still going strong. Just watching the files go by, it appears that about 70% of them are .js JavaScript files and the rest are .htm with a few .txt and .css files.

Anyway, my question is, how do you suppose these files got here? Avast was finding a lot of things it didn't like in these folders so I'm figuring them to be likely malignant. Maybe someone set up a virus-delivery system on the machine when it was part of a botnet? But over 3 million files?
 
This is from the click-fraud bot (probably from the ZeroAccess rootkit) browsing sites 24/7 for a very long time.
 
Could be malware with that many files. I think the biggest I've seen has been around 10-15 GB, but that machine did not have malware. That is a record from what I have seen so far. And yes, removing them takes a long time.
 
I find the best way to remove stuff like this is to slave the drive to my Linux box, and use rm -R /path/to/directory in terminal then recreate the folder in Windows.

It is actually much faster than in Windows. Still takes some time, but it is faster. Just have to mount as rw with guid and user privileges.

Most I have seen was 3 GB though. Never 15 GB, or 3 million files; that is insane.
 
You do have to mount it rw. It's been a while but if I remember correctly I cd'd to the top level dir. Then su, then rm -rf ./* (No perms to worry about).
 
That will work as well, but ya gotta be careful with su and rm -rf, especially when you use a wildcard. One little typo and bam, you just deleted everything. LOL :D
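The two points above, get the file count and extension breakdown first, then delete without an unguarded wildcard, as an added shell example that is not code from anyone in this thread. It assumes the Windows volume is already mounted read-write (the mount point /mnt/win is an assumed name) and that you are root on the live disc. Instead of `rm -rf ./*` it uses `find ... -delete`, so the millions of names stream through find rather than being expanded by the shell, and `safe_rmtree` resolves the target with `pwd -P` and refuses anything that is not strictly inside the given mount point, which is the guard against the typo problem mentioned above.

```shell
#!/bin/sh
# Added example, not from the thread. Run as root from the live
# environment after the Windows volume is mounted read-write. The mount
# point /mnt/win used in the usage comment is an assumption.
set -u

# Summarise the tree before deleting it: total file count plus a
# per-extension tally (the OP estimated about 70% .js). find streams one
# name per line, so 3.5M entries never have to fit into a shell glob.
inventory() {
    dir=$1
    find "$dir" -type f | awk '
        {
            n++
            f = $0; sub(/.*\//, "", f)                 # basename
            if (f ~ /\./) { e = f; sub(/.*\./, "", e); e = tolower(e) }
            else          { e = "(none)" }
            c[e]++
        }
        END {
            for (e in c) printf "%s %d\n", e, c[e]
            printf "total %d\n", n + 0
        }'
}

# Delete the *contents* of $target, but only if it resolves to a path
# strictly inside $root (the mount point). Symlinks and ".." are
# resolved first, "/" is never accepted as the root, and the mount root
# itself is never a valid target, so a slip of the fingers fails closed.
safe_rmtree() {
    target=$1
    root=$2
    abs=$(cd "$target" 2>/dev/null && pwd -P) || {
        echo "safe_rmtree: no such directory: $target" >&2; return 2; }
    rootabs=$(cd "$root" 2>/dev/null && pwd -P) || {
        echo "safe_rmtree: no such root: $root" >&2; return 2; }
    if [ "$rootabs" = "/" ]; then
        echo "safe_rmtree: refusing to use / as the root" >&2; return 3
    fi
    if [ "$abs" = "$rootabs" ]; then
        echo "safe_rmtree: refusing: target is the mount root itself" >&2; return 3
    fi
    case "$abs" in
        "$rootabs"/*) ;;
        *) echo "safe_rmtree: refusing: $abs is outside $rootabs" >&2; return 3 ;;
    esac
    # -mindepth 1 keeps the folder itself so Windows finds it on next boot;
    # -xdev stays on this filesystem; -delete works depth-first and removes
    # each entry as find reaches it, so no argv length limit is involved.
    find "$abs" -mindepth 1 -xdev -delete
}

# Usage, with the assumed mount point:
#   IE5="/mnt/win/Windows/System32/config/systemprofile/AppData/Local/Microsoft/Windows/Temporary Internet Files/Content.IE5"
#   inventory "$IE5"
#   safe_rmtree "$IE5" /mnt/win
```

Running `inventory` first also gives you a number to compare against the scanner's findings later, and `safe_rmtree` exits non-zero without touching anything if the target is not under the mount point you name.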
 
This is why I always run a cleanse routine first to get rid of junk, to cut down scanning time.

Also, remember that most of the time, Windows deletes to the Recycle Bin. So it's worth manually deleting using the Shift key to bypass this.

OK, you are using Linux in this case, but even so, I would question the hard drive health.
 
You can't shift-delete a folder with that many files; Explorer can't handle it. I can't remember which command I used. I want to say it was del path asterisks, but I may be mistaken.
 
Windows was helpless in this case. Explorer spent hours just trying to enumerate the files, so I figured maybe doing it from Startup Repair. However, you couldn't see the files, either because they were hidden or system, and of course they were read-only. So, even if it would have worked, it would have taken two runs, one to remove the attributes and another to do the deletion. It ended up taking about 36 hours in Ubuntu.
 