
bombed w/ temp files! how to remove


janninparis


I'd be grateful for help.

 

A week ago my otherwise happy-to-date Thinkpad Windows XP with all updated patches, up-to-date Norton Virus, and a firewall turned up pretty high (but not upgraded to SP 2) announced at startup that I had an Explorer.exe error, unable to locate component: uxtheme.dll was not found. Spybots and Adawares (and XP cleanmgr recently run showed nothing problematic).

 

I restored to a point a week before that. My computer worked normally again.

 

Suspecting a virus, trojan, or worm might have caused the crash, I tried to run a Panda on-line scan in addition to the Norton resident scan. It crashed out the first time, so I opened up my firewall somewhat to let the ActiveX scans run.

 

Something strange happened. I could see the scan hanging at the 244th file scanned. I could see my disk going on actively doing something. Was it scanning but not showing the scan? I didn't stop it, close down the internet connection, but within an hour or so I could see that my disk space available had gone from about 6.5 Gigs of a 40 Gig hard drive to under a gigabyte--700 mg even!

 

I took some music off Itunes and spent the work week getting unhappy disk-full complaints. Otherwise the computer ran fine.

 

Weekend came with time to spare, so last night I ran a disk search including hidden files and located all the files modified since 3 Oct. There were thousands of temp files in c:\windows\system32. I google-searched to see if anyone else had had similar problems and located one case on this forum and another on Geeks to Go that sounded vaguely similar.

 

I downloaded and ran the Cclean program which seems great. But it didn't get rid of any of these temp files. Neither does cleanmgr on Windows. Windows Antispy didn't find anything new. CW Shredder didn't either. New updated runs of Spybot and Ad-aware turned up nothing new. But obviously there were still all the temp files clogging my drive.

 

How to get rid of them? A program called System Cleaner made by Pointstone claims to do so but seems suspicious, and user reviews are awful.

 

I'm fearful of Killbox -- it seems rather draconian to use with *.tmp.

 

It sounded like I could delete the temp files, so I set out to do so manually. I've deleted about 1/3: nearly 10K of the temp files (2 gigs). I've done this in Safe mode. The files seem quite gone after a few boots. HOURS later, I'm fed up with manual deleting.

 

So here are my questions: is there a way to configure CCleaner to get these? (I haven't used the part that alters your Windows Registry because it didn't seem relevant to the tmp file problem--and I couldn't see any restore/backup point).

 

Is there some other way to get these or some reliable utility that will zap them, let me move them to a zip file until I'm sure they really are irrelevant?

 

Is there any way to know what put these there? (I've run all kinds of google searches looking for similar cases but I wind up swimming in accounts of viruses that I don't have and that aren't similar. There's no error message that I can use to delimit the search. "windows/system32" and "tmp files" or "thousands of temp files" doesn't do the trick!).

 

Has anyone ever heard of anything like this--an attack while one's firewall was somewhat lowered while trying to use an on-line scan?

 

Is there anything else I need to clean out besides the temp files?

 

Currently I have no UNHIDDEN temp files on my computer, but there are a couple of old .tmp files in windows/system32 that date from earlier moments, one a file called config.tmp that is from (!) 2001, 3 years before this computer, but maybe it migrated over from the person who configured this computer from the thinkpad that preceded it. There's also a file called oldifi.tmp that seems to date from last January (there was no crash in january, only one previous glitch which was when my sound drivers got unstable back in July).

 

All the temp files, by the way, are things like 24B6.tmp or FFE.tmp or 4402.tmp. They each have an identical 340 KB and all seem to have arrived on my disk in the same 10 minutes on Monday 3 October. They take up currently about 5 gigs of space in over 15,000 files under windows/system32. I've probably manually erased 5000-10,000 already, but that took hours.

 

I have a Hijack this log which I haven't posted because I wasn't sure it was relevant to this specific problem. If I should have done so, my apologies.

 

Hope that this is clear enough that someone can help.

 

I'd be very grateful. I'll be away-from-computer as of an hour from now for a few hours, and back around 18:00 EST.

 

Thanks much. Janninparis


  • Moderators

In its current state CCleaner doesn't scan a whole hard disk for *.tmp files, however you could make your own CCleaner winapp2.ini file to deal with the *.tmp files, and you could also make a batch file (.bat) to deal with them. If you wish to make your own winapp2.ini entry look at this thread for examples. Another freeware program does seek out *.tmp files on a whole hard disk, it's called EasyCleaner.

 

For making your own batch file to deal with them open a Command Prompt and use the delete help file for the parameters you'll need, to see the help file type into the command prompt window:

del /?

 

Of course if they're hidden *.tmp files you may have to use attrib to change the attributes by removing the hidden attribute, to see the attrib help file type into the command prompt window:

attrib /?

 

Example batch file (based upon what you've stated):

attrib -h "%windir%\system32\*.tmp"

del "%windir%\system32\*.tmp"

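An added example, not part of any post in this thread and not code from CCleaner or EasyCleaner: before running a blanket del like the batch file above, the files can be inventoried, checked against the signature described in the first post (hex-style names, identical size, one short burst of timestamps), hashed, and moved into a zip so nothing is lost if they turn out to matter. The function names, the name pattern and the 900-second window are assumptions made for illustration.

```python
import hashlib, os, re, zipfile
from collections import Counter

# Hex-style names such as 24B6.tmp or FFE.tmp (pattern assumed from the thread).
HEX_TMP = re.compile(r"^[0-9A-Fa-f]{1,8}\.tmp$")

def inventory(folder):
    """Record name, size, mtime and SHA-256 of each hex-named .tmp in folder."""
    records = []
    for entry in os.scandir(folder):
        if entry.is_file(follow_symlinks=False) and HEX_TMP.match(entry.name):
            st = entry.stat(follow_symlinks=False)
            with open(entry.path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            records.append({"path": entry.path, "name": entry.name,
                            "size": st.st_size, "mtime": st.st_mtime,
                            "sha256": digest})
    return records

def burst(records, window_seconds=900):
    """Return the largest group of same-sized files written within one window."""
    if not records:
        return []
    size = Counter(r["size"] for r in records).most_common(1)[0][0]
    same = sorted((r for r in records if r["size"] == size),
                  key=lambda r: r["mtime"])
    best, lo = (0, 0), 0
    for hi in range(len(same)):
        # Slide the window start forward until it spans at most window_seconds.
        while same[hi]["mtime"] - same[lo]["mtime"] > window_seconds:
            lo += 1
        if hi - lo + 1 > best[1] - best[0]:
            best = (lo, hi + 1)
    return same[best[0]:best[1]]

def quarantine(records, zip_path):
    """Zip the files, verify every stored copy by hash, then delete originals."""
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for r in records:
            zf.write(r["path"], arcname=r["name"])
    removed = 0
    with zipfile.ZipFile(zip_path) as zf:
        for r in records:
            if hashlib.sha256(zf.read(r["name"])).hexdigest() == r["sha256"]:
                os.remove(r["path"])
                removed += 1
    return removed
```

Review the output of `burst(inventory(folder))` and the number of distinct hashes in it before calling `quarantine`; thousands of files sharing a single hash are copies of one payload rather than pieces of different documents.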

Thanks for the speedy reply about getting rid of the tmp files.

 

I downloaded Easy Cleaner and used it to zap 13,562 tmp files in windows\system32 that totalled 4,602,75 kb !!!

 

It proved somewhat unwieldy at first because the "unnecessary files" option which seeks out temp files also scavenges for lots of other maverick files, some of which in my case were data files.  I ended up telling it to skip dmp, old, bak, bk, help files and wound up with only the temp files, 99.99% of which were the famous explosion of files over 15 minutes last Monday--and that was only about 3/4 of them since I'd hand deleted a lot already.

 

I looked at the info you sent about using winapp2.ini to make my own CCleaner but I decided that might be over my head (my phd is not in apple math!)

 

I'd be grateful for a clarification though on how to use the batch files you suggested.  Without Easy Cleaner that was my other option, and I'd been casting around all day for the proper string and where to use it (in Safe Mode from the dos prompt or in Safe Mode simple but via the dos program there?).  What are the %s in the string you gave here?  I assume the "attrib -h" means make the hidden files "less" (minus) hidden.  Does one need to turn them back into hidden files afterward and if so, how is that done?  Why the quotes around the two commands beginning % and ending .tmp?

 

Quoting your string suggestion:

Example batch file (based upon what you've stated):

attrib -h "%windir%\system32\*.tmp"

del "%windir%\system32\*.tmp"

 

Do you have any thoughts on what caused this or what I might do to avoid a replay? Is there anything I should look for in the way of residue of other malware that might allow this to happen again or else bring back the unpleasant temp bomb?

 

The IBM techie I called today said he'd never heard of anything like this and he runs Panda scans all the time. He seemed to think that one should DOWNLOAD panda or else try using House call from Trend Micro downloaded instead as a supplement to Norton.

 

But doesn't Norton conflict with anything one downloads?

 

I ran a Trojan Hunter scan by the way, after I wrote this earlier email, and still haven't turned ANYTHING up as malware on my computer.

 

Any other thoughts on how this happened would be gratefully appreciated.

 

For those working on CCleaner updates -- thanks for a great program even if it didn't do the final step of cleaning out the unnecessary temp bomb.

 

Thanks much, Janninparis


  • Moderators

The only explanation I can think of is some program on your system is creating the files, or Windows itself is the culprit. At least they're removable! For some reason out of nowhere WinXP has started creating an 8MB locked/in-use by the System file named TempFile in C:\Windows on my system, I can delete it with Unlocker or HijackThis however it returns on the next startup so I just ignore it.

 

As for what the parameters such as the quotations (") and percentage (%) around the batch file commands it's real simple, as I'll explain:

 

Quotations (") around a path is nothing more than an old DOS trick that allows for a file or files to be resolved without error messages such as "file not found"

 

As for command prompt parameters the percentages (%) are just mapped out locations in Windows since not all people will for example install Windows into C:\Windows, someone may choose C:\WinXP, C:\OS, and so forth. In Windows certain directories can be found using the percentages, eg.;

 

%ProgramFiles% = The path where the Program Files are installed.

%Windir% = The path where Windows is installed.

%Temp% = The path of the system default temp directory.

%UserProfile% = The path of your WinXP profile.

%AppData% = The path of the Application Data folder of your WinXP profile.

 

The reason to use such parameters is because a batch file, or install script can be used to install files into the correct location on most Windows OSes.


Posting Hijackthislog with thanks in advance for asking and being willing to look at this. This is the log post-deletion (eg this early afternoon GMT + 1). I deleted last night, then ran Trend Micro online. Nothing found there either... Thanks for seeing if there's anything else on my machine. All best, Jann


Thanks for the dos command semiotics. I suspected they were relatively simple parameters that I should have been able to find in a Dos-for-Dummies handbook if I still had one around. I have to admit that every time there's something like this that goes wicky-wacky on my computer, I miss Dos just a little bit more. Looking at all those files that "Easy Cleaner" fished out yesterday (things I'd politely named .bk for the final "book" version or "dmp" for what I cut when I transformed something from long article into shorter article), I was reminded that the non-technically inclined like me used to have such nice pleasant control over what we did with our computers--or maybe that's just misplaced luddite nostalgia.

 

Question: If one is going to use Dos batch commands on an XP, does one do so from Safe Boot with Command Prompt or just from Regular Safe Mode-- or even w/o safe mode--going into the "Command Prompt" "program" under Start then Accessories?

 

On the source: I really don't think it's a windows-generated thing. The fact that 20,000+ files appeared within 20 minutes the day of a computer crash sounds to me like there is either a relation to what caused the crash OR that the slightly large opening I made to run the Panda Virus scan after it crashed during the first attempt let something strange in.

 

The thing I've been worried about, actually, is that all these temp files were actually things on my hard drive that were being transformed into equal-sized temp files, kind of like what might happen when a file allocation table (?) is lost and the computer can no longer find all that data but it's still there, like a bunch of bones in a cemetery swept away by a flood. (the image, culled from an earlier unpleasant crash, does seem a little too close to the home of reality this fall)

 

I'll keep you posted if there are new developments on this.

 

I'm especially grateful for the quick reply and for the invitation to be courageous about hitting delete on all those files. Amazing how much faster my computer runs this morning after its available space went back up to nearly 7 gigs.

 

Plus I've learned about all kinds of helpful utilities (eg both CCleaner and EasyClean, not to mention Hijack this)!

 

All best, Jann


  • Moderators
Question: If one is going to use Dos batch commands on an XP, does one do so from Safe Boot with Command Prompt or just from Regular Safe Mode-- or even w/o safe mode--going into the "Command Prompt" "program" under Start then Accessories?

 

 

 

The commands can be run in either regular Windows mode, or safe mode. It really isn't MS-DOS since in WinXP it's using CMD.exe to run command line utilities. It just looks like an old MS-DOS window, however many of the commands/parameters we grew used to from the Win9x/DOS era still work with XP.

 

I agree with you I do miss MS-DOS a little, and I still use it on my old Win98 system.

 

As for the HijackThis log one of the HijackThis log experts such as rridgely, Tarun, or Capman will analyze it for you.


Thanks for looking at my log. That's good news that it's clean.

 

I did a windows update to service pack 2 and the SP2 patches on Sunday, in fact. Seems to have gone smoothly, but damn it takes a lot of space!

 

About getting rid of running processes that probably slow my machine as you point out, I'm sort of at a loss as to what I HAVE to be running. Some of what you saw were new programs I've added this weekend because of being panicked over trojans and worms having implanted all those files (apparently not: is it imaginable that some kind of MS updating function is what did it--mine is set to ask if I'd like to update and not to download anything unless I say, but who knows what might have happened when I was dithering with a restore point to replace the corrupt uxtheme.dll file).

 

Now frankly I don't know what I can get rid of and what not.

 

I do know how to look at my start-up configuration and how to google the elements to decide which are "important or not" but is there some "pro forma" well-protected way to go?

 

Also can I let CCleaner do the "advanced" user functions without worry--and what will it be cleaning if I do? (is it the same thing as the "clean registry" function in Easy Cleaner--which I haven't used either but saw reviews that gave it high marks along with the "clean unnec files" function that I did use so successfully).

 

Any thoughts would be gratefully appreciated.

 

All the best and thanks again for looking over my HJ log.

 

Jann
