Solved

C:\ windows\temporary internet files

Posted on 2006-11-29
9
796 Views
Last Modified: 2013-12-29
In an attempt to solve another problem I deleted all the files in C:\ windows\temporary internet files. About 221 files went to the recycle bin. I shutdown a short time later. I have checked “empty temporary internet files when browser is shutdown”.
I found another in the same folder after I logged in about 4 hours later.
There were about 338 files this time. I can’t believe what I am seeing. I tried to paste the lists into Word so that I could send them along with this question, but couldn’t find a way to do it.
The long file names really have me concerned. Here’s the cache nameof one or the files: FUCWKCCQJLKLBNLJMNWQJGCXIMXQNNTPUHLKMIORYIPRMILEHLQNLJLFKEONXDWMJLEVOCFHGLY/
The only way I could copy it was to open it in a new window and it opened in the address bar of
I.E. Is this a cookie and could this be because I have a bunch of cookies sitting in a cookie bin waiting to be deleted when they arrive? Is it time to find a new cookie monster or isn't that the problem?
Please advise.
0
Comment
Question by:frankoravec
  • 3
  • 2
  • 2
  • +2
9 Comments
 
LVL 10

Expert Comment

by:For-Soft
ID: 18043542
The explorer view of the Temporary Internet Files folder is a bit distorted. The view is changed by a system routine. There is a hidden Desktop.ini file in it. The result is display of the IE cache with the cookies in it, while all cookies are physicaly in the C\WINDOWS\COOKIES folder. The files in the Temporary Internet Files folder are hidden that way, so you should not remove them with windows explorer.

If you want to play a bit with what the Windows Explorer does to the folder view, copy the Desktop.ini file to some other folder. You will see the browser cache in that folder as well, and all files in it will be hidden.

The way to deal with folders like that one is to do file operations from DOS prompt of from some non Windows Explorer file manager (a file manager not paying attention to Desktop.ini files).
0
 
LVL 91

Assisted Solution

by:nobus
nobus earned 50 total points
ID: 18043799
i certainly would run a scan for malware suggest to run ALL these, updated :
     adaware :      http://www.lavasoftusa.com/
     Spybot :        http://www.download.com/3000-8022-10122137.html
http://housecall.trendmicro.com/                                                               online scan for trojans
http://www.spychecker.com/program/hijackthis.html                                   download
http://www.hijackthis.de/index.php?langselect=english                                check the log
0
 
LVL 21

Accepted Solution

by:
jvuz earned 50 total points
ID: 18044257
0
 
LVL 38

Expert Comment

by:BillDL
ID: 18045557
Frank
In general, the text-based files that show as being left in the Temporary Internet Files folder after you use the Control Panel > Internet Options to delete files (then "all offline content") are insignificant in file size.

That cleanup option is intended to remove cached Flash files, Images, JavaScript files (*.js), Cascading Style Sheet files (*.css), and copies of the *.htm and *.html files that are all stored as a web page loads, and which allow the pages to load quickly from the cache when you click the "Back" button.  THOSE are the files that DO take up some significant space if allowed to build up there, and which can cause some problems with opening pages again if not deleted.

The CCleaner utility suggested by jvuz has an option in it to mark specific cookies to be retained while you delete all the temporary internet files and cookies (Options > Cookies > Cookies to Keep), plus a lot more.  If you have ever tried copying out cookies to another folder using Windows Explorer, deleting the ones left, and then copying the cookies back to their now empty folder, you will more than likely have discovered that it doesn't work as intended.  This is best left to a program like CCleaner.

NOTE:  UNTICK the option shown during setup to install the Yahoo Internet Explorer Toolbar - unless you particularly want it.

There are batch files that you can run just as Windows begins to load which allow you to delete temporary internet files and such without the restrictions that Windows then places on those folders which are regarded as special System Folders once Windows loads fully.

Fred Langa has written some batch files for this purpose:
http://www.langa.com/about_fred.htm
http://www.langa.com/cleanup_bat.htm

I don't really advise using these UNLESS you have some very specific problems where you need to delete everything for a clean start, or if you REALLY know what you are doing.  Some of the batch files need to be modified to suit YOUR system, and he has been careful to include his disclaimer.

I don't like the sound of the temporary internet file name you have given, but there's one thing you should be aware of, and it is best served by giving an example.  Here's the "name" of one of the temporary internet files currently in my TIF folder:

http://www.microsoft.com/library/gallery/components/ratingControl/ratings.aspx?rurl=http%3a%2f%2fwww.microsoft.com%2ftechnet%2farchive%2fwin98%2freskit%2fpart7%2fwrkappd.mspx&l=en-us&f=True&d=LTR&t=Appendix+D+-+Msbatch.inf+Parameters+for+Setup+Scripts

If I Right-Click that file and select "Properties", I see that the actual "cache name" is "ratings[1].htm", and that it is a cached "HTML Document".

So clearly the name of the file as it shows in Windows Explorer is NOT the actual file name, and this becomes clear when you copy that file out to some other folder such as your desktop.  In this case, it copies out as the "cache name" (ratings[1].htm).

Copy the file that shows as:
FUCWKCCQJLKLBNLJMNWQJGCXIMXQNNTPUHLKMIORYIPRMILEHLQNLJLFKEONXDWMJLEVOCFHGLY/
out to your desktop or some other folder created temporarily for this purpose, and see what file name it copies out as.
Open it in Notepad (nothing else) and see what type of content it has.

There is something vaguely reminiscent about those first 5 characters, and I believe I heard someone on the street in a rough neighbourhood being called that just the other day ;-)

I thought at first that the name may be somehow have been derived from Microsoft CD-Keys.  Look at the following restructuring I did out of curiosity:
FUCWK-CCQJL-KLBNL-JMNWQ-JGCXI
MXQNN-TPUHL-KMIOR-YIPRM-ILEHL
QNLJL-FKEON-XDWMJ-LEVOC-FHGLY
They don't contain any numbers though, so they aren't the standard format for any MS application CD-Keys that I know of.  I was being typically suspicious and wondering if some trojan had been extracting registration keys from your registry, but I'm a paranoid person.  It's most likely just a random name or some weird indexing used by a website.

I would definitely scan the system for viruses and Spyware though, just to be sure.
0
Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

 

Author Comment

by:frankoravec
ID: 18055143
I have  few questions after running CCleaner.

1. I still have 4 files in the C:\Windows\Temporary Internet Files Folder: ipC244, ipC245, ip250 and ip252 . I can't delete them because "Access is denied". Also there was a msdownload.tmp folder.
What's the significance of that?

2. By doing a System Tools Disk Cleanup I found 14+MB of "old scandisk files in the root folder? What should I do with that?

0
 
LVL 91

Expert Comment

by:nobus
ID: 18055363
>>    I found 14+MB of "old scandisk files in the root folder   <<  chkdsk files ? delete them
if you want to delete those other files, use killbox : www.bleepingcomputer.com/files/killbox.php
0
 
LVL 38

Expert Comment

by:BillDL
ID: 18058995
Frank
The significance of the "access denied" message when trying to delete any file tends to indicate that it is actively being created, written to, or otherwise used by a program or process.  Usually such files can be deleted from within full DOS, because the application or process that is using the files will not yet have started.

Can you COPY the files out to another folder?

That's about the only way you'll be able to try and open them in Notepad and see if the contents reflect anything about what created the files, or what is being logged in them.  My guess is something like a Firewall or AntiVirus program that is active.

You might be able to identify what program is using the files by disabling all non essential startup programs (with MSCONFIG), deleting the files, and then re-enabling them one at a time (reboot in between each) until they are created and made inaccessible again.
0
 

Author Comment

by:frankoravec
ID: 18064344
I’ve been running lavasoft for some time now and, to my knowledge, it never got rid of any temporary internet files. After I deleted the ones as described in the question, I found 1329 more files in the temporary Internet Files folder this morning.
That all, despite having selected and checked the  “Empty temporary internet files when browser is closed” option. That, after shutting down and re-starting several times.
Any thoughts on that?
0
 
LVL 91

Expert Comment

by:nobus
ID: 18066843
did you run the scans i suggested ?
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
In this article, I will show you HOW TO: Install VMware Tools for Windows on a VMware Windows virtual machine on a VMware vSphere Hypervisor 6.5 (ESXi 6.5) Host Server, using the VMware Host Client. The virtual machine has Windows Server 2016 instal…
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now