deleting thousands of files across thousands of sub folders in windows server 2008

Posted on 2010-08-27
Last Modified: 2012-05-10

my web hosting server was hacked and a malicious script was run which copied 10 different files to EVERY folder on my server....

luckily it wasn't too disruptive as the homepage of virtually all of the sites i was hosting is index.asp  (and the default document is index.asp) and the script didn't delete any files so in most cases the sites themselves weren't affected ....

i ran a search for all files which were created just after the script was run with a size of 5k (the size of the added files) and found over 300 000 files....

now i'm trying to find a way to mass delete all of these files....

if i select all of the files and hit delete it spends an indefinite amount of time 'calculating' and never actually does anything....

i found that if i drag a few thousand files at a time to the recycle bin this sometimes works, but not always...

has anyone any suggestions for some software or technique i can use to delete all of these files...

Question by:dog_star
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +4
LVL 10

Expert Comment

ID: 33541266
If they were created with a script, then using a script to delete them would seem to make sense.

If you know the name of the script that caused the problems, you might find your AV vendor (or another) would have a clean-up script.  Symantec:-

are normally quite good at publishing clean-up tools for messy viruses.

Other than that a recursive batch file would probably do the job, but would need to know more details about how the script worked to replicate the behaviour but resolve the problems.

Expert Comment

ID: 33541460
Ok ill help you with the script, but i need to know a few things first.
These 10 files in all the folders, do they have the same name, or extension or anything in common on the entire system?
LVL 14

Expert Comment

ID: 33541490
What script or virus was this? It may provide the information needed to uno this, like is there a prexisting solution (Spybot, Malware-Bytes, or a script).

This  might provide some direction as well
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Author Comment

ID: 33541506

thanks for the ideas...

my worry about running a script is that the pages which have been created are all default page names... ie index.asp, index.htm, index.php, default.asp etcetc

running a script to delete all files with these names would delete an awful lot of files don't want deleted :)

using windows search at least i can see the time created.... all the 'rogue' files were created just after 5.30pm and so are easy enough to spot in the search... deleting them is proving more difficult...

at the moment i'm trying out windows commander to see if that will do a better job than windows explorer...

would a script be able to taget files this specifically? ie by size and by date?

Expert Comment

ID: 33541663
Use this Command:

forfiles /P <DIRECTORY> /S /M <*.extension> /D "<DATE>" /C "cmd /c del /F @file"


forfiles /P C:\Folder /S /M *.txt /D "25/08/2010" /C "cmd /c del /F @file"
LVL 10

Expert Comment

ID: 33541856
OK - in this situation, I would say do it by hand, or restore from a backup to be on the safe side.

Expert Comment

ID: 33541922
If he uses the command above, its going to be fine,

it looks for files newer than a specific date with a specific file extension and deletes them, better of he can move them to a certain directory and check them manually if he wants to.

To move to a directory just change the last part:
/C "cmd /c del /F @file"

/C "cmd /c move @file <DESTINATION> /Y"
/C "cmd /c move @file D:\Files /Y"


Expert Comment

ID: 33541927
You can use advanced search options in Windows to find files created after a particular date; i tihnk you have been successful in doing that. As for the issue with taking too much time to delete, did you try selecting like a bunch of files (not all) and then deleting them in groups?

LVL 11

Accepted Solution

marek1712 earned 500 total points
ID: 33542737
Alternatively you can use Total Commander's search function to find the files created some time in the past and delete them. It's faster than Windows Search.
LVL 13
ID: 33543050
First Off, don't use Recylce Bin on any files you are certain about Deleting.

Recycle Bin Adds additional time both when sending files to it and when deleting them from it.

Instead HOLD SHIFT and delete normally (right click and select delete, or hit the delete Key)

Second, it sounds like the files are always called "Index.AnyExtention", is this right?  Or is the file "AnyName.AnyExtention"?

We Can do this through many file spec compairisons.

I may be overly cautious for your taste, but I suggest matching files on several atributes "To Insure Proper Service".

Also you should probably MOVE all the files to a different location, in case anything stops functioning.

The best way to acomplish this would be to use Robocopy.

(Sorry from Memory, so please test before running and use RoBoCopy /? To check the command names for age and size)
For 5:28AM To 5:32AM

Robocopy "C:" "\\Server\Share\Save" Index.* /MOV /S /MinAge:20100826 05:29 /MaxAge:20100827 05:32 /MinSize:5119 /MaxSize:5121

However, what would be best is if we can make the selection and then compare the contents of the files, either using FindStr or using FC.

That Would increase the time required, and send us back to using COMMAND Loops, but would allow for a more bulletproof method.


Author Closing Comment

ID: 33545245
thanks everyone for your suggestions...

as i mentioned in my original post windows explorer just can't seem to handle file operations like this with so many files in so many different locations... possibly shift-deleting might have worked better... maybe next time i'll try (though of course hoping there is no next time:))

total commander worked perfectly...

to be on the safe side i actually ran a search defining the rough time all the files were created and , to be on the safe side, i ran a text search looking for all all files which contained certain text which the hacker had put in (specifically the name of the hacker)...

total commander took a couple of hours but it seemed to have found all the files (305,000 altogether).... i then hit delete and after a few seconds thinking it started deleting... its probably going to take a while but at least i can be pretty certain it won't be deleting anything it shouldn't...

again, thanks for all the suggestions

Featured Post

10 Questions to Ask when Buying Backup Software

Choosing the right backup solution for your organization can be a daunting task. To make the selection process easier, ask solution providers these 10 key questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article I will describe the Copy Database Wizard method as one possible migration process and I will add the extra tasks needed for an upgrade when and where is applied so it will cover all.
In this article we will get to know that how can we recover deleted data if it happens accidently. We really can recover deleted rows if we know the time when data is deleted by using the transaction log.
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question