deleting thousands of files across thousands of sub folders in windows server 2008

hi,

my web hosting server was hacked and a malicious script was run which copied 10 different files to EVERY folder on my server....

luckily it wasn't too disruptive as the homepage of virtually all of the sites i was hosting is index.asp  (and the default document is index.asp) and the script didn't delete any files so in most cases the sites themselves weren't affected ....

i ran a search for all files which were created just after the script was run with a size of 5k (the size of the added files) and found over 300 000 files....

now i'm trying to find a way to mass delete all of these files....

if i select all of the files and hit delete it spends an indefinite amount of time 'calculating' and never actually does anything....

i found that if i drag a few thousand files at a time to the recycle bin this sometimes works, but not always...

has anyone any suggestions for some software or technique i can use to delete all of these files...

thanks
dog_starAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

scriven_jCommented:
If they were created with a script, then using a script to delete them would seem to make sense.

If you know the name of the script that caused the problems, you might find your AV vendor (or another) would have a clean-up script.  Symantec:-

http://www.symantec.com/norton/security_response/index.jsp

are normally quite good at publishing clean-up tools for messy viruses.

Other than that a recursive batch file would probably do the job, but would need to know more details about how the script worked to replicate the behaviour but resolve the problems.
Geek_NabilCommented:
Ok ill help you with the script, but i need to know a few things first.
These 10 files in all the folders, do they have the same name, or extension or anything in common on the entire system?
athomsfereCommented:
What script or virus was this? It may provide the information needed to uno this, like is there a prexisting solution (Spybot, Malware-Bytes, or a script).

This  might provide some direction as well
http://www.computing.net/answers/programming/batch-file-search-and-delete-file/16386.html
IT Pros Agree: AI and Machine Learning Key

We’d all like to think our company’s data is well protected, but when you ask IT professionals they admit the data probably is not as safe as it could be.

dog_starAuthor Commented:
hi,

thanks for the ideas...

my worry about running a script is that the pages which have been created are all default page names... ie index.asp, index.htm, index.php, default.asp etcetc

running a script to delete all files with these names would delete an awful lot of files don't want deleted :)

using windows search at least i can see the time created.... all the 'rogue' files were created just after 5.30pm and so are easy enough to spot in the search... deleting them is proving more difficult...

at the moment i'm trying out windows commander to see if that will do a better job than windows explorer...

would a script be able to taget files this specifically? ie by size and by date?
Geek_NabilCommented:
Use this Command:

forfiles /P <DIRECTORY> /S /M <*.extension> /D "<DATE>" /C "cmd /c del /F @file"

example:

forfiles /P C:\Folder /S /M *.txt /D "25/08/2010" /C "cmd /c del /F @file"
scriven_jCommented:
OK - in this situation, I would say do it by hand, or restore from a backup to be on the safe side.
Geek_NabilCommented:
If he uses the command above, its going to be fine,

it looks for files newer than a specific date with a specific file extension and deletes them, better of he can move them to a certain directory and check them manually if he wants to.

To move to a directory just change the last part:
/C "cmd /c del /F @file"

To:
/C "cmd /c move @file <DESTINATION> /Y"
Example
/C "cmd /c move @file D:\Files /Y"

AbuAnazaCommented:
You can use advanced search options in Windows to find files created after a particular date; i tihnk you have been successful in doing that. As for the issue with taking too much time to delete, did you try selecting like a bunch of files (not all) and then deleting them in groups?

regards,
m
marek1712Commented:
Alternatively you can use Total Commander's search function to find the files created some time in the past and delete them. It's faster than Windows Search.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Ben Personick (Previously QCubed)Lead Network EngineerCommented:
First Off, don't use Recylce Bin on any files you are certain about Deleting.

Recycle Bin Adds additional time both when sending files to it and when deleting them from it.

Instead HOLD SHIFT and delete normally (right click and select delete, or hit the delete Key)

Second, it sounds like the files are always called "Index.AnyExtention", is this right?  Or is the file "AnyName.AnyExtention"?

We Can do this through many file spec compairisons.

I may be overly cautious for your taste, but I suggest matching files on several atributes "To Insure Proper Service".

Also you should probably MOVE all the files to a different location, in case anything stops functioning.

The best way to acomplish this would be to use Robocopy.

(Sorry from Memory, so please test before running and use RoBoCopy /? To check the command names for age and size)
For 5:28AM To 5:32AM

Robocopy "C:" "\\Server\Share\Save" Index.* /MOV /S /MinAge:20100826 05:29 /MaxAge:20100827 05:32 /MinSize:5119 /MaxSize:5121

However, what would be best is if we can make the selection and then compare the contents of the files, either using FindStr or using FC.

That Would increase the time required, and send us back to using COMMAND Loops, but would allow for a more bulletproof method.

-Q
dog_starAuthor Commented:
thanks everyone for your suggestions...

as i mentioned in my original post windows explorer just can't seem to handle file operations like this with so many files in so many different locations... possibly shift-deleting might have worked better... maybe next time i'll try (though of course hoping there is no next time:))

total commander worked perfectly...

to be on the safe side i actually ran a search defining the rough time all the files were created and , to be on the safe side, i ran a text search looking for all all files which contained certain text which the hacker had put in (specifically the name of the hacker)...

total commander took a couple of hours but it seemed to have found all the files (305,000 altogether).... i then hit delete and after a few seconds thinking it started deleting... its probably going to take a while but at least i can be pretty certain it won't be deleting anything it shouldn't...

again, thanks for all the suggestions
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft SQL Server 2008

From novice to tech pro — start learning today.