Is one folder causing antimalware scanners to hang / fail?
Posted on 2014-02-13
On a Windows 7 PC infected with a fake security virus, I was able to get into safe mode. But (1) rkill (which I had renamed) kept freezing / stopping at the same point (checking the firewall), (2) combofix's windows would just disappear without running the scan, and (3) TFC by Oldtimer would get to a certain point and seem to get stuck forever (at "windows temp files"). Based on what I read online, I didn't bother letting TFC run more than 30 mins.
I ran a bunch of other stuff (Kaspersky Rescue Disk, HitmanPro, Adwcleaner, Roguekiller, MBAR, etc), and when I returned to Normal Mode, there was no further virus activity. HOWEVER, those three programs (rkill, combofix & TFC) froze / failed to finish.
I scheduled a scandisk ("chkdsk /r") & rebooted, but it seemed to complete way too fast (it took 1 second to say, "volume clean"), so I ran ScanDisk from a boot disk (Hiren's miniXP). Then I was able to run Scandisk normally (it ran all 5 stages). But the 3 above hanging issues persisted.
And as a weird side-note, I noticed that if I ran combofix, and let its windows disappear, and then I ran HitmanPro, the combofix Autoscan window would appear and run alongside Hitmanpro. Combofix completed and fixed some stuff. But the 3 problems persisted.
Then I noticed that HitmanPro was spending a lot of time scanning this folder:
"c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\temporary internet files...."
This folder had about 9gb in it. When I tried to delete this folder, it was still executing 30 minutes later. So I let the "deleting folder" window run over night. In the morning, the folder was gone, and ALL THREE of the above problems were gone (rkill, TFC & combofix all ran normally now).
So I'm guessing there were two problems - (1) a virus, and (2) a folder with a very long path inside it (or something funky).
My questions are:
(1) Is it likely that that folder or something inside it was causing the 3 problems?
(2) How would that work?
(3) In case this happens again in the future, is there a way I can recognize that I need to delete a particular folder to move forward?
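For question (3), a way to spot this kind of folder before a cleanup tool hangs on it is to measure the usual cache and temp locations for file count, total size and path length. The script below is an added example and is not part of the original post or of any of the tools named in it; it assumes PowerShell 3.0 or later (the `-File` switch on Get-ChildItem needs that), and the thresholds are constructed values chosen for illustration, not figures from the post.

```powershell
# Added example, not from the original post. Reports cache/temp folders that
# are large enough or deep enough to stall scanners and cleanup tools, so the
# folder can be identified (and removed with a purpose-built deletion) before
# running rkill/ComboFix/TFC-style tools. Assumes PowerShell 3.0+.

$roots = @(
    # The systemprofile IE cache from the post (services running as SYSTEM write here)
    "$env:SystemRoot\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files",
    "$env:SystemRoot\Temp",
    "$env:LOCALAPPDATA\Microsoft\Windows\Temporary Internet Files",
    "$env:TEMP"
)

# Constructed thresholds (assumptions): tune to the machine being examined.
$fileLimit = 50000    # more loose files than this slows per-file scanners badly
$sizeLimit = 2GB      # cache far beyond what a normal profile accumulates
$pathLimit = 240      # classic MAX_PATH is 260; paths near it break many tools

foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }

    # -Force includes hidden/system entries; access errors are skipped rather than fatal.
    # Note: enumerating a bloated folder is itself slow; that slowness is the symptom.
    $files = Get-ChildItem -LiteralPath $root -Recurse -Force -File -ErrorAction SilentlyContinue

    $count   = ($files | Measure-Object).Count
    $bytes   = ($files | Measure-Object -Property Length -Sum).Sum
    if ($null -eq $bytes) { $bytes = 0 }
    $longest = $files | Sort-Object { $_.FullName.Length } -Descending | Select-Object -First 1
    $maxLen  = if ($longest) { $longest.FullName.Length } else { 0 }

    $flags = @()
    if ($count -gt $fileLimit) { $flags += "too many files" }
    if ($bytes -gt $sizeLimit) { $flags += "too large" }
    if ($maxLen -ge $pathLimit) { $flags += "path near MAX_PATH" }

    [PSCustomObject]@{
        Folder      = $root
        Files       = $count
        SizeGB      = [math]::Round($bytes / 1GB, 2)
        LongestPath = $maxLen
        Suspicious  = if ($flags) { $flags -join ", " } else { "" }
    }
}
```

Run it from an elevated PowerShell prompt (the systemprofile folder is not readable otherwise) and look at the `Suspicious` column; a folder flagged on all three counts, as the 9 GB cache in the post would have been, is the one to clear out before retrying the other tools. Because this script only reads, it is safe to run first; deleting is a separate, deliberate step.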