UnTroll
Posted September 18, 2012

Some viruses are using the user "LocalService" or "NetworkService" to download from the Internet. This can cause a lot of temporary Internet files in those users. These folders are concerned (on XP):

C:\Documents and Settings\LocalService\Cookies
C:\Documents and Settings\LocalService\Local Settings\History
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
C:\Documents and Settings\LocalService\Local Settings\temp
C:\Documents and Settings\NetworkService\Cookies
C:\Documents and Settings\NetworkService\Local Settings\History
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files
C:\Documents and Settings\NetworkService\Local Settings\temp

Thank you

Winapp2.ini
Posted September 18, 2012

[LocalService Cookies*]
LangSecRef=3025
DetectFile1=%SystemDrive%\Documents and Settings\LocalService
DetectFile2=%WinDir%\ServiceProfiles\LocalService
Default=False
FileKey1=%SystemDrive%\Documents and Settings\LocalService\Cookies|*.*|REMOVESELF
FileKey2=%WinDir%\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies|*.*|REMOVESELF
FileKey3=%WinDir%\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies|*.*|REMOVESELF

[LocalService History*]
LangSecRef=3025
DetectFile1=%SystemDrive%\Documents and Settings\LocalService
DetectFile2=%WinDir%\ServiceProfiles\LocalService
Default=False
FileKey1=%SystemDrive%\Documents and Settings\LocalService\History|*.*|RECURSE
FileKey2=%WinDir%\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History|*.*|RECURSE

[LocalService Temporary Files*]
LangSecRef=3025
DetectFile1=%SystemDrive%\Documents and Settings\LocalService
DetectFile2=%WinDir%\ServiceProfiles\LocalService
Default=False
FileKey1=%SystemDrive%\Documents and Settings\LocalService\
FileKey2=%WinDir%\ServiceProfiles\LocalService\AppData\Local\Temp|*.*|RECURSE

[LocalService Temporary Internet Files*]
LangSecRef=3025
DetectFile1=%SystemDrive%\Documents and Settings\LocalService
DetectFile2=%WinDir%\ServiceProfiles\LocalService
Default=False
FileKey1=%SystemDrive%\Documents and Settings\LocalService\Temporary Internet Files|*.*|RECURSE
FileKey2=%WinDir%\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files|*.*|RECURSE

[NetworkService Cookies*]
LangSecRef=3025
DetectFile1=%SystemDrive%\Documents and Settings\NetworkService
DetectFile2=%WinDir%\ServiceProfiles\NetworkService
Default=False
FileKey1=%SystemDrive%\Documents and Settings\NetworkService\Cookies|*.*|REMOVESELF
FileKey2=%WinDir%\ServiceProfiles\NetworkService\AppData\Local\Temp\Cookies|*.*|REMOVESELF
FileKey3=%WinDir%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies|*.*|REMOVESELF

[NetworkService History*]
LangSecRef=3025
DetectFile1=%SystemDrive%\Documents and Settings\NetworkService
DetectFile2=%WinDir%\ServiceProfiles\NetworkService
Default=False
FileKey1=%SystemDrive%\Documents and Settings\NetworkService\History|*.*|RECURSE
FileKey2=%WinDir%\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History|*.*|RECURSE

[NetworkService Temporary Internet Files*]
LangSecRef=3025
DetectFile1=%SystemDrive%\Documents and Settings\NetworkService
DetectFile2=%WinDir%\ServiceProfiles\NetworkService
Default=False
FileKey1=%SystemDrive%\Documents and Settings\NetworkService\Temporary Internet Files|*.*|RECURSE
FileKey2=%SystemDrive%\Documents and Settings\NetworkService\Content.IE5|*.*|RECURSE
FileKey3=%WinDir%\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files|*.*|RECURSE
FileKey4=%WinDir%\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Content.IE5|*.*|RECURSE

[NetworkService Temps*]
LangSecRef=3025
DetectFile1=%WinDir%\ServiceProfiles\NetworkService\AppData\Local\Temp
DetectFile2=%SystemDrive%\Documents and Settings\NetworkService\Temp
Default=False
FileKey1=%WinDir%\ServiceProfiles\NetworkService\AppData\Local\Temp|*.*|RECURSE
FileKey2=%SystemDrive%\Documents and Settings\NetworkService\Temp|*.*|RECURSE

winapp2.ini additions thread winapp2.ini github

Super Fast
Posted September 18, 2012

+ 10,000

I wanted this forever. It makes cleanup a LOT faster than having to manually do it. Otherwise, any scans/defrags/fixes will take forever, because viruses that do this typically have 10,000+ tiny files in that "user account" which causes high fragmentation, & verrrrrrryyyyyyy slow scan times!

_____

WinApp, thanks for the key. Can you post it as a downloadable .ini file? I'd love to use it (temporarily) till they get around to adding it in!

Winapp2.ini
Posted September 19, 2012

> + 10,000
>
> I wanted this forever. It makes cleanup a LOT faster than having to manually do it. Otherwise, any scans/defrags/fixes will take forever, because viruses that do this typically have 10,000+ tiny files in that "user account" which causes high fragmentation, & verrrrrrryyyyyyy slow scan times!
>
> _____
>
> WinApp, thanks for the key. Can you post it as a downloadable .ini file? I'd love to use it (temporarily) till they get around to adding it in!

It'll be in the next winapp2

Alan_B
Posted September 19, 2012

Question :-
Do we need 8 separate checkboxes for purging 8 sets of malware ?

Would it not be faster execution and a cleaner GUI to have only one checkbox with only a single Detectfile1 plus a single Detectfile2 to trash all 8 nests of malware ?

Moderators Andavari
Posted September 19, 2012

> [LocalService Temporary Files*]
> LangSecRef=3025
> DetectFile1=%SystemDrive%\Documents and Settings\LocalService
> DetectFile2=%WinDir%\ServiceProfiles\LocalService
> Default=False
> FileKey1=%SystemDrive%\Documents and Settings\LocalService\
> FileKey2=%WinDir%\ServiceProfiles\LocalService\AppData\Local\Temp|*.*|RECURSE

Is FileKey1 correct?

Winapp2.ini
Posted September 19, 2012

nope, that should be

FileKey1=%SystemDrive%\Documents and Settings\LocalService\Temp|*.*|RECURSE
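
A check for the kind of slip caught in the exchange above (a FileKey line with no file pattern), as an added example that is not part of the original thread or of winapp2.ini itself. The function name `lint_winapp2`, the `[Constructed Stray Percent*]` section and the sample text are constructed for illustration, and the accepted options are limited to the two used in this thread, RECURSE and REMOVESELF.

```python
import re

VALID_OPTIONS = {"RECURSE", "REMOVESELF"}          # the two options used in this thread
ENV_VAR = re.compile(r"%[A-Za-z_][A-Za-z0-9_]*%")  # a well-formed %Name% token

# Constructed sample: the FileKey1 line questioned in the thread, plus a
# made-up entry with an unmatched '%' inside the path.
SAMPLE = r"""
[LocalService Temporary Files*]
DetectFile1=%SystemDrive%\Documents and Settings\LocalService
Default=False
FileKey1=%SystemDrive%\Documents and Settings\LocalService\
FileKey2=%WinDir%\ServiceProfiles\LocalService\AppData\Local\Temp|*.*|RECURSE

[Constructed Stray Percent*]
Default=False
FileKey1=%WinDir%\ServiceProfiles%\LocalService\AppData\Local\Temp|*.*|REMOVESELF
"""

def lint_winapp2(text):
    """Return (section, key, problem) tuples for malformed FileKey lines."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if not sep or not re.fullmatch(r"FileKey\d+", key):
            continue  # only FileKeyN lines are checked here
        parts = value.split("|")
        # Anything left after removing %Name% tokens is an unmatched '%'.
        if "%" in ENV_VAR.sub("", parts[0]):
            findings.append((section, key, "unmatched % in path"))
        if len(parts) < 2 or not parts[1]:
            findings.append((section, key, "no file pattern (expected path|pattern[|option])"))
            continue
        extra = parts[2:]
        if len(extra) > 1 or (extra and extra[0] not in VALID_OPTIONS):
            findings.append((section, key, "unexpected option(s): " + "|".join(extra)))
    return findings

if __name__ == "__main__":
    for section, key, problem in lint_winapp2(SAMPLE):
        print(f"[{section}] {key}: {problem}")
```

Running the linter over a candidate entry before loading it into the cleaner shows which rule would silently match nothing or would be parsed differently from what the author intended.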

Moderators Andavari
Posted September 19, 2012 (edited)

Ok, these are just for Windows XP only. I've made a few changes to what Winapp2.ini originally posted for the Windows XP locations because some locations are instead hidden inside of a \Local Settings\ directory. I've tested them on my system and they work, they even get rid of index.dat files which aren't locked/in-use.

[XP LocalService Cookies*]
LangSecRef=3025
DetectOS=|5.1
Detect=HKCU\Software\Microsoft\Windows
Default=False
FileKey1=%SystemDrive%\Documents and Settings\LocalService\Cookies|*.*|RECURSE

[XP LocalService History*]
LangSecRef=3025
DetectOS=|5.1
Detect=HKCU\Software\Microsoft\Windows
Default=False
FileKey1=%SystemDrive%\Documents and Settings\LocalService\Local Settings\History|*.*|RECURSE

[XP LocalService IETldCache*]
LangSecRef=3025
DetectOS=|5.1
Detect=HKCU\Software\Microsoft\Windows
Default=False
FileKey1=%SystemDrive%\Documents and Settings\LocalService\IETldCache|*.*|RECURSE

[XP LocalService Temp*]
LangSecRef=3025
DetectOS=|5.1
Detect=HKCU\Software\Microsoft\Windows
Default=False
FileKey1=%SystemDrive%\Documents and Settings\LocalService\Local Settings\Temp|*.*|RECURSE

[XP LocalService Temporary Internet Files*]
LangSecRef=3025
DetectOS=|5.1
Detect=HKCU\Software\Microsoft\Windows
Default=False
FileKey1=%SystemDrive%\Documents and Settings\LocalService\Local Settings\Temporary Internet Files|*.*|RECURSE

[XP NetworkService Cookies*]
LangSecRef=3025
DetectOS=|5.1
Detect=HKCU\Software\Microsoft\Windows
Default=False
FileKey1=%SystemDrive%\Documents and Settings\NetworkService\Cookies|*.*|RECURSE

[XP NetworkService History*]
LangSecRef=3025
DetectOS=|5.1
Detect=HKCU\Software\Microsoft\Windows
Default=False
FileKey1=%SystemDrive%\Documents and Settings\NetworkService\Local Settings\History|*.*|RECURSE

[XP NetworkService IETldCache*]
LangSecRef=3025
DetectOS=|5.1
Detect=HKCU\Software\Microsoft\Windows
Default=False
FileKey1=%SystemDrive%\Documents and Settings\NetworkService\IETldCache|*.*|RECURSE

[XP NetworkService Temporary Internet Files*]
LangSecRef=3025
DetectOS=|5.1
Detect=HKCU\Software\Microsoft\Windows
Default=False
FileKey1=%SystemDrive%\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files|*.*|RECURSE

[XP NetworkService Temp*]
LangSecRef=3025
DetectOS=|5.1
Detect=HKCU\Software\Microsoft\Windows
Default=False
FileKey1=%SystemDrive%\Documents and Settings\NetworkService\Local Settings\Temp|*.*|RECURSE

Edited September 19, 2012 by Andavari
Changed all the Default=True to Default=False

Winapp2.ini
Posted September 19, 2012

I've revised mine accordingly

spacewalker0720
Posted October 11, 2012

A server of ours (Windows 2003) has also had bad trojan related files show up in this directory:

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\

How can I view what files are in there? Even if I type my way through Windows Explorer to that directory it looks empty, but I know there must be CONTENT folders in there as that's what our AntiVirus software reports when it finds stuff there. I want to see what other files may exist that our AV software is missing.

Any good help appreciated. Thanks!

Moderators hazelnut
Posted October 11, 2012

You really need as a matter of urgency to seek help with the malware you have.

Please see this post here
http://forum.piriform.com/index.php?showtopic=34786&pid=208046&st=0&&do=findComment&comment=208046

We don't give malware related help on forum anymore

Support contact https://support.ccleaner.com/s/contact-form?language=en_US&form=general or support@ccleaner.com

Alan_B
Posted October 11, 2012 (edited)

Try TreeSize
http://www.jam-softw.../treesize_free/

TreeSize can show files which are "super hidden" from Windows Explorer.

Because I have refrained from bypassing default protection I cannot navigate Windows Explorer to look inside the folder
C:\System Volume Information\
But using TreeSize to scan C:\ and a few seconds later it shows me all I got, and two clicks later it launches Windows Explorer over the "barrier" and I have access to
C:\System Volume Information\SPP\
Then using Windows Explorer I can examine file properties and copy to more accessible paths files such as :-
C:\System Volume Information\SPP\OnlineMetadataCache\{31c7a734-4c32-4e53-9e50-ebb3e86137e3}_OnDiskSnapshotProp

Hazel Ninja's me.
I answered your technical question but Hazel's advice is more relevant to your needs.

Edited October 11, 2012 by Alan_B

Super Fast
Posted October 11, 2012

> C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\
>
> How can I view what files are in there?

Open My Computer, & select Folder & Search options from the drop down menu. Unhide both System & Hidden files, then OK. You will be able to see the files. If you still cannot see it, try copying the temp internet files folder to a different location, such as your desktop & they will be visible. Then, reverse the process to hide them back when you're finished.

Edit: You can also do like Alan suggested. 3rd party explorers that show hidden files by default.

Moderators hazelnut
Posted October 12, 2012

The user has been advised to seek Malware Removal assistance.

Please do not add any more recommendations for spacewalker0720 or I will remove them and close this thread.