Very large file in Windows\Temp folder



#1 Michael Carter


Posted 23 September 2015 - 04:29 AM

I have just received a running out of system disk memory notice on my Windows XP desktop computer. I was a bit surprised because I don't store much on the system disk, and as part of an exercise discussed on another thread here I had recently cleaned it up. I ran a scan with AVG free which came up with nothing and also Spybot S&D which cleaned out as many temp files as it could. After this I noticed one very large "hidden" folder remaining in the temp folder. It was called ~eu0000. In it was a single file called .eunf.

 

I have a dual boot so I could probably quite easily delete the folder and file, but before doing so I am curious as to whether it might have been caused by malware.

 

cdrive150923_zpsqnybpjz7.jpg

The composite image above shows the location of files on my very full system drive, as well as the results of the AVG scan.

 

tempfiles150923_zpsma0p1cos.jpg

 

This image shows the Windows temp folder (after the S&D cleanup) containing the offending large folder.

 

I should appreciate any thoughts anyone has on this.




 


#2 Broni


Posted 23 September 2015 - 07:31 PM

In it was a single file called .eunf

 

Is it eunf or just unf?



 


#3 Michael Carter


Posted 24 September 2015 - 02:42 AM

I'm pretty sure I copied it as it was. I thought the four digit extension was unusual.



#4 Michael Carter


Posted 28 September 2015 - 08:55 AM

It's back, it's growing, and it's definitely called .eunf.

 

tempfile150928_zps5lefgcc0.jpg

 

The day after my original post, I deleted the file and the container it was in, and the computer ran much better. Every so often I checked to see if the file had returned, and it had not.

 

But this evening, the computer was suddenly sluggish again. I checked and the mysterious folder and file were back.

 

I thought it might be interesting to see what is in the file. I have a text editor called jedit, designed for editing java, but also quite a powerful tool for opening funny files, but the file could not be accessed because it was "being used by another process".

 

tempfilejedit_zpszpstru0j.jpg

 

The question is what process? I'm out of my depth now. I don't know how to track what process is using what file, so once again I'd appreciate any tips.



#5 Broni


Posted 28 September 2015 - 07:15 PM

Try safe mode.



 


#6 Michael Carter


Posted 28 September 2015 - 10:21 PM

Thanks for that thought.

 

I have a dual boot to Win7, so I booted into Win7.  However, the file was too large to open with the apps I tried - notepad and jedit.

 

I've deleted it again for now. I thought of saving it somewhere, but I thought it was probably too big to email to you guys, so I just wiped it.



#7 Michael Carter


Posted 08 October 2015 - 08:43 PM

The mystery file has reappeared - just 2.9 GB atm, so I guess I could conceivably upload it somewhere if anyone is interested.

 

I have also run rkill this time.

 

I know logs are not supposed to be posted here, but as it's quite short I'm breaking the rule and appending it to the end of this message. Bottom line, nothing seems wrong except some funny entries in the hosts file. Mind you I ran rkill after doing a reboot, because the machine was suddenly running like treacle again.

 

Anyway I've renamed the dodgy hosts file and reverted to what looks like a backup created during the original system install.

 

Here is the rkill log:

 

Rkill 2.6.1 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 10/09/2015 09:19:28 AM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Reparse Point/Junctions Found (Most likely legitimate)!

     * C:\WINDOWS\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a => C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492 [Dir]
     * C:\WINDOWS\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35 => C:\WINDOWS\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5 [Dir]

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * Cannot edit the HOSTS file.
 * Permissions Fixed. Administrators can now edit the HOSTS file.

 * HOSTS file entries found:

  127.0.0.1       localhost

  20 out of 15092 HOSTS entries shown.
  Please review HOSTS file for further entries.

Program finished at: 10/09/2015 09:19:49 AM
Execution time: 0 hours(s), 0 minute(s), and 21 seconds(s)
 

 

 



#8 Broni


Posted 08 October 2015 - 08:54 PM

The above "hosts" file is legit. Probably created by Spybot.

Links you see are actually blocked.

