Documents and Settings Folder Questions

07-09-2005, 11:51 PM
Hello All,

Recently I have begun noticing several types of files in the following
paths that cannot be deleted, renamed or removed from the system without
going into safe mode.
The paths are \Documents and settings\username\Local Settings\temp, the
other is the \temporary internet Files in the same location one folder down.
In the temp folder location, I am seeing files with .tmp extensions that
cannot be deleted or renamed as they are in use - as well as the usual
remnants of spyware programs acting in a similar manner. I know that if a
user is using the internet, some of these temp files may be locked by the
system and therefore you cannot delete or rename them. In the Temp Internet
Files folder, the ones which are bugging me usually have long names and I am
finding them after a user's system has been infected with spyware of some
type. It does not matter whether they are using Win 2k or XP, nor if they
have all current MS patches installed as well; they get on the system and who
knows what they are trying to do. Scanning the processes running, you can't
usually find what it is by name. But say you wanted to delete the entire
contents of a temp internet folder and do a Ctrl+A to select all files within
that folder: the system will not even select the files unless you exclude the
ones with the long string names before you do the Ctrl+A. I am re-typing
some of these as I cannot even copy and paste them - I suspect the way they
are crafted keeps you from doing so. Nor can you open them with another
application such as TextPad.

no extension given at all on these types

Another example is:

These files can have either a .gif or .htm extension on them. On these
types it appears that some application is making recurring attempts to
transmit some type of information out to a server somewhere, because you will
usually find multiple entries with pid and cid changing values. Does anyone
have any ideas specifically what these are? To me it looks as if some of
these are trying to use an older exploit to get around some of IE's earlier

