TechSpot

System32 holding 50GB?

By moontan
Jul 26, 2005
  1. I have an 80 Gig hard drive and am trying to get some memory back as it's under 1 Gig at present. Upon searching I found about 40+ Gig in System32 ???
    How can I free it up as it seems to be hidden. I have run System Mechanic but it doesn't touch the stuff.
    Thanks in advance for any help!
     
  2. just_a_nobody

    just_a_nobody TS Rookie Posts: 182

    You can go to My Computer/Tools/Folder Options/View Tab, and then click on the tick mark for show hidden files and folders.

    Is this a backup folder of your system? Do you know what the name of the files is?
     
  3. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    In my recent (2 months) XP Pro installation, that folder (incl. subdirs) only contains 632MB.
    Definitely something 'phishy'/'fishy' going on there!
     
  4. Abraxas

    Abraxas TS Rookie Posts: 157

    Did you install XP yourself on that machine? How can you not know if 40+GB of stuff is in that folder and how it got there? Do you leave the PC on its own for a very long time? How fast is your connection? ;D
    Could it be an XP bug? Sounds really strange...
     
  5. moontan

    moontan TS Rookie Topic Starter

    Thanks for the tip on opening the hidden files! man it takes forever to load them all! thousands of files, lots of .dll files -app extensions etc

    Ok I clicked on the properties of system32 and check this out!!! after running for a 1/2 hour......
    Location: C:\WINDOWS
    Size: 55.6GB (59,769,994,336 bytes)
    Size on disc: 56.6GB (60,846,026,411 bytes)
    Contains: 586,588 files 934 folders

    ???AHHH!!!! how do I get rid of all this crap!!
    I've had XP running on here since 2002 and have a digital cable connection that stays on all the time..
     
  6. MrGaribaldi

    MrGaribaldi TechSpot Ambassador Posts: 2,512

    If you do a search in the System32 folder (search for '*') what is the size of the largest files? In mine, the single largest is 13MB, a few are 6-8 and the rest are 4 and less...

    And what extensions are there? Are there any .rar/.zip/.tar/.lzh/.ace? If so, you might very well have been hosting a ****** site without knowing....
     
  7. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

  8. moontan

    moontan TS Rookie Topic Starter

    No files found when '*' is searched for. ?
    Funny how my Windows folder is not accessible from C drive? You have to type it in the browser window to display and look for the sys32 folder. Does that smell of a hijack?
    I will do the other suggestion and post results.
    Thanks for the help guys!
     
  9. moontan

    moontan TS Rookie Topic Starter

    Here's the HJT log (attached) after I ran Spybot Search and Destroy
     


  10. SNGX1275

    SNGX1275 TS Forces Special Posts: 10,714   +397

    Not unless you have "Show hidden files and folders" selected under View in Folder Options.
     
  11. Abraxas

    Abraxas TS Rookie Posts: 157

    Oh. Hehe. That explains a lot. Good luck with getting rid of that. :)
     
  12. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Bad news. At first sight, you have about 20 different viruses, worms, trojans etc.
    There's a keylogger running, nicely following when you type in your passwords, credit card details etc.

    Disconnect your PC from the internet.
    Make a backup of your personal files, burn them on CD/DVD if the amount is not too big, or copy it onto another hard disk.
    Then install from scratch.
    It's hardly worth trying to save such a bad system.

    Next, you should invest some money and buy a router with built-in firewall, such as the SMC Barricade. Install that between the digital cable and your PC.

    PS: when you reinstall, do NOT put that Norton crap on it again!
    AVG/Sygate have a great free combination antivirus/firewall.
    http://free.grisoft.com
    http://soho.sygate.com
     
  13. moontan

    moontan TS Rookie Topic Starter

    Got 46 Gig back! There was a file called modscn running in system32. Although I deleted all the files and got my Gigs back, it's still running and storing up files again? All the files are .gps? What are they? Is it Norton that's doing it?
    (PS. the keylogger is my install for personal reasons)
     
  14. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Check against your installed programs, which one creates .GPS files
    http://filext.com/detaillist.php?extdetail=GPS

    Did you ever have a GPS attached to your system?
    If so, then there may have been an "autosave" feature turned on that tracked you wherever you went. The extension of "gps" suggests this.

    Download Ewido Security Suite (trial) from http://www.ewido.net/en/download/
    When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

    Start Ewido. When you run it the first time, you get a warning "Database could not be found!". Click OK.
    On the main screen, click on Update in the left menu, then click the Start Update button.
    After the Update finishes, the status bar at the bottom will display "Update successful".
    -- If you have problems updating see here: http://www.ewido.net/en/download/updates/
    Once the updates are installed do the following:
    Click on Scanner
    Make sure the following boxes are checked before scanning:
    - Binder
    - Crypter
    - Archives
    Click on Start Scan and let Ewido scan the PC.
    While the scan is in progress, you will be prompted to 'Clean files', click OK
    When the scan is done, you'll find a Save report button at the bottom of the screen.
    Click 'Save report' and save it to your desktop.
    Reboot your PC and post back the Ewido Scanlog as a .txt attachment
     
  15. Sierrasport

    Sierrasport TS Rookie

    moontan, did you ever find out what is generating those files? I have the same issue. I just cleaned out 20G of files from my Windows\System32\(computer name)\modscn\(date and time named folder)\img####.gps

    There are over 200 files generated each day. The files are "hidden" except that they are still not visible with hidden files and folders shown. The folders are only visible if the path is typed into the address bar. The names of files are only visible when I run a scan with a virus scanner or adware scanner. The files themselves are not visible.

    Nothing picks it up as virus or adware generated. Even though I deleted the modscn folder, the folder regenerated and filled up with 20M of files the next day. I have no GPS apps running.

    I've been web searching this for months, but I came up with nothing. Anyone???
     
  16. Samstoned

    Samstoned TechSpot Paladin Posts: 1,018

    this may be fall over from viruses and trojans
    do what RealBlackStuff says: wipe the disc using a 0 wipe app or get the manuf utility to wipe it. A standard format will not remove all the viruses
    then do a reinstall. Do not have the machine online until you get a good firewall in place
    and I don't mean the XP firewall; use Outpost or an older version of Sygate or
    PC Secure Personal Firewall
    I don't like Zone Alarm
     
  17. altheman

    altheman TS Rookie Posts: 425

    if a keylogger is running, then the .gps files might be screenshots of your screen at various times, with a different file extension to throw people off track. (scary thought)
    try opening the files with image viewer.
     
  18. Sierrasport

    Sierrasport TS Rookie

    Thanks for your suggestions.

    I can't even see the files or the date/time-named folders. I only see the names of them when they are scanned with something like ewido. If I do a search for *.gps or even *.* in the modscn folder (which I can only see if I type in the path) or subs, it returns nothing. I have nothing to look at, open, or view properties.... but I know it's there. Now it's back up to 59M in 2 days.

    I'll eventually re-image it, but that's not an option right now. Nothing seems to be compromised. Everything runs well. There are no strange process threads running, no detectable keyloggers or trojans. I've always used a software firewall, BlackICE then Lavasoft, and this machine has additional port and IP filtering through a VPN router.

    My community of techsters is befuddled. Until I blast it and rebuild it, I'll keep looking for an answer... if nothing else, to satisfy my curiosity.
     
  19. N3051M

    N3051M TS Evangelist Posts: 2,115

    so i guessed you've tried and gone in the explorer window and enabled viewing hidden stuff? [tools>folder options>view tab>show hidden files and folders]

    try going through your add/remove list and see if you have any programs that are unknown to you and google them, likewise with your task bar.. and download process explorer, see what you have running...

    one way to find out what program is writing it for sure is to go [start>run>msconfig] and boot using diagnostic startup, see if it's writing anything, enable a tab in msconfig and reboot, check, enable etc... until you find what tab is making it log the info, then disable the entries on that tab one by one until you get the process name.......

    just a thought...
     
  20. Sierrasport

    Sierrasport TS Rookie

    WOO HOO!!! I finally solved it!!! After months of digging and battling this quandary, I resolved to get to the bottom of this and not let the machine win...

    The hidden hidden folders were located at:
    C:\Windows\System32\(computer-name)\modscn\(date-time)\img####.gps
    If I typed in the path up to "modscn" I could see that folder and delete it. I couldn't delete the (computer-name) folder, because it was "being used by another process."

    I tried a Diagnostic Startup with msconfig, and I could delete the folder, but it reappeared when I did a normal startup, or a selective startup after I disabled everything I knew to be non-essential.

    I downloaded a 30-day trial of Security Task Manager (neuber.com) It scanned processes and indicated svcuser.exe located in System32 had a 100% dangerous rating!

    I researched this process and found that it belongs to Desktop Scout, a surveillance program/keylogger I had installed and later "uninstalled" almost a year ago. Well, the "uninstall" happens to leave behind part of the app, and it had been storing "invisible" screenshot files for all these months, which took up over 20G of my valuable disk real estate.

    I killed the "svcuser" process and deleted the reg entry under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The pest is now officially DEAD.

    I concluded that the .gps extension must have designated Global Patrol Scout. Global Patrol is the company that distributes Desktop Scout.

    Beware! If you have ever used Desktop Scout, it does not completely uninstall. Hopefully, the next guy who is grinding his teeth trying to figure this out will find this thread with a web search, like I did, and solve the problem without adding all the gray hairs that I did.

    Thank you Techspot dudes for inspiring the solution to this problem!
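
The two checks that cracked this case (what starts from the Run keys, and which folder under System32 keeps growing) can be scripted. The following is an added example, not part of the original thread or any poster's code; it assumes a Windows system with PowerShell 3.0 or later and an elevated prompt, and the variable names are illustrative.

```powershell
# Added example. Part 1: list Run-key autostarts and check each binary's signature.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$autoruns = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $k = Get-Item -Path $key
    foreach ($name in $k.GetValueNames()) {
        $cmd = [string]$k.GetValue($name)
        # Pull the executable path out of the command line (quoted or bare).
        if     ($cmd -match '^\s*"([^"]+)"')      { $exe = $Matches[1] }
        elseif ($cmd -match '^\s*(.+?\.exe)(\s|$)') { $exe = $Matches[1] }
        else                                       { $exe = ($cmd.Trim() -split '\s+')[0] }
        # An unsigned or missing binary is a lead to research, not a verdict.
        $sig = 'FileNotFound'
        if (Test-Path -LiteralPath $exe -PathType Leaf) {
            $sig = (Get-AuthenticodeSignature -FilePath $exe).Status
        }
        [pscustomobject]@{ Key = $key; Name = $name; Exe = $exe; Signature = $sig }
    }
}
$autoruns | Sort-Object Signature | Format-Table -AutoSize

# Part 2: size, file count and newest write time of each System32 subfolder.
# -Force includes items carrying the Hidden and System attributes.
$sys32 = Join-Path $env:SystemRoot 'System32'
$report = foreach ($d in Get-ChildItem -LiteralPath $sys32 -Directory -Force -ErrorAction SilentlyContinue) {
    $files = @(Get-ChildItem -LiteralPath $d.FullName -File -Recurse -Force -ErrorAction SilentlyContinue)
    $bytes = [double]($files | Measure-Object -Property Length -Sum).Sum
    [pscustomobject]@{
        Folder      = $d.Name
        Attributes  = $d.Attributes
        Files       = $files.Count
        SizeMB      = [math]::Round($bytes / 1MB, 1)
        NewestWrite = ($files | Sort-Object LastWriteTime | Select-Object -Last 1).LastWriteTime
    }
}
# A folder that is large AND was written to today deserves a closer look.
$report | Sort-Object SizeMB -Descending | Select-Object -First 10 | Format-Table -AutoSize
```

Running part 2 on two consecutive days and comparing the output shows which folder is accumulating files, which is the pattern the posters saw with modscn.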
     
  21. Tedster

    Tedster Techspot old timer..... Posts: 6,000   +15

    yet another adware and dishonest program.
     
Topic Status:
Not open for further replies.
