System32 holding 50GB?

Status
Not open for further replies.
M

moontan

I have a 80 Gig hard drive and am trying to get some memory back as it's under 1 Gig at present. Upon searching I found about 40+ Gig in System32 ???
How can I free it up as it seems to be hidden. I have run System Mechanic but it doesn't touch the stuff.
Thanks in advance for any help!
 
You can go to My Computer/Tools/Folder Options/View Tab, and then click on the tick mark for show hidden files and folders.

Is this a backup folder of your system? Do you know what the name of the files is?
 
In my recent (2 months) XP Pro installation, that folder (incl. subdirs) only contains 632MB.
Definitely something 'phishy'/'fishy' going on there!
 
Did you install XP yourself on that machine? How can you not know if 40+GB of stuff is in that folder and how it got there? Do you leave the PC on its own for a very long time? How fast is your connection? ;D
Could it be an XP bug? Sounds really strange...
 
Thanks for the tip on opening the hidden files! man it takes forever to load them all! thousands of files, lots of .dll files -app extensions etc

Ok I clicked on the properties of system32 and check this out!!! after running for a 1/2 hour......
Location: C:\WINDOWS
Size: 55.6GB (59,769,994,336 bytes)
Size on disc: 56.6GB (60,846,026,411 bytes)
Contains: 586,588 files 934 folders

???AHHH!!!! how do I get rid of all this crap!!
I've had XP running on here since 2002 and have a digital cable connection that stays on all the time..
 
If you do a search in the System32 folder (search for '*') what are the size of the largest files? In mine, the single largest is 13mb, a few a 6-8 and the rest are 4 and less...

And what extensions are there? Are there any .rar/.zip/.tar/.lzh/.ace? If so, you might very well have been hosting a ****** site without knowing....
 
No files found when '*' is searched for. ?
Funny how my Windows folder is not accessable from C drive? You have to type it in the browser window to display and look for the sys32 folder. Does that smell of a highjack?
I will do the other suggestion and post results.
Thanks for the help guys!
 
moontan said:
Funny how my Windows folder is not accessable from C drive? You have to type it in the browser window to display and look for the sys32 folder. Does that smell of a highjack?
Click to expand...
Not unless you have "Show hidden files and folders" selected under View in Folder Options.
 
moontan said:
I've had XP running on here since 2002 and have a digital cable connection that stays on all the time..
Click to expand...
Oh. Hehe. That explains a lot. Good luck with getting rid of that. :)
 
Bad news. At first sight, you have about 20 different viruses, worms, trojans etc.
There's a keylogger running, nicely following when you type in your passwords, creditcard details etc.

Disconnect your PC from the internet.
Make a backup of your personal files, burn them on CD/DVD if the amount is not too big, or copy it onto another harddisk.
Then install from scratch.
It's hardly worth trying to save such a bad system.

Next, you should invest some money and buy a router with built-in firewall, such as the SMC Barricade. Install that between the digital cable and your PC.

PS: when you reinstall, do NOT put that Norton crap on it again!
AVG/Sygate have a great free combination antivirus/firewall.
http://free.grisoft.com
http://soho.sygate.com
 
Got 46 Gig back! there was a file called modscn running in system32. Although I deleted all the files and got my Gig's back, it's still running and storing up files again? all the files are .gps? what are they? Is it Norton that's doing it?
(PS. the keylogger is my install for personal reasons)
 
Check against your installed programs, which one creates .GPS files
http://filext.com/detaillist.php?extdetail=GPS

Did you ever have a GPS attached to your system?
If so, then there may have been an "autosave" feature
turned on that tracked you wherever you went. The
extension of "gps" suggests this.

Download Ewido Security Suite (trial) from http://www.ewido.net/en/download/
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

Start Ewido. When you run it the first time, you get a warning "Database could not be found!". Click OK.
On the main screen, click on Update in the left menu, then click the Start Update button.
After the Update finishes, the status bar at the bottom will display "Update successful".
-- If you have problems updating see here: http://www.ewido.net/en/download/updates/
Once the updates are installed do the following:
Click on Scanner
Make sure the following boxes are checked before scanning:
- Binder
- Crypter
- Archives
Click on Start Scan and let Ewido scan the PC.
While the scan is in progress, you will be prompted to 'Clean files', click OK
When the scan is done, you'll find a Save report button at the bottom of the screen.
Click 'Save report' and save it to your desktop.
Reboot your PC and post back the Ewido Scanlog as a .txt attachment
 
moontan, did you ever find out what is generating those files? I have the same issue. I just cleaned out 20G of files from my Windows\System32\(computer name)\modscn\(date and time named folder)\img####.gps

There are over 200 files generated each day. The files are "hidden" except that they are still not visible with hidden files and folders shown. The folders are only visible if the path is typed into the address bar. The names of files are only visible when I run a scan with a virus scanner or adware scanner. The files themselves are not visible.

Nothing picks it up as virus or adware generated. Even though I deleted the modscn folder, the folder regenerated and filled up with 20M of files the next day. I have no GPS apps running.

I've been web searching this for months, but I came up with nothing. Anyone???
 
this may be fall over from virus and trojuns
do what REalblackstuff says wipe disc using a 0 wipe app or get the manuf utility to wipe it a standard format will not remove all the virus's
then do a reinstall do not have machine online until you get a good firewall in place
and I don't mean xp firewall use outpost or and older version of sygate or
PC Secure Personal Firewall
I don't like Zone alarm
 
if a keylogger is running, then the .gps files might be screenshots of your screen at various times, with a different file extension to throw people of track. (scary thought)
try opening the files with image viewer.
 
Thanks for your suggestions.

I can't even see the files or the date/time-named folders. I only see the names of them when they are scanned with something like ewido. If I do a search for *.gps or even *.* in the modscn folder (which I can only see if I type in the path) or subs, it returns nothing. I have nothing to look at, open, or view properties.... but I know it's there. Now it's back up to 59M in 2 days.

I'll evenutally re-image it, but that's not an option right now. Nothing seems to be compromised. Everything runs well. There are no strange process threads running, no detectable keyloggers or trojans. I've always used a software firewall, BlackICE then Lavasoft, and this machine has additional port and IP filtering through a VPN router.

My community of techsters is befuddled. Until I blast it and rebuild it, I'll keep looking for an answer... if nothing else, to satisfy my curiosity.
 
so i guessed you've tried and gone in the explorer window and enabled viewing hidden stuff? [tools>folder options>view tab>show hidden files and folders]

try going through your add/remove list and see if you have any programs that are unknown to you and google them, likewise with your task bar.. and download process explorer, see what you have running...

one way to find out what program is writing it for sure is to go [start>run>msconfig] and boot using diagnostic startup, see if its writing anything, enable a tab in msconfig and reboot, check, enable etc... untill you find what tab is making it log the info, then disable the entries on that tab one by one untill you get the process name.......

just a thought...
 
WOO HOO!!! I finally solved it!!! After months of digging and battling this quandry, I resolved to get to the bottom of this and not let the machine win...

The hidden hidden folders were located at:
C:\Windows\System32\(computer-name)\modscn\(date-time)\img####.gps
If I typed in the path up to "modscn" I could see that folder and delete it. I couldn't delete the (computer-name) folder, because it was "being used by another process."

I tried a Diagnostic Startup with msconfig, and I could delete the folder, but it reappeared when I did a did a normal startup, or a selective startup after I disabled everything I knew to be non-essential.

I downloaded a 30-day trial of Security Task Manager (neuber.com) It scanned processes and indicated svcuser.exe located in System32 had a 100% dangerous rating!

I researched this process and found that it belongs to Desktop Scout, a surveillance program/keylogger I had installed and later "uninstalled" almost a year ago. Well, the "uninstall" happens to leave behind part of the app, and it had been storing "invisible" screenshot files for all these months, which took up over 20G of my valuable disk real estate.

I killed the "svcuser" process and deleted the reg entry under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The pest is now officially DEAD.

I concluded that the .gps extension must have designated Global Patrol Scout. Global Patrol is the company that distributes Desktop Scout.

Beware! If you have ever used Desktop Scout, it does not completely uninstall. Hopefully, the next guy who is grinding his teeth trying to figure this out will find this thread with a web search, like I did, and solve the problem without adding all the gray hairs that I did.

Thank you Techspot dudes for inspiring the solution to this problem!
 
Status
Not open for further replies.

Similar threads

Dood123
Help login in Instagram account, says use 2FA code but have not set up 2FA for insta
Replies
0
Views
717
Dood123
Dood123
A
Baldur's Gate 3 dramatic memory optimizations on Xbox could benefit PC and other platforms
Replies
6
Views
397
Burty117
Burty117
Daniel Sims
80% of influencers don't properly disclose products they are paid to advertise
Replies
6
Views
217
toooooot
T

Latest posts

Back