I am posting this to help others like me who run into the following problem and cannot find help anywhere on the web. A family member brought me a laptop that was infected with a virus. Following a successful install, update, scan, removal, and reboot using MBAM, I installed Microsoft Security Essentials, updated definitions, and ran a scan on drive C. MSE found several 'threats', most of which were in the C:\Windows\assembly\temp folder. I opted to remove the threats and restart Windows. When Windows tried to boot, however, it never made it past the loading screen. It was at this point that Windows entered a boot loop.
I first tried to perform a Startup Repair, but no luck. Next, I tried to perform a System Restore to a point from before the installation of MSE. The system still refused to boot to Windows.
So, I popped in my Ubuntu 10 live CD and decided to inspect MSE's logs (located in C:\ProgramData\Microsoft\Microsoft Antimalware\Support). The following entries are located in the MPLog file at this location, which I have attached to this post (from the file MPLog-12239.log):

Resource Path: C:\Windows\assembly\temp\kwrd.dll
Result Count: 1
Threat Name: Program:Win32/CoinMiner

Resource Path: C:\Windows\assembly\temp\U\80000032.@
Result Count: 1
Threat Name: Trojan:Win32/Alureon.TK
Resource Schema: file
Resource Path: C:\Windows\assembly\temp\U\80000032.@
Extended Info: 4203

2011-12-28T03:42:11.379Z DETECTIONEVENT Trojan:Win32/Alureon.TK file:C:\Windows\assembly\temp\U\80000032.@
2011-12-28T03:42:11.395Z DETECTIONADD Trojan:Win32/Alureon.TK file:C:\Windows\assembly\temp\U\80000032.@
2011-12-28T03:43:48.442Z Process scan completed.
2011-12-28T03:46:17.735Z DETECTIONEVENT TrojanDownloader:Win32/Unruy.H file:C:\Windows\SysWOW64\7t4G2.com
2011-12-28T03:46:17.735Z DETECTIONADD TrojanDownloader:Win32/Unruy.H file:C:\Windows\SysWOW64\7t4G2.com
2011-12-28T03:47:13.973Z Process scan started.

I had reason to believe that whatever caused Windows to enter this boot loop started with the removal of these entries from the C:\Windows\assembly folder. I did not possess a Windows 7 Home Premium 64-bit installation CD, but I did have a working laptop with that exact version of the OS.

My proposed solution: copy the assembly folder from my laptop to the borked laptop using the Ubuntu live CD and see if it works.

Outcome: the borked laptop booted successfully on the first try.

Additional information: just before Christmas, I received another computer with a similar infection, followed the same steps as above, removed an infection from the assembly folder, and the computer entered an identical boot loop that I could recover from. Things I tried:

Startup Repair
Last Known Good Configuration
System Restore to several different points
Restore registry from working copy
chkdsk /f /r
sfc /scannow

None of these things worked, so I backed up files and reimaged the system. However, if I had simply copied the assembly folder like I did just now, I believe the laptop would have booted successfully just like this one did.
Conclusion and request: I am hoping some of you with more experience and knowledge than I possess could make more sense of this situation by viewing the attached log files. Hopefully these findings will help someone else out there. I have included the following:

MBAM scan log, created on the first and only MBAM scan of the system. MSE scan log, created right before the system entered the boot loop. Event Viewer log, showing the events of that night from 4:00pm to 11:00pm CST. Most work done around 6-8pm CST.
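Before pressing "remove" on a scan result, it helps to see where the detections actually sit. The following Python script is an added example, not code from the post or from Microsoft: it pulls the DETECTIONEVENT lines out of an MPLog excerpt, groups them by threat name, and flags anything under C:\Windows\assembly, the directory the poster reports could not be cleaned without a boot loop. The sample log is constructed from the lines quoted above (the kwrd.dll event and its timestamp are made up so that every named threat appears), and the line layout is inferred from that excerpt rather than from any documented MPLog format.

```python
import codecs
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample built from the DETECTIONEVENT / DETECTIONADD lines quoted in the post.
# The kwrd.dll line and its timestamp are made up so every threat the poster named appears
# as an event. Lines that do not match the inferred layout (scan start/stop) are ignored.
SAMPLE_MPLOG = r"""
2011-12-28T03:42:10.000Z DETECTIONEVENT Program:Win32/CoinMiner file:C:\Windows\assembly\temp\kwrd.dll
2011-12-28T03:42:11.379Z DETECTIONEVENT Trojan:Win32/Alureon.TK file:C:\Windows\assembly\temp\U\80000032.@
2011-12-28T03:42:11.395Z DETECTIONADD Trojan:Win32/Alureon.TK file:C:\Windows\assembly\temp\U\80000032.@
2011-12-28T03:43:48.442Z Process scan completed.
2011-12-28T03:46:17.735Z DETECTIONEVENT TrojanDownloader:Win32/Unruy.H file:C:\Windows\SysWOW64\7t4G2.com
2011-12-28T03:46:17.735Z DETECTIONADD TrojanDownloader:Win32/Unruy.H file:C:\Windows\SysWOW64\7t4G2.com
2011-12-28T03:47:13.973Z Process scan started.
""".strip()

# Directories the poster found could not be cleaned without breaking boot (assumption:
# extend with whatever your own experience says is risky).
BOOT_SENSITIVE_ROOTS = (r"C:\Windows\assembly",)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z)\s+"
    r"(?P<event>DETECTIONEVENT|DETECTIONADD)\s+"
    r"(?P<threat>\S+)\s+"
    r"(?P<scheme>[a-z]+):(?P<path>.+?)\s*$"
)


def under(path, root):
    """True if `path` lies strictly inside directory `root` (Windows paths, case-insensitive)."""
    p = [part.lower() for part in PureWindowsPath(path).parts]
    r = [part.lower() for part in PureWindowsPath(root).parts]
    return len(p) > len(r) and p[:len(r)] == r


def parse_detections(text):
    """One record per DETECTIONEVENT line. DETECTIONADD repeats the same detection a few
    milliseconds later, so it is skipped to avoid double counting."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["event"] != "DETECTIONEVENT":
            continue
        records.append({
            "ts": m["ts"],
            "threat": m["threat"],
            "scheme": m["scheme"],
            "path": m["path"],
            "boot_sensitive": any(under(m["path"], root) for root in BOOT_SENSITIVE_ROOTS),
        })
    return records


def summarize(records):
    by_threat = defaultdict(list)
    for rec in records:
        by_threat[rec["threat"]].append(rec["path"])
    return {
        "total": len(records),
        "by_threat": dict(by_threat),
        "boot_sensitive": [rec["path"] for rec in records if rec["boot_sensitive"]],
    }


def load_log(path):
    """Read an MPLog file; detect a UTF-16 BOM, otherwise fall back to UTF-8."""
    data = open(path, "rb").read()
    if data.startswith(codecs.BOM_UTF16_LE) or data.startswith(codecs.BOM_UTF16_BE):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


if __name__ == "__main__":
    import sys
    text = load_log(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_MPLOG
    summary = summarize(parse_detections(text))
    for threat, paths in summary["by_threat"].items():
        print(f"{threat}:")
        for p in paths:
            print(f"    {p}")
    if summary["boot_sensitive"]:
        print("\nDetections under boot-sensitive directories (copy these off before removal):")
        for p in summary["boot_sensitive"]:
            print(f"    {p}")
```

Run it with the path to an MPLog file, or with no argument to use the embedded sample. The useful output is the last section: anything listed there is worth copying off to removable media from the live CD before letting the scanner delete it, so that a boot loop can be undone without borrowing a second machine's assembly folder.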
I've written a blog post on the SuperUser Blog detailing some of the things you can do to scrape back some hard drive space. Read it at To summarise, there are many things you can do, depending on whether there is functionality that you need:
Don't use hibernation? Then you can disable it and claim back a quantity of hard drive space equal to the amount of RAM you have. You just need to log on as an administrator, open a command prompt and type the following two lines:

powercfg -h off
del C:\hiberfil.sys

Old Windows Update files can be deleted, as the folder they are stored in used to get quite big. They are stored in C:\Windows\SoftwareDistribution, but you'll need to go through the method I detailed in the blog to properly clean the directory out.

System Restore is another hog, and deleting old restore points can clean out space; you can even control how much space is available for use with System Restore. As an administrator, simply click the Windows Start menu icon and enter "SystemPropertiesProtection.exe".

The WinSxS folder is a red herring and contains no data that is not already duplicated elsewhere, and deleting it will save you nothing.
This special folder contains what are known as hard links to files which are scattered across your system and are kept in that folder to simplify matters slightly. The hard links take nearly no extra space in the filesystem, as they are simply another pointer to already existing file data.
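The hard-link point above can be measured rather than argued about. The following Python script is an added example, not code from the answer or its author: it walks a directory tree and reports the apparent size (the sum of every file name's size, which is what Explorer's folder Properties shows), the unique size (each underlying file counted once, so extra hard-link names add nothing), and the exclusive size (bytes whose every link lives inside the tree, which is all that deleting the tree would really free). Run against C:\Windows\WinSxS it shows how much of the folder is only additional names for data that also lives under System32 and friends. The fixture it builds in a temp directory is constructed to show the effect offline, with one file linked several times inside the tree and one file that also has a name outside it.

```python
import os
import shutil
import stat
import tempfile


def footprint(root):
    """Measure a directory tree and return a dict with four numbers:

    apparent    sum of st_size over every file name (what Explorer reports for the folder)
    unique      each underlying file (device + inode / NTFS file index) counted once
    exclusive   bytes whose every hard link is inside the tree, i.e. what deleting the
                tree would actually free; a file also linked from elsewhere frees nothing
    hardlinked  number of file names whose inode has more than one link
    """
    entries = {}  # (dev, inode) -> [size, nlink, names seen inside this tree]
    apparent = hardlinked = 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            try:
                st = os.lstat(os.path.join(dirpath, name))
            except OSError:
                continue  # permission denied, file vanished, etc.
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, junctions and devices
            apparent += st.st_size
            if st.st_nlink > 1:
                hardlinked += 1
            rec = entries.setdefault((st.st_dev, st.st_ino), [st.st_size, st.st_nlink, 0])
            rec[2] += 1
    unique = sum(size for size, _nlink, _seen in entries.values())
    exclusive = sum(size for size, nlink, seen in entries.values() if seen == nlink)
    return {"apparent": apparent, "unique": unique, "exclusive": exclusive, "hardlinked": hardlinked}


def demo_tree(size=1000, links=3):
    """Constructed fixture standing in for WinSxS: `original.dll` plus `links` extra names for
    it inside the tree, and `shared.dll`, which also has a name in a sibling 'System32'."""
    base = tempfile.mkdtemp(prefix="sxs-demo-")
    root = os.path.join(base, "WinSxS")
    outside = os.path.join(base, "System32")
    os.makedirs(root)
    os.makedirs(outside)
    original = os.path.join(root, "original.dll")
    with open(original, "wb") as f:
        f.write(b"\0" * size)
    for i in range(links):
        os.link(original, os.path.join(root, f"link{i}.dll"))
    shared = os.path.join(root, "shared.dll")
    with open(shared, "wb") as f:
        f.write(b"\0" * (size // 2))
    os.link(shared, os.path.join(outside, "shared.dll"))
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else demo_tree()
    try:
        for key, value in footprint(target).items():
            unit = "names" if key == "hardlinked" else "bytes"
            print(f"{key:>10}: {value:,} {unit}")
    finally:
        if len(sys.argv) == 1:
            shutil.rmtree(os.path.dirname(target))
```

Run it with a directory argument (an elevated prompt is needed for WinSxS, and a full walk of it takes a while) or with no argument to see the fixture numbers. The gap between "apparent" and "exclusive" is the space you would not get back.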
An alternative to the excellent CCleaner that Akira linked is a more commercially supported alternative from IOBits. There is a free version available which will likely do just as much to clean out your system as CCleaner, but has a few added extras. I've been playing with the WinSxS folder in a few test installs and I have figured out a way to save some space. In a 3-month-old Windows 7 Pro install on my laptop, the SxS folder grew to 14GB.
I can safely delete 7.4GB of that without any issues. I was a bit surprised to read that most 'technical' write-ups say you can't delete anything in the SxS folder without issues. This is just not true, and I wonder if anyone has tried different scenarios or if that opinion has just grown off of Microsoft's warnings. There is one thing that you can't do after 'cleaning' the SxS folder, but it's rare that you'd need to, so I won't even waste the keystrokes. I've had this running smoothly for a LONG time, and on the laptop I use for work as an IT Director, so I put it through its paces - that's for sure. It's well worth the disk space in some cases. For example - I love my laptop, which is an older Dell, and I've got an SSD drive in it.
The SSD is only 60 gig, so space is at a premium. As is, I use a 32GB SD card in the onboard reader to give me extra space, but knocking a chunk of useless crap off is a nice option when you don't need 75% of the files in that folder. I'll do a write-up on it and post it here in the next couple of days.