Question Temp folder full of Temp1_zipName.zip folders?!

Status
Not open for further replies.

Achint2000

It's been 2 months now and I've been noticing that at random, the Appdata > Local > Temp folder randomly starts getting gigantic, with explorer.exe extracting EVERY DAMN ZIP FILE ON MY SYSTEM.

It extracts every single zip file, named Temp1_zipName.zip with the file's contents inside, and it keeps going on, and starts again with Temp2_zipName, and so on. I've even found temp4_ so far... It was 48 GB of zip file contents. INSANE.

On searching about this, all I found were bleepingcomputer forums from many years ago and they just ask to run 3rd party software to fix it with insanely long logs just copy-pasted there. No, I want to know exactly what's causing this.

Task manager and resource monitor indicate explorer.exe is doing this, and I couldn't find any malware. Did many security scans, even windows defender offline scan. Restarting explorer.exe stops this.

This is extremely annoying since I'm working on assignments in class and randomly run out of disk space. Also not good for the SSD's health.

I tried Norton Power Eraser, found nothing.

Any ideas on what to do?
 

Achint2000

For now - deleted all temp files/folders and waited for this crap to start all over again.
I killed explorer.exe when it finished with Temp1_ ... files and started cmd using taskmgr
In cmd, I did:
Code:
cd %localappdata%\Temp
del * /s /q /f
cacls * /e /p everyone:n
First line selects temp folder
Second line deletes all files in all subfolders (so size is zero)
Third line denies all permissions to everything currently there in temp folder.
I can't deny access to Temp folder so I denied access to everything inside it.

Code:
cacls fileName.file /e /p everyone:f
To grant access to some files which were in use (like adb.log)

Now, the Temp1_ folders can't be accessed at all. Hopefully this will stop whatever's writing to these folders. Worst case it just ignores 1 and starts with Temp2_ ...
 

Achint2000

It just happened again. I even know how often this happens, since I have had a game trainer, which gets falsely detected as a virus, sitting in Downloads for years now. Every time this Temp_ extraction starts, it also extracts that trainer, and Windows Defender has a long history of blocking that file again and again.

The file creating all this is explorer.exe seen from resource monitor. Denying permissions didn't help, it just went onto Temp2_ and Temp3_ folders. Windows 10 v1903 - how garbage is Microsoft's security?

Will try running that antivirus now.
 

Colif

Well, it's Defender making the files - link - but still not sure why. Probably as part of the virus scan it runs when detecting that program. You should make the program an exception and then it won't try to block it.

Denying permissions didn't help, it just went onto Temp2_ and Temp3_ folders. Windows 10 v1903 - how garbage is Microsoft's security?

Maybe because it's security creating the folders, it gives itself permission.

Bitdefender can replace defender and that would resolve the issue since the action that creates the temp files would be disabled.
 

Achint2000

I carefully monitored everything and it's happening again - even with BitDefender working. The process explorer.exe was started by this code:

Code:
C:\Windows\explorer.exe /factory,{ceff45ee-c862-41de-aee2-a022c81eda92} -Embedding

And again, creating temp3_ and temp4_ files in the temp directory now.

The exact same thing happens whenever I restart my system. Sometimes it's in a separate explorer.exe process, other times it's in a separately launched process.

Every time I detect this is going on, I run the same two commands. It's on temp5_ now, with no sign of stopping.

Bitdefender just blocked the launch of explorer.exe with the same command line, stating it's malware. I also changed the default program for opening zip files to 7zip instead of explorer.

EDIT: I know what creates these files - explorer.exe
explorer.exe is started in a separate process by settings in file explorer options.

Something loads into explorer.exe from time to time causing it to do all this.
 
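A read-only way to line up the two observations from the posts above (the TempN_zipName.zip folders and the explorer.exe instance started with `/factory,... -Embedding`), as an added PowerShell example that is not part of the thread. It assumes the folders follow the Temp<N>_<name>.zip pattern described; the variable and property names are illustrative.

```powershell
# Added example, not from the thread. Read-only: nothing is deleted or changed.
$tempRoot = Join-Path $env:LOCALAPPDATA 'Temp'

# 1. Collect the TempN_<archive>.zip extraction folders with size and creation time.
#    Folders with denied permissions (e.g. after cacls) will report 0 MB.
$folders = Get-ChildItem -Path $tempRoot -Directory -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.Name -match '^Temp(\d+)_(.+\.zip)$') {
            $bytes = (Get-ChildItem -LiteralPath $_.FullName -Recurse -File -Force `
                        -ErrorAction SilentlyContinue |
                      Measure-Object -Property Length -Sum).Sum
            [pscustomobject]@{
                Round   = [int]$Matches[1]
                Archive = $Matches[2]
                Created = $_.CreationTime
                SizeMB  = [math]::Round($bytes / 1MB, 1)
            }
        }
    }

# 2. One row per extraction round (Temp1_, Temp2_, ...): how many archives were
#    unpacked, how much space they take, and the time window it happened in.
$folders | Group-Object Round | Sort-Object { [int]$_.Name } | ForEach-Object {
    $byTime = $_.Group | Sort-Object Created
    [pscustomobject]@{
        Round   = $_.Name
        Folders = $_.Count
        TotalMB = ($_.Group | Measure-Object -Property SizeMB -Sum).Sum
        First   = $byTime[0].Created
        Last    = $byTime[-1].Created
    }
} | Format-Table -AutoSize

# 3. Every explorer.exe instance with its start time, parent and command line,
#    so a "/factory,{...} -Embedding" instance can be matched to a round above.
#    The parent may have exited already, and its PID can be reused by Windows.
Get-CimInstance Win32_Process -Filter "Name = 'explorer.exe'" | ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
    [pscustomobject]@{
        ProcessId   = $_.ProcessId
        Started     = $_.CreationDate
        Parent      = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { 'exited' }
        IsFactory   = [bool]($_.CommandLine -match '/factory,')
        CommandLine = $_.CommandLine
    }
} | Sort-Object Started | Format-List
```

Comparing the `Started` time of a `/factory` instance with the `First`/`Last` window of a round shows whether that process lifetime covers the extraction.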

Achint2000

I got exhausted with this garbage. Since most of the zip files were from the downloads folder, I used ReNamer to rename every single zip file in the downloads folder, changing its extension to rar.

7Zip opens as rar but is still able to read the file so it makes no practical difference anyways.

I'll check to see if it does this for zip files in C:\ too, accessing zip files from program files and other locations... Although that seems unlikely.

Another idea would be to password protect zip files with a simple password like 123 or something.
 

Colif

It isn't normal, in that it doesn't happen to everyone.

Have you tried making a local user and seeing if the behaviour happens on it?
https://support.microsoft.com/en-au...-create-a-local-user-or-administrator-account
If you copy the contents of the current user's folder in C:/users/currentusername over the contents of C:/users/newusername, it will give it the same access, meaning you don't need to reinstall anything.
If it fixes it, it means the problem was that your old user profile was randomly corrupted.

You might want to consider a fresh install and see if that stops it.
 