Using Windows Safe Mode to Get Rid of Gunk-Ware

The next thing I do is delete everything in the C:\temp directory, if it exists. Some systems have it and others don’t.

In addition to the common machine temp directory, every user profile on your machine has its own temp file directory, as well as directories that hold that user’s Internet cache, history, and cookies. Believe it or not, a lot of malware can reside in those areas, and they can take up a great deal of space over time. They may also contain files with personally identifiable information, such as names, addresses, email addresses, and even credit card numbers. A Disk Cleanup performed in normal mode doesn’t always clean everything out of these directories, so it’s a good idea to clean these areas manually as described below. Note that this can be a bit time consuming, so you may want to script it if you have good scripting skills. Otherwise, it’s simply a matter of changing directories a lot by hand.

In the next few steps, we’ll delete the temp files, cookies, Internet Explorer cache, and IE history files. Note that this is not a recommended method to “hide your surfing tracks”, because simply deleting files doesn’t make them go away, and people with the right knowledge and tools, such as computer forensics investigators, can usually bring them back. For our cleaning and de-gunking purposes, however, it’ll do just fine.

First, we’ll delete the cookies and index.dat files. We can globally delete these without having to change into a user profile directory by executing these commands at the prompt:

C:\> del *@*.txt /s /f

And

C:\> del index.dat /s /f

The first command deletes all of the cookies that are in the standard format across all subdirectories, and the second deletes all of the index.dat files. The index.dat file, for those who may not know, is the key Internet Explorer file that actually stores the Internet surfing logs. It’s not normally human readable, although there are several freeware utilities that can read it. When a user “clears” their Internet surfing histories, these files are NOT deleted. They can usually only be deleted in Safe Mode, and only if you are not logged in as that user.

After these files are deleted, the next part is a little cumbersome to do in the command-prompt-only version of Safe Mode, so it’s better to switch to regular graphical Safe Mode. Again, log in as a user with administrative privileges if you can. Once logged in, navigate to the Documents and Settings folder and you’ll see each user’s profile folder there. For each user, go into their profile folder and navigate to the Local Settings folder, which is normally hidden (you’ll have to show hidden folders to see it), and systematically delete all of the contents of the Temp, History, and Temporary Internet Files folders.
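Since the article suggests scripting this, here is an added batch script (not from the original article) that does the C:\temp and per-profile cleanup above in one pass from Safe Mode. The file name degunk.cmd, the /n dry-run switch and the :purge label are my own choices, and the script assumes each profile folder under Documents and Settings is named after its user.

```batch
@echo off
rem Added example, not from the original article: empties the per-profile
rem Temp, History, Temporary Internet Files and Cookies folders the article
rem walks through by hand, plus C:\temp. Run from Safe Mode as an admin
rem account that is NOT one of the profiles being cleaned (its index.dat
rem files are in use). Assumes each profile folder is named after its user.
rem   degunk.cmd      delete
rem   degunk.cmd /n   dry run: list only, delete nothing
setlocal
set "DRY="
if /i "%~1"=="/n" set "DRY=1"
set "PROFILES=%SystemDrive%\Documents and Settings"

rem Common machine temp directory, only if it exists
if exist "%SystemDrive%\temp\" call :purge "%SystemDrive%\temp"

rem One pass per profile folder; dir /ad also returns hidden folders
for /f "delims=" %%U in ('dir /b /ad "%PROFILES%"') do (
    if /i not "%%U"=="%USERNAME%" (
        call :purge "%PROFILES%\%%U\Local Settings\Temp"
        call :purge "%PROFILES%\%%U\Local Settings\History"
        call :purge "%PROFILES%\%%U\Local Settings\Temporary Internet Files"
        call :purge "%PROFILES%\%%U\Cookies"
    )
)
endlocal
goto :eof

:purge
rem Delete every file (any attribute, /a) and every subfolder under %1,
rem including hidden ones such as Content.IE5, but keep the folder itself.
if not exist "%~1\" goto :eof
echo Cleaning "%~1"
if defined DRY (
    dir /b /s /a "%~1" 2>nul
    goto :eof
)
del /f /s /q /a "%~1\*" >nul 2>&1
for /f "delims=" %%D in ('dir /b /ad "%~1" 2^>nul') do rd /s /q "%~1\%%D"
goto :eof
```

Run it once with /n first and read the listing, so you know exactly which files are about to go.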

When all of these files are deleted, and before you leave Safe Mode, it’s also a good idea to run the msconfig command and get a look at all of the different programs and processes that start up when the computer boots. A lot of malware tends to start itself at system boot, and from this utility (available only on Windows XP by default, but it can be downloaded and installed on Windows 2000 also) you can selectively turn off the suspicious ones and determine whether they are causing performance problems with your machine. If you accidentally turn off one that you need (such as your printer monitor or antivirus software), you can also run this utility from normal mode and turn the program back on. It’s probably a good idea to research a program’s name before turning it off.

When you are done, reboot the computer back into normal mode and continue your daily use, or go ahead and use your favorite anti-spyware and antivirus tools to finish the housekeeping job. In either case, your computer should run a bit better, and you should have eliminated a lot of the space-taking files that can clutter up your system.