
Strange files in C:\Windows\Temp



Win 7 x64, SP1

IE11

Emsisoft Anti-malware paid

Eset Smart Security

Recently, I have been seeing .tmp and .vbs files with the same prefix appearing in C:\Windows\Temp after a browser session. The .tmp file is usually empty. Files appear not every time when browsing but a kind of hit and miss thing. The .vbs script appears to be some kind of redirect perhaps? I have seen none of that type of activity while browsing that I am aware of. Although since last Sunday, I have had IE11 hang on me a couple of times when trying to access my home page. Clearing out my webcache and rebooting clears that up.

Have run full scans with Emsisoft anti-malware paid and Eset Smart Security and nothing found.

Attaching the two files mentioned above in a zipped folder for review.

FRST.txt

Addition.txt

scan_150925-164353.txt


These files are harmless and there's no need to worry about them. The VBS file simply refers to a temporary url file saved on your computer. In order to know what that is, when you see these files created again, right click on the .vbs file and open it with Notepad (Open With.... >> select Notepad in the list of programs). On the second line you'll see the name of the file, which likely will have the format tmp<some numbers>.url. You can upload that file to http://www.virustotal.com or post it here for review.

Your logs look clean, do you have any problem that would point to a possible infection (slowness, redirects, pop ups...)?
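Added example, not part of the original thread or written by either poster: a PowerShell sketch of the inspection described in the reply above, reading each .vbs as text instead of running it and hashing the referenced .url file so the hash can be looked up before anything is uploaded. The folders searched for the .url file and the `URL=` line format are assumptions about where and how the shortcut is stored.

```powershell
# Added example: inspect the .vbs/.tmp pairs as text, never by executing them.
# Assumptions (not from the thread): the referenced .url file sits in one of the
# temp folders below; PowerShell 2.0 or later (the Windows 7 default) is present.
$tempDirs = @("$env:windir\Temp", $env:TEMP)
$sha256   = [System.Security.Cryptography.SHA256]::Create()

function Get-Sha256Hex([string]$Path) {
    # Hash via .NET so the script also works where Get-FileHash is unavailable.
    $stream = [System.IO.File]::OpenRead($Path)
    try     { return ([BitConverter]::ToString($sha256.ComputeHash($stream)) -replace '-', '') }
    finally { $stream.Dispose() }
}

Get-ChildItem -Path "$env:windir\Temp" -Filter *.vbs -ErrorAction SilentlyContinue | ForEach-Object {
    $vbs = $_
    Write-Output ("Script : {0} ({1} bytes, written {2})" -f $vbs.FullName, $vbs.Length, $vbs.LastWriteTime)

    # The companion .tmp file shares the prefix and is usually empty.
    $tmp = Join-Path $vbs.DirectoryName ($vbs.BaseName + '.tmp')
    if (Test-Path $tmp) {
        Write-Output ("Partner: {0} ({1} bytes)" -f $tmp, (Get-Item $tmp).Length)
    }

    # Read only the first lines; the second line is where the file name is expected.
    $lines = @(Get-Content -Path $vbs.FullName -TotalCount 5)
    if ($lines.Count -ge 2) { Write-Output ("Line 2 : {0}" -f $lines[1]) }

    # Collect every tmp<digits>.url name mentioned in those lines.
    $names = @()
    foreach ($line in $lines) {
        foreach ($m in [regex]::Matches($line, 'tmp\d+\.url', 'IgnoreCase')) { $names += $m.Value }
    }

    foreach ($name in @($names | Select-Object -Unique)) {
        $hit = $tempDirs | ForEach-Object { Join-Path $_ $name } |
               Where-Object { Test-Path $_ } | Select-Object -First 1
        if (-not $hit) {
            Write-Output ("  {0}: not found in the temp folders searched" -f $name)
            continue
        }
        # A .url shortcut is an INI-style text file; its URL= line is the target.
        $target = @(Get-Content -Path $hit | Where-Object { $_ -match '^URL=' })
        Write-Output ("  {0} -> {1}" -f $hit, ($target -join '; '))
        Write-Output ("  SHA-256: {0}" -f (Get-Sha256Hex $hit))
    }
}
```

Run it from an elevated prompt, since C:\Windows\Temp is normally not readable by standard users.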

What about the ADS entry in Program Data shown in the FRST64 Addition log?

Also Taskhost hung system on shutdown last night. It also has done that a couple of times. I believe this is also due to issues with those webcache files. Wonder if I should just run a repair for IE11 which I just installed a couple of weeks ago? That is when most of my issues started.

I have also seen Eset's hook being set in explorer.exe, etc. lately. That hook is only set when Eset's kernel detects a process it can't identify.

I have examined everything running in detail w/Process Explorer and have not found anything. 


Those ADSs are commonly seen and not malicious. A hanging process can be annoying, but is pretty common and often not malicious. You could use Process Explorer to see what exactly caused taskhost to hang, but really I wouldn't worry about it.

Webcache files have more to do with the sites you visit than with your browser, but just to test you could roll back to IE10; it's still supported by Microsoft.

I have also seen Eset's hook being set in explorer.exe, etc. lately. That hook is only set when Eset's kernel detects a process it can't identify.

Without knowing how ESET works, something like that is hardly uncommon either and does not mean explorer.exe itself is affected, just that something is injected into explorer's process that ESET flags as unknown. If you got no further alerts it likely means that ESET deemed it was not malicious anyway (unknown is not the same as malicious).


OK. Think I got this resolved.

Something corrupted my WebCacheV01.dat file. I just deleted it and let IE11 recreate it. Also I have noticed that SmartScreen Filter, which wasn't working right previously, now is.

Thanks for your help!

This topic is now closed to further replies.