random files on temp folder

  1. #1
    Senior Member
    Join Date
    Apr 2002
    Posts
    161

    random files on temp folder

    Hi all,

    I noticed that there are a lot of .dat files with random names that appeared on:
    C:\Documents and Settings\%Username%\Local Settings\Temp

    Some file name examples are: bpjh.dat, kcic.dat, mooo.dat, kgld.dat, pnjm.dat, etc...

    I ran Trend Micro's Housecall, Spybot and Ad-Aware, and no malware was found. I tried to google some of those file names and found nothing. One can conclude that this is probably nothing... But I had to go into safe mode to delete those files.

    Has anybody seen anything like this? What's going on?

    Running winxp pro, kerio PF, avast AV.

    Any help will be highly appreciated.

    Cheers,

    J

  2. #2
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    More info is needed.

    File create date, modified date, accessed date.

    What is in these .dat files? You can open them with notepad. (.dat is not an executable) (Or, if you don't feel comfortable opening them, you can run a program like strings against it to pull out any strings and ignore all the garbage.)

    Do they appear after running any certain application?

    Temp files are just that... temporary files that are used by some application when it is running. Sometimes the programs clean up after themselves, sometimes they don't. Sometimes programs will put their cache there (like browsers do) to speed up the next time you run the same task.

    If you try to delete them, do they go away? Or, do you get an access denied like they are in use?
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
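
The checks asked for in post #2 (create/modified/accessed dates, and a strings-style look at the contents) can be scripted, together with a file-type check based on the leading bytes rather than the extension. This is an added example, not part of the original thread; the function names and the two sample files are constructed for illustration, and on a real system you would pass the Temp folder path to `triage_dir`.

```python
import os, re, tempfile, time

# Leading bytes ("magic") of a few formats; MZ marks a Windows executable or DLL.
MAGIC = {b"MZ": "Windows PE executable/DLL", b"PK\x03\x04": "ZIP archive",
         b"\xd0\xcf\x11\xe0": "OLE2 document (Office)"}

def ascii_strings(data, min_len=4):
    """Like the `strings` tool: runs of printable ASCII at least min_len long."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def triage(path, max_strings=10):
    """Collect timestamps, size, content type and readable strings for one file."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        data = fh.read()
    kind = next((name for sig, name in MAGIC.items() if data.startswith(sig)), "unknown")
    fmt = lambda t: time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(t))
    return {
        "name": os.path.basename(path),
        "size": st.st_size,
        "created": fmt(st.st_ctime),   # creation time on Windows, inode change on Unix
        "modified": fmt(st.st_mtime),
        "accessed": fmt(st.st_atime),
        "type": kind,                  # decided by content, not by the .dat extension
        "strings": ascii_strings(data)[:max_strings],
    }

def triage_dir(folder, ext=".dat"):
    """Triage every file with the given extension in a folder, sorted by name."""
    return [triage(os.path.join(folder, n)) for n in sorted(os.listdir(folder))
            if n.lower().endswith(ext)]

def demo():
    """Constructed sample files standing in for the Temp folder contents."""
    folder = tempfile.mkdtemp()
    samples = {
        "aaaa.dat": b"MZ\x90\x00\x03" + b"\x00" * 20
                    + b"This program cannot be run in DOS mode.\x00\x01",
        "bbbb.dat": b"\x01\x02pattern-update-v1\x00\xff\xfe",
    }
    for name, body in samples.items():
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(body)
    return triage_dir(folder)

if __name__ == "__main__":
    for row in demo():
        print(row)
```

A file reported as a PE executable under a `.dat` name is worth a closer look before it is dismissed as an ordinary temp file.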

  3. #3
    Senior Member
    Join Date
    Apr 2002
    Posts
    161
    Phish:

    There is only a creation date for each file, no access or modification date, and they were all created on different dates (same date for groups of 2 or 3 files.). Different sizes 88, 92 and 96 KB only.

    I cannot link them to any specific app because I do not remember.

    When I opened them with notepad I got unreadable garbage.

    First time I found them I tried to delete them and got "in use" message, rebooted in safe mode and was able to delete them. Turns out I forgot to delete a few, rebooted in normal mode, and was able to delete them this time.

    Any thoughts?

  4. #4
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    .dat files can be associated with a lot of things. lol start opening programs and see what stops working. But chances are if they were in a temp folder they will be recreated by whatever is using them. I'd scan your computer for all malware (adware/spyware/viruses/etc) and scan in safe mode.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  5. #5
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Well,

    Some applications will create a temporary file when you open it. If you try to clear a temporary folder all in one go you will get the "in use" message. You should be able to delete ones prior to the current day's date.

    Quite a few of these files are related to software installation and updating. They just don't get cleared down afterwards.

    If you scan for malware in safe mode and don't get any hits I think that you are safe.

    As mentioned you should be able to delete everything not current from a temporary file folder. If it is needed the relevant application will recreate it when you run the application.


  6. #6
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    Hi

    Most probably you cannot delete the file because another program is using it
    (which might not be the case in safe mode). This has been mentioned already.

    There is an excellent tool by sysinternals, which shows you all handles[1].
    Download it and filter the output for one of these file-names. You then
    know which program is using that file - and maybe why.

    In case there is an alternate stream attached, use streams.exe[2], also by
    sysinternals.

    If you cannot find anything, the activity is hidden - nice programs are
    not doing this. Even more - if that external tool cannot find anything,
    you might have a lower-ring problem!

    Cheers


    [1] http://www.sysinternals.com/utilities/handle.html
    [2] http://www.sysinternals.com/Utilities/Streams.html
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)

  7. #7
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,252
    I seem to remember most AV software creates .dat files when updating pattern files; Outlook and Word also create .dat files. Like Phish said, just look at the strings.
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0

  8. #8
    Senior Member
    Join Date
    Apr 2002
    Posts
    161
    I am worried.

    I started running IE for online banking (my bank currently only works with this browser, as I usually use Firefox).

    While I was browsing my account, Kerio PF displayed the next message: "iome.dat is trying to access Windows Explorer" I chose to deny that action.

    I checked C:\Documents and Settings\%username%\Local Settings\Temp and there was the file iome.dat

    I have scanned with Housecall and then AdAware in safe mode and normal mode. What could be going on? Or are these .dat files harmless?


    Cheers

  9. #9
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Well, if you are happy with the security, .zip the file and PM it to me, and I will have a look at what it does..........personally, I do not use online banking, as I do not trust it

    Good luck

    And in case you are worried, there are enough people here who know my home name and address and have even telephoned me at home

  10. #10
    Senior Member
    Join Date
    Mar 2002
    Posts
    442
    it's a conspiracy, they are watching you
    want to see something really interesting?
    execute this command from the start->run prompt

    edit "%HOMEPATH%\Local Settings\Temporary Internet Files\desktop.ini"

    you will see a two line desktop.ini file, with a uiclsid value on the second line
    add a negative sign "-" in front of UICLSID on the second line so that the second line starts like this

    -UICLSID={....

    alt->file->save, then exit

    to view most of IE's temporary files
    then start->run->
    "%HOMEPATH%\Local Settings\Temporary Internet Files\"

    After doing this Internet Explorer will still work exactly as before, but now it will actually show you all of its temporary files, grouped in Content.IE5, Content.MSO, etc.

    Sad part is that IE tracks even more of your web surfing statistics and web sites visited. To access the rest of the files, you need to boot from separate media as Windows will hide them from you and not allow you to access them. That process is quite long however.

    Try making a new folder anywhere labeled CON
