
Defender and Temp file in C:\Windows\Temp

 
 
Alan D
      26th Aug 2008
Could someone tell me, please, if Defender generates a temp file from time
to time, in C:\Windows\Temp - with a name that takes this kind of form? -
TMP00000024E8962F1A6A88E610 ?

The reason I ask is because the new version of Superantispyware flagged up
just such a file this morning (as Adware.Spyware Labs). I quarantined it
(being a temp file, it seemed sensible to do that), but I noticed that on
next computer restart a file with a similar (but different) name appeared -
just for a short time - in the same place - but Superantispyware found this
new one to be no threat. After a few restarts, I noticed that the appearance
of the file seems to happen at about the time that Defender puts up its
regular notification of registry change. Then the temp file disappears after
a bit.

So I'm starting to wonder if the original alert was a false positive by SAS,
particularly since none of these subsequent files have generated an alert.
But I need to know if Defender really is producing these 'temporary' temp
files in order to decide whether I need to investigate further - can someone
tell me, please?

I should say that scans by AVG, a-squared, and Superantispyware (subsequent
to that first scan) are all coming up clean.
Thanks,
Alan D


 
Bill Sanderson
      27th Aug 2008
I'm not sure what creates those files--I had not connected them to Defender,
but I do see them on a good many machines, and I believe they are a normal
part of Windows, and if there was a malicious string in them, it was
probably an accident of some sort--false positive sounds right to me.

Stu
      27th Aug 2008
Further to Bill's post. I see lots of those in Ccleaner when I have a system
clean up every now and then but have no idea what they mean nor have I had a
problem with them. I only take an interest in anything that may reference a
specific file location and (as Bill has already said in previous post), has a
dubious file name/extension. Do you/have you used Ccleaner to clean out your
Temp Folder and rerun the scan? Don't be surprised if it is not empty after a
run in normal mode because those temp files currently in use by an
application will not be accessed and therefore deleted.

Stu

Alan D
      27th Aug 2008
Thanks for this, Bill - that's really helpful to know. I'd never noticed the
frequent appearance and disappearance of these files before, myself, so it's
good to know their existence is 'normal', so to speak. I'll keep an eye on
things, but I'm increasingly inclined to believe that there's nothing
malicious there.

(For the sake of anyone else reading this later, with a similar query, I
should add that these temp files are always 512K, and that whatever actually
does produce them - whether it's Defender, or not - always seems to tidy up
very neatly after itself by removing them after use. Also, while they're
there, they resist being deleted because they're flagged up as being 'in use
by another program'.)

Cheers,
Alan D

Alan D
      27th Aug 2008
Thanks for this, Stu.

I do use Ccleaner quite often to clear out temporary files, and indeed as
you point out, at the moment these 512K files don't queue up for deletion
because they're 'in use'. It seems they just get tidied away by whatever app
is using them, later.

There's really nothing to test by rerunning scans after a Ccleaner
clear-out, because all my scans are coming up clear now, anyway. In
particular, SAS is now completely uninterested in those temp files. I'm
actually wondering if this had something to do with the new installation of
the new version of SAS not having quite 'bedded itself in' after just one
reboot - though that may be complete nonsense of course!
Cheers,
Alan D

Stu
      27th Aug 2008
Not necessarily so - rubbish that is. I think a little (I want to say
'paranoia') doesn't do anyone any harm - provided it doesn't start to consume
your life. Having said that, the Wikipedia definition doesn't look too
encouraging for me. Shall we just settle for CAUTION?

Stu

Alan D
      27th Aug 2008
Good choice Stu: 'Caution' sounds right to me. After all, an alert from SAS
about a file that mysteriously appears and then disappears in the 'Temp'
folder, which won't let itself be deleted, and whose existence you haven't
actually had cause to notice before, does warrant more than a shrug of the
shoulders, I think - even for the non-paranoid.
Cheers,
Alan D

Bill Sanderson
      27th Aug 2008
My impression is that they should go away (and be replaced by others!) on
reboots. Sometimes they get left lying around, presumably because of a
crash, and then they can be deleted.

If the date on the file predates the last boot, I think they can be
deleted--at least that's what I recall going by as I clean systems up
occasionally.

 