EXTRA BOGUS Temporary Internet Files, Cookies, & History folders

Grant Robertson

First, let me be clear. I am not asking how to empty out the standard TIF
(Temporary Internet Files), History, and Cookies folders. I know how to
do that using Internet Properties.

The problem I have here is an EXTRA set of BOGUS folders with the same
names that get created in my Temp folder every time I boot up in normal
mode. They cannot be deleted in normal mode either. If I boot to Safe
Mode I can delete them and if I then reboot to Safe Mode again they do
not get created.

I have done some experiments and if I use MSConfig to disable all of my
Startup items the folders still get recreated when I boot to Normal Mode.
However, if I choose Diagnostic Startup in MSConfig then the files do not
get recreated when I boot to Normal Mode. This tells me that the issue is
most likely caused by some service but I can't figure out which. I am
certainly not in the mood to reboot my computer dozens more times today
just to figure out which service is causing this problem. I am guessing
it has something to do with the system for replacing protected files.

I have done some research in the newsgroups and the exact same issue has
been reported several times over the last few years. Usually there is no
response at all. In one thread some people suggested booting to the DOS
prompt and using the DELTREE command to remove the offending files and
they wouldn't come back after that. Unfortunately, I have tried booting
to Safe Mode with Command Prompt as well as booting off of a floppy to
delete the files. They just come right back when I boot to Normal Mode.

Along with the aforementioned folders, a series of .tmp files get
created with file names such as "~DF8F55.tmp" and "~DFA943.tmp". These
two were created within a minute of booting up. Over time I often get
dozens more. None of these files can be deleted in Normal Mode. I get a
dialog saying the file is being used by another program.

This problem has been ongoing for months. I have no idea how long it had
been happening before I even noticed it.

I am now concerned that I may have some virus or spyware that is causing
this. Here's the deal. I am a professional computer consultant. Most of
what I do these days is clean up spyware off of PCs for people. I have
scanned the hell out of my machine and never find anything other than a
few tracking cookies. This has me completely stumped.

Does anyone have any idea what could be causing this issue?
 
Guest

Grant,
I had a Trojan worm that I spent 3 days tracking, but you won't have to spend
that long. My virus was the W32.Beagle.gen. I finally went to my registry and
used Find. When I found it, I deleted it. The hard drive is much quieter
now too, because evidently the virus was scanning my hard drive, writing the
same files as you describe, and most likely emailing everybody it could out
of my machine without my knowledge. I had Registry Mechanic, Norton AntiVirus
(installed a little too late) and adware stopper, etc.

From my observation (and I could be wrong), it seems that most virus/adware
protection will not mess with your registry. This is sacred ground that most
respectable companies will not tread. If you have a list of Trojan viruses,
go to your registry and do a find of them, then delete them. This should fix
it, and then you can delete the temp files also (if you can't, because they
are in use by another program, you still have another virus in your registry).
The registry is the place that most (Trojan) viruses hide.

Terry

P.S. Also, I had a problem getting live updates online because my system
config had a Startup Application that tried to shut down and disable my
antivirus.
Open msconfig and eye scan for anything that is hindering your antivirus.
Here is a good place to search for a list of bad and good programs in the
startup (not totally perfect, but very excellent):
http://www.sysinfo.org/startuplist.php
Good luck :)
 
Grant Robertson

I had a Trojan worm that I spent 3 days tracking, but you won't have to spend
that long. My virus was the W32.Beagle.gen. I finally went to my registry and
used Find. When I found it, I deleted it.

So you had the exact same problem? How did you find the virus entry in
your registry? Surely it isn't entered under the name given to it by
antivirus software?

Searching my registry for a long list of trojans and viruses is something
I expect my antivirus software to do.
 
Grant Robertson

On a hunch I went into MSConfig and disabled anything having to do with
Norton Internet Security. Deleted the files in Safe Mode and rebooted.
The bogus folders were not recreated. But after a few seconds a DF*.tmp
file was created. I could not delete it. So I opened Task Manager and
started killing processes. My second guess was Microsoft AntiSpyware's
gcasServ.exe process. I was able to delete the file. I left the process
dead for a while and no new files were created. As soon as I started up
Microsoft AntiSpyware it created two new files.

So it seems the cause of my problem is the software I use to protect
myself. Norton Internet Security creates the bogus IE cache folders and
Microsoft AntiSpyware creates the DF*.tmp files.

I don't mind them creating the files but I don't like them being
undeletable while the programs are running. This means I have to figure
out some way to empty out the Temp folder before these processes are
started so it doesn't eventually fill up and take over my whole hard
drive.
 
Guest

Grant Robertson said:
So you had the exact same problem? How did you find the virus entry in
your registry? Surely it isn't entered under the name given to it by
antivirus software?

Searching my registry for a long list of trojans and viruses is something
I expect my antivirus software to do.

Grant,
I was surprised too. All the antivirus programs did not remove it. I was at a
loss. But after 3 days of internet searches and trial & error, I was able to
figure it out.

The most important thing is to identify the virus that is affecting the
computer.
I found a reference in Norton info pages that some viruses had to be manually
removed. They hid very successfully in the Registry. Yes, the virus is under
the same name that the antivirus gives. Here is the Norton website that I used
to find the proper name.
http://securityresponse.symantec.com/avcenter/vinfodb.html

But the first thing is to run msconfig to make sure that the startup
applications are not being hampered by a bad program loaded in the startup
configuration.
Follow this task on this website.
http://netsquirrel.com/msconfig/
If this does not load msconfig as above, then you must download the
applet below from Mike Lin. "MIKE LIN ROCKS!!!"
http://www.mlin.net/StartupCPL.shtml
In the config startup applications, use this site to identify any bad
applications.
http://www.sysinfo.org/startuplist.php

After the system config is clear, go to the registry and do the 'FIND'.
Go to START > RUN > enter "regedit" > click OK.
In the Registry Editor go to menu > Edit > Find and enter the proper virus name.
When it is found, delete it and everything should be fine.

CIAO
Terry

P.S. My red hard drive light is very dim now, and the computer is very
silent. I think the virus was giving my system a workout. The computer is
twice as quiet now. Before, the red light on the hard drive was almost always
bright. Now it is hardly on. A lot less stress on the system. The computer is
a lot faster and smoother also.
Good luck!!!
 
D.Currie

Grant Robertson said:
On a hunch I went into MSConfig and disabled anything having to do with
Norton Internet Security. Deleted the files in Safe Mode and rebooted.
The bogus folders were not recreated. But after a few seconds a DF*.tmp
file was created. I could not delete it. So I opened Task Manager and
started killing processes. My second guess was Microsoft AntiSpyware's
gcasServ.exe process. I was able to delete the file. I left the process
dead for a while and no new files were created. As soon as I started up
Microsoft AntiSpyware it created two new files.

So it seems the cause of my problem is the software I use to protect
myself. Norton Internet Security creates the bogus IE cache folders and
Microsoft AntiSpyware creates the DF*.tmp files.

I don't mind them creating the files but I don't like them being
undeletable while the programs are running. This means I have to figure
out some way to empty out the Temp folder before these processes are
started so it doesn't eventually fill up and take over my whole hard
drive.

If the file is in use, it's in use...you can't delete it. It would be like
deleting a program while it's running. Doesn't matter that it's in the temp
folder, if the program needs it to run. You'd find the same thing if you
tried to delete MS Word files while Word was working on them. Or just about
any program that works that way.

Or is it creating *more* files each time? If it's the same ones (or if it
deletes old ones and creates new) it shouldn't be anything to worry about,
but if they're growing in number/size, are you saying you can't delete any
of them, or just the new ones?

Instead of trying to delete them at startup, you might be better served by
deleting them at shutdown, after the program that created them has closed.
Create a batch file to delete them. But really, if the program needs them
and creates them at every startup, deleting them seems to be sort of futile.
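
A cleanup along the lines suggested above, written in PowerShell rather than as a batch file, for running at logoff or shutdown. This is an added example and not part of any post in the thread; the ~DF*.tmp pattern comes from the thread, while the two-day age cutoff and the parameter names are assumptions.

```powershell
# Added example: delete stale temp files, skip anything a running process
# still holds open, and report each file's outcome.
param(
    [string]$TempDir    = $env:TEMP,     # folder to clean
    [string]$Pattern    = '~DF*.tmp',    # file name pattern from the thread
    [int]   $MinAgeDays = 2,             # assumption: only touch files this old
    [switch]$DryRun                      # report only, delete nothing
)

function Test-FileLocked {
    param([string]$Path)
    try {
        # Request exclusive access; this throws if another process has the
        # file open (or if access is denied for any other reason).
        $fs = [System.IO.File]::Open($Path,
                  [System.IO.FileMode]::Open,
                  [System.IO.FileAccess]::ReadWrite,
                  [System.IO.FileShare]::None)
        $fs.Close()
        return $false
    } catch {
        return $true
    }
}

$cutoff = (Get-Date).AddDays(-$MinAgeDays)

$results = Get-ChildItem -LiteralPath $TempDir -Filter $Pattern -File -Force |
    Where-Object { $_.LastWriteTime -lt $cutoff } |
    ForEach-Object {
        if (Test-FileLocked $_.FullName) {
            $status = 'in-use'           # still held open: leave it alone
        } elseif ($DryRun) {
            $status = 'would-delete'
        } else {
            try {
                Remove-Item -LiteralPath $_.FullName -Force -ErrorAction Stop
                $status = 'deleted'
            } catch {
                $status = 'failed'
            }
        }
        [pscustomobject]@{ Status = $status; Modified = $_.LastWriteTime; Path = $_.FullName }
    }

$results | Sort-Object Status, Modified | Format-Table -AutoSize
```

Files that show up as in-use run after run, with old modification times, are the ones worth tracing back to the process that owns them.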
 
