T.I.F. always deleted on startup/shutdown

[Guest]

My Temporary Internet Files folder is emptied every time I restart the
computer. I am not running any spyware or paranoia software that would delete
it. I have checked the startup programs, the Internet Options for deleting
when the browser closes, The old NT TweakIE Paranoia settings tab, checked
for any virus or worm on my system. Any ideas where else to check? Is there a
registry setting somewhere that could be deleting the files? They are saved
and operate fine during multiple browser sessions. It just gets emptied when
I reboot. I have even tried deleteing the index.dat file from another admin
account.

 

[PA Bear]

What third-party applications are running in the background, especially
anti-malware ones which might include a "tracks eraser" (e.g., Spybot,
SpySweeper, MWAS)?

 

[Guest]

I am not running any spyware. I only have Command Antivirus and Parental
Controls Helper by Linksys/Netopia running in the background. In addition
there is iTunesHelper, Acrobat and various Windows services.

I previously had Microsoft (Giant) Antispyware but found it was not helpful.

 

[PA Bear]

Then you should at least rule /out/ hijackware as a cause of this behavior.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/archive/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine.blogspot.com/

When all else fails, HijackThis v1.99.1
(http://aumha.net/downloads/hijackthis.zip) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware. **Post
your log to http://forums.spywareinfo.com/,
http://castlecops.com/forum67.html or http://aumha.net/viewforum.php?f=30
for expert analysis, not here.**

 

[Guest]

I have gone through the quickfix process described on the HiJackThis site.
Ad-Aware found nothing on my system. I posted my log file on the site (see
http://aumha.net/viewtopic.php?t=16275&sid=75e3dd23474fc854d37edf7b7e46632e),
but I have not received any reply. I do not see any suspicious listings in
the log file.

Any other ideas? The index.dat file shows it is last written at the time of
startup.

 

[Guest]

I have even tried reinstallling IE from the SP2 CD, but I think this just
refreshes the icons. Any way to reinstall all the files and registry entries?

 

[PA Bear]

Patience: It's not unusual to wait a week or more before an expert can
respond to such posts in any forum, Mike. There just aren't enough savvy
volunteers to go around.

 

[PA Bear]

Reinstall Windows.

 

[Guest]

Thanks for the gentle reminder of forum respect. Appreciate the help very much.

 

[Robert Aldwinckle]

I have gone through the quickfix process described on the HiJackThis site.
Ad-Aware found nothing on my system. I posted my log file on the site (see
http://aumha.net/viewtopic.php?t=16275&sid=75e3dd23474fc854d37edf7b7e46632e),
but I have not received any reply. I do not see any suspicious listings in
the log file.

<quote date="10/22/05">
Reinstalled SP2 with no solution to the problem.
</quote>


Wow! Reinstalled how? It must have copied some registry settings
from the previous install. Presumably a subsequent HijackThis! log
looks a lot thinner?

Have you tried moving the TIF out of the user profile to its own directory?
(Alt-T,O,Alt-S,M...) E.g. in case whatever is targetting the TIF is doing it
using the conventional name. BTW I hope it is already not moved to be
used in a RAM drive? <w> (Some people have done that just to ensure
that it gets recreated on every boot.)

Otherwise I think you are going to have to start doing some diagnosis
for this symptom. If there are any clues from the registry you might be
able to discover them by using RegMon's Log Boot option.
Unfortunately there is no analogous option in FileMon but you could
put FileMon into your Startup to try to capture whatever might happen
to the TIF after it starts. Also, you could try using XP's auditing feature
to see what clues it gives you. I'm not sure how much detail the latter
option gives. If it doesn't at least give the program being used it won't
be of much use except probably to give you a timestamp.

On a different tack you could try changing the permissions on the folder
before shutdown to see if that would cause whatever is causing the
problem symptom to be exposed when it tried doing it (e.g. via an error
message or entry in the event log). You would have to change the
permissions back again after Startup of course to allow the TIF to function
normally. Perhaps that could be managed by a cmd file in Startup.

Any other ideas? The index.dat file shows it is last written at the time of
startup.

Assuming the subdirectories are being deleted at the same time
of more significance would be the timestamp of the parent directory
(e.g. as seen by dir/ad/s at the TIF level in a cmd window)


HTH

Robert Aldwinckle
---