SOLVED %UserName%\AppData\Local\Temp.at 100MB odd size, what causes?

Joined
Jun 5, 2009
Messages
61
Reaction score
6
Evening all.

I have a rather confounding issue.

Several times a day I hear my hard disk activity peaking. My AV reports there are virii in C:\Users\%UserName%\AppData\Local\Temp.

The folders that contain the virii are named after rar and/or zip archives on the "infected" PC, such as;

Temp1_aports.rar\aports.exe
Temp1_ProduKey.rar\Key.exe

Now, I know this is not a virus causing this. Process Monitor from Sysinternals shows that System.exe is doing this. My guess is Symantec Endpoint Protection 12 is triggering it.

Does anyone know which setting I can change to stop it doing this?
I'm new to SEP; I used Symantec Anti-Virus Corporate in XP and Vista. I only upgraded to SEP 12 because I HAD to, with Windows 7.
 

Nibiru2012

Quick Scotty, beam me up!
Joined
Oct 27, 2009
Messages
4,955
Reaction score
1,302
I had a "system.exe" file sneak into my Windows folder. It was causing all sorts of problems.

I would boot into Safe Mode and delete those two files you listed plus do a search for the system.exe file and delete it too.

You may very well have a virus if your hard drive is peaking a lot. That's a sign something is scanning your files and perhaps uploading them too.

I would do an online AV scan also to be sure you have eliminated all the viruses on your system.

Then get rid of Symantec and install AVIRA instead. You can get a free three month key for it from AVIRA's website.
 
Joined
Jun 5, 2009
Messages
61
Reaction score
6
Yea, just in case I used Bitdefender's QuickScan online and it scans online processes.
Since System.exe is running all the time and actually is an official part of Windows 7, it was able to verify whether it was the original unmodified Microsoft version or a virus infected version of the file.

The scan resulted in 0 infections found, I'll do another couple soon.
 
Joined
Jun 5, 2009
Messages
61
Reaction score
6
I think I found the culprit;

Control Panel > Folder Options > Search Tab > "When Searching Non Indexed Locations"
I had the "Include Compressed Files (Zip, CAB...)" checkbox ticked.

So far as I can tell (After 12 years of I.T Troubleshooting & support) it's not virus caused.

Thanks for your input all, i'll only post in here again if the files continue to be created.
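
To check whether the folders an AV product flags in the temp directory are archive-extraction leftovers like the two named in this thread, the following added example (not posted by anyone in the thread) lists them with creation time and size so they can be lined up against alert times. The function name `Get-ArchiveTempFolder`, the `$TempPath` parameter and the `Temp<number>_<archive>` name pattern are assumptions generalised from `Temp1_aports.rar` and `Temp1_ProduKey.rar`.

```powershell
# Added example. Written for PowerShell 2.0 so it runs on a stock Windows 7 install.
# Assumption: extraction folders are named Temp<number>_<archive file name>,
# as in the thread's Temp1_aports.rar and Temp1_ProduKey.rar.
param([string]$TempPath = $env:TEMP)

function Get-ArchiveTempFolder {
    param([string]$Path)

    Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            $dir = $_
            # -match is case-insensitive; the named group keeps the archive name.
            if ($dir.Name -match '^Temp\d+_(?<archive>.+\.(rar|zip|cab))$') {
                $archive = $Matches['archive']

                # Everything extracted under this folder, including hidden files.
                $files = @(Get-ChildItem -LiteralPath $dir.FullName -Recurse -Force `
                               -ErrorAction SilentlyContinue |
                           Where-Object { -not $_.PSIsContainer })
                $bytes = ($files | Measure-Object -Property Length -Sum).Sum

                New-Object PSObject -Property @{
                    Folder  = $dir.Name
                    Archive = $archive
                    Created = $dir.CreationTime
                    Files   = $files.Count
                    SizeMB  = [math]::Round(($bytes / 1MB), 2)
                } | Select-Object Folder, Archive, Created, Files, SizeMB
            }
        }
}

# Oldest first, so each folder's creation time can be compared with the
# timestamp of the corresponding AV detection or disk-activity spike.
Get-ArchiveTempFolder -Path $TempPath |
    Sort-Object Created |
    Format-Table -AutoSize
```

The script only reads directory metadata; it does not delete anything or open the extracted files.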
 

davehc

Microsoft MVP
Joined
Jul 20, 2009
Messages
1,957
Reaction score
502
As you will realise, to untick the box has not solved the problem, only put it to one side. I would imagine that Productkey.rar would be listed as a virus, for obvious reasons. I don't know what aports is.

But, FWIW, you can delete all the files in C:\Users\%UserName%\AppData\Local\Temp, as often as you wish, without harm. There are automated scripts available to do it on shutdown, but the spinoff from that is, when you open the computer again, you will have to log on and supply a password to all your bookmarks, as the deletion has also got rid of all the cookies.
 
Joined
Jun 5, 2009
Messages
61
Reaction score
6
Neither were detected as a virus. Ever. Sorry that I made that unclear to begin with.
Produkey is a simple tool to view a PC's installed Windows (And other) product keys. It's faster than regedit, so I use it. By some AVs it is detected as a "Hack Tool".

Aports is also detected as such, yet oddly here's the description from the readme;

Code:
Description
~~~~~~~~~~~

Active Ports - easy to use tool that enables you to monitor all open TCP/IP
and UDP ports on the local computer. Active Ports maps ports to the owning
application so you can watch which process has opened which port. It also
displays a local and remote IP address for each connection and allows you
to terminate the owning process. Active Ports can help you to detect trojans
and other malicious programs.
So as you can tell, Symantec are exceedingly pedantic about some things. There's no reason to warn me about either of these two or delete them. Yet it does. Honestly both of them need removing from Symantec's threat database & Virii definitions across the board.

I've also used both of these on almost every computer I've worked on. None have viral infections.

The info about the temp folder, I already knew. In W7 cookies and etc are not stored in C:\Users\%UserName%\AppData\Local\Temp so I can create a simple batch file in my startup folder to delete everything in there.

However, that really isn't the issue/problem. The problem was the transfer rate of the hard drive being highly used at ODD and seemingly RANDOM times, plus at inappropriate times like when I am gaming.

The second issue was that SEP 12 was picking up threats in the folder when realistically they're not threats, SEP is just being pedantic.
 

catilley1092

Win 7/Linux Mint Lover
Joined
Nov 13, 2009
Messages
3,507
Reaction score
563
There is another free scanner that you can use. It's from Microsoft, the program is Windows Live Safety Scanner. There's two versions, one for XP & below, the other is for Vista / Windows 7. It does a good job of letting you know about safety issues. But it might red flag that tool that you use. You know that's there, just run the scanner to check things out. And you can use your computer while the scan is taking place.
 
