I run a program that monitors the creation of new applications that weren’t there before as well as the creation of hidden files that weren’t there before on my XP boxes.
Twice, now, it has popped up a warning that the hidden file C:\WINDOWS\SAB837560.tmp had suddenly been found where it had not been a minute ago. Both times, the only thing I was doing was reading and posting at the SDMB.
I tell the monitoring program to delete the file it warned about, but next time I’ll keep it and look at its contents.
Well, it happened again, but this time I was NOT using the SDMB (in fact, I was not doing anything – no applications were running other than background ones). So it isn’t anything to do with the Straight Dope. All I had done is boot; I hadn’t started any applications. However, I was connected to the Internet.
I kept the file this time. At first the file size was zero, but a little while later it showed as having 42 bytes. I cleared its hidden attribute and tried to open the file in UltraEdit, but UEdit hung. It turned out the file was locked. When I tried to unlock it, I learned that it was locked by the “System” process. But I still couldn’t look at the file’s contents, so I rebooted into Safe Mode and tried again.
You could download Process Monitor, a free Microsoft utility. Let it run for a while and then filter by the filename. This will tell you which process is creating it.
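The filter-by-filename step suggested above can also be done offline on a saved Process Monitor log. The sketch below is an added example, not part of the original thread. It assumes the log was exported as CSV with Procmon's default columns; the sample rows, PIDs and the process name `example_svc.exe` are constructed for illustration.

```python
import csv
import fnmatch
import io
import ntpath

# Constructed sample laid out like a Process Monitor CSV export (assumed default
# columns). Process names, PIDs and times are made up for this example.
SAMPLE_EXPORT = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:14:01.10","explorer.exe","1500","CreateFile","C:\WINDOWS\SAB837560.tmp","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open"
"9:14:02.25","example_svc.exe","1234","CreateFile","C:\WINDOWS\SAB837560.tmp","SUCCESS","Desired Access: Generic Write, Disposition: Create, OpenResult: Created"
"9:14:02.31","example_svc.exe","1234","WriteFile","C:\WINDOWS\SAB837560.tmp","SUCCESS","Offset: 0, Length: 42"
"9:14:03.02","explorer.exe","1500","CreateFile","C:\WINDOWS\SAB837560.tmp","SUCCESS","Desired Access: Read Attributes, Disposition: Open, OpenResult: Opened"
"9:14:05.40","notepad.exe","2210","CreateFile","C:\WINDOWS\Temp\other.tmp","SUCCESS","Desired Access: Generic Write, Disposition: Create, OpenResult: Created"
"9:20:11.07","example_svc.exe","1234","CreateFile","c:\windows\sab112233.tmp","SUCCESS","Desired Access: Generic Write, Disposition: Create, OpenResult: Created"
'''


def find_creators(export_text, name_pattern="SAB837560.tmp"):
    """Return (time, process, pid, path) for each event that created a matching file.

    Only successful CreateFile events whose Detail reports "OpenResult: Created"
    count: opens of an existing file, failed attempts and later writes are skipped.
    """
    hits = []
    # Procmon writes a UTF-8 BOM at the start of the export; drop it if present.
    reader = csv.DictReader(io.StringIO(export_text.lstrip("\ufeff")))
    for row in reader:
        if row["Operation"] != "CreateFile" or row["Result"] != "SUCCESS":
            continue
        if "OpenResult: Created" not in row["Detail"]:
            continue
        # Windows file names are case-insensitive, so compare in lower case.
        filename = ntpath.basename(row["Path"]).lower()
        if fnmatch.fnmatchcase(filename, name_pattern.lower()):
            hits.append((row["Time of Day"], row["Process Name"],
                         int(row["PID"]), row["Path"]))
    return hits


if __name__ == "__main__":
    for when, process, pid, path in find_creators(SAMPLE_EXPORT, "SAB*.tmp"):
        print(f"{when}  {process} (PID {pid}) created {path}")
```

To use it on a real capture, read the exported file with `open(path, encoding="utf-8-sig").read()` and pass the text to `find_creators`.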
Thanks for your suggestion. I’ve been using Process Explorer for a long time, but I can’t figure out how to have it monitor the creation of a file, or “filter by the filename” as the previous poster suggested.
Do you know if Process Explorer will do this too? Or should I turn to Process Monitor as Number suggested?
If Process Monitor doesn’t help you, try Hijack This. You can either look at the results yourself, post your log here or post it at Tech Guy Forums in their forum for Hijack-This Logs (you can probably get an answer within 20 minutes).