XP Question: Where is this mysterious file coming from while doping?

Factual Questions
1

I run a program that monitors the creation of new applications that weren’t there before as well as the creation of hidden files that weren’t there before on my XP boxes.

Twice, now, it has popped up a warning that the hidden file C:\WINDOWS\SAB837560.tmp had suddenly been found where it had not been a minute ago. Both times, the only thing I was doing was reading and posting at the SDMB.

I tell the monitoring program to delete the file it warned about, but next time I’ll keep it and look at its contents.

Any idea what might be going on?

2

Well, it happened again, but this time I was NOT using the SDMB (in fact, I was not doing anything – no applications were running other than background ones). So it isn’t anything to do with the Straight Dope. All I had done is boot; I hadn’t started any applications. However, I was connected to the Internet.

I kept the file this time. At first the file size was zero, but a little while later it showed as having 42 bytes. I cleared its hidden attribute and tried to open the file in UltraEdit, but UEdit hung. It turned out the file was locked. When I tried to unlock it, I learned that it was locked by the “System” process. But I still couldn’t look at the file’s contents, so I rebooted into Safe Mode and tried again.

Here’s what was inside (in hex):

DB EC 1E 6C 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 CA E0 D7 4A 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

I have no idea what this was. When attempting to delete it, I got the message:

I deleted it, emptied it from the recycle bin, and rebooted into Windows normally.

With luck, this additional info will allow someone to help me out.

3

Have you done a scan for viruses? Does your TEMP environment variable point to the Desktop?

4

Thanks for your reply.

I’ve scanned with three anti-virus/anti-malware tools, none of which reported any errors.

My %TEMP% points to: “C:\DOCUME~1\xxx\LOCALS~1\Temp”

5

You could download Process Monitor, a free Microsoft utility. Let it run for a while and then filter by the filename. This will tell you which process is creating it.

6

Process Explorer, also free and available on Microsoft Technet, does an even better job.

7

Thanks for your suggestion. I’ve been using Process Explorer for a long time, but I can’t figure out how to have it monitor the creation of a file, or “filter by the filename” as the previous poster suggested.

Do you know if Process Explorer will do this too? Or should I turn to Process Monitor as Number suggested?

8

It looks like Process Explorer will not do what you describe, so I am now running – at your kind suggestion – Process Monitor instead. Thank you.

Tell me if this is what you had in mind:

(1) Run Process Monitor until the other program I spoke of in my OP warns me that the file in question has been created.

(2) Go into Process Monitor -> Filter -> Filter… -> Display entries matching these:

“Path” “is” “C:\Windows” Then “Include” (?)

And what else, please?
-or- Should I wait to enable the Filter until after the file is found?

TIA

9

If Process Monitor doesn’t help you, try Hijack This. You can either look at the results yourself, post your log here or post it at Tech Guy Forums in their forum for Hijack-This Logs (you can probably get an answer within 20 minutes).

10

Prolly just part of the scripting in the google ads.