Anonymous_User Absent Member.

Weird temp file

We've been getting some weird possible virus notifications from a
couple machines.

The file is c:\windows\temp\WAX****.tmp where the **** is some random
string. Happens on win7, 8, and 10, but very sporadic.

Looking at a machine that generates this notification, that file does
not exist, it's not in the anti-virus quarantine, and according to the
a/v logs, no file of that name was detected on the machine ever.

Been searching for some answers, just thought I'd drop a line here to
see if anyone has run into something like this and has any ideas.

--
Stevo
Knowledge Partner

Re: Weird temp file

Fire up procmon and have it watch things that happen in c:/windows/temp
for a long time until something shows up, and then it should show the
process doing that. Obviously you need to have this run until something
shows up, since it is a real-time monitor.

--
Good luck.
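
One way to triage the capture once Procmon has recorded an event, as an added example that is not part of the original thread. It assumes the capture was saved as CSV with Procmon's default columns and that deletions appear as `SetDispositionInformationFile` with `Delete: True`; the sample rows and process names are constructed.

```python
import csv
import io
import re

# Path pattern from the thread: c:\windows\temp\WAX<random>.tmp
WAX_TMP = re.compile(r"^c:\\windows\\temp\\wax[^\\]*\.tmp$", re.IGNORECASE)

# Constructed sample in Procmon's default CSV column layout; process names are hypothetical.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"2:14:07.10 AM","ExampleAgent.exe","1432","CreateFile","C:\Windows\Temp\WAXA1B2.tmp","SUCCESS","Desired Access: Generic Write, Disposition: Create, OpenResult: Created"
"2:14:07.12 AM","ExampleAgent.exe","1432","WriteFile","C:\Windows\Temp\WAXA1B2.tmp","SUCCESS","Offset: 0, Length: 4,096"
"2:14:07.30 AM","ExampleAV.exe","988","CreateFile","C:\Windows\Temp\WAXA1B2.tmp","SUCCESS","Desired Access: Generic Read, Disposition: Open, OpenResult: Opened"
"2:14:07.90 AM","ExampleAgent.exe","1432","SetDispositionInformationFile","C:\Windows\Temp\WAXA1B2.tmp","SUCCESS","Delete: True"
"2:14:08.00 AM","ExampleAV.exe","988","CreateFile","C:\Windows\Temp\WAXA1B2.tmp","NAME NOT FOUND","Desired Access: Generic Read"
"2:15:00.00 AM","svchost.exe","700","CreateFile","C:\Windows\Temp\other.log","SUCCESS","OpenResult: Created"
'''


def trace_wax_files(lines):
    """Map each WAX*.tmp path to the processes that created, touched and deleted it."""
    files = {}
    for row in csv.DictReader(lines):
        path = row["Path"].strip()
        if not WAX_TMP.match(path):
            continue
        who = (row["Process Name"], row["PID"])
        info = files.setdefault(
            path.lower(), {"created_by": None, "deleted_by": None, "touched_by": set()})
        info["touched_by"].add(who)  # includes scanners that only opened the file
        if row["Result"] != "SUCCESS":
            continue
        if row["Operation"] == "CreateFile" and "OpenResult: Created" in row["Detail"]:
            info["created_by"] = info["created_by"] or who  # keep the first creator
        elif row["Operation"] == "SetDispositionInformationFile" and "Delete: True" in row["Detail"]:
            info["deleted_by"] = who
    return files


def load_export(csv_path):
    # utf-8-sig strips a leading byte-order mark if the export has one.
    with open(csv_path, newline="", encoding="utf-8-sig") as fh:
        return trace_wax_files(fh)


if __name__ == "__main__":
    for path, info in trace_wax_files(io.StringIO(SAMPLE_CSV)).items():
        print(path, "created by", info["created_by"], "deleted by", info["deleted_by"])
```

Separating the creator from processes that merely opened the file matters here, because the anti-virus scanner will also appear against the same path.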

Anonymous_User Absent Member.

Re: Weird temp file

ab sounds like they 'said':

> Fire up procmon and have it watch things that happen in
> c:/windows/temp for a long time until something shows up, and then it
> should show the process doing that. Obviously you need to have this
> run until something shows up, since it is a real-time monitor.


So my response to ab's comment is...

Really weird thing is, the last few this has happened on, no one had
been logged into the machine; the one today had not been logged into
for almost two weeks.

--
Stevo
Knowledge Partner

Re: Weird temp file

You're running Windows; if nothing else the hackers are logged in the
entire time. Even if this box were not hacked, you'd still have things
running 24x7; it's a computer after all.


--
Good luck.
