Weird temp file

We’ve been getting some weird possible virus notifications from a
couple machines.

The file is c:\windows\temp\WAX****.tmp where the **** is some random
string. Happens on win7, 8, and 10, but very sporadic.

Looking at a machine that generates this notification, that file does
not exist, it’s not in the anti-virus quarantine, and according to the
a/v logs, no file of that name was detected on the machine ever.

Been searching for some answers, just thought I’d drop a line here to
see if anyone has run into something like this and has any ideas.


Stevo

Fire up procmon and have it watch things that happen in c:/windows/temp
for a long time until something shows up, and then it should show the
process doing that. Obviously you need to have this run until something
shows up, since it is a real-time monitor.


Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below…
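Once a capture like the one ab describes has caught an event, the Procmon log can be exported to CSV and triaged offline. The following is an added example, not part of the original posts: it assumes Procmon's default CSV columns, uses a constructed sample with hypothetical process names (example-agent.exe, example-av.exe), and reports which process created, touched and deleted each WAX*.tmp file.

```powershell
# Constructed sample in Procmon's CSV export layout (not real capture data).
# example-agent.exe and example-av.exe are hypothetical process names.
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"02:14:07.1182034","svchost.exe","1044","CreateFile","C:\Windows\Temp\setup.log","SUCCESS","Desired Access: Generic Write, Disposition: OpenIf"
"02:14:09.5530911","example-agent.exe","2312","CreateFile","C:\Windows\Temp\WAX3F1A.tmp","SUCCESS","Desired Access: Generic Read/Write, Disposition: Create"
"02:14:09.5534420","example-agent.exe","2312","WriteFile","C:\Windows\Temp\WAX3F1A.tmp","SUCCESS","Offset: 0, Length: 4,096"
"02:14:09.6120077","example-av.exe","1780","CreateFile","C:\Windows\Temp\WAX3F1A.tmp","SUCCESS","Desired Access: Generic Read, Disposition: Open"
"02:14:09.7002815","example-agent.exe","2312","SetDispositionInformationFile","C:\Windows\Temp\WAX3F1A.tmp","SUCCESS","Delete: True"
'@

function Get-WaxTempActivity {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        # Matches WAX<anything>.tmp directly under C:\Windows\Temp (case-insensitive).
        [string] $PathPattern = '^C:\\Windows\\Temp\\WAX[^\\]*\.tmp$'
    )
    $Records |
        Where-Object { $_.Path -match $PathPattern } |
        Group-Object -Property Path |
        ForEach-Object {
            $path = $_.Name
            $hits = $_.Group
            # First CreateFile whose disposition can create a new file.
            $creator = $hits | Where-Object {
                $_.Operation -eq 'CreateFile' -and
                $_.Detail -match 'Disposition: (Create|OpenIf|OverwriteIf|Supersede)'
            } | Select-Object -First 1
            # Procmon logs a delete as a SetDisposition* operation.
            $deleter = $hits | Where-Object {
                $_.Operation -like 'SetDisposition*' -and
                $_.Detail -match 'Delete: True|FILE_DISPOSITION_DELETE'
            } | Select-Object -First 1
            [pscustomobject]@{
                Path      = $path
                FirstSeen = $hits[0].'Time of Day'
                CreatedBy = if ($creator) { '{0} (PID {1})' -f $creator.'Process Name', $creator.PID } else { 'not captured' }
                DeletedBy = if ($deleter) { '{0} (PID {1})' -f $deleter.'Process Name', $deleter.PID } else { 'not captured' }
                TouchedBy = ($hits.'Process Name' | Sort-Object -Unique) -join ', '
            }
        }
}

# Against a real capture: Get-WaxTempActivity -Records (Import-Csv <path to exported CSV>)
Get-WaxTempActivity -Records ($sampleCsv | ConvertFrom-Csv) | Format-List
```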

ab sounds like they ‘said’:

Fire up procmon and have it watch things that happen in
c:/windows/temp for a long time until something shows up, and then it
should show the process doing that. Obviously you need to have this
run until something shows up, since it is a real-time monitor.

So my response to ab’s comment is…

Really weird thing is, the last few this has happened on, no one had
been logged into the machine, the one today had not been logged into
for almost two weeks.


Stevo

You’re running Windows; if nothing else the hackers are logged in the
entire time. Even if this box were not hacked, you’d still have things
running 24x7; it’s a computer after all.


Good luck.
