Jump to content

Unknown *.tmp files found in C:/ drive

LondonHack

By LondonHack
in Resolved Malware Removal Logs

 Share

Recommended Posts

LondonHack

LondonHack

Posted
Posted

So I was cleaning out the temporary files left from Visual C++  on my C:/ drive, when I found 4 files all ending with .tmp that were there as well. Their names are as follows:

 

EC8.tmp

E831.tmp

BF30.tmp

4C4B.tmp

 

Looking the names of these online said they were something to do with malware, so I'm paranoid now. Are these files dropped by a piece of malware or are they system files that can be infected? Can I delete them?

 

 

Link to post
Share on other sites
David H. Lipman

David H. Lipman

Posted
Posted

You can't do a search on Google on TMP files names.  One must always remember that Google will return misinformation as much as information and one has to discriminate the misinformation results.  By definition they are TeMPorary files and are randomly named.  Their mere existence is not an indicator of malware.  While malware and malicious processes will use the TEMPorary folder, pointed to by the Operating System ( OS ) Environmental Variables %TMP% and %TEMP%, legitimate software also use the Logged-In User Account TEMPorary folder for installation of software and for files created by legitimate running processes.  Because you cited files using 4 digit file names ending with .TMP, it is highly likely that the randomized names have been used before and possibly with a malicious process.  However that is not a strong indicator that the files you have are malicious.

The first thing to do is loom at their SIZE and DATE. The DATE is self explanatory.  However the SIZE can be significant.  For example if the size is less than 4KB or 0 Bytes then they are nothing.  If the size is significant like equal to or greater than 10's of Kilobytes then you can send the files to Virus Total and see if the many vendors used by this service detect anything.  If the file can't be uploaded an/or the size of the uploaded file is 0KB then the file handle is held open by the OS and a Process is using it.

If a Process is using a TMP file, you may determine what process that is by using the Microsoft Sysinternals utility Process Explorer.  This is done by running Process Explorer and using the Pull-Down menu item "Find" ---> "Find Handle or DLL" and entering in the full name of the TMP file [ Ex. BF30.tmp  ]

What I have done is give you the information and tools to help you make the decisions on TMP files by yourself.

Link to post
Share on other sites
LondonHack

LondonHack

Posted
  • Author
Posted

Thanks for the reply!

The files were replaced by a file just called END. It's 1 KB (the other files were 1KB too) and opening it with Notepad++ just showed nothing but 2 brackets. My guess is that the (probably harmless) process that dumped those temporary files had finished and just left it. I'm probably going to leave it, too.

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.