Solved Windows TEMP folder files being added every second

March 4, 2013 at 10:00:15
Specs: Windows 7
I have Windows 7 on my desktop computer. The TEMP folder under the WINDOWS folder is being added with temporary files every second. All the files have a .tmp extension, but appears to have 0 storage space taken up in the files. I had deleted all the contents in the folder, containing over 60K files, rebooted the computer, and files started to be added upon system bootup being completed. I have Symantec anti-virus loaded, and constantly monitoring my computer, with no viruses being identified.
What is causing this issue to occur? How can I correct this issue, if it should not be occurring?

See More: Windows TEMP folder files being added every second

Report •

March 4, 2013 at 10:16:14
✔ Best Answer
To start with, Install and Run MalwareBytes freebie from here:

This often finds what AV's miss and it might tell us if something has gotten through.

Always pop back and let us know the outcome - thanks

Report •

March 4, 2013 at 12:09:53
It's techy, but Process Monitor should tell you what is making those files.
$20 on Symantec

How To Ask Questions The Smart Way

Report •

March 4, 2013 at 15:39:34
After doing the above.

Run ESET Online Scanner, Copy & Paste the contents of the log please. This scan may take a very long while, so please be patient. Start it before going to work or bed.
You may have to download ESET from a good computer, put it on a thumb drive & run it from there, if your comp is unbootable, or won't let you download.
Create a ESET SysRescue CD or USB drive
How do I use my ESET SysRescue CD or USB flash drive to scan and clean my system?
Configure ESET this way & disable your AV.
How to Temporarily Disable your Anti-virus
Why Would I Ever Need an Online Virus Scanner?
I already have an antivirus program installed, isn't that enough?
Once onto a machine, malware can disable antivirus programs, prevent antimalware programs from downloading updates, or prevent a user from running antivirus scans or installing new antivirus software or malware removal tools. At this point even though you are aware the computer is infected, removal is very difficult.
5: Why does the ESET Online Scanner run slowly on my computer?
If you have other antivirus, antispyware or anti-malware programs running on your computer, they may intercept the scan being performed by the ESET Online Scanner and hinder performance. You may wish to disable the real-time protection components of your other security software before running the ESET Online Scanner. Remember to turn them back on after you are finished.
17: How can I view the log file from ESET Online Scanner?
The ESET Online Scanner saves a log file after running, which can be examined or sent in to ESET for further analysis. The path to the log file is "C:\Program Files\EsetOnlineScanner\log.txt". You can view this file by navigating to the directory and double-clicking on it in Windows Explorer, or by copying and pasting the path specification above (including the quotation marks) into the Start ? Run dialog box from the Start Menu on the desktop.
If no threats are found, you will simply see an information window that no threats were found.

Report •

Related Solutions

March 5, 2013 at 07:13:44
Thank you Derek.....I ran the malware program you recommended, and it found 8 defects. It automatically checked off 2 of them to be deleted, and I did that. The 2 were identified as the following:
C:\Windows\Temp\2F88.tmp (Exploit.Drop.GS) -> Quarantined and deleted successfully.
C:\Windows\Temp\696A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

I then checked the TEMP folder, and the tmp files were still being added. I ran the scan again, and it identified 8 defects again. The file I think was causing the harm was:
C:\Windows\Temp\2F88.tmp (Exploit.Drop.GS)
With 7 other files have consistent description as " (PUP.BundleInstaller.IB)".

I deleted all 8 files using the malware program, reboot the computer, and no more files in the temp folder is now being created as before. That is great, and I do thank you.

I then tried to delete all the files in the TEMP folder, and a couple files would not delete. I determined that a program called Sendori was keeping the files from being deleted. For some unknown reason, that software had been installed on 2/11/13. I do not remember me doing that and thus suspect that is the origin of this problem. Regardless, I uninstalled it successfully, deleted all remaining files in the TEMP folder and emptied the wastebasket. I then did a final reboot and responded with this message back to you. It basically took me all morning, but it seems to have worked!

Now...I have a questions to you and/or JohnW. How should I go forward regarding JohnW's recommendation? Should I perform his recommendation although the Malware program seems to have solved the problem?

I do thank all of you for your generous help.

Report •

March 5, 2013 at 07:18:15
Yes, best run with Johnw at #3 because MWB might not have found everything.
As I said, it is a good start point and can make it easier to move towards further examination.

Always pop back and let us know the outcome - thanks

Report •

March 5, 2013 at 07:32:38
OK...I will prepare the s/w and run it tonight and plan to report results tomorrow. I do appreciate it.

Report •

March 6, 2013 at 06:04:31
The ESET Smart Security 6 application was installed, activated, and scan performed under 2 hours. It scanned approx. 1.12 million files on both the desktop drive and the backup drive, with no issues (virus or infection) identified. Reviewing the scan log did show some of the files could not be scanned, particularly the Symantec antivirus files and many files under the Microsoft/Crypto folder. I had disabled the Symantec and the Malware Bytes applications before I activated the ESET scan.
I think my computer is free of any virus and trojan now. It seems to be running much better now.
What should I do next? I have assumed that the Symantec Endpoint Protection version 11.0.6300.803 program was all that I needed to address infections on my computer. Evidently that is not necessary so. What do you suggest? I do appreciate everyone's help in solving my problem.

Report •

March 6, 2013 at 11:36:59
"What should I do next? I have assumed that the Symantec Endpoint Protection version 11.0.6300.803 program was all that I needed to address infections on my computer."

Malware Prevention
"There is no magic involved. The majority of malware is installed by the user themselves"

Report •

March 6, 2013 at 11:43:00
"I think my computer is free of any virus and trojan now. It seems to be running much better now"
Maybe, very rare one program captures everything.

As we dismantle the infection bit by bit, that may allow the repeat use of programs, which may in turn pick up more.

If any program won't run ( due to the infection ) let me know.

Post the contents of the log/logs after running each program.

1: Download & run Unhide
A introduction as to what this program does.
For those of you who no longer have the %Temp%\Smtmp folder, you will not be able to use Unhide to restore your Start Menu items. With this in mind, I have created some scripts to restore the default Start Menu for specific versions of Windows that I have access to. You can view the available versions below. I will be adding more as time goes on.
Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run, it does take some time, be patient. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.

2: Reboot

3: Run ComboFix & post the contents of the log please.
A guide and tutorial on using ComboFix
Do not mouseclick combofix's window while it is running. That may cause it to stall.
If after running Combofix you discover none of your programs will open up, and you recieve the following error: "Illegal operation attempted on a registry key that has been marked for deletion". Then the answer is to REBOOT the machine, and all will be corrected.
Can't Install an Antivirus - Windows Security Center still detects previous AV
We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:
* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these type of programs can be found in this topic.
Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.

Report •

Ask Question