FILExt Forum


mudsharky 15 Jan 2007 09:42 PM

t$m files
 
I am seeing .t$m files showing up on my PC.

They all start with a string of random characters (like: $6AAC58CD.T$M), they are created once a day in c:/temp and are all about 222M in size. They seem to contain a tab separated text file database of folk's web searches (but not my searches!)!

The 1st line of each file is:
AnonID Query QueryTime ItemRank ClickURL

Each line (record?) then has:
an anon user ID tag
the search phrase
site visited
the time

I did scan for virus and spyware infections but nothing...
Any ideas?

Thx
R

Staff 15 Jan 2007 10:17 PM

Even though AVG denies their being associated with their software, they _could_ be AVG log files. If you use AVG's scanner this _could_ be the source. See this thread here...

http://forum.grisoft.cz/freeforum/read.php?8,86192,86360

You might try the software mentioned in the last posting on page 1 of that thread and see what's locking the files.

The final post in the thread continues to deny AVG association and gives a plausible reason for the results in the posting before it. If you don't use AVG then that would seem to justify their claim even though the text is found in their DLL files according to one poster in the thread.

This is the only thing I've been able to find although my original thought was that it _might_ be some sort of Torrent log file since you indicate it contains sites and searches you did not make. I continue to harbor that suspicion; do you use a Torrent client and have it running in the background all the time?

mudsharky 15 Jan 2007 10:35 PM

I _do_ use AVG and have been for a long time so I doubt it is that...
You may be on the right track with the Torrent idea... I did have ABC running lately, but the data in these files really does look like search engine results (see below) and not something I'd expect from a torrent client.

I've shut ABC down now, and we'll see: if, in a couple of days, no more of these daily files start showing up, we can blame that.

I was definitely thinking (and am not counting it out yet) that I have some infection... The data in these files looks like this:

"AnonID Query QueryTime ItemRank ClickURL"
"256 eddie bauer women's shorts 2006-03-02 21:57:12 "
"256 mapquest 2006-03-03 23:11:11 1 http://www.mapquest.com"
"256 map of new york 2006-03-04 18:26:48 1 http://www.nysegov.com"
"256 adirondacks 2006-03-04 18:28:49 "
http://www.adirondacks.com"
"256 lulac 2006-03-04 23:35:34 1 http://www.lulac.org"
"256 southwest airlines 2006-03-04 23:37:19 1 http://www.southwest.com"
"256 cheap airline tickets 2006-03-05 12:28:15 "
"256 southwest airlines 2006-03-05 12:42:06 1 http://www.southwest.com"
"256 new york hotels 2006-03-05 12:52:25 "
"256 hotels in new york new york 2006-03-05 12:54:21 "
"256 lulac 2006-03-06 21:22:17 1 http://www.lulac.org"
"256 mapof new york new york 2006-03-07 06:45:07 "

... and on and on for 1/4 of a gig!

Staff 15 Jan 2007 10:51 PM

Malware usually doesn't announce itself that way. It likes to try to remain unseen for obvious reasons. :)

And, it's curious that if the files are current that the dates in the files are from early last year.

Stranger and stranger. Maybe something will come up with your exploring. Please keep it up so I can add this entry to the database as the prior thread indicates you are not alone out there looking for the answer.

mudsharky 28 Jan 2007 07:56 PM

Well, these files are NOT being created by the torrent client.

I have not run that program since I last wrote, and these files are STILL being created (every day at 9:10am!). Each is about the same size (222M) and has the same kind of content as described here already.

Maybe this will help... http://mudshark.com/t$m_files.png

What's running on this PC?
ZoneAlarm
APC PowerChute
AVG
DynDNSUpdater
VIA RAID tool

Staff 28 Jan 2007 08:35 PM

Interesting.

Two things to try come to mind:

1) About 9:05 tomorrow morning press the keychord Control-Alt-Del once to bring up the Task Manager. Open the Processes tab. Fix the size so you can see everything if at all possible. Use View, Update Speed set to High. Then, watch carefully as the time approaches 9:10. Also, alongside that window, open a Windows Explorer window to the directory where the files are being written. If you are lucky, you should see the file being written to that directory and at the same time you should see one of the processes spike briefly while that writing is taking place. If you see this then trace that process back to its owner and you'll have your culprit.

To trace back, open the Configuration utility (Start | Run | type msconfig and hit Enter). Look in the startup processes to find the name of the one you saw spike and the owner should be visible or hinted at in the path to it.

2) If that doesn't work, then you'll have to do some detective work day by day. Open the Configuration utility (see just above) and disable half the startup items and then wait until the next day or maybe set your system clock ahead to the next day and restart. If the files are not written then you know the culprit is in that half; if not it's likely in the other half. Then, half again, advance the time, restart and so forth until you narrow it down to a single item. Again, you then have your culprit.

This sort of thing is a PITA I understand (having done it myself) but it usually gives the result eventually.

yod 16 Feb 2007 01:15 AM

me too
 
hey you fellas

just wondering if you ever got this sorted out?

the same thing is happening to me except i get about 30 t$m files of 0kb and one that just keeps getting bigger until it uses up all the drive space...

cheers in advance

mudsharky 16 Feb 2007 07:39 AM

Funny that I should get this mssg today! Only this AM I did finally stand at this PC at the appointed hour and, waiting for the event, watch the Task Mgr, TEMP dir, and event viewer. Of course, we already know that this happens every day at about 9:10 or so. OK, we THOUGHT WE KNEW THAT... It seems that on rare days it does not happen... Like when you watch it... Anyway see http://www.mudshark.com/exhibit-1.jpg for a copy of the event viewer which I hadn't looked at before. It shows a reboot every time immediately after the file is written. Only more questions! SO... I'll have to do this again next time I'm up that early. (Usually I work late so I do not normally get up til about 10, but I will make an effort to again try to catch the bugger in the act!) PS The DMP file is a jumble of incomprehensible characters, followed by a LOT of "F"s.

MarkA 20 Feb 2007 08:39 AM

Found something
 
I've done some research on this subject and found the following:

1. Everyone will find different content in these files. (It appears the files contain data from another file on your PC.)

2. The temp files have a date and time that coincides EXACTLY with when a scheduled AVG test COMPLETES. See the picture at the URL below for an example of three sets of temp files and three AVG tests:

http://img69.imageshack.us/my.php?image=avgresultsve2.png

I hope Grisoft will now take this issue seriously.

My theory is that AVG has problems with locked files. Here's why I say this: When I've looked at the one large temp file that has any data in it, the file appears to be a copy of another file which I KNOW is locked.

So, it appears that AVG is having problems with files which are locked by other processes.

I noticed this problem starting about a week ago. I noticed it because one of the temp files that is left over fills up the disk where I have the TEMP directory, so it affects my other programs.

I'm going to post this same message to the Grisoft forums, hoping they will look into this (now that there is some pretty concrete evidence.)

Mark
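
The timestamp comparison described in the post above, as an added example that is not part of the original thread: it pairs each .T$M file's last-modified time with the nearest entry in a list of known events and flags pairs that fall within a tolerance. The event list, the second and third file names, and all timestamps are constructed sample data; the function names are assumptions.

```python
import fnmatch
import os
from datetime import datetime, timedelta

def temp_file_times(directory, pattern="*.t$m"):
    """Return {name: last-modified datetime} for matching files (case-insensitive)."""
    times = {}
    for entry in os.scandir(directory):
        if entry.is_file() and fnmatch.fnmatch(entry.name.lower(), pattern):
            times[entry.name] = datetime.fromtimestamp(entry.stat().st_mtime)
    return times

def correlate(file_times, events, tolerance=timedelta(seconds=60)):
    """Pair each file with its nearest event.

    events is a list of (label, datetime). Returns rows of
    (file, label, offset_seconds, matched), ordered by file time.
    A positive offset means the file was written after the event.
    """
    rows = []
    for name, ftime in sorted(file_times.items(), key=lambda kv: kv[1]):
        if not events:
            rows.append((name, None, None, False))
            continue
        label, etime = min(events, key=lambda ev: abs(ev[1] - ftime))
        offset = (ftime - etime).total_seconds()
        rows.append((name, label, offset, abs(offset) <= tolerance.total_seconds()))
    return rows

# Constructed sample data (not taken from the thread's screenshots).
SAMPLE_FILES = {
    "$6AAC58CD.T$M": datetime(2007, 2, 17, 9, 10, 5),
    "$0000AAAA.T$M": datetime(2007, 2, 18, 9, 10, 2),
    "$0000BBBB.T$M": datetime(2007, 2, 19, 14, 30, 0),
}
SAMPLE_EVENTS = [
    ("scheduled scan completed", datetime(2007, 2, 17, 9, 10, 0)),
    ("scheduled scan completed", datetime(2007, 2, 18, 9, 10, 0)),
    ("system boot", datetime(2007, 2, 19, 8, 0, 0)),
]

if __name__ == "__main__":
    for row in correlate(SAMPLE_FILES, SAMPLE_EVENTS):
        print(row)
```

On a live system, pass the result of `temp_file_times(r"c:\temp")` in place of `SAMPLE_FILES` and fill the event list from the scanner's own test results and the event viewer.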

Staff 20 Feb 2007 10:04 AM

This is indeed good data and starts to tie in with what others have posted. Thank you very much for posting that here.


All times are GMT -7.