  #1  
15 Jan 2007, 09:42 PM
mudsharky
t$m files

I am seeing .t$m files showing up on my PC.

They all start with a string of random characters (like: $6AAC58CD.T$M); they are created once a day in c:/temp and are all about 222M in size. They seem to contain a tab-separated text file database of folks' web searches (but not my searches!)!

The 1st line of each file is:
AnonID Query QueryTime ItemRank ClickURL

Each line (record?) then has:
an anon user ID tag
the search phrase
site visited
the time

I did scan for virus and spyware infections but nothing...
Any ideas?

Thx
R

  #2  
15 Jan 2007, 10:17 PM
Staff

Even though AVG denies their being associated with their software, they could be AVG log files. If you use AVG's scanner this could be the source. See this thread here...

http://forum.grisoft.cz/freeforum/re...?8,86192,86360

You might try the software mentioned in the last posting on page 1 of that thread and see what's locking the files.

The final post in the thread continues to deny AVG association and gives a plausible reason for the results in the posting before it. If you don't use AVG then that would seem to justify their claim even though the text is found in their DLL files according to one poster in the thread.

This is the only thing I've been able to find although my original thought was that it might be some sort of Torrent log file since you indicate it contains sites and searches you did not make. I continue to harbor that suspicion; do you use a Torrent client and have it running in the background all the time?

  #3  
15 Jan 2007, 10:35 PM
mudsharky

I _do_ use AVG and have been for a long time so I doubt it is that...
You may be on the right track with the Torrent idea... I did have ABC running lately, but the data in these files really does look like search engine results (see below) and not something I'd expect from a torrent client.

I've shut ABC down now, and we'll see: if, in a couple of days, no more of these daily files start showing up, we can blame that.

I was definitely thinking (and am not counting it out yet) that I have some infection... The data in these files looks like this:

"AnonID Query QueryTime ItemRank ClickURL"
"256 eddie bauer women's shorts 2006-03-02 21:57:12 "
"256 mapquest 2006-03-03 23:11:11 1 http://www.mapquest.com"
"256 map of new york 2006-03-04 18:26:48 1 http://www.nysegov.com"
"256 adirondacks 2006-03-04 18:28:49 "
http://www.adirondacks.com"
"256 lulac 2006-03-04 23:35:34 1 http://www.lulac.org"
"256 southwest airlines 2006-03-04 23:37:19 1 http://www.southwest.com"
"256 cheap airline tickets 2006-03-05 12:28:15 "
"256 southwest airlines 2006-03-05 12:42:06 1 http://www.southwest.com"
"256 new york hotels 2006-03-05 12:52:25 "
"256 hotels in new york new york 2006-03-05 12:54:21 "
"256 lulac 2006-03-06 21:22:17 1 http://www.lulac.org"
"256 mapof new york new york 2006-03-07 06:45:07 "

... and on and on for 1/4 of a gig!

  #4  
15 Jan 2007, 10:51 PM
Staff

Malware usually doesn't announce itself that way. It likes to try to remain unseen for obvious reasons.

And it's curious that, if the files are current, the dates in the files are from early last year.

Stranger and stranger. Maybe something will come up with your exploring. Please keep it up so I can add this entry to the database as the prior thread indicates you are not alone out there looking for the answer.

  #5  
28 Jan 2007, 07:56 PM
mudsharky

Well, these files are NOT being created by the torrent client.

I have not run that program since I last wrote, and these files are STILL being created (every day at 9:10am!). Each is about the same size (222M) and has the same kind of content as described here already.

Maybe this will help... http://mudshark.com/t$m_files.png

What's running on this PC?
ZoneAlarm
APC PowerChute
AVG
DynDNSUpdater
VIA RAID tool

  #6  
28 Jan 2007, 08:35 PM
Staff

Interesting.

Two things to try come to mind:

1) About 9:05 tomorrow morning press the key chord Control-Alt-Del once to bring up the Task Manager. Open the Processes tab. Fix the size so you can see everything if at all possible. Use View, Update Speed set to High. Then, watch carefully as the time approaches 9:10. Also, alongside that window, open a Windows Explorer window to the directory where the files are being written. If you are lucky, you should see the file being written to that directory and at the same time you should see one of the processes spike briefly while that writing is taking place. If you see this then trace that process back to its owner and you'll have your culprit.

To trace back, open the Configuration utility (Start | Run | type msconfig and hit Enter). Look in the startup processes to find the name of the one you saw spike and the owner should be visible or hinted at in the path to it.

2) If that doesn't work, then you'll have to do some detective work day by day. Open the Configuration utility (see just above) and disable half the startup items and then wait until the next day or maybe set your system clock ahead to the next day and restart. If the files are not written then you know the culprit is in that half; if not it's likely in the other half. Then, half again, advance the time, restart and so forth until you narrow it down to a single item. Again, you then have your culprit.

This sort of thing is a PITA I understand (having done it myself) but it usually gives the result eventually.
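
One way to automate the first suggestion above (spotting the process that is busy when the file appears), as an added PowerShell example that is not part of the original thread. It assumes PowerShell 3.0 or later; the function names, the 5-second interval and the top-5 cut-off are choices made for this example, while `C:\temp` and the `*.T$M` pattern come from the posts.

```powershell
# Added example, not from the thread. C:\temp and *.T$M come from the posts;
# the interval and the top-5 cut-off are arbitrary. Needs PowerShell 3.0+.
$Dir      = 'C:\temp'
$Pattern  = '*.T$M'   # single quotes so $M is not expanded as a variable
$Interval = 5         # seconds between samples

function Get-WriteSnapshot {
    # Map PID -> name, executable path and cumulative bytes written so far
    $snap = @{}
    foreach ($p in Get-CimInstance -ClassName Win32_Process) {
        $snap[[int]$p.ProcessId] = [pscustomobject]@{
            Name  = $p.Name
            Path  = $p.ExecutablePath
            Bytes = [double]$p.WriteTransferCount
        }
    }
    return $snap
}

function Compare-WriteSnapshot($Before, $After) {
    # Bytes each process wrote between the two snapshots, largest first
    $rows = foreach ($id in $After.Keys) {
        $old = 0
        if ($Before.ContainsKey($id)) { $old = $Before[$id].Bytes }
        $delta = $After[$id].Bytes - $old
        if ($delta -gt 0) {
            [pscustomobject]@{ Id = $id; Name = $After[$id].Name
                MBWritten = [math]::Round($delta / 1MB, 1); Path = $After[$id].Path }
        }
    }
    $rows | Sort-Object -Property MBWritten -Descending
}

# Remember the files that already exist, then poll for a new one.
$seen = @{}
Get-ChildItem -LiteralPath $Dir -Filter $Pattern -File |
    ForEach-Object { $seen[$_.Name] = $true }
$prev = Get-WriteSnapshot
while ($true) {
    Start-Sleep -Seconds $Interval
    $fresh = @(Get-ChildItem -LiteralPath $Dir -Filter $Pattern -File |
               Where-Object { -not $seen.ContainsKey($_.Name) })
    if ($fresh.Count -eq 0) { $prev = Get-WriteSnapshot; continue }
    Start-Sleep -Seconds $Interval   # give the writer time to put data on disk
    $curr = Get-WriteSnapshot
    foreach ($f in $fresh) { $seen[$f.Name] = $true; Write-Host "New file: $($f.Name)" }
    Compare-WriteSnapshot $prev $curr | Select-Object -First 5 | Format-Table -AutoSize
    $prev = $curr
}
```

Start it from an elevated prompt a few minutes before the expected write time; `Path` stays empty for processes the current account is not allowed to query.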