I was recently clearing out temp files on the computers here at work and came across two users who have strange files in their %Temp% folder. One is on XP and the path is C:\Documents and Settings\<userprofile>\Local Settings\Temp. The other is on Vista and the path is C:\Users\<userprofile>\AppData\Local\Temp. Most of our users run with limited rights, but these two users run programs that require them to have local admin rights. The suspicious-looking files are as follows:
I cannot delete these files as they come up as access denied. But I copied one of the files to the desktop of the afflicted computer and changed the extension to .txt. When I opened the file, it was a copy of an email message that had come into Outlook that day. Every one of these files that I open is a copy of an email received into Outlook. None of the other computers exhibit this same behaviour when Outlook receives messages. Every day the filenames will change to some other 3-5 random letter and number combination, but the extensions are always .a, .b, .c, .d, .e, .f, etc. and .1, .2, .3, .4, .5, etc., and are always copies of email messages. Does anyone have an explanation as to what this could be? I'm assuming it is virus related, but Symantec scans and Malwarebytes scans are clean.
Any help or insight would be greatly appreciated.
Update 5-27-2010: I ran Sophos Anti-Rootkit on the Vista machine and it came back clean.
Edited by mercadmin, 27 May 2010 - 07:34 AM.
Move to AII as no logs posted. ~ OB