Hi,
I've located what appears to be cached webpages in \documents and settings\username\local settings\temp\01808300\. The cached webpages have a numerical file name and a .tmp extension. I'm trying to figure out what software created these files. I'm guessing a browser of some sort. AOL Connectivity Services is installed…would this have anything to do with it? The os is XP SP2.
Thanks
Have you scanned the system for malware/spyware?
Is there any index.dat file associated with these files?
How were you able to determine that these .tmp files were web pages?
I've seen this naming convention used by IE in the creation of its cached files. Could have come from there. Not sure about the location though.
Check files accessed in moments before the relevant file's accessed/creation times. That should help narrow things down.
I'm pretty sure i've seen similar which have been malware.
Kind Regards,
Minesh
Thanks for the suggestions. I haven't performed a malware scan yet but judging by what I've seen so far I'm sure there will be many hits.
The files are filled with HTML and EnCase reports them having Yahoo Webmail signatures. The weird things is that each .tmp file appears to contain numerous cached webpages crammed inside them. I located several webmail messages which would normally be separate ShowLetter[n].htm's in the .tmp files.
Files accessed moments before the .tmp files are index.dat files, so I'm guessing the .tmp files are related to IE? I think IE can be configured to store temp internet files elsewhere but that still doesn't explain the cramming of several cached pages into individual files…