What are these CAB_nnnn_2,3,4,5,6 files in C:\Windows\Temp?
I have observed the every-few-hours creation of files in the C:\Windows\Temp folder of both my sister and brother-in-law's Win7 Pro x64 machines (Lenovo M93p both), which are on the same LAN in their house. They eventually consume all available free space on C, and other programs needing space then fail.
I have to delete the contents of C:\Windows\Temp to get things back to normal, but the process simply restarts and a day or two later the C partition is once again fully consumed with these files. And weirdly this is happening on both machines (which of course are essentially set up identically, both with MSE and MBAM installed).
We're talking about file names starting with CAB, created as shown in the following screenshot (sorted into reverse chronological sequence, newest first):
I have a hunch these are somehow related to either Microsoft Security Essentials (and perhaps downloading of virus definition files? or log files??) or Malwarebytes Anti-Malware.
There are also two LOG files stored in the same C:\Windows\Temp folder, and I believe these are very relevant to explaining the mystery. I will post these two log files as "code".
(a) MpCmdRun.log
Code:
-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\Program Files\Microsoft Security Client\\MpCmdRun.exe" SignatureUpdate -ScheduleJob -ISU -RestrictPrivileges
Start Time: Wed Nov 09 2016 22:51:56
Run as Network Service
MpCmdRun: End Time: Wed Nov 09 2016 22:51:56
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\Program Files\Microsoft Security Client\\MpCmdRun.exe" SignaturesUpdateService -ScheduleJob -UnmanagedUpdate
Start Time: Wed Nov 09 2016 22:51:56
Start: Signatures Update Service
Update Started
Search Started (MU/WU update) (Path: http://www.microsoft.com)...
Search Completed
Download Started...
Time Info - Wed Nov 09 2016 22:52:12
Download Progress- Update Index:0 of 1 - 0%
Download Progress- Update Index:0 of 1 - 100%
Download Progress- Update Index:0 of 1 - 100%
Download Completed
Download Completed
Installation Started...
Time Info - Wed Nov 09 2016 22:52:43
Installation Progress- Percent Complete:100, Current Update Index:0 (of 1)
Installation Progress- Percent Complete:100, Current Update Index:0 (of 1)
Installation Completed
Update completed succesfully
End: Signatures Update Service
MpCmdRun: End Time: Wed Nov 09 2016 22:52:43
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\Program Files\Microsoft Security Client\\MpCmdRun.exe" SignatureUpdate -ScheduleJob -ISU -RestrictPrivileges
Start Time: Thu Nov 10 2016 00:51:55
Run as Network Service
MpCmdRun: End Time: Thu Nov 10 2016 00:51:55
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\Program Files\Microsoft Security Client\\MpCmdRun.exe" SignaturesUpdateService -ScheduleJob -UnmanagedUpdate
Start Time: Thu Nov 10 2016 00:51:55
Start: Signatures Update Service
Update Started
Search Started (MU/WU update) (Path: http://www.microsoft.com)...
Search Completed
Download Started...
Time Info - Thu Nov 10 2016 00:52:10
Download Progress- Update Index:0 of 1 - 0%
Download Progress- Update Index:0 of 1 - 100%
Download Progress- Update Index:0 of 1 - 100%
Download Completed
Download Completed
Installation Started...
Time Info - Thu Nov 10 2016 00:52:41
Installation Progress- Percent Complete:100, Current Update Index:0 (of 1)
Installation Progress- Percent Complete:100, Current Update Index:0 (of 1)
Installation Completed
Update completed succesfully
End: Signatures Update Service
MpCmdRun: End Time: Thu Nov 10 2016 00:52:41
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\Program Files\Microsoft Security Client\\MpCmdRun.exe" SignatureUpdate -ScheduleJob -ISU -RestrictPrivileges
Start Time: Thu Nov 10 2016 02:51:55
Run as Network Service
MpCmdRun: End Time: Thu Nov 10 2016 02:51:55
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\Program Files\Microsoft Security Client\\MpCmdRun.exe" SignaturesUpdateService -ScheduleJob -UnmanagedUpdate
Start Time: Thu Nov 10 2016 02:51:55
Start: Signatures Update Service
Update Started
Search Started (MU/WU update) (Path: http://www.microsoft.com)...
Search Completed
Update completed succesfully. no updates needed
End: Signatures Update Service
MpCmdRun: End Time: Thu Nov 10 2016 02:51:57
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\Program Files\Microsoft Security Client\\MpCmdRun.exe" SignatureUpdate -ScheduleJob -ISU -RestrictPrivileges
Start Time: Thu Nov 10 2016 04:51:55
Run as Network Service
MpCmdRun: End Time: Thu Nov 10 2016 04:51:55
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\Program Files\Microsoft Security Client\\MpCmdRun.exe" SignaturesUpdateService -ScheduleJob -UnmanagedUpdate
Start Time: Thu Nov 10 2016 04:51:55
Start: Signatures Update Service
Update Started
Search Started (MU/WU update) (Path: http://www.microsoft.com)...
Search Completed
Download Started...
Time Info - Thu Nov 10 2016 04:52:12
Download Progress- Update Index:0 of 1 - 0%
Download Progress- Update Index:0 of 1 - 100%
Download Progress- Update Index:0 of 1 - 100%
Download Completed
Download Completed
Installation Started...
Time Info - Thu Nov 10 2016 04:52:53
Installation Progress- Percent Complete:100, Current Update Index:0 (of 1)
Installation Progress- Percent Complete:100, Current Update Index:0 (of 1)
Installation Completed
Update completed succesfully
End: Signatures Update Service
MpCmdRun: End Time: Thu Nov 10 2016 04:52:53
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\Program Files\Microsoft Security Client\\MpCmdRun.exe" SignatureUpdate -ScheduleJob -ISU -RestrictPrivileges
Start Time: Thu Nov 10 2016 06:51:55
Run as Network Service
MpCmdRun: End Time: Thu Nov 10 2016 06:51:55
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\Program Files\Microsoft Security Client\\MpCmdRun.exe" SignaturesUpdateService -ScheduleJob -UnmanagedUpdate
Start Time: Thu Nov 10 2016 06:51:55
Start: Signatures Update Service
Update Started
Search Started (MU/WU update) (Path: http://www.microsoft.com)...
Search Completed
Update completed succesfully. no updates needed
End: Signatures Update Service
MpCmdRun: End Time: Thu Nov 10 2016 06:51:58
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\Program Files\Microsoft Security Client\\MpCmdRun.exe" SignatureUpdate -ScheduleJob -ISU -RestrictPrivileges
Start Time: Thu Nov 10 2016 08:51:55
Run as Network Service
MpCmdRun: End Time: Thu Nov 10 2016 08:51:55
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\Program Files\Microsoft Security Client\\MpCmdRun.exe" SignaturesUpdateService -ScheduleJob -UnmanagedUpdate
Start Time: Thu Nov 10 2016 08:51:55
Start: Signatures Update Service
Update Started
Search Started (MU/WU update) (Path: http://www.microsoft.com)...
Search Completed
Download Started...
Time Info - Thu Nov 10 2016 08:52:11
Download Progress- Update Index:0 of 1 - 0%
Download Progress- Update Index:0 of 1 - 100%
Download Progress- Update Index:0 of 1 - 100%
Download Completed
Download Completed
Installation Started...
Time Info - Thu Nov 10 2016 08:52:41
Installation Progress- Percent Complete:100, Current Update Index:0 (of 1)
Installation Progress- Percent Complete:100, Current Update Index:0 (of 1)
Installation Completed
Update completed succesfully
End: Signatures Update Service
MpCmdRun: End Time: Thu Nov 10 2016 08:52:41
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\Program Files\Microsoft Security Client\\MpCmdRun.exe" SignatureUpdate -ScheduleJob -ISU -RestrictPrivileges
Start Time: Thu Nov 10 2016 10:51:55
Run as Network Service
MpCmdRun: End Time: Thu Nov 10 2016 10:51:55
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\Program Files\Microsoft Security Client\\MpCmdRun.exe" SignaturesUpdateService -ScheduleJob -UnmanagedUpdate
Start Time: Thu Nov 10 2016 10:51:55
Start: Signatures Update Service
Update Started
Search Started (MU/WU update) (Path: http://www.microsoft.com)...
Search Completed
Update completed succesfully. no updates needed
End: Signatures Update Service
MpCmdRun: End Time: Thu Nov 10 2016 10:52:02
-------------------------------------------------------------------------------------

(b) MpSigStub.log
Code:
----------------------------------------------------------------------------------
Command: MpSigStub.exe /program ANTIMALWARE /q
Running as administrator: yes
Start time: 11/9/2016 10:52 PM (version 1.1.13251.0)
=================================== ProductSearch ==================================
Microsoft Security Essentials:
Status: Active
Product: 4.10.205.0
Engine: 1.1.13202.0
Signatures: 1.231.1595.0
NIS Engine: 2.1.12706.0
NIS Signatures: 116.65.0.0
================================ PackageDiscovery ================================
Package files discovered:
C:\Windows\Temp\DBC2B160BA060F34BB15029FC66C52FB-Sigs\1.231.1595.0_TO_1.231.1613.0_MPASDLTA.VDM._P (?.?.?.?)
C:\Windows\Temp\DBC2B160BA060F34BB15029FC66C52FB-Sigs\1.231.1595.0_TO_1.231.1613.0_MPAVDLTA.VDM._P (?.?.?.?)
AM BDD:
Engine: Not included
AS base VDM: Not included
AV base VDM: Not included
AS delta VDM: 1.231.1613.0
AV delta VDM: 1.231.1613.0
================================ PatchApplication ================================
Patched mpasdlta.vdm to 1.231.1613.0
Patched mpavdlta.vdm to 1.231.1613.0
================================= MpUpdateEngine =================================
Package files for the engine update:
C:\Windows\Temp\DBC2B160BA060F34BB15029FC66C52FB-Sigs\1.231.1595.0_TO_1.231.1613.0_MPASDLTA.VDM._P (?.?.?.?)
C:\Windows\Temp\DBC2B160BA060F34BB15029FC66C52FB-Sigs\1.231.1595.0_TO_1.231.1613.0_MPAVDLTA.VDM._P (?.?.?.?)
C:\Windows\Temp\DBC2B160BA060F34BB15029FC66C52FB-Sigs\mpasdlta.vdm (1.231.1613.0)
C:\Windows\Temp\DBC2B160BA060F34BB15029FC66C52FB-Sigs\mpavdlta.vdm (1.231.1613.0)
Updated from C:\Windows\Temp\DBC2B160BA060F34BB15029FC66C52FB-Sigs (0x0)
================================= ValidateUpdate =================================
MpSigStub successfully updated Microsoft Security Essentials using the AM BDD package.
               Original:      Updated to:
AS delta VDM:  1.231.1595.0   1.231.1613.0
AV delta VDM:  1.231.1595.0   1.231.1613.0
Deleted C:\Windows\Temp\DBC2B160BA060F34BB15029FC66C52FB-Sigs\1.231.1595.0_TO_1.231.1613.0_MPASDLTA.VDM._P
Deleted C:\Windows\Temp\DBC2B160BA060F34BB15029FC66C52FB-Sigs\1.231.1595.0_TO_1.231.1613.0_MPAVDLTA.VDM._P
End time: 11/9/2016 10:52 PM
----------------------------------------------------------------------------------
----------------------------------------------------------------------------------
Command: MpSigStub.exe /program ANTIMALWARE /q
Running as administrator: yes
Start time: 11/10/2016 12:52 AM (version 1.1.13251.0)
=================================== ProductSearch ==================================
Microsoft Security Essentials:
Status: Active
Product: 4.10.205.0
Engine: 1.1.13202.0
Signatures: 1.231.1613.0
NIS Engine: 2.1.12706.0
NIS Signatures: 116.65.0.0
================================ PackageDiscovery ================================
Package files discovered:
C:\Windows\Temp\DBC2B160BA060F34BB15029FC66C52FB-Sigs\1.231.1613.0_TO_1.231.1619.0_MPASDLTA.VDM._P (?.?.?.?)
C:\Windows\Temp\DBC2B160BA060F34BB15029FC66C52FB-Sigs\1.231.1613.0_TO_1.231.1619.0_MPAVDLTA.VDM._P (?.?.?.?)
AM BDD:
Engine: Not included
AS base VDM: Not included
AV base VDM: Not included
AS delta VDM: 1.231.1619.0
AV delta VDM: 1.231.1619.0
================================ PatchApplication ================================
Patched mpasdlta.vdm to 1.231.1619.0
Patched mpavdlta.vdm to 1.231.1619.0
================================= MpUpdateEngine =================================
Package files for the engine update:
C:\Windows\Temp\DBC2B160BA060F34BB15029FC66C52FB-Sigs\1.231.1613.0_TO_1.231.1619.0_MPASDLTA.VDM._P (?.?.?.?)
C:\Windows\Temp\DBC2B160BA060F34BB15029FC66C52FB-Sigs\1.231.1613.0_TO_1.231.1619.0_MPAVDLTA.VDM._P (?.?.?.?)
C:\Windows\Temp\DBC2B160BA060F34BB15029FC66C52FB-Sigs\mpasdlta.vdm (1.231.1619.0)
C:\Windows\Temp\DBC2B160BA060F34BB15029FC66C52FB-Sigs\mpavdlta.vdm (1.231.1619.0)
Updated from C:\Windows\Temp\DBC2B160BA060F34BB15029FC66C52FB-Sigs (0x0)
================================= ValidateUpdate =================================
MpSigStub successfully updated Microsoft Security Essentials using the AM BDD package.
               Original:      Updated to:
AS delta VDM:  1.231.1613.0   1.231.1619.0
AV delta VDM:  1.231.1613.0   1.231.1619.0
Deleted C:\Windows\Temp\DBC2B160BA060F34BB15029FC66C52FB-Sigs\1.231.1613.0_TO_1.231.1619.0_MPASDLTA.VDM._P
Deleted C:\Windows\Temp\DBC2B160BA060F34BB15029FC66C52FB-Sigs\1.231.1613.0_TO_1.231.1619.0_MPAVDLTA.VDM._P
End time: 11/10/2016 12:52 AM
----------------------------------------------------------------------------------
----------------------------------------------------------------------------------
Command: MpSigStub.exe /program ANTIMALWARE /q
Running as administrator: yes
Start time: 11/10/2016 4:52 AM (version 1.1.13251.0)
=================================== ProductSearch ==================================
Microsoft Security Essentials:
Status: Active
Product: 4.10.205.0
Engine: 1.1.13202.0
Signatures: 1.231.1619.0
NIS Engine: 2.1.12706.0
NIS Signatures: 116.65.0.0
================================ PackageDiscovery ================================
Package files discovered:
C:\Windows\Temp\DBC2B160BA060F34BB15029FC66C52FB-Sigs\1.231.1619.0_TO_1.231.1629.0_MPASDLTA.VDM._P (?.?.?.?)
C:\Windows\Temp\DBC2B160BA060F34BB15029FC66C52FB-Sigs\1.231.1619.0_TO_1.231.1629.0_MPAVDLTA.VDM._P (?.?.?.?)
AM BDD:
Engine: Not included
AS base VDM: Not included
AV base VDM: Not included
AS delta VDM: 1.231.1629.0
AV delta VDM: 1.231.1629.0
================================ PatchApplication ================================
Patched mpasdlta.vdm to 1.231.1629.0
Patched mpavdlta.vdm to 1.231.1629.0
================================= MpUpdateEngine =================================
Package files for the engine update:
C:\Windows\Temp\DBC2B160BA060F34BB15029FC66C52FB-Sigs\1.231.1619.0_TO_1.231.1629.0_MPASDLTA.VDM._P (?.?.?.?)
C:\Windows\Temp\DBC2B160BA060F34BB15029FC66C52FB-Sigs\1.231.1619.0_TO_1.231.1629.0_MPAVDLTA.VDM._P (?.?.?.?)
C:\Windows\Temp\DBC2B160BA060F34BB15029FC66C52FB-Sigs\mpasdlta.vdm (1.231.1629.0)
C:\Windows\Temp\DBC2B160BA060F34BB15029FC66C52FB-Sigs\mpavdlta.vdm (1.231.1629.0)
Updated from C:\Windows\Temp\DBC2B160BA060F34BB15029FC66C52FB-Sigs (0x0)
================================= ValidateUpdate =================================
MpSigStub successfully updated Microsoft Security Essentials using the AM BDD package.
               Original:      Updated to:
AS delta VDM:  1.231.1619.0   1.231.1629.0
AV delta VDM:  1.231.1619.0   1.231.1629.0
Deleted C:\Windows\Temp\DBC2B160BA060F34BB15029FC66C52FB-Sigs\1.231.1619.0_TO_1.231.1629.0_MPASDLTA.VDM._P
Deleted C:\Windows\Temp\DBC2B160BA060F34BB15029FC66C52FB-Sigs\1.231.1619.0_TO_1.231.1629.0_MPAVDLTA.VDM._P
End time: 11/10/2016 4:52 AM
----------------------------------------------------------------------------------
----------------------------------------------------------------------------------
Command: MpSigStub.exe /program ANTIMALWARE /q
Running as administrator: yes
Start time: 11/10/2016 8:52 AM (version 1.1.13251.0)
=================================== ProductSearch ==================================
Microsoft Security Essentials:
Status: Active
Product: 4.10.205.0
Engine: 1.1.13202.0
Signatures: 1.231.1629.0
NIS Engine: 2.1.12706.0
NIS Signatures: 116.65.0.0
================================ PackageDiscovery ================================
Package files discovered:
C:\Windows\Temp\DBC2B160BA060F34BB15029FC66C52FB-Sigs\1.231.1629.0_TO_1.231.1641.0_MPASDLTA.VDM._P (?.?.?.?)
C:\Windows\Temp\DBC2B160BA060F34BB15029FC66C52FB-Sigs\1.231.1629.0_TO_1.231.1641.0_MPAVDLTA.VDM._P (?.?.?.?)
AM BDD:
Engine: Not included
AS base VDM: Not included
AV base VDM: Not included
AS delta VDM: 1.231.1641.0
AV delta VDM: 1.231.1641.0
================================ PatchApplication ================================
Patched mpasdlta.vdm to 1.231.1641.0
Patched mpavdlta.vdm to 1.231.1641.0
================================= MpUpdateEngine =================================
Package files for the engine update:
C:\Windows\Temp\DBC2B160BA060F34BB15029FC66C52FB-Sigs\1.231.1629.0_TO_1.231.1641.0_MPASDLTA.VDM._P (?.?.?.?)
C:\Windows\Temp\DBC2B160BA060F34BB15029FC66C52FB-Sigs\1.231.1629.0_TO_1.231.1641.0_MPAVDLTA.VDM._P (?.?.?.?)
C:\Windows\Temp\DBC2B160BA060F34BB15029FC66C52FB-Sigs\mpasdlta.vdm (1.231.1641.0)
C:\Windows\Temp\DBC2B160BA060F34BB15029FC66C52FB-Sigs\mpavdlta.vdm (1.231.1641.0)
Updated from C:\Windows\Temp\DBC2B160BA060F34BB15029FC66C52FB-Sigs (0x0)
================================= ValidateUpdate =================================
MpSigStub successfully updated Microsoft Security Essentials using the AM BDD package.
               Original:      Updated to:
AS delta VDM:  1.231.1629.0   1.231.1641.0
AV delta VDM:  1.231.1629.0   1.231.1641.0
Deleted C:\Windows\Temp\DBC2B160BA060F34BB15029FC66C52FB-Sigs\1.231.1629.0_TO_1.231.1641.0_MPASDLTA.VDM._P
Deleted C:\Windows\Temp\DBC2B160BA060F34BB15029FC66C52FB-Sigs\1.231.1629.0_TO_1.231.1641.0_MPAVDLTA.VDM._P
End time: 11/10/2016 8:52 AM
----------------------------------------------------------------------------------

The real questions are:
(a) where are they coming from and why?
(b) why aren't they being deleted once used?
I have run FULL scans using both MSE and MBAM, and both machines get a clean bill of health. I suspect it is the MSE and MBAM products themselves which are generating these CAB files.
Any ideas?
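
One way to test the hypothesis in the post above, as an added example that is not part of the original post: parse the run windows out of MpCmdRun.log and check whether each CAB file's creation time falls inside one. The log excerpt is shortened from the post; the file names, their creation times and the 60-second slack are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

TS = r"(\w{3} \w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})"
# One MpCmdRun entry: its "Start Time:" up to the following "End Time:".
SESSION_RE = re.compile(r"Start Time: " + TS + r".*?End Time: " + TS, re.DOTALL)
FMT = "%a %b %d %Y %H:%M:%S"

# Two entries shortened from the MpCmdRun.log quoted in the post.
LOG_EXCERPT = r'''
MpCmdRun: Command Line: "C:\Program Files\Microsoft Security Client\\MpCmdRun.exe" SignaturesUpdateService -ScheduleJob -UnmanagedUpdate
Start Time: Wed Nov 09 2016 22:51:56
Download Started...
Time Info - Wed Nov 09 2016 22:52:12
Installation Completed
MpCmdRun: End Time: Wed Nov 09 2016 22:52:43
MpCmdRun: Command Line: "C:\Program Files\Microsoft Security Client\\MpCmdRun.exe" SignaturesUpdateService -ScheduleJob -UnmanagedUpdate
Start Time: Thu Nov 10 2016 02:51:55
Update completed succesfully. no updates needed
MpCmdRun: End Time: Thu Nov 10 2016 02:51:57
'''

# Constructed (name, creation time) pairs; on a real machine take them from
# the directory listing of the Temp folder instead.
SAMPLE_FILES = [
    ("cab_2468_2", datetime(2016, 11, 9, 22, 52, 20)),
    ("cab_2468_3", datetime(2016, 11, 10, 1, 14, 7)),
    ("cab_2468_4", datetime(2016, 11, 10, 2, 52, 30)),
    ("cab_2468_5", datetime(2016, 11, 10, 3, 40, 0)),
]

def parse_sessions(log_text):
    """Return (start, end) datetimes for every MpCmdRun entry in the log."""
    return [(datetime.strptime(s, FMT), datetime.strptime(e, FMT))
            for s, e in SESSION_RE.findall(log_text)]

def correlate(files, sessions, slack=timedelta(seconds=60)):
    """Map each file name to the session window (+/- slack) containing its
    creation time, or None when no logged run covers it."""
    return {
        name: next(((s, e) for s, e in sessions
                    if s - slack <= created <= e + slack), None)
        for name, created in files
    }

def unexplained(files, sessions, slack=timedelta(seconds=60)):
    """Names of files created outside every logged update window."""
    matches = correlate(files, sessions, slack)
    return [name for name, _ in files if matches[name] is None]

if __name__ == "__main__":
    sessions = parse_sessions(LOG_EXCERPT)
    for name, hit in correlate(SAMPLE_FILES, sessions).items():
        print(name, "->", f"update run {hit[0]} .. {hit[1]}" if hit else "no logged run")
    print("outside every window:", unexplained(SAMPLE_FILES, sessions))
```

Files that land outside every window were not created during a logged signature update, so a high share of them counts against the MSE hypothesis.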