Strange files in the Windows 7 temp folder, help

drugo

Hi,
I have noticed some strange files inside c:\Windows\Temp\

called
Code:
c:\Windows\Temp\XYZ1C6.tmp
c:\Windows\Temp\XYZ1C7.tmp
c:\Windows\Temp\XYZ1B4.tmp
c:\Windows\Temp\XYZ1B5.tmp
If I delete them, they appear again after every reboot. I can't understand what program generates them.
No updates, just an antivirus, Kaspersky Free, updated.
For example, they start with
Code:
<xs:schema targetNamespace="http://schemas.microsoft.com/win/2004/08/events" elementFormDefault="qualified" xmlns:man="http://schemas.microsoft.com/win/2004/08/events" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:simpleType name="GUIDType">
    <xs:annotation>
      <xs:documentation>
        A globally unique identifier in Registry format.
        e.g. {12345678-4321-ABCD-1234-9ABCDEF012345678}.
        Use GUIDGen.exe or UUIDGen.exe to create a GUID.
      </xs:documentation>
and one file with
Code:
<instrumentationManifest xmlns="http://schemas.microsoft.com/win/2004/08/events" xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.microsoft.com/win/2004/08/events eventman.xsd">
    <metadata name="evt:meta/winTypes">
        <channels>
            <channel name="TraceClassic" type="Debug" symbol="WINEVENT_CHANNEL_CLASSIC_TRACE" value="0" message="$(string.channel.TraceClassic)">
              Events for Classic ETW tracing.
            </channel>
            <channel name="System" type="Admin" symbol="WINEVENT_CHANNEL_GLOBAL_SYSTEM" isolation="System" value="8" message="$(string.channel.System)">
              Events for all installed system services.  This channel is secured to applications running under
              system service accounts or user applications running under local adminstrator privileges.
            </channel>
            <channel name="Application" type="Admin" symbol="WINEVENT_CHANNEL_GLOBAL_APPLICATION" isolation="Application" value="9" message="$(string.channel.Application)">
              Events for all user-level applications.  This channel is not secured and open to any applications.
              Applications which log extensive information should define an application-specific channel.
            </channel>
            <channel name="Security" type="Admin" symbol="WINEVENT_CHANNEL_GLOBAL_SECURITY" isolation="System" value="10" message="$(string.channel.Security)">
              The Windows Audit Log.  For exclusive use of the Windows Local Security Authority.  User events
              may appear as audits if supported by the underlying application.
            </channel>
        </channels>

I'm worried. I have scanned with Kaspersky and Malwarebytes, and I can't understand what program or programs generate them.
At the beginning I thought about the Performance Counters Schema and I disabled it via
Code:
it could be disabled with cmd as administrator
to disable diskperf -N
to enable diskperf -Y

Can I ask you if you have these files?
And if you know where they come from?
I ran sfc /scannow and chkdsk.

The files look like
https://github.com/nihon-tc/Rtest/b...osoft SDKs/Windows/v7.0A/Include/eventman.xsd
Thanks
 

My Computer

Computer type
PC/Desktop
OS
windows 7 ultimate 64bit

More often than not, temp files are leftovers from the normal operation of many programs. It's not uncommon to find many of them, including ones with strange names and diverse contents. Nothing of what you've shown is pointing to anything abnormal, much less a virus infection.

As for the files themselves, given the content, they seem to be related to some event registration in the global event store, and the text "Events for Classic ETW tracing" in the second snippet is pointing to some driver or the kernel itself being the origin of those files.

This is also consistent with their location. You're pointing to the system temp folder, not your user temp files, which greatly reduces its usability to services running as system, the Windows kernel or a kernel-mode driver, explaining why they reappear after each reboot (all those run since early stages of booting).

But again, there is nothing to worry about on this. Temp files are completely normal and unless they consume great amounts of space they pose no problem at all. Nor does anything you posted indicate malware of any kind. I would kinda expect such files in a sane system.
 

My Computer

Computer type
Laptop
Computer Manufacturer/Model Number
Toshiba Sattelite A665-S6092
OS
Windows 7 Ultimate x64
CPU
Intel Core i7-740QM
Memory
8 GB DDR3
Graphics Card(s)
NVIDIA GeForce 330GT
Screen Resolution
1366x768
Hard Drives
Samsung 840 SSD 500GB
1TB USB3 external HD
Cooling
Coolermaster Notepal U3 notebook cooling pad
Internet Speed
3mbps ASDL
Antivirus
ClamWin 0.98.7
Browser
Opera 12.17 x86 (main), Firefox 38 (sec), IE11 (last resort)
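
A triage check for the files discussed in this thread, added here as an example and not taken from either post: it classifies a temp file by its first bytes and XML root element, so a copy of the ETW manifest schema or manifest can be told apart from an executable or unrelated data. The function names, result labels and sample bytes are assumptions made for illustration; the samples are constructed, shortened from the snippets quoted in the first post.

```python
import io
import xml.etree.ElementTree as ET
from pathlib import Path

EVENTS_NS = "http://schemas.microsoft.com/win/2004/08/events"
XSD_NS = "http://www.w3.org/2001/XMLSchema"

# Constructed samples, shortened from the two snippets quoted in the post.
# Both are cut off mid-document on purpose, like a partial read of a large file.
SCHEMA_SAMPLE = (
    b'<xs:schema targetNamespace="' + EVENTS_NS.encode() + b'" '
    b'elementFormDefault="qualified" xmlns:xs="' + XSD_NS.encode() + b'">'
    b'<xs:simpleType name="GUIDType"><xs:annotation>'
)
MANIFEST_SAMPLE = (
    b'<instrumentationManifest xmlns="' + EVENTS_NS.encode() + b'">'
    b'<metadata name="evt:meta/winTypes"><channels>'
)

def classify_temp_file(data: bytes) -> str:
    """Classify file content from its leading bytes and XML root element."""
    if data[:2] == b"MZ":
        return "pe-executable"  # Windows executable image, not a data file
    try:
        # Only the first start tag is needed, so a truncated copy still works.
        _, root = next(ET.iterparse(io.BytesIO(data), events=("start",)))
    except (ET.ParseError, StopIteration):
        return "not-xml"
    if root.tag == f"{{{XSD_NS}}}schema" and root.get("targetNamespace") == EVENTS_NS:
        return "etw-manifest-schema"  # same shape as eventman.xsd
    if root.tag == f"{{{EVENTS_NS}}}instrumentationManifest":
        return "etw-instrumentation-manifest"
    return "other-xml"

def triage_folder(folder: str, limit: int = 64 * 1024) -> dict:
    """Map each *.tmp file name in `folder` to its classification."""
    results = {}
    for path in sorted(Path(folder).glob("*.tmp")):
        with open(path, "rb") as fh:
            results[path.name] = classify_temp_file(fh.read(limit))
    return results

if __name__ == "__main__":
    for name, sample in [("schema", SCHEMA_SAMPLE), ("manifest", MANIFEST_SAMPLE)]:
        print(name, "->", classify_temp_file(sample))
```

Reading c:\Windows\Temp normally requires an elevated prompt; any file reported as `pe-executable` or `not-xml` is the one worth a closer look.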