Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Dahlgren on May 11, 2004, 01:11:19 AM

Title: ~df*.tmp File Not Deletable?
Post by: Dahlgren on May 11, 2004, 01:11:19 AM
- Win98SE
- avast! Home (Everything up to date) On-Access Protection (Internet Mail, Instant Messaging, Standard Shield Providers) running
- Outlook Express 6.00.2800.1123

It seems that whenever avast!'s Internet Mail Provider detects any kind of infection in an incoming e-mail, a temporary file starting with ~d is created in my C:\Windows\Temp folder.  I believe this is from avast! and may or may not be limited to the Internet Mail Provider.  If I attempt to delete this file manually (after permanently deleting the offending e-mail messsage), I receive an Access Denied error.  Selecting "Stop On-Access Protection and Exit" as well as killing the Ashmaisv.exe program (avast! e-Mail Scanner Service) fails to release this temporary file.  The only way i've found to get rid of it is to reboot and then manually delete it.  If not manually deleted, these temporary files simply continue to accumulate in the Windows TEMP folder.  So..., is this temporary file indeed created by avast! and, if so, why does avast! not release the file upon program termination?  Is there any way to get rid of it short of rebooting?

Thanks!
Title: Re:~df*.tmp File Not Deletable?
Post by: shgoh on May 11, 2004, 06:48:25 AM
from what i know...those ~df*.tmp files are definitely NOT related to avast ;)

however i'm not too sure which programs created those.. ???
Title: Re:~df*.tmp File Not Deletable?
Post by: igor on May 11, 2004, 10:20:00 AM
I also don't think that avast! creates any ~df*.tmp files (as far as I know, avast! uses different filenames).
You can try the sysinternals Handle (http://www.sysinternals.com/ntw2k/freeware/handle.shtml) tool (or their ProcessExplorer as well) to find out what process holds these files. Just type
handle FileName
from the command-line.
Title: Re:~df*.tmp File Not Deletable?
Post by: Analyzer on May 11, 2004, 12:12:05 PM
These files are mostly generated by Microsoft Office. If you take a look at the contents of the file(s) you may be able to discover their origin.

Anyway, often these files don't get cleaned up (read: deleted) because e.g. the application which created the temp file(s) crashed.

I normally perform this clean up action manually once in a few weeks. I then delete all files inside the TEMP folder, except for the few which are in use.

Hope this helps a bit.
Title: Re:~df*.tmp File Not Deletable?
Post by: Dahlgren on May 12, 2004, 02:24:35 AM
I also don't think that avast! creates any ~df*.tmp files (as far as I know, avast! uses different filenames).
You can try the sysinternals Handle (http://www.sysinternals.com/ntw2k/freeware/handle.shtml) tool (or their ProcessExplorer as well) to find out what process holds these files. Just type
handle FileName
from the command-line.


Thank you all for your replies.

Igor, I did as you suggested.  Running Handle 2.2 yields:

ASHSERV.EXE     pid: FFFE6F05  file: C:\WINDOWS\TEMP\~DFE45C.TMP

Ashserv.exe is the avast! antivirus service.  Theoretically, avast! should either delete or release this file once On-Access Protection Control is stopped and exited.  I do note, however, that on my system if I stop and exit On-Access Protection Control the ashmaisv.exe still remains in my <Ctl>+<Alt>+<Del> running programs list.  Is this normal?  What I can glean from the .Tmp file is that it contains an html-type e-mail message which of course contains pictures and links to several Web sites.  Could this .Tmp file relate to my running the SlipSteam Web Accellerator Service as provided and served by my ISP.  Basically, it compresses images on Web pages and, optionally, in e-mail messages (though I have it disabled for the latter).  I know that running SlipStream bypasses my AdSubtract proxy.

I suppose this .Tmp file business could be just another bit of anomalous behavior (among many) resulting from the fact that my current Windoze install is now about 2.5 years old. >:(   But if it is a bug in avast! I'd surely like to know, as I'm sure ALWIL would, also.
Title: Re:~df*.tmp File Not Deletable?
Post by: igor on May 13, 2004, 05:21:10 PM
Interesting...

In fact, this "Stop on-access protection" menu probably shouldn't say "and exit", because it just stops all the resident providers. The processes stay in memory - that's normal. In fact, it's quite important - e.g. for the ashmaisv.exe (Internet Mail provider). When you stop it, it will not scan the e-mail messages, but it has to keep running - because your e-mail client is configured to send/receive all the traffic through this process, so it has to pass it on; if it really exitted, you wouldn't be able to send/receive e-mails anymore.

I don't know SlipSteam Web Accellerator, so I can't say much about it - but if you say the problem is related to incoming e-mail messages, I sort of doubt it - Outlook Express is redirected to avast, but this SlipSteam probably not.

As for the .TMP file, however... can you somehow identify the content? I mean, is it a file that just came by e-mail? Is the file created only at the moment when an e-mail is received (and scanned)?
In the original post, you said "whenever Internet Mail Provider detects any kind of infection" - what infection did avast! announce in the e-mail? Does it really concern infected e-mails only? Is the TMP file this infected e-mail message, in fact?
Title: Re:~df*.tmp File Not Deletable?
Post by: Dahlgren on May 14, 2004, 01:02:30 AM
Whoops!  I just had another ~df*.tmp file appear -- no e-mail virus detected or anything.  This one was "in use" by the SlipStream service.  When I exited SlipStream, the file was released and I was able to manually delete it from my Windows Temp folder.  The file was created when I right-clicked the SlipStream Tray icon and activated its "Settings..." menu item.  The file appears to persist until the SlipStream process is exited normally at which time the file is usually cleaned up.  I can't explain why the contents of the non-deleteable ~DFE45C.TMP file appear to be a Web page or HTML e-mail content.  It doesn't seem to make any sense.  Maybe it's some other type of temporary file created by SlipStream.  In any case, it seems clear that SlipStream is the initial creator of these .tmp files.

I'm not sure how SlipStream works but it is somehow tied to a server run by the ISP.  It's the same technology that allows Dial-up ISPs to offer a "premium service" which enables users to "Surf the Web at up to 5-Times Faster!".  I can't say that I'm very impressed with it.  It breaks my ad blocker so the Web page ads are back; thus the speed gain isn't that great and may not be worth the degradation in image quality that the Web Accelerator requires to work its "magic".  Of course, if I could afford broadband I wouldn't even consider using it in the first place.  Maybe I'll just uninstall it as it's just another complication and possible trouble source.

I don't know why avast! latched onto the ~DFE45C.TMP file and won't let go, but it's probably related to how it interacts with SlipStream's E-mail Accelerator (even though I have it supposedly disabled) when an "infected" e-mail is detected by avast!.  The particular infection doesn't matter: the same thing happens whether it's Beagle, Klez, just a warning or whatever.  Scanning the .tmp file with avast! from the explorer context menu yields no infection.

So..., it appears this probably isn't an avast! problem so much as a SlipStream or anomalous Windows corruption.  For curiosity's sake, I've attached the contents of ~DFE45C.TMP, but I really don't think, now, that this should concern ALWIL.  Thanks for your efforts, igor.
Title: Re:~df*.tmp File Not Deletable?
Post by: igor on May 14, 2004, 09:48:14 AM
I'm afraid I'm not able to say much about the file.
It's an OLE file, obviously containing a lot of GIF files and HTML code snippets - but that's about all...