Hello folks,
Found this thread while googling the subject. I'm seeing these sigN.tmp files on an XP Pro desktop and an XP MCE notebook. Both are up to date, tightly configured, and generally unlikely to be infected.
Currently I'm testing on my notebook with no LAN connection and wireless *disabled*, so no network connectivity, period. I delete these sigN.tmp files, restart the machine, and at the earliest opportunity 1) open Windows Temp so I can watch for their creation, 2) launch SysInternals Procmon.exe so I can monitor what processes are up to. Approximately 7 or so minutes after restart (note: older notebook) these files get created. I, and presumably others, can reliably capture this using Procmon and other tools.
During my initial captures I found it was AvastSvc.exe and cmdagent.exe that were performing operations on these files, with AvastSvc.exe being the first. Unsure of the interplay between these two, I first tried to eliminate Comodo from the picture by changing Defense+ to disabled, changing Firewall to disabled, and leaving Sandbox on disabled. That didn't stop cmdagent from running and showing up in the sigN.tmp manipulation log. I tried a couple more things but it appears that there are some protections against disabling Comodo and I didn't feel like digging into that right now. So leaving Comodo as just described, I went into Avast and disabled all the shields. I deleted those sigN.tmp files, restarted, and waited to see what happened.
My latest capture shows only AvastSvc.exe manipulating/creating the sigN.tmp files. Here is a quick pic of that capture with a "Path contains \sig" filter applied to narrow the results down to the manipulation of just these files: http://oi51.tinypic.com/b7x6qx.jpg

It is late, I'm tired, and I'm not really sure what is behind this behavior. Perhaps others will carry the ball farther while I am attempting to dream of other things.
I'll check in tomorrow.
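An added example, not part of the original post: one way to turn a capture like the one described above into a per-file attribution, by parsing a Process Monitor CSV export and reporting which process created each sigN.tmp file and which processes touched it afterwards. It assumes Procmon's default export columns, that N is numeric, and uses constructed sample rows; the function name `attribute` is hypothetical.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample rows (not the poster's capture), in Procmon's default
# CSV export column layout. Paths and Detail strings are illustrative.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:07:01.10 PM","AvastSvc.exe","1200","CreateFile","C:\WINDOWS\Temp\sig1.tmp","SUCCESS","Desired Access: Generic Write, Disposition: Create, OpenResult: Created"
"9:07:01.20 PM","AvastSvc.exe","1200","WriteFile","C:\WINDOWS\Temp\sig1.tmp","SUCCESS","Offset: 0, Length: 4,096"
"9:07:02.00 PM","cmdagent.exe","880","CreateFile","C:\WINDOWS\Temp\sig1.tmp","SUCCESS","Desired Access: Generic Read, Disposition: Open, OpenResult: Opened"
"9:07:03.00 PM","AvastSvc.exe","1200","CreateFile","C:\WINDOWS\Temp\sig2.tmp","SUCCESS","Desired Access: Generic Write, Disposition: Create, OpenResult: Created"
"9:07:04.00 PM","explorer.exe","1500","CreateFile","C:\WINDOWS\Temp\signature.log","SUCCESS","Desired Access: Generic Read, Disposition: Open, OpenResult: Opened"
'''

# Narrower than the "Path contains \sig" display filter: only sig<digits>.tmp
# (assumption: the N in sigN.tmp is a number).
SIG_TMP = re.compile(r"\\sig\d+\.tmp$", re.IGNORECASE)


def attribute(csv_text):
    """Map each sigN.tmp path to its creating process and every process that touched it.

    Rows are assumed to be in capture (chronological) order, as Procmon exports them.
    """
    report = defaultdict(lambda: {"creator": None, "touched_by": []})
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["Path"]
        if not SIG_TMP.search(path):
            continue
        entry = report[path.lower()]  # Windows paths are case-insensitive
        proc = row["Process Name"]
        if proc not in entry["touched_by"]:
            entry["touched_by"].append(proc)
        # A CreateFile event is also logged for plain opens; only
        # "OpenResult: Created" means the file did not exist before.
        created = (row["Operation"] == "CreateFile"
                   and row["Result"] == "SUCCESS"
                   and "OpenResult: Created" in row["Detail"])
        if created and entry["creator"] is None:
            entry["creator"] = proc
    return dict(report)


if __name__ == "__main__":
    # For a real export, read the file with encoding="utf-8-sig" to drop the BOM.
    for path, info in attribute(SAMPLE_CSV).items():
        print(path, "created by", info["creator"], "| touched by", info["touched_by"])
```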