Endpoint Protection

  • 1.  .tmp file in this location is a picture of a turtle saying "we like whoa!" and "and you were like whoa!"...what is this?!?!

    Posted Sep 14, 2009 04:47 PM
    In C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer\ there are TONS of these .tmp files

    all of them are 4aadb231.tmp and they number accordingly up, with b switching to c as the last 3 digits hit 999, etc...

    my question is...WHAT ON EARTH IS THIS? Symantec keeps finding these on our server...as .tmp files. They don't seem to be doing anything, but when I opened it up with Internet Explorer, it just has this graphic of a turtle (some type of Java image, it moves around in a 1x1 box...just 2 different pictures.)...

    and that's what each of these .tmp files is....very weird

    I'd like some answers from anybody...we keep deleting them and they keep re-creating themselves.

    there are no scheduled tasks running, AV is updated (SEP12), Windows Server 2003 R2...

    if you need any other info let me know.

    also, when opening this up in IE I cannot view the page source. When opening it up in a text editor it's all Wingdings....the last line of code has this address...

    (removed unsafe website)

    which leads to nothing...

    Thanks for any help you all might have

    MD


  • 2.  RE: .tmp file in this location is a picture of a turtle saying "we like whoa!" and "and you were like whoa!"...what is this?!?!

    Posted Sep 14, 2009 05:06 PM
    You may have a variant of Adware. Mirar - http://www.threatexpert.com/reports.aspx?find=getmira&x=0&y=0

    http://www.symantec.com/security_response/writeup.jsp?docid=2004-091714-4329-99&tabid=2

    See

    The 5 Steps of Virus Troubleshooting

    - http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007011014341948

    Can you submit a sample file for Security Response to analyze ASAP?

    Thomas


  • 3.  RE: .tmp file in this location is a picture of a turtle saying "we like whoa!" and "and you were like whoa!"...what is this?!?!

    Posted Sep 14, 2009 05:13 PM
    I removed the link you posted because that is a known infected site.

    http://safeweb.norton.com/report/show?url=getmirar.com&x=0&y=0


  • 4.  RE: .tmp file in this location is a picture of a turtle saying "we like whoa!" and "and you were like whoa!"...what is this?!?!

    Posted Sep 16, 2009 02:10 PM
    I submitted the file to threatexpert.com...anywhere else that you would like me to submit this?


  • 5.  RE: .tmp file in this location is a picture of a turtle saying "we like whoa!" and "and you were like whoa!"...what is this?!?!
    Best Answer

    Posted Sep 16, 2009 02:18 PM
    You can submit to Symantec through one of the links on this page.

    http://www.symantec.com/business/security_response/submitsamples.jsp

    Thomas