You should have WinPatrol on your system

You really should have WinPatrol installed on your system.  It’s a service type of application that monitors changes to your system.  For example, if an app tries to register a web browser toolbar, WinPatrol will warn you and give you a chance to block it.  There’s a free version and a paid version.  The free version is very good, but you’ll want the paid version.  It’s very affordable and will keep your machine from being bogged down with crapware and suspicious processes.  WinPatrol is written and supported by Bill Pytlovany, a well-known Windows security professional.

I just installed the MyHeritage Family Tree Builder desktop application on my main development box.  I’ve been using FTB for a few years on our shared family PC.  It’s a nice genealogy application that I have used to publish my mother’s family tree online.  The technology is very cool and I will get back to describing it in more depth.

When I installed the FTB app, the installer asked if I wanted to change the default search provider to one provided by MyHeritage and to install a MyHeritage toolbar into Internet Explorer.  I declined both options.  I have IE set to use Bing as the default search provider and I didn’t want to change it.  I also did not want to install any toolbars into IE.

I avoid IE toolbars like they are the plague.  They eat up screen real estate, slow down the browsing experience, are the root cause of 70% of the browser crashes, and cause cancer in lab rats.  So I declined that option and installed FTB.  And the installer ignored my choices and tried to change the search provider and install their toolbar anyways. I don’t know if that was sloppy coding and testing on their part or it was intentional.  Either way, that wasn’t what I wanted.

How did I know this?  Because WinPatrol was doing its job and warned me about each change.  I saw a dialog that looked remarkably like this:

[Screenshot: WinPatrol “New Program Alert” dialog]

Scotty (the mascot and public face of WinPatrol) caught the attempt of the installer to register a new toolbar.  The “New Program Alert” dialog will display enough information about the pending change to your system that you can usually make a quick and informed decision on whether or not to block it.  If you see something you don’t recognize, clicking the “PLUS Info…” dialog will take you to a WinPatrol web page that will display more information about the object being installed.

Without WinPatrol, I would not have caught either change until the next time I started Internet Explorer.  With the MyHeritage stuff, it wasn’t malicious code, but it was code that I didn’t want to run.  And thanks to WinPatrol, it wasn’t going to run. I was able to prevent changes being made to IE, and that’s worth the price of admission.

Monitoring changes to IE is not the only thing in WinPatrol’s arsenal.  It gives you an easy way to see what apps are set to start when the computer boots up and the means to block them.  If your computer seems to be running slower and slower each day, the odds are you picked up some processes that run in the background.  Most of them are pretty harmless, but when you start adding them up, they will slow down your PC.  WinPatrol has an online database and can identify most of them and tell you if you should keep them running or block them.
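The kind of change described above (new startup entries, a new IE toolbar, a different default search provider) can also be spotted by hand with a before-and-after comparison of a few registry keys. The script below is an added example, not WinPatrol's code or method; the key list and the baseline file name are assumptions made for this example.

```powershell
# Added example, not WinPatrol's code. Run once to save a baseline, then again
# after an install to list autostart and IE registry values that changed.
# Assumption: these four keys are the locations of interest; on 64-bit Windows
# the Wow6432Node copies of the HKLM keys would need to be added.
$keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Internet Explorer\Toolbar',
    'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
)
# Hypothetical baseline location chosen for this example.
$baseline = Join-Path $env:LOCALAPPDATA 'autostart-baseline.csv'

function Get-Snapshot {
    # Emit one object per registry value: "key|valueName" plus its data as text.
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            New-Object PSObject -Property @{
                Id   = "$key|$name"
                Data = [string]$item.GetValue($name)
            }
        }
    }
}

$current = @(Get-Snapshot)
if (-not (Test-Path -Path $baseline)) {
    # First run: record the current state.
    $current | Export-Csv -Path $baseline -NoTypeInformation
    "Baseline saved: $($current.Count) values."
} else {
    # Later runs: report values that were added, changed or removed.
    $old = @{}
    foreach ($row in Import-Csv -Path $baseline) { $old[$row.Id] = $row.Data }
    foreach ($e in $current) {
        if (-not $old.ContainsKey($e.Id)) { "ADDED   $($e.Id) = $($e.Data)" }
        elseif ($old[$e.Id] -ne $e.Data) { "CHANGED $($e.Id) = $($e.Data)" }
        $old.Remove($e.Id)
    }
    foreach ($id in $old.Keys) { "REMOVED $id" }
}
```

Delete the baseline file to accept the current state as the new reference.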

Why are there randomly named folders with mpavdlta.vdm files on my C: drive?

I was looking for a folder on a PC at home (Vista, 32 bit) when I saw a bunch of folders with oddly formed filenames.  There were 13 of them, with names and dates like this:

05/15/2010  03:34 AM              2f934881647646785dbf842f86e91ec9
11/01/2009  03:24 AM              3b9e7b6e4c58a68b7e71c5e3
11/03/2009  04:18 AM              54693b59d80daf1421b7dda39a
10/31/2009  03:16 AM              56d6fe71d579ef79995fee64834082

They all had files with the name “mpavdlta.vdm” and every time I tried to open the folder with Windows Explorer, I would get the following dialog:

You don't currently have permission to access this folder

I would press the “Continue” button and would have to answer “Continue” to the UAC dialog that would pop up on the screen.

Ok, so what are these files, what are they doing here, and can I remove them? 

After a bit of searching, I found that they are the AntiSpyware definition files from the Microsoft Security Essentials antivirus application.  That answered the first question.  More precisely, they are the delta files for the antivirus definitions.  There is also a mpavbase.vdm, which is the base signature file.  The mpavdlta has all of the changes since the last mpavbase was downloaded. Gilham Consulting has a nice blog post that describes the various AV definition files that come with MSE.

As for how they got there, it appears to be a bug or design flaw with MSE.  The last randomly named folder from MSE was dated 5/26/2010, a good three months ago.  I fired up the MSE console and it displayed that the virus definitions were current as of 8/21/2010.

[Screenshot: MSE console]

My first guess was that the situation that was causing the vdm files and folders to be created all over my C: drive had been addressed.  With Windows Explorer, I went in and was able to delete most, but not all of the folders.  It appears that MSE is still doing the random folder thing.  But I was able to clear out most of them. So it looks like this is a bug in the current release.  From the various posts in the MSE forums, it appears that MS is aware of the problem, but nothing official has been posted about a resolution.

I think it’s a bit odd that MSE is storing the AV definition files in this manner.  I’ve been pretty happy with how MSE is protecting my PC from virus attacks.  I wouldn’t call it perfect, but it’s more than good enough for my needs.  It’s a much lighter load on the system than the commercial AV solutions.  I can put up with a few randomly named folders for the protection that it provides, but I would be more comfortable if the files had been shoved in a folder under %ALLUSERSPROFILE% as a default location.  I’ll file this under “Nothing to see here, move along”.
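To review folders like the ones listed earlier without opening each one in Explorer, the following read-only script (an added example, not from MSE or Microsoft) lists root-level folders with hex-string names and reports any .vdm files inside them. The name pattern is an assumption based on the four sample names above; run it from an elevated prompt, since the folders deny access to a standard user.

```powershell
# Added example: inventory hex-named folders at the root of a drive and show
# whether they contain definition (.vdm) files. Nothing is modified or deleted.
param([string]$Root = 'C:\')

# Assumption: 20 to 32 hex digits, taken from the sample names in the listing.
$hexName = '^[0-9a-f]{20,32}$'

Get-ChildItem -LiteralPath $Root -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and $_.Name -match $hexName } |
    ForEach-Object {
        $dir = $_
        $denied = $null
        # Access-denied errors are collected in $denied instead of stopping the scan.
        $vdm = @(Get-ChildItem -LiteralPath $dir.FullName -Force -Filter '*.vdm' -ErrorAction SilentlyContinue -ErrorVariable denied)
        $sum = ($vdm | Measure-Object -Property Length -Sum).Sum
        New-Object PSObject -Property @{
            Folder   = $dir.Name
            Modified = $dir.LastWriteTime
            Files    = ($vdm | ForEach-Object { $_.Name }) -join ', '
            SizeMB   = [math]::Round(($sum / 1MB), 1)
            Readable = ($denied.Count -eq 0)
        }
    } |
    Sort-Object Modified |
    Format-Table Folder, Modified, Files, SizeMB, Readable -AutoSize
```

A row with Readable set to False means the folder's contents could not be listed, which matches the permission dialog described above.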