Huge files occurring in c:\windows\temp\ do I have a problem?


5 replies to this topic

#1 JAOWG

JAOWG

  • Members
  • 20 posts
  • OFFLINE
  • Local time:09:31 PM

Posted 27 February 2011 - 01:05 PM

Hello folks, I'm new here, but you have been recommended to me as quote: "Knowing a thing or two about computer viruses and removal". Looking round this seems to be the case so I wonder if you might be able to help me.

Windows XP most recent service release. 40GB HP portable some years old.

Portable runs Zone Alarm anti virus/firewall (subscribed to) as standard, and router has firewall running. Sometimes runs on wireless internet through the home network served by that router and v. occasionally via a 3G dongle.

I've been having problems with a lack of space on the hard-drive. Got cross yesterday and went for a thorough search to see if I could find the missing space. The missing space turned up in a sequentially numbered set of .tmp files in the c:\windows\temp\ folder-directory. These were numbered forwards from AV1.tmp and, wait for it.....were around half a gigabyte each in size!! Deletion of these found me over 18GB of space!! However, there was one that I couldn't delete and it wouldn't let me view the contents either - telling me that it was in use.

I restarted the system and checked the directory and it had written a new half gig file, at this point the newly numbered file became the one that was 'in use', but the old one was still there - though now easily deleted.

I've chucked the might of ZA over the system to no benefit, I've run the rkill routine followed by Malwarebytes, nothing found, I've run the detection side of SUPERAntiSpyware over it, it finds things that it thinks could be, but they seem to check out as false positives if I search them on the internet. And I've tried 'stinger' (after rkill) which again only seems to throw up false positives.

I've opened one of the previous files under notepad, loads of gobbledegook, although in 'English' at one point I can find the words 'virus win32=renamer' and 'Trojan DDOS win 32'. This to my mind sounds more iffy, but I can't find anything to detect it.

Do you think this is sinister behaviour that should be investigated? Or can you guess at what might be writing these half gig sized files in c:\windows\temp and know how to stop it? I would rather not have to continually remember to delete them and ZA won't let me run a batch file to delete them automatically as it thinks that IS 'sinister behaviour' and immediately quarantines the routine!!

I'd be grateful for some pointers - many thanks
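The symptom described in the post above (a run of sequentially numbered, very large temp files, the newest of which is held open) is something a responder would want to measure before deleting anything. The script below is an added example and is not code from the thread or from any of the tools mentioned in it. It groups files named prefix+number+extension (AV1.tmp, AV2.tmp, ...) in a directory, reports each group's total size, the numbering gaps, and whether the newest member appears to be held open. The directory layout, the 4 KiB file sizes and the threshold are constructed sample values standing in for the ~500 MB files in the post; the "in use" probe (renaming a file onto itself) is an assumption-labelled heuristic that only means anything on Windows.

```python
import os
import re
import shutil
import tempfile
from collections import defaultdict

# Names such as AV1.tmp or AV23.tmp: an alphabetic prefix, a run of digits, an extension.
NUMBERED_NAME = re.compile(r"^(?P<prefix>[A-Za-z_]+)(?P<num>\d+)(?P<ext>\.[A-Za-z0-9]+)$")


def file_is_in_use(path):
    """Heuristic 'in use' probe (assumption: good enough for triage, not proof).
    On Windows a rename needs DELETE access, which another process that opened the
    file without FILE_SHARE_DELETE denies, so renaming the file onto itself raises
    PermissionError. On POSIX the rename is a no-op and this always returns False."""
    try:
        os.rename(path, path)
    except PermissionError:
        return True
    return False


def scan_numbered_sequences(directory, min_total_bytes, min_count=2):
    """Group files named <prefix><number><ext> and report every group with at least
    min_count members whose combined size reaches min_total_bytes.
    Returns a list of dicts, largest group first."""
    groups = defaultdict(list)
    with os.scandir(directory) as entries:
        for entry in entries:
            if not entry.is_file(follow_symlinks=False):
                continue
            m = NUMBERED_NAME.match(entry.name)
            if not m:
                continue
            key = (m.group("prefix"), m.group("ext").lower())
            groups[key].append((int(m.group("num")), entry.path, entry.stat().st_size))

    findings = []
    for (prefix, ext), members in groups.items():
        if len(members) < min_count:
            continue
        total = sum(size for _, _, size in members)
        if total < min_total_bytes:
            continue
        members.sort()  # ascending by number, so the last member is the newest
        numbers = [n for n, _, _ in members]
        present = set(numbers)
        newest_path = members[-1][1]
        findings.append({
            "prefix": prefix,
            "ext": ext,
            "count": len(members),
            "total_bytes": total,
            "first": numbers[0],
            "last": numbers[-1],
            # numbers missing from the run, e.g. files already deleted by hand
            "gaps": [n for n in range(numbers[0], numbers[-1]) if n not in present],
            "newest": newest_path,
            "newest_in_use": file_is_in_use(newest_path),
        })
    findings.sort(key=lambda f: f["total_bytes"], reverse=True)
    return findings


def format_report(findings):
    """One line per flagged group, readable enough to paste into a help request."""
    lines = []
    for f in findings:
        lines.append(
            f"{f['prefix']}<n>{f['ext']}: {f['count']} files, "
            f"{f['total_bytes'] / 2**20:.1f} MiB, numbers {f['first']}..{f['last']}, "
            f"missing {f['gaps']}, newest {os.path.basename(f['newest'])} "
            f"in use: {f['newest_in_use']}"
        )
    return "\n".join(lines) or "no numbered sequences above threshold"


def build_sample_dir(file_size=4096):
    """Constructed stand-in for C:\\Windows\\Temp: AV1, AV2, AV4 and AV5 (.tmp) of
    file_size bytes each (AV3 'already deleted'), plus two files that must not be
    reported. Returns the directory path; remove it with remove_sample_dir()."""
    d = tempfile.mkdtemp(prefix="tmp-triage-")
    for n in (1, 2, 4, 5):
        with open(os.path.join(d, f"AV{n}.tmp"), "wb") as fh:
            fh.write(b"\0" * file_size)
    with open(os.path.join(d, "readme.txt"), "w") as fh:
        fh.write("not a numbered name\n")
    with open(os.path.join(d, "X9.log"), "w") as fh:
        fh.write("single member, below min_count\n")
    return d


def remove_sample_dir(d):
    shutil.rmtree(d, ignore_errors=True)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Real directory: only report groups totalling 256 MiB or more.
        print(format_report(scan_numbered_sequences(sys.argv[1], min_total_bytes=256 * 2**20)))
    else:
        sample = build_sample_dir()
        try:
            print(format_report(scan_numbered_sequences(sample, min_total_bytes=10_000)))
        finally:
            remove_sample_dir(sample)
```

Run it with no arguments to see the report on the constructed sample, or pass a directory such as C:\Windows\Temp to scan a real machine. The report answers the questions a helper would ask first (how many files, how much space, which one is current) without deleting anything; identifying which process actually holds the newest file open is a separate step, for which a handle viewer such as Process Explorer from Sysinternals is the usual tool on Windows.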

#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:05:31 PM

Posted 27 February 2011 - 01:58 PM

Hello, this is usually a rootkit behavior.
We need a deeper look. Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs
and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Let me know if that went well.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 JAOWG

JAOWG
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:09:31 PM

Posted 27 February 2011 - 03:22 PM

Hello boopme

I'm on a different PC at the moment - I'm trying to work through 6-9 and have got as far as the Gmer routine, but now have problems - once I get up and going again I'm going to abandon the attempt and post what I have so far in accordance with your instruction, but I now have a PC that isn't overly impressed with life. I got as far as the Gmer bit without problems. It then appeared to run the Gmer routine after clicking the appropriate options OK, but once it completed the PC completely locked up and I couldn't save the log or do anything more with the PC. I had to hit the off button for 7 seconds just to get it turned off. It then took an absolute age to boot, and I thought I would just try the routine again as I had got so far along. Just the action of opening the directory and clicking the Gmer.exe caused the PC to stop responding in the same way as before and another 7 second turn-off ensued (winces!). I am now waiting again in the hope that the machine boots this time. Interestingly there wasn't a new half gig file created following the first hard switch off routine because I checked before I went for the Gmer.exe the second time. The only difference I could see was that I had run the DeFogger. Still it looks like I have the other PC booting now and I will not try Gmer again, but will post the other log as instructed on a new thread - in terms of posting the problem again, do I need to copy and paste the text I have typed here or can I just link back to this topic please?

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:05:31 PM

Posted 27 February 2011 - 03:28 PM

Hi, Yep, skip the GMER and link back is fine, they can see all your issues that way.

#5 JAOWG

JAOWG
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:09:31 PM

Posted 27 February 2011 - 04:06 PM

Hi boopme, OK, I'm there. The portable is running v. slowly at the moment, but the thread is posted. I read the advice, but as I didn't know what I was infected with I've given the thread a similar name to this one in the absence of any other ideas, I hope that is sufficient for those that pick up on it. Many thanks for your assistance, I assume that someone will tell me if I still need any of the logging programs that I downloaded - I think the DDS.scr (in particular) suggested it would only be needed once?

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:05:31 PM

Posted 27 February 2011 - 04:38 PM

Ok that looks great. It's going to be a day or two as we got backlogged in there I see. BUT ALL logs are answered..

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRL Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.