Since today I have noticed a rather strange behavior regarding the creation of a few tmp files in the directory C:\Windows\Temp. I will start at the beginning of my observations, as it might give some insight into how this has happened. It is rather lengthy though.
About 2/3 days ago I installed a new test SQL 2008 R2 server for study purposes. After the initial server and database setup I noticed a big increase in CPU and memory usage. I attributed this at first to the server not being optimized yet. The next day I optimized the server with a max memory limit and configured the CPU affinity setting. However, after the restart I noticed that my CPU usage was steadily increasing and my memory usage wasn't dropping either.
My next action was to check if the OS was creating restore points or shadow copies. However, this wasn't the case either. The next course of action was checking if winsxs had been creating abnormal amounts of aliases, using the programs TreeSize and SequoiaView. winsxs seemed fine and no file seemed out of the ordinary in size. I ran CCleaner and Auslogics Disk Defrag, then reviewed my files again, but found nothing out of the ordinary or any significant change. Except for the fun fact that my drive space started dropping by 100 MB per second without any indication of where it went.
At this point I started looking for the nastier explanations. I ran MSE, MBAM, HJT and ClamWin, but nothing turned up (I removed each one before running the next).
However, while checking my processes I noticed that MSE took around 250 MB of RAM while I had disabled it just 5 minutes earlier. After disabling it forcefully I immediately noticed new files showing up in my C:\Windows\Temp; they were all labeled tmp00000* followed by random characters. When I tried to remove them I got the error that they were in use. I launched the program Unlocker and it showed me they were tied to msmpeng.exe. I knew at this point that a logical explanation could be that it was scanning itself, but the folder was already excluded. I decided not to take any chances and removed the scanner. The moment I closed it, however, it restarted and out of nowhere it showed me two infections, Java/CVE-2010-0094.EG and 2010-0094.EH. They were successfully removed, but I didn't like the look of this and reinstalled Java and MSE. I downloaded them on the Mac, transferred them to Windows and installed them with no problem. However, after again excluding MSE from itself, it started eating disk space again.
At this point I already knew part of who did it and where it happened, so I started taking a few notes. There were a total of eight tmp00000* files in the directory, with six showing 0 KB and two showing 512 KB. A further scan showed the actual size was between 2.3 and 3 GB. The two files showing as 512 KB changed their number every second while keeping the shown size the same. Removing MSE again stopped the tmp files from increasing or changing. The event log did not show anything in the way of errors, nor did I see an increase in outgoing data in my router logs. The hosts and DNS configs likewise show nothing strange.
So to summarize.
MSE creates tmp files in C:\Windows\Temp without a reason, eating disk space, CPU and memory.
Two infections removed: Java/CVE-2010-0094.EG, 2010-0094.EH
MSE, MBAM, HJT and ClamWin show clean logs, as do the event log and router logs.
Removing MSE halts the problem, but the real source of the problem is still unknown. The problem can be replicated 9 times out of 10 by reinstalling MSE.
Either this is a really nasty bug or a really nasty infection.
MacBook Pro late 2010 edition, 4 GB DDR3, i7 2.6 GHz
Mac OS X 10.6, Boot Camp Windows 7 Ultimate 64-bit SP1
Running SQL 2008 R2 Server (can be shut down if preferred)
Prey anti-theft protection (could be recognized as a rootkit/trojan; cannot be removed)
Prey runs at C:\Windows\security\Pr3y\platform\windows\cronsvc.exe
Unable to run GMER (64-bit)
Thank you for looking into my problem. I will patiently await further instructions.
Edited by m661, 01 August 2011 - 06:48 PM.
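The post above locates the locking process by hand with Unlocker and watches the tmp00000* files change by eye. The script below is an added example, not code from the original poster or from this thread: it polls C:\Windows\Temp for files matching the pattern, records the size Explorer reports and whether the file is sparse (one reason a file can show 0 KB or 512 KB while consuming far more on disk), and asks Sysinternals handle.exe which process holds each file open, so a new file, a vanished file and its owner are captured in one timestamped sample. It assumes handle.exe is on PATH and that you run it from an elevated prompt; the function names and the parsing regex for handle.exe's output are mine, and the output line shape it expects is an assumption that may need adjusting for other handle.exe versions. It is written for PowerShell 2.0, the default on Windows 7 SP1.

```powershell
# Added diagnostic script (not from the original post). Polls a temp directory
# for tmp0000* files and maps each to the process holding it open.
# Assumptions: Sysinternals handle.exe is on PATH; run from an elevated prompt.
# Uses only PowerShell 2.0 syntax (Windows 7 SP1 default).
param(
    [string]$Dir = 'C:\Windows\Temp',
    [string]$Filter = 'tmp0000*',
    [int]$Samples = 5,
    [int]$IntervalSec = 1
)

# One snapshot of matching files: name, reported size, sparse flag, last write time.
function Get-TempSnapshot {
    param([string]$Path, [string]$Pattern)
    Get-ChildItem -Path $Path -Filter $Pattern -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Name      = $_.Name
                Bytes     = $_.Length
                Sparse    = (($_.Attributes -band [IO.FileAttributes]::SparseFile) -ne 0)
                LastWrite = $_.LastWriteTime
            }
        }
}

# Map open files under $Path to their owning processes by parsing handle.exe output.
# Assumed line shape (varies by version):  proc.exe  pid: 1234  type: File  3C8: C:\path\file
function Get-HandleOwners {
    param([string]$Path)
    $owners = @{}   # full path -> array of "proc (pid n)" strings; keys are case-insensitive
    $lines = & handle.exe -accepteula $Path 2>$null
    foreach ($line in $lines) {
        if ($line -match '^(?<proc>\S+)\s+pid:\s+(?<pid>\d+).*?\s(?<file>[A-Za-z]:\\.+)$') {
            $file = $Matches['file'].Trim()
            if (-not $owners.ContainsKey($file)) { $owners[$file] = @() }
            $owners[$file] += ('{0} (pid {1})' -f $Matches['proc'], $Matches['pid'])
        }
    }
    return $owners
}

$previous = @{}
for ($i = 1; $i -le $Samples; $i++) {
    $snap   = Get-TempSnapshot -Path $Dir -Pattern $Filter
    $owners = Get-HandleOwners -Path $Dir
    Write-Host ('--- sample {0} at {1:HH:mm:ss} ---' -f $i, (Get-Date))
    foreach ($f in $snap) {
        $full  = Join-Path $Dir $f.Name
        $who   = if ($owners.ContainsKey($full)) { $owners[$full] -join ', ' } else { '(no open handle found)' }
        $state = if ($previous.ContainsKey($f.Name)) { 'seen before' } else { 'NEW' }
        Write-Host ('{0,-24} {1,12:N0} bytes  sparse={2,-5} {3,-11} held by {4}' -f `
            $f.Name, $f.Bytes, $f.Sparse, $state, $who)
    }
    # Files present last sample but gone now (the post describes names changing every second).
    foreach ($old in $previous.Keys) {
        if (-not ($snap | Where-Object { $_.Name -eq $old })) { Write-Host ('{0,-24} GONE' -f $old) }
    }
    $previous = @{}
    foreach ($f in $snap) { $previous[$f.Name] = $true }
    if ($i -lt $Samples) { Start-Sleep -Seconds $IntervalSec }
}
```

Run it as `.\Watch-TempHandles.ps1 -Samples 10` (filename is my choice) from an elevated PowerShell; a file reported with a small size, `sparse=True` and an owner of `MsMpEng.exe (pid …)` on every sample is the pattern the post describes, and the sample-to-sample NEW/GONE lines give a timeline that can be pasted into a reply instead of a description from memory.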