tmp0000* files filling drivespace



#1 Guest_m661_*


Posted 01 August 2011 - 06:36 PM

Greetings everyone,

Since today I have noticed a rather strange behavior regarding the creation of a few tmp files in the directory C:\Windows\Temp. I will start at the beginning of my observations, as it might give some insight into how this has happened. It is rather lengthy though.


About 2/3 days ago I installed a new test SQL 2008 R2 server for study purposes. After the initial server and database setup I noticed a big increase in CPU and memory usage. I related this at first to the server not being optimized yet. The next day I optimized the server with a max memory limit and configured the CPU affinity setting. However after the restart I noticed that my CPU was steadily increasing and my memory wasn't dropping either.

My next action was to check if the OS was creating restore points or shadow copies. However, this wasn't the case either. Next course of action was checking if winsxs had been creating abnormal amounts of aliases by using the programs TreeSize and SequoiaView. winsxs seemed fine and no file seemed out of the ordinary by size. Ran CCleaner and Auslogics Disk Defrag, then reviewed my files again, but nothing out of the ordinary or a significant change. Except for the fun fact that my drive space started dropping with 100mb per second without telling where it went.

At this point I started looking for the more nasty explanations. Ran MSE, MBAM, HJT, ClamWin but nothing turned up. (Removed the others before running a new one.)
However, while checking my processes I noticed that MSE took around 250 mb ram while I had disabled it just 5 minutes ago. After disabling it forcefully I immediately noticed new files showing up in my C:\Windows\Temp; they were all labeled tmp00000* followed by random characters. When I tried to remove them I got the error that they were in use. I launched the program Unlocker and it showed me they were tied to msmpeng.exe. I knew at this point a logical explanation could be it was scanning itself, but the folder was excluded already. I decided not to take any chances and remove the scanner. The moment I closed it, however, it restarted and out of nothing it showed me two infections, Java/CVE-2010-0094.EG 2010-0094.EH. They were successfully removed, but I didn't like the sign of this and reinstalled Java and MSE. Downloaded them by Mac, transferred them to Windows and installed them with no problem. However, after excluding MSE from itself again, it started eating disk space again.

At this point I already knew part of who did it and where it happened. So I started taking a few notes. There were a total of eight tmp00000* files in the directory with 6 showing 0kb and two showing 512kb. Further scan showed the actual size was between 2,3/3GB. The 2 files showing as 512 KB changed their number every second while keeping the shown size the same. Removing MSE stopped the tmp files again from increasing or changing. Event log did not show anything such as errors, nor did I see an increase in outgoing data in my router logs. Host and DNS configs as well show nothing strange.


So to summarize.
MSE creates tmp files in C:\Windows\Temp without a reason, eating disk space, CPU and memory.
Two infections removed Java/CVE-EH 2010-0094.EG, 2010-0094.EH
MSE, MBAM, HJT, ClamWin show clean logs, as well as event log, router logs.
Removing MSE halts the problem but the real problem source is still unknown. Problem can be replicated 9/10 times by reinstalling MSE.
Either this is a really nasty bug or a really nasty infection.


System Information
Macbook Pro late 2010 edition DDR3 4GB i7 2,6GHZ
MacOS X 10.6 Bootcamp Windows 7 Ultimate 64bit SP1

Special notes
Running SQL 2008 R2 Server (Can be shut down if it is preferred.)
Prey antitheft protection (Could be recognized as rootkit/trojan: Cannot be removed)
Prey runs at C:\Windows\security\Pr3y\platform\windows\cronsvc.exe
Unable to run GMER (64bit)


Thank you for looking into my problem. I will patiently await further instructions.

Edited by m661, 01 August 2011 - 06:48 PM.




#2 boopme


Posted 01 August 2011 - 09:47 PM

Hello m661
We need a deeper look. Please go here...
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Let me know if that went well.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Guest_m661_*


Posted 02 August 2011 - 04:59 AM

Hi boopme,

My apologies, I was under the impression I first had to create a topic in here.
Created the topic per request at http://www.bleepingcomputer.com/forums/topic412467.html

Thank you for informing me.

#4 boopme


Posted 02 August 2011 - 01:06 PM

You did OK. I can just see we cannot fix this here so we have to get you into the Malware forum.

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRL Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.



