Win32:Trojan-Gen: Deleted (unable to move to chest), CPU high, disk space low, slow

Help!
I deleted the trojan because I was unable to move it to the chest (Access Denied). My computer is still running slow and CPU usage is high (fan is running, loud), and disk space is low (140GB) even though I don't have files that take up that much space (should only be around 60GB used). I already ran a full system scan, Malwarebytes, SpywareBlaster, RunScanner, and Dr.Web CureIt. What do I do?

Running Windows 7 x64

C:\Users\Guest\AppData\Roaming\tempimage.exe

Did you update Malwarebytes before you ran it?

Follow this guide from our expert malware remover Essexboy and post the logs here:
http://forum.avast.com/index.php?topic=53253.0

To avoid multiple posts with copy and paste, you have to attach the logs:
Lower left corner: Additional Options > Attach (OTL.Txt, Extras.Txt and the Malwarebytes scan log)

No, I just ran it without updating. I am currently running Malwarebytes again (I just updated to the current version). I also included the file in my initial post above.

If you just updated and got the latest version, then you must run one more update after the install so you also get the latest database before you scan.

Then post all the logs, and Essexboy will look at it when he arrives.

What was the original file name of the Win32 trojan, and the full path, please?

If the original detection was by avast, then you should have scheduled a boot-time scan, as that would have got round the access denied issue: it gets in before Windows has fully started.

File Name - C:\Users\Guest\AppData\Roaming\tempimage.exe

Threat - Win32:Trojan-gen

Yes, my mistake, I deleted it without doing a boot-time scan. However, I don't think avast does a boot-time scan for an x64-based OS, only x32.

Malwarebytes Log

Malwarebytes' Anti-Malware 1.50.1.1100 www.malwarebytes.org

Database version: 5420

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

12/29/2010 5:47:14 PM
mbam-log-2010-12-29 (17-47-14).txt

Scan type: Full scan (C:|D:|E:|)
Objects scanned: 254151
Time elapsed: 38 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

OTL attachments

I’d wait and see what an expert has to say about the OTL log. It looks decidedly rootkit-y to me, but I don’t know.
When I see numbers like that in the alternate data stream, and names like “tempimage.exe” that definitely raises suspicions.

Essexboy is the man to best analyse this one.

Try GMER to see if there is a rootkit:

http://www.gmer.net/

Thanks for your help. I ran the program and it found no modifications.

Try a boot CD then.

For what purpose? Do you know what you are dealing with, here? Because I sure don’t.

But if I did, I’d be posting precise directions, and download links (as applicable) rather than a nebulous “try a boot cd then”.

I recommend waiting for Essexboy. He knows how to interpret these logs and will post advice specific to your problem.

Most likely, the result you got in the quote box above is because avast uses GMER as its rootkit detector inside the avast program. Avast had already scanned for rootkits, and a separate GMER scan was not needed.

Please wait for Essexboy to interpret your logs before doing anything else.
Essexboy is a certified malware expert.

Hi, the log does not look too bad - what problems are you experiencing at the moment?

"The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume D:."
I would recommend you run Check Disk on D:

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following:

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

- Then click the Run Fix button at the top.
- Let the program run unhindered, and reboot the PC when it is done.
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
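For readers wondering what that OTL fix actually changes on the machine, here is the same procedure written out as plain PowerShell 2.0 for Windows 7. This is an added example, not OTL's own code and not part of the thread: [purity] is left out because it removes folders matching a specific malware naming pattern and has no generic equivalent, and the Flash shared-object folder under %APPDATA% is an assumption. It must be run from an elevated prompt, and it rewrites the hosts file and deletes temp files, so the restore point is taken first.

```powershell
# Added example (PowerShell 2.0, Windows 7): the OTL fix above as explicit commands.
# Not OTL's own code. [purity] omitted; Flash LSO path is an assumption. Run elevated.

function Test-IsAdmin {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}
if (-not (Test-IsAdmin)) { throw 'Run this from an elevated PowerShell prompt.' }

# [CREATERESTOREPOINT] - taken first here so everything below can be rolled back.
Checkpoint-Computer -Description 'Before manual cleanup' -RestorePointType MODIFY_SETTINGS

# ':Files' section, 'ipconfig /flushdns /c': the '/c' suffix tells OTL to run it as a command.
ipconfig /flushdns | Out-Null

# [resethosts] - print any live entries before discarding them. A hosts file that
# redirects security or update sites is evidence worth keeping for the log.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hosts -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '^\s*[0-9A-Fa-f.:]+\s+\S' } |
    ForEach-Object { Write-Host "Discarding hosts entry: $_" }
attrib -r -s -h $hosts                       # malware often sets read-only/hidden on hosts
Copy-Item $hosts "$hosts.bak" -Force
$defaultHosts = @(
    '# Copyright (c) 1993-2009 Microsoft Corp.',
    '#',
    '# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.',
    '# localhost name resolution is handled within DNS itself.',
    '#    127.0.0.1       localhost',
    '#    ::1             localhost'
)
Set-Content -Path $hosts -Value $defaultHosts -Encoding ASCII

# [emptytemp] - approximated by clearing the current user's and the system temp folders
# (OTL's own command reaches further: other profiles, browser caches, recycle bin).
foreach ($dir in @($env:TEMP, (Join-Path $env:SystemRoot 'Temp'))) {
    Get-ChildItem $dir -Force -ErrorAction SilentlyContinue |
        Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
}

# [EMPTYFLASH] - Flash Player local shared objects ("Flash cookies"). Path is an assumption.
$flash = Join-Path $env:APPDATA 'Macromedia\Flash Player'
if (Test-Path $flash) {
    Get-ChildItem $flash -Force -ErrorAction SilentlyContinue |
        Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
}

# [Reboot] - prompts before restarting.
Restart-Computer -Confirm
```

The point of spelling it out is that every step is reversible or recorded: the restore point covers the registry and system files, the hosts file is backed up next to itself, and the entries being thrown away are echoed to the console so they can be pasted into the thread if they look like a redirect.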

I'm experiencing unusually high CPU usage (around 50% idle, up to 100% in use),
slower computer performance,
the fan is constantly on (except when asleep or in hibernation), and
disk space on C: (primary drive) is almost full. It fluctuates by GBs every time I look at the disk space. Low disk space warnings also appear and say less than 6MB is left on the drive.

I did a chkdsk on D (Recovery) and C (Primary) and found no errors.

Attached are the OTL logs, per your instructions. Thank you very much for your help, much appreciated!

Drive C: | 136.49 Gb Total Space | 100.29 Gb Free Space | 73.48% Space Free | Partition Type: NTFS
According to OTL you have plenty of drive space left

The fan being constantly on would tend to indicate an overheating problem; could you check the vents and clear any dust bunnies that you find?

I can see nothing apparent in the logs that is indicative of malware.
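The thread leaves one loose end: the user sees "low disk space" warnings while OTL reports 100 GB free on C:. The check a responder would run before attributing that to malware is to reconcile the free-space figure Windows reports with what is actually on the volume. The script below is an added example for PowerShell 2.0 on Windows 7, not part of the thread and not OTL's code; it reads the same WMI figures OTL prints, sizes the hidden system files that grow and shrink on their own (pagefile, hibernation file, shadow copies), and lists the largest top-level folders where a runaway log, dump or cache would show up. Run it as administrator so protected folders can be read.

```powershell
# Added example (PowerShell 2.0, Windows 7), not from the thread: reconcile reported
# free space with what is on disk before blaming malware for "disk space low".

function Get-VolumeSummary {
    # Same figures OTL prints as "Total Space / Free Space", straight from WMI.
    Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3' | ForEach-Object {
        New-Object PSObject -Property @{
            Drive   = $_.DeviceID
            TotalGB = [math]::Round($_.Size / 1GB, 2)
            FreeGB  = [math]::Round($_.FreeSpace / 1GB, 2)
        }
    }
}

function Get-FolderSizeGB([string]$Path) {
    # Sum of file lengths under $Path; inaccessible entries are skipped, not fatal.
    $sum = (Get-ChildItem $Path -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            Measure-Object Length -Sum).Sum
    return [math]::Round([double]$sum / 1GB, 2)
}

function Get-TopFolders([string]$Root, [int]$Top = 10) {
    # Largest top-level folders on the volume, biggest first.
    Get-ChildItem $Root -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Folder = $_.FullName
                GB     = (Get-FolderSizeGB $_.FullName)
            }
        } |
        Sort-Object GB -Descending | Select-Object -First $Top
}

function Get-SystemFileSizes([string]$Root) {
    # Hidden files that move by gigabytes on their own and are not malware.
    foreach ($name in 'pagefile.sys', 'hiberfil.sys') {
        $f = Get-Item (Join-Path $Root $name) -Force -ErrorAction SilentlyContinue
        if ($f) {
            New-Object PSObject -Property @{
                File = $f.FullName
                GB   = [math]::Round($f.Length / 1GB, 2)
            }
        }
    }
}

Get-VolumeSummary      | Format-Table Drive, TotalGB, FreeGB -AutoSize
Get-SystemFileSizes 'C:\' | Format-Table File, GB -AutoSize
Get-TopFolders 'C:\'   | Format-Table Folder, GB -AutoSize
# System Restore shadow copies also grow and shrink silently; show their allocation.
vssadmin list shadowstorage
```

If the WMI free-space figure agrees with OTL's and the folder sizes add up to roughly the used space, the warnings are coming from something transient (a snapshot, hibernation file or temp spike) rather than hidden data; if the folders sum to far less than the used space, a hidden or locked file is the next thing to look for.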