Hitman Pro find *.tmp.exe in temp directory


GC77063

Hi,

Hitman Pro has been finding and placing into quarantine files designated as malware.  The name is always a variation of (something).tmp.exe.  There are often multiple instances placed in quarantine, but the malware always reappears.  The malware is being discovered in my temp directory.  I use Malwarebytes Premium but it doesn’t catch the problem.  Windows 10, 64 bit.  Any assistance will be appreciated. 
Thanks
G77063
PS: My Real-Time Protection always turns itself off too but I guess that is a separate issue.

 


  • Root Admin

Hello @GC77063 and welcome!

 

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes 3 then open Malwarebytes and check for updates. Then click on the Scan tab, select Threat Scan and click on the Start Scan button.
  • If you don't have Malwarebytes 3 installed yet please download it from here and install it.
  • Once installed, open Malwarebytes and check for updates. Then click on the Scan tab, select Threat Scan and click on the Start Scan button.
  • Once the scan is completed click on the Export Summary button and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know on your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Copy its content into your next reply.

 

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure whether your computer is 32-bit or 64-bit.

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Additions.txt log to your reply as well.

 

Thanks

Ron


  • Root Admin


Please download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Once that's done please scan with Hitman Pro again and make sure it no longer detects anything and let me know.

Ron


  • Root Admin

Please visit each of the following sites and let's reset all of your browsers back to defaults to prevent unexpected issues.
If you are not using one of the browsers but it is installed, you may want to consider uninstalling it, as older versions of some software can increase the potential for an infection to get in.

Internet Explorer
How to reset Internet Explorer settings

Microsoft Edge
How to Reset Microsoft Edge in Windows 10

Firefox
Click on Help / Troubleshooting Information then click on the Refresh Firefox button.

Chrome
Reset Chrome back to defaults to completely clear out issues with Chrome.

  • First, go to >> Google Sync << and sign into your account. Make sure you know your password as this will clear it from the browser.
  • Scroll down until you see the "reset sync" button to clear your data from the server and remove your passphrase.
  • Now, close all Chrome windows. Chrome cannot be running for the next step. If needed, print this information or use another browser to read the information.
  • Press the Windows key + R at the same time, to bring up the Run dialog box.
  • Type in (or copy/paste) the following and press Enter: %localappdata%\Google\Chrome\User Data\Default\
  1. Press Ctrl + A to select all the files and folders.
  2. Hold down Ctrl + A and click once on the files "Bookmarks" and "Bookmarks.bak". This will unselect them.
  3. With all the files selected (except for your Bookmarks), press the Delete key and click Yes to delete the files and folders.
  4. Example of all files and folders selected, except Bookmarks.

 

Restart your computer, then run FRST again, make sure you place a check mark in the Additions.txt check box, and attach both new logs.

Thanks

Ron


  • Root Admin

You don't appear to have Kaspersky antivirus or other tools installed but you do have a lot of services and files being loaded for Kaspersky. Did you use to use Kaspersky?

If you're no longer using any software from Kaspersky I would highly recommend you download their removal tool and run it.

http://media.kaspersky.com/utilities/ConsumerUtilities/kavremvr.exe

Are you running any type of tool from NirSoft?

The temporary file listed there seems to be labeled as belonging to them.


Kaspersky was loaded on my machine when I purchased it.  I'm a long time user of ZoneAlarm so I uninstalled Kaspersky.  I ran the uninstall file you linked...rebooted and ran Hitman...two instances of the tmp.exe files.  I have no idea of any app that uses NirSoft...I went to their website and I've never heard of or used those tools.  I did note that Hitman indicated that the temp files were associated with App/NirCmd-Gen...I think we're getting somewhere.


  • Root Admin

Okay, let's have you clean your temporary files using this utility. First create a new System Restore Point. Then right click it and choose "Run as administrator". It probably will not ask you to restart your computer, but go ahead and restart the computer. Then run your Hitman Pro scan again and let me know if it still finds anything.

 

Please Run TFC by OldTimer to clear temporary files:

  • Download TFC from here and save it to your desktop.
  • http://oldtimer.geekstogo.com/TFC.exe
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

 

 

Ron


  • Root Admin

You're having an error in the Event Logs that looks like it may be due to your antivirus. AVG and Kaspersky are known for errors like this as well.

System errors:
=============
Error: (02/14/2018 08:06:56 PM) (Source: Service Control Manager) (EventID: 7006) (User: )
Description: The ScRegSetValueExW call failed for Start with the following error:
Access is denied.

Error: (02/14/2018 07:52:51 PM) (Source: Service Control Manager) (EventID: 7006) (User: )
Description: The ScRegSetValueExW call failed for Start with the following error:
Access is denied.

Error: (02/14/2018 07:47:58 PM) (Source: Service Control Manager) (EventID: 7006) (User: )
Description: The ScRegSetValueExW call failed for Start with the following error:
Access is denied.


You can try fully disabling your Zonealarm antivirus temporarily and see if that error goes away.

 

You also appear to have either an old version of Bonjour or a corrupted one. Please uninstall Bonjour for now.

 

Your System Restore is also experiencing issues. Please see if you can enable System Restore and create a new System Restore Point. If not, then take a look at the following article and see if that can help you to get it fixed.

http://www.thewindowsclub.com/system-restore-not-working-windows

 


Please download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

 

Thanks

Ron


I don't know how to view the event log, but I bet it's Kaspersky leftovers...the uninstaller required me to choose from one of dozens of versions of their software in order to do the uninstall.  The exact product that I had wasn't exactly listed so I tried several that I thought were close(?) to the one I had installed...but I really am not sure I got the right one. I've never had AVG installed.  I take it that the event log is updated on system boots?  I haven't tried to disable Zonealarm yet.  How do I see the event log?

I uninstalled Bonjour and successfully created a system restore point (at least Windows reported that it was successful).  I found that I had been unable to create a restore point before the last Windows update was installed...was getting an access denied code.  Since the update it seems to work.

I re-booted and ran FRST64.  Attached is the log. I have not run Hitman.

Fixlog.txt

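As an added illustration (not posted by anyone in this thread), the following PowerShell, run from an elevated prompt on Windows 10, pulls the same Service Control Manager 7006 errors Ron quoted above and lists any *.tmp.exe files currently in the user's temp directory with their SHA-256 hash and Authenticode signer, which is what an analyst would want before deciding whether a recurring temp file belongs to a signed NirSoft utility or to something else. The function names are my own.

```powershell
# Added example (not from the thread): triage helpers for the two items discussed above.
# Run from an elevated PowerShell prompt on Windows 10.

function Get-ScmAccessDeniedErrors {
    # Event ID 7006 from Service Control Manager is the "ScRegSetValueExW call failed"
    # error quoted in the thread; a filter hashtable avoids reading the whole System log.
    param([int]$MaxEvents = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7006 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

function Get-TempExeInventory {
    # Lists *.tmp.exe files under the user's temp directory with hash and signer,
    # so a recurring file can be compared with what Hitman Pro reported.
    param([string]$Path = $env:TEMP)
    Get-ChildItem -Path $Path -Filter '*.tmp.exe' -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File     = $_.FullName
            Created  = $_.CreationTime
            SizeKB   = [math]::Round($_.Length / 1KB, 1)
            SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            SigState = $sig.Status
            Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        }
    }
}

"=== Service Control Manager 7006 errors (most recent first) ==="
Get-ScmAccessDeniedErrors | Format-Table -AutoSize -Wrap

"=== *.tmp.exe files in $env:TEMP ==="
Get-TempExeInventory | Format-List
```

The same 7006 entries can be browsed in Event Viewer (eventvwr.msc) under Windows Logs > System, which answers the "How do I see the event log?" question above.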
