Hitman Pro find *.tmp.exe in temp directory


GC77063

  • Root Admin

I notice you have 2 versions of Hitman Pro installed.

Please temporarily uninstall both versions. 3.7 and 3.8

Then restart the computer again.

 

These errors were from earlier last night for you. They look to hopefully be gone now as I don't see one for 02/15/2018

 

Application errors:
==================
Error: (02/14/2018 07:44:04 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine RegSetValueExW(0x000003c0,SYSTEM\CurrentControlSet\Services\VSS\Diag\VssvcPublisher,0,REG_BINARY,000000B6CA2FEF10.72).  hr = 0x80070005, Access is denied.
.

Error: (02/14/2018 07:44:04 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine RegSetValueExW(0x00000264,(null),0,REG_BINARY,000000B6CA47EE20.72).  hr = 0x80070005, Access is denied.
.


Operation:
   BackupShutdown Event

Context:
   Execution Context: Writer
   Writer Class Id: {542da469-d3e1-473c-9f4f-7847f01fc64f}
   Writer Name: COM+ REGDB Writer
   Writer Instance ID: {80f951e2-fc9c-4a5f-8803-ffa620c25774}

Error: (02/14/2018 07:44:04 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine RegSetValueExW(0x00000268,(null),0,REG_BINARY,00000057E147D9E0.72).  hr = 0x80070005, Access is denied.
.

 

I uninstalled one of the instances of Hitman but both were nuked at the same time.  At least the directory is gone but in the add and remove programs version 3.7 is still shown with the option to uninstall...but when I select uninstall it says it cannot find the directory and leaves it showing.  Anyway, I've re-booted now.

  • Root Admin

Open REGEDIT.EXE and browse to the following location.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Then search for HITMAN  - you should find the entry for it. Go ahead and delete that key only.

Then reboot and run a new FRST scan and post back the logs.

 

  • Root Admin

Let me have you run the following fix. This will zip up those files in temp for me to take a look at. It will create a new zip file on your desktop with the current date. Please attach that zip file.

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Thanks

Ron

 

Hi Ron,

Should the fix take more than 25 minutes?  Also, upon executing FRST64 I got an error message saying something to the effect that access was denied when it created the zip file...but there is a zip directory on my desktop now.  I have not stopped the fix from running.

Thanks,

Edited by GC77063
added the zip directory note
  • Root Admin

I'm sorry @GC77063

I thought I had posted a reply to you and was waiting. It looks like my post did not complete.

Please run the following for me and we'll see if we can find the application creating them. It may be normal but does seem odd.

Create an Autoruns Log:

  • Please download Sysinternals Autoruns from here.
  • Save Autoruns.exe to your desktop and double-click it to run it.
  • Once it starts, please press the Esc key on your keyboard.
  • Now that scanning is stopped, click on the Options button at the top of the program and select Verify Code Signatures
  • Once that's done press the F5 key on your keyboard, this will start the scan again, this time let it finish.
  • When it's finished, please click on the File button at the top of the program and select Save and save the Autoruns.arn file to your desktop and close Autoruns.
  • Right click on the Autoruns.arn file on your desktop and hover your mouse over Send To and select Compressed (zipped) Folder
  • Attach the Autoruns.zip folder you just created to your next reply

 

Thanks

Ron

 

  • Root Admin

Thanks - nothing obvious showing.

Please start MSCONFIG (click on Start and type in MSCONFIG) and set it to Diagnostic startup then click OK and restart the computer. Go in and delete the files in that temp folder. Then reboot one more time and see if any new files are created in that folder now.

C:\Users\Gordon Collins\AppData\Local\Temp\

Ron

 

Deleted the temp files, went to selective mode and unchecked the Startup Item box and rebooted.  There were two new tmp application files created.  The only thing that I see not loaded is real time protection for Malwarebytes...everything else seems to be normal.  If I visit msconfig again it has defaulted back to normal startup.  I have not rebooted since the selective mode boot option was chosen.

  • Root Admin

Basically we're trying to use MSCONFIG as a quick tool to load, not load programs so we can track down which program is creating these files. You can also use AutoRuns which might be quicker to use, just uncheck an item to have it not load and restart.

We could also set permissions on the folder and enable auditing to try to track it down. There are also a couple other more advanced methods of tracking it. Please give the MSCONFIG or AutoRuns a try to not load applications to see which one is creating these files. Again, I don't think they are dangerous but since we're not sure what is creating them it's kind of odd.

Will check back on you again tomorrow.

Ron
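
The folder-auditing approach mentioned in the post above could look like the following. This is an added example, not part of the original thread or any fixlist posted in it; the function names are hypothetical, and it assumes an elevated Windows PowerShell prompt, an English-language system (for the "File System" audit subcategory name), and that the folder to watch is the current user's Temp directory.

```powershell
# Added example (not from the thread). Run elevated.
# Assumption: the watched folder is the logged-on user's Temp directory.
$Folder = $env:TEMP

function New-TempAuditRule {
    # Audit successful file creation/writes by any account, inherited by children.
    New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone',
        [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
}

function Enable-TempAudit {
    # Object-access auditing must be on before the folder's SACL produces events.
    auditpol /set /subcategory:"File System" /success:enable | Out-Null
    $acl = Get-Acl -Path $Folder -Audit
    $acl.AddAuditRule((New-TempAuditRule))
    Set-Acl -Path $Folder -AclObject $acl
}

function Get-TmpExeCreator {
    # Event 4663 records the accessed object and the process that touched it.
    # Match on the file name only: $env:TEMP may be in short (8.3) form.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
            if ($data['ObjectName'] -like '*.tmp.exe') {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    File      = $data['ObjectName']
                    Process   = $data['ProcessName']
                    ProcessId = $data['ProcessId']
                    User      = $data['SubjectUserName']
                }
            }
        }
}

function Disable-TempAudit {
    # Undo both changes once the creating process has been identified.
    $acl = Get-Acl -Path $Folder -Audit
    $acl.RemoveAuditRuleSpecific((New-TempAuditRule))
    Set-Acl -Path $Folder -AclObject $acl
    auditpol /set /subcategory:"File System" /success:disable | Out-Null
}
```

Call `Enable-TempAudit`, reboot or wait for new `*.tmp.exe` files to appear, then run `Get-TmpExeCreator | Sort-Object Time | Format-Table -AutoSize` and finish with `Disable-TempAudit`.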
