Seif1993

.tmp popup on every startup


Those are fresh logs after startup without me deleting anything. Which files would I be deleting in safe mode?


By the way, if it makes any difference, when I restart into safe mode I don't get the popup or any of the tmp files associated with it. Does this matter in any way? 


Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

 

fixlist.txt


Fix result of Farbar Recovery Scan Tool (x64) Version: 01.12.2018 01
Ran by PC (07-12-2018 03:17:24) Run:12
Running from C:\Users\PC\Desktop\FRST
Loaded Profiles: PC (Available Profiles: PC)
Boot Mode: Safe Mode (minimal)
==============================================

fixlist content:
*****************
start
unlock: C:\Program Files (x86)\GUT84CB.tmp
C:\Program Files (x86)\GUT84CB.tmp
unlock: C:\Users\PC\AppData\Local\Temp\InsEC01.tmp
C:\Users\PC\AppData\Local\Temp\InsEC01.tmp
HKU\S-1-5-21-1745146063-4005962234-3562053907-1001\...\Policies\Explorer: [LinkResolveIgnoreLinkInfo] 1
HKU\S-1-5-21-1745146063-4005962234-3562053907-1001\...\Policies\Explorer: [NoResolveSearch] 1
HKU\S-1-5-21-1745146063-4005962234-3562053907-1001\...\Policies\Explorer: [NoInternetOpenWith] 1
HKU\S-1-5-21-1745146063-4005962234-3562053907-1001\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
R3 cpuz138; C:\Users\PC\AppData\Local\Temp\cpuz138\cpuz138_x64.sys [28392 2018-12-07] (CPUID) <==== ATTENTION
R2 gzflt; C:\WINDOWS\System32\DRIVERS\gzflt.sys [183576 2016-10-27] (BitDefender LLC)
R3 Trufos; C:\WINDOWS\System32\DRIVERS\TRUFOS.sys [520032 2016-11-02] (BitDefender S.R.L.)
U3 aswbdisk; no ImagePath 
C:\ProgramData\{F86B0233-9A85-4589-8AAF-524CC4F8211B}
2018-12-06 00:27 - 2018-12-06 00:27 - 000000000 ____D C:\WINDOWS\System32\Tasks\Avast Software
2018-12-06 00:27 - 2018-12-06 00:27 - 000000000 ____D C:\Program Files\Common Files\AVAST Software
2018-12-06 00:26 - 2018-12-06 00:45 - 000000000 ____D C:\ProgramData\AVAST Software
Task: {CFF925E7-F747-4A69-9AE3-7DAD19080F6E} - System32\Tasks\Avast Software\Overseer => C:\Program Files\Common Files\AVAST Software\Overseer\overseer.exe [2018-12-06] (AVAST Software)
FirewallRules: [{EFFF15ED-1116-481B-BD6D-71F690EE0765}] => (Allow) LPort=3389
FirewallRules: [{114F3CBD-C645-4BC8-BBFF-23B36F7EB519}] => (Allow) C:\Users\PC\AppData\Local\Temp\InsEC01.tmp
FirewallRules: [{015FD867-BFB4-46FB-9628-0093DE3DFF45}] => (Allow) C:\Users\PC\AppData\Local\Temp\InsEC01.tmp
emptytemp:
end 


*****************

"C:\Program Files (x86)\GUT84CB.tmp" => not found
"C:\Program Files (x86)\GUT84CB.tmp" => not found
"C:\Users\PC\AppData\Local\Temp\InsEC01.tmp" => not found
"C:\Users\PC\AppData\Local\Temp\InsEC01.tmp" => not found
"HKU\S-1-5-21-1745146063-4005962234-3562053907-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\LinkResolveIgnoreLinkInfo" => removed successfully
"HKU\S-1-5-21-1745146063-4005962234-3562053907-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoResolveSearch" => removed successfully
"HKU\S-1-5-21-1745146063-4005962234-3562053907-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoInternetOpenWith" => removed successfully
"HKU\S-1-5-21-1745146063-4005962234-3562053907-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoLowDiskSpaceChecks" => removed successfully
HKLM\System\CurrentControlSet\Services\cpuz138 => not found
HKLM\System\CurrentControlSet\Services\gzflt => removed successfully
gzflt => service removed successfully
HKLM\System\CurrentControlSet\Services\Trufos => removed successfully
Trufos => service removed successfully
U3 aswbdisk; no ImagePath => Error: No automatic fix found for this entry.
"C:\ProgramData\{F86B0233-9A85-4589-8AAF-524CC4F8211B}" => not found
C:\WINDOWS\System32\Tasks\Avast Software => moved successfully
"C:\Program Files\Common Files\AVAST Software" => not found
"C:\ProgramData\AVAST Software" => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{CFF925E7-F747-4A69-9AE3-7DAD19080F6E}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CFF925E7-F747-4A69-9AE3-7DAD19080F6E}" => removed successfully
"C:\WINDOWS\System32\Tasks\Avast Software\Overseer" => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Avast Software\Overseer" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{EFFF15ED-1116-481B-BD6D-71F690EE0765}" => removed successfully
FirewallRules: [{114F3CBD-C645-4BC8-BBFF-23B36F7EB519}] => (Allow) C:\Users\PC\AppData\Local\Temp\InsEC01.tmp => Error: No automatic fix found for this entry.
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{015FD867-BFB4-46FB-9628-0093DE3DFF45}" => removed successfully

=========== EmptyTemp: ==========

BITS transfer queue => 10510336 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 9701181 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 113409 B
Edge => 0 B
Chrome => 1107274 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 1814 B
LocalService => 0 B
NetworkService => 0 B
NetworkService => 0 B
PC => 4925400 B

RecycleBin => 87771284 B
EmptyTemp: => 108.8 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 03:17:26 ====
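As an added check (not part of the thread or of FRST): the Fixlog above shows firewall rules allowing an executable in the user's Temp folder, and FRST could not automatically fix one of them. This PowerShell lists enabled Allow rules whose program path sits in a Temp folder or ends in .tmp so they can be reviewed and removed by name; it assumes an elevated prompt and the NetSecurity module (Windows 8 or later).

```powershell
# Added check (not part of the thread or of FRST): list enabled Allow rules whose
# program path sits in a Temp folder or ends in .tmp, like the InsEC01.tmp rules in
# the Fixlog. Needs an elevated PowerShell with the NetSecurity module (Windows 8+).
function Get-TempFirewallRules {
    foreach ($rule in Get-NetFirewallRule -Action Allow -Enabled True) {
        $program = ($rule | Get-NetFirewallApplicationFilter).Program
        if (-not $program -or $program -eq 'Any') { continue }   # rule not bound to a program
        $path = [Environment]::ExpandEnvironmentVariables($program)
        if ($path -match '\\Temp\\' -or $path -match '\.tmp$') {
            [pscustomobject]@{
                Name      = $rule.Name          # the {GUID} names FRST shows
                Direction = $rule.Direction
                Profile   = $rule.Profile
                Program   = $path
                Exists    = (Test-Path -LiteralPath $path)   # False = rule outlives its binary
            }
        }
    }
}

$rules = @(Get-TempFirewallRules)
"$($rules.Count) Allow rule(s) bound to Temp or .tmp programs"
$rules | Format-Table -AutoSize -Wrap

# Once reviewed, remove a rule by the name shown above, e.g. the one FRST could not fix:
# Remove-NetFirewallRule -Name '{114F3CBD-C645-4BC8-BBFF-23B36F7EB519}'
```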


Went into safe mode and deleted pretty much all the files I can find that have any association with this software, ran a Malwarebytes scan, CCleaner, AdwCleaner, and your FRST txt. Restarted and it still popped up...


Yes this is proving to be frustrating for sure.... do this please:

Create a boot log

  1. Download Process Monitor, then extract the file ProcessMonitor.zip to your Desktop.
  2. To start logging, double-click Procmon.exe to run the tool.
  3. Select Options > Enable Boot Logging.
  4. Click OK.
  5. Restart the computer.
     Wait for approximately 5 - 15 minutes or until Windows and any startup programs have loaded.
  6. Once Windows has finished loading, double-click Procmon.exe.
  7. To save the log file, click Yes.
  8. In the Save As window, click Save.
  9. After Process Monitor has converted boot-time event data, attach Bootlog.pml to your reply
  10. Process Monitor may save multiple boot logs to your Desktop. If additional boot logs were created, attach to your reply...

Thanks,

Kevin

 

Edited by kevinf80
typo
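An added example of triaging the resulting boot log, not part of Kevin's instructions: Procmon's own command-line switches convert Bootlog.pml to CSV, and the script then pulls out every process creation whose image lives in a Temp folder or ends in .tmp. The Desktop paths are assumptions; run it from an elevated PowerShell.

```powershell
# Added example, not part of Kevin's instructions: convert the boot log to CSV with
# Procmon's documented /OpenLog and /SaveAs switches, then list every process
# creation from a Temp folder or a .tmp image. On a "Process Create" event the
# "Process Name" column is the parent, i.e. whatever launched the .tmp file.
# Note: boot logging stops the next time Procmon is launched, so the log only
# covers events up to that point. Desktop paths below are assumptions.
$procmon = "$env:USERPROFILE\Desktop\Procmon.exe"
$pml     = "$env:USERPROFILE\Desktop\Bootlog.pml"
$csv     = "$env:USERPROFILE\Desktop\Bootlog.csv"

# Procmon writes the CSV and exits; -Wait blocks until the conversion is done.
Start-Process -FilePath $procmon -ArgumentList "/OpenLog `"$pml`" /SaveAs `"$csv`" /Quiet" -Wait

function Get-TempProcessCreates($csvPath) {
    # Import-Csv streams rows down the pipeline, so a 350 MB log is not loaded at once.
    Import-Csv -LiteralPath $csvPath | Where-Object {
        $_.Operation -eq 'Process Create' -and
        ($_.Path -match '\\Temp\\' -or $_.Path -match '\.tmp$')
    } | Select-Object 'Time of Day', 'Process Name', PID, Path, Detail
}

$hits = @(Get-TempProcessCreates $csv)
"$($hits.Count) matching process creation(s)"
$hits | Format-Table -AutoSize -Wrap

# Which parent processes did the launching, and how often:
$hits | Group-Object 'Process Name' | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```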


The app created 4 bootlogs after restart, which are 350+ megabytes each, how should I attach them? Also, when I came back from work I opened my PC and it didn't pop up, however when I restarted after cleaning the registry it popped up again.


I am uploading the files to Google drive. One other thing I wanted to note, when I restarted I opened Process Monitor before the actual popup appeared as it takes 2 minutes or so to appear after startup, would this make a difference? 


Thanks for those logs, they will take an age and a half to check. Run this for me please:

Create an Autoruns Log:

Please download Sysinternals Autoruns from here and save it to your desktop.

Note: If using Windows Vista, Windows 7, Windows 8/8.1 or Windows 10 then you also need to do the following:

Right-click on Autoruns.exe and select Properties
Click on the Compatibility tab
Under Privilege Level check the box next to Run this program as an administrator
Click on Apply then click OK

  • Double-click Autoruns.exe to run it.
  • Once it starts, please press the Esc key on your keyboard.
  • Now that scanning is stopped, click on the Options button at the top of the program and verify that the following are checked, if they are unchecked, check them:

Hide empty locations
Hide Windows entries

  • Click on the Options button at the top of the program and select Scan Options... then in the Autoruns Scan Options dialog enable/check the following two options:

Verify code signatures
Check VirusTotal.com

  • Once that's done click the Rescan button at the bottom of the Autoruns Scan Options dialog and this will start the scan again, this time let it finish.
  • When it's finished and says Ready. on the lower left of the program window, please click on the File button at the top of the program and select Save and save the file to your desktop and close Autoruns.
  • Right click on the file on your desktop that you just saved and hover your mouse over Send To and select Compressed (zipped) Folder
  • Attach the ZIP folder you just created to your next reply

 

Thank you,

Kevin


Appreciate all your efforts Kevin, hopefully we'll resolve this soon. Also please confirm that the comment above, "when I restarted I opened Process Monitor before the actual popup appeared as it takes 2 minutes or so to appear after startup, would this make a difference?"  is not of importance as I don't want you to go through all those bootlogs with there being something incorrect. 

 

 

SHELBY.zip


Hello Seif1993,

Have not found anything obvious in those logs.... Sighhhhhhhh... I want to look at this from a different view, I want you to set up and run your system in "Clean Boot" mode.

Set windows up for "Clean Boot" mode, full instructions here: https://support.microsoft.com/en-gb/kb/929135

Basically all non-MS services are disabled, see how your system runs in that mode.
 
If the popup ceases we should be able to trace its source...

If clean boot stops the popup it is now a process of elimination to find which non MS service(s) was affecting your system...

Go through the process again, this time with all MS services hidden again, enable the top half of non-MS services, re-boot and see how your system responds; if still OK the top half can be left enabled.

Repeat again, enable so many of the bottom half then re-boot. Continue until you locate the problem service(s). A process of elimination, a bit long-winded but worth the effort. Let me know the outcome...

If that process proves fruitless I would suggest we try the following:

With FRST we revert the full registry to this back up - LastRegBack: 2018-05-16 21:36 or

We use system refresh and reinstall Windows, refresh does leave all personal files, folders, pictures, videos etc intact. Any personal software you've installed yourself would have to be reinstalled...

Let me know if clean boot makes any difference....

Thank you,

Kevin...
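An added example of the elimination rounds described above, not from the thread or from Microsoft's clean-boot article: it inventories the services msconfig would treat as non-Microsoft (by the binary's CompanyName), writes their current start modes to an undo file, and splits them into the two halves Kevin describes. It assumes an elevated PowerShell and a CSV path on the Desktop.

```powershell
# Added example (not from the thread or Microsoft's clean-boot article): inventory
# non-Microsoft services, save their start modes as an undo file, and split them in
# half for the elimination rounds. Run elevated; $backup is an assumed path.
$backup = "$env:USERPROFILE\Desktop\service-startmodes.csv"

function Get-NonMicrosoftService {
    # Like msconfig's "Hide all Microsoft services": classify by the binary's
    # CompanyName rather than by install path. A service whose binary is missing
    # stays in the list, because a leftover like that is exactly what is being hunted.
    Get-CimInstance Win32_Service | ForEach-Object {
        $exe = if ($_.PathName -match '^"?(.+?\.exe)') { $Matches[1] } else { $null }
        $company = ''
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $company = (Get-Item -LiteralPath $exe).VersionInfo.CompanyName
        }
        if ($_.StartMode -ne 'Disabled' -and $company -notmatch 'Microsoft') {
            [pscustomobject]@{
                Name = $_.Name; DisplayName = $_.DisplayName
                StartMode = $_.StartMode; Company = $company; Path = $exe
            }
        }
    } | Sort-Object Name
}

function Set-StartMode($name, $mode) {
    # Win32_Service reports "Auto"; Set-Service expects "Automatic".
    if ($mode -eq 'Auto') { $mode = 'Automatic' }
    Set-Service -Name $name -StartupType $mode
}

function Disable-Group($group) { foreach ($s in $group) { Set-StartMode $s.Name 'Disabled' } }

function Restore-StartModes {
    # Undo: put every service back to the mode recorded in $backup.
    Import-Csv -LiteralPath $backup | ForEach-Object { Set-StartMode $_.Name $_.StartMode }
}

$all = @(Get-NonMicrosoftService)
$all | Export-Csv -LiteralPath $backup -NoTypeInformation   # the undo file, keep it
$half   = [math]::Ceiling($all.Count / 2)
$top    = @($all | Select-Object -First $half)
$bottom = @($all | Select-Object -Skip $half)

"Top half ($($top.Count)):";       $top    | Format-Table Name, Company, StartMode
"Bottom half ($($bottom.Count)):"; $bottom | Format-Table Name, Company, StartMode

# Round 1: leave the top half enabled, disable the bottom half, reboot, and note
# whether the popup returns. Then Restore-StartModes, swap halves, and keep halving
# whichever group still shows the popup:
# Disable-Group $bottom
```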

 

 

 


I started up in clean boot and it still pops up... Is this real life? How can something so silly be so difficult to pin point? There surely has to be a way aside from a system refresh...


And when I click on "go to services" in the "details" section of task manager, it moves me to the "services" tab but does not highlight any service.


And when I click on "go to services" in the "detail" section of task manager, it moves me to the "services" tab but does not highlight any service.

 

PLEASE IGNORE MY LAST COMMENT. 

360detail.jpg


Hello Seif1993,

Have just finished trawling the .pml logs, nothing related to 360 found... Regarding clean boot, we use that to see if a non-MS service was at fault, that is usually productive. In your case we fell at the first fence... another big sigh as the popup showed its face....

Safe mode is only basic services loading, popup does not show. The only problem there is we have no idea which non-starter is our culprit.

The link you posted, SpyHunter, is a typical sales offer, their program will do the fix, but not for free. I always wonder how these guys always seem able to fix unmovable and unfindable programs.

Finding the listed .dll files would mean each one being searched for, they could be anywhere, system32 folder, windows folder, wow64 folder, Programs folder... etc etc...

I assume a System Refresh is not an option you would consider, does the same go for the registry restore " LastRegBack: 2018-05-16 21:36"

When you have Task Manager open if you right click on the InsF075.tmp entry you will have the option to "open file location"...

There is a discussion at Bleeping Computer regarding a thread very similar to yours, no obvious fix yet...

Continue with the following:

Please download Zemana AntiMalware and save it to your Desktop.
 
  • Install the program and once the installation is complete it will start automatically.
  • Without changing any options, press Scan to begin.
  • After the short scan is finished, if threats are detected press Next to remove them.
    Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please re-boot your computer manually.
     
  • Open Zemana AntiMalware again.
  • Click on the report icon and double click the latest report.
  • Now click File > Save As and choose your Desktop before pressing Save.
  • Attach saved report in your next message.


Next,

Please read carefully and follow these steps.
  • Download TDSSKiller from here http://support.kaspersky.com/downloads/utils/tdsskiller.exe and save it to your Desktop.
  • Double-click on the downloaded file to run the application.
  • The "Ready to scan" window will open, click on "Change parameters".
  • Ensure all entries are checkmarked under Additional Options. Ensure all entries are checkmarked under Objects to scan. When Loaded Modules is checkmarked a re-boot will be offered, allow that to happen...
  • Continue after reboot: select "Change Parameters", make sure entries are checkmarked and then select "Start Scan".
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Post those two logs in your reply..

Thanks,

Kevin


Also I noticed that when I had the antivirus/malware program deactivated, the popup would come up at the exact same time my system alerts me that my computer's antivirus is turned off. Does this help in any way?


Restoring the registry to the last confirmed good back up, which is dated 16th May 2018 (LastRegBack: 2018-05-16 21:36), really depends on what changes were made since then: Windows updates, software changes/updates etc... I would only go that route if we had no other options..

Run FRST one more time:

Type or copy/paste the following in the edit box after "Search:".

03374065

Click Search Registry button and post the log (Search.txt) it makes to your reply.


Run FRST one more time:

Type the following in the edit box after "Search:".

03374065.sys

Click Search Files button and post the log (Search.txt) it makes to your reply.


Farbar Recovery Scan Tool (x64) Version: 09.12.2018
Ran by PC (10-12-2018 02:33:09)
Running from C:\Users\PC\Desktop\FRST
Boot Mode: Normal

================== Search Files: "03374065.sys" =============


====== End of Search ======
