Seif1993

.tmp popup on every startup


I've uninstalled my iObit software before and it made no difference. I've had these programs for years now and never had an issue. I have around 5 iObit-related programs, so uninstalling them once again would be tedious, and it hasn't solved the issue before.

 

There is a similar thread over on BleepingComputer, https://www.bleepingcomputer.com/forums/t/687511/360-safe-popup-after-reboot/page-5; in the last comment the OP explained that he was able to edit the hosts file, which prevented the pop-up from happening. I am not quite sure what that means; would you care to explain?


That is not a fix. It is a band-aid for the issue. Basically, the computer has some type of automated entry allowing this object to run. Because it appears to have access to the network to help launch the process, the inclusion of an entry in the "hosts" file redirects that IP to an invalid IP, thus preventing the launch. But again, that is not a fix; it's a workaround, as the cause has not been found yet.

There are probably well over 50 ways to launch an object; many of them are very easily checked and tested for. Others are a bit more complex in how they run.

Scheduled tasks are one major way. On XP there were no scheduled tasks; on Vista there was a handful; Windows 7 has dozens; in Windows 10 they really jumped that number up, and now there are over 100 scheduled tasks. FRST ignores most of the Microsoft ones, so that leaves us with still quite a few that in "theory" are safe or known; however, you have an anomaly here where typical scans and reviews are not revealing the exact launch point. There are drivers that can perform the task that you're experiencing, but there is no known database that contains every single driver out there with a known, verified coding and behavioral analysis. The same goes for every executable and DLL on the system, as well as some other file types that are also not listed. Then there are COM events, where applications talk to each other, that are not easily shared or tracked at that level too well, even with Process Monitor. In some cases it may show that the applications are loaded and exchanging data, but at a machine-code level it is not evident what is actually being read or written. There is software to track that, but it is not free; there are some other options, though, if it comes down to that.

A couple of things that help us are that you say it does not appear to run in Safe Mode. In Safe Mode, most of the scheduled tasks don't run. Many of the underlying data exchanges between applications are no longer operational the same way they are in Normal Mode. I'm not saying iObit is the cause, but it has a ton of tasks and underlying communications that are difficult to just shut off in Normal Mode.

There are also many other types of launch methods available to different browsers, etc.

Before we dive into more exotic tracking modes let me get a better look at your scheduled tasks and see if I can find something in there. Please open an elevated Admin command prompt and type exactly as shown, or copy/paste that into the command window. This will create a MyScheduledTasks.txt file on your desktop. Please upload that file on your next reply.

SCHTASKS /Query /FO TABLE /V >"%USERPROFILE%\desktop\MyScheduledTasks.txt"

Thanks again

Ron

 

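The SCHTASKS export above gives the raw table. As an added example (not from the thread, and not a Malwarebytes or Sysinternals tool), the PowerShell below does the review Ron describes in a more targeted way: it lists only the tasks that are not Microsoft's own, resolves what each action actually launches, and flags actions that point at temp locations or at binaries outside the usual program folders. It assumes Windows 8 / Server 2012 or later (the ScheduledTasks module) and an elevated PowerShell prompt; the output file name and the "trusted roots" list are constructed for the example.

```powershell
# Added example, not from the thread: list every scheduled task that is not
# Microsoft's own, show what each one actually launches, and flag actions that
# point at temp locations or at files outside the usual program folders.
# Assumes Windows 8/Server 2012 or later (ScheduledTasks module) and an
# elevated PowerShell prompt; the output path is a constructed example.
$outFile = Join-Path $env:USERPROFILE 'Desktop\NonMicrosoftTasks.csv'

# Folders that a legitimately installed program normally launches from
# (constructed list; extend it for your own layout).
$trustedRoots = '^(%SystemRoot%|%windir%|%ProgramFiles%|C:\\Windows|C:\\Program Files)'

$rows = Get-ScheduledTask | Where-Object {
    $_.TaskPath -notlike '\Microsoft\*' -and $_.Author -notlike 'Microsoft*'
} | ForEach-Object {
    $task = $_
    $info = $null
    # Some products block reads of their own task (as seen in this thread);
    # record that instead of aborting the whole listing.
    try { $info = $task | Get-ScheduledTaskInfo -ErrorAction Stop } catch { }

    foreach ($action in $task.Actions) {
        if ($action.PSObject.Properties['Execute']) {
            $exe = ([string]$action.Execute).Trim('"')   # MSFT_TaskExecAction
            $arguments = $action.Arguments
        } else {
            $exe = "COM:$($action.ClassId)"   # MSFT_TaskComHandlerAction: a COM object, not a file
            $arguments = $action.Data
        }

        $flags = @()
        # -match is case-insensitive in PowerShell, so Temp/TEMP/.TMP all hit.
        if ("$exe $arguments" -match '\\temp\\|\.tmp\b') { $flags += 'TEMP-PATH' }
        if ($exe -and $exe -notmatch '^COM:' -and $exe -notmatch $trustedRoots) {
            $flags += 'OUTSIDE-PROGRAM-DIRS'
        }

        [pscustomobject]@{
            TaskPath   = $task.TaskPath
            TaskName   = $task.TaskName
            State      = $task.State
            Author     = $task.Author
            Execute    = $exe
            Arguments  = $arguments
            LastRun    = if ($info) { $info.LastRunTime } else { 'unreadable' }
            LastResult = if ($info) { $info.LastTaskResult } else { 'unreadable' }
            Flags      = ($flags -join ',')
        }
    }
}

# Flagged rows first, then everything else; the CSV keeps the full record for upload.
$rows | Sort-Object Flags -Descending |
    Format-Table TaskName, State, Execute, Arguments, LastRun, Flags -AutoSize
$rows | Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8
Write-Host "Wrote $($rows.Count) task actions to $outFile"
```

A task whose action is "unreadable" is itself worth noting: on a healthy system every task's last-run information can be read by an administrator, and a product that hides its own task from inspection is exactly the kind of thing Ron points out in the next post. The flags are hints for a human review, not verdicts; a legitimate installer can leave a task pointing into a user profile folder.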

Just now looking at your task list. Interestingly, iObit is blocking its own Scheduled Task from even being opened. I can understand blocking it from modification outside of the program, but not from reading it.

I'll try to be back with you soon, if not, then later tonight.

 


I did not find any obvious unexpected entries in the Scheduled Tasks list.

Let's verify that all files in your C:\Windows folder and below are signed.

As there are many good diagnostic tools from Microsoft Sysinternals I would recommend creating a folder to keep all the files. As we may need to use more than one to help us out, let's go ahead and download their suite of programs.

My suggestion would be to create a folder structure something like this, but you're free to use any name you like. Just make sure it's a new folder with just the Sysinternals Tools in it.

C:\Admin\Utils\Sysinternals


Please download the entire set of Sysinternals Utilities rolled up into a single download - 23MB
 

After the file has been saved extract all of the files into the new folder: C:\Admin\Utils\Sysinternals

If you need further instructions on doing any of this please let me know.

Then change directory to C:\Admin\Utils\Sysinternals from an elevated admin command prompt and run each of the following commands and click OK to allow the tool to run the first time.
 

sigcheck64.exe -u -e -s -c c:\windows\system32 >"%USERPROFILE%\desktop\UnsignedFiles.txt"

sigcheck64.exe -u -e -s -c c:\windows\SysWOW64 >"%USERPROFILE%\desktop\UnsignedFilesSysWOW64.txt"


Then upload these files from your desktop when ready: UnsignedFiles.txt and UnsignedFilesSysWOW64.txt.

Thanks

 

 

Edited by AdvancedSetup
Updated information


Hello,

I am not quite sure what you mean by "change directory to C:\Admin\Utils\Sysinternals from an elevated admin command prompt".  I created the folder C:\Admin\Utils\Sysinternals and extracted all the Sysinternals Utilities from the download to that folder. Not sure what I need to do with regards to changing the directory. 



The file below is bad no matter what. No file with the extension of .tmp belongs in the Drivers folder period. For the most part except during an install, no file with .tmp extension belongs on the computer for more than a very short period of time. Please zip up this file and upload so that I can review it. It is probably not the cause of your issue but does not belong and we should verify what it really is. If you need help on how to zip it up please let me know.

c:\windows\system32\drivers\SETB9F4.tmp

 

I'm guessing you installed Windows 10 as an upgrade to a previous installation of Windows 7. Is that correct?

 

 


Is there an explanation as to why the pop-up, along with its temp files, does not appear after starting up my PC from a long period of it being shut down?


The file is legit but has an invalid name. It should never have been in that location. Maybe a crash or other installation issue left it behind.

File Version Information

Copyright: Copyright (C) 2001-2010 Qualcomm Atheros Communications, Inc.
Product: Driver for Qualcomm Atheros CB42/CB43/MB42/MB43 Network Adapter
Description: Qualcomm Atheros Extensible Wireless LAN device driver
Original Name: ATHR.SYS
Internal Name: ATHR.SYS
File Version: 10.0.0.329

 

As for why it does not launch after a long period of time we don't know yet as we've still not tracked down what is causing it in the first place.

 

 

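The sigcheck step earlier in the thread, the stray .tmp in the Drivers folder, and the version information Ron pulled from it are all one check: for every binary in the folder, regardless of what it is named, what does its signature say and what does it call itself internally? As an added example (not from the thread, and not Sysinternals sigcheck), the PowerShell below does that with built-in cmdlets. It identifies binaries by their MZ header rather than by extension, so a driver renamed to .tmp is still inspected, and it flags files whose embedded OriginalFilename does not match their on-disk name, which is exactly how SETB9F4.tmp would have surfaced as ATHR.SYS. It assumes an elevated PowerShell prompt; the folder list and output path are constructed for the example.

```powershell
# Added example, not from the thread and not Sysinternals sigcheck: walk a folder
# and report signature status and embedded version information for every Windows
# binary in it, whatever its extension, so a misnamed driver (such as a .tmp that
# is really ATHR.SYS) or an unsigned one stands out.
# Assumes an elevated PowerShell prompt; the folder list and output path are
# constructed examples.
$folders = @("$env:SystemRoot\System32\drivers")   # add System32 and SysWOW64 for the full sweep
$outFile = Join-Path $env:USERPROFILE 'Desktop\SignatureReport.csv'

function Test-IsPeFile {
    # Every Windows executable, DLL or driver starts with the 'MZ' magic bytes,
    # whatever the file is named; checking the header catches misnamed binaries.
    param([string]$Path)
    try {
        $stream = [System.IO.File]::OpenRead($Path)
        try {
            $magic = New-Object byte[] 2
            return ($stream.Read($magic, 0, 2) -eq 2 -and $magic[0] -eq 0x4D -and $magic[1] -eq 0x5A)
        } finally { $stream.Dispose() }
    } catch { return $false }   # locked or unreadable file: treat as not a PE
}

$rows = foreach ($folder in $folders) {
    Get-ChildItem -Path $folder -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        $isPe = Test-IsPeFile -Path $file.FullName
        # Report PE files (any name) plus anything with a .tmp extension, which
        # should not be living in a driver folder at all.
        if (-not $isPe -and $file.Extension -ne '.tmp') { return }

        # Get-AuthenticodeSignature also consults the Windows catalog files, so
        # catalog-signed Microsoft drivers come back as Valid, not NotSigned.
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName
        $ver = $file.VersionInfo

        $flags = @()
        if ($file.Extension -eq '.tmp') { $flags += 'TMP-FILE' }
        if ($isPe -and $sig.Status -ne 'Valid') { $flags += "SIG-$($sig.Status)" }
        if ($ver.OriginalFilename -and ($ver.OriginalFilename.Trim() -ne $file.Name)) {
            $flags += 'NAME-MISMATCH'   # on-disk name differs from the name compiled into the file
        }

        [pscustomobject]@{
            Path         = $file.FullName
            IsPE         = $isPe
            SigStatus    = $sig.Status
            Signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            OriginalName = $ver.OriginalFilename
            Product      = $ver.ProductName
            Description  = $ver.FileDescription
            Version      = $ver.FileVersion
            Flags        = ($flags -join ',')
        }
    }
}

# Show only the rows that tripped a flag; the CSV keeps the complete inventory.
$rows | Where-Object Flags |
    Format-List Path, SigStatus, Signer, OriginalName, Product, Version, Flags
$rows | Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8
```

Expect some noise from NAME-MISMATCH on localized resource files (a .mui whose OriginalFilename names the parent binary); the combination to look at is a signature that is not Valid together with a name mismatch or a .tmp extension. A validly signed file with a mismatched name, like the Atheros driver above, is an installer leftover rather than an infection, but it still does not belong there.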

Please perform a Windows Defender Offline scan and post back the results.

Windows Defender Offline is a powerful offline scanning tool that runs from a trusted environment, without starting your operating system.
This topic describes using Windows Defender Offline in Windows 10, Windows 8.1, and Windows 7.

Using Windows Defender Offline on Windows 10

  1. Select Start, and then select Settings > Update & Security > Windows Security > Virus & threat protection.
  2. On the Virus & threat protection screen, do one of the following:
    • In the current version of Windows 10: Under Current threats, select Scan options.
    • In previous versions of Windows: Under Threat history, select Run a new advanced scan.
  3. Select Windows Defender Offline scan, and then select Scan now.

Using Windows Defender Offline on Windows 7 and Windows 8.1

If you're using Windows Defender Offline on Windows 7 or Windows 8.1, you need to follow four basic steps:
  1. Download Windows Defender Offline and create a CD, DVD, or USB flash drive.
  2. Restart your PC using the Windows Defender Offline media.
  3. Scan your PC for malicious and other potentially unwanted software.
  4. Remove any malware that's found from your PC.
Windows Defender Offline will walk you through the details of these four steps when you're using the tool. If you've been prompted in Microsoft Security Essentials or Windows Defender Security Center to download and run Windows Defender Offline, it's important to do so, to make sure that your data and your PC aren't compromised.
 
 
To get started, find a blank CD, DVD, or USB flash drive with at least 250 MB of free space and then download and run the tool — the tool will help you create the removable media.

Download x86: http://go.microsoft.com/fwlink/?LinkID=234123
Download x64: http://go.microsoft.com/fwlink/?LinkID=234124

If you're not sure which version to download, see Is my PC running the 32-bit or 64-bit version of Windows?

Where can I find scan results?

To see the Windows Defender Offline scan results:

  1. Select Start, and then select Settings > Update & Security > Windows Security > Virus & threat protection.
  2. On the Virus & threat protection screen, do one of the following:
    • In the current version of Windows 10: Under Current threats, select Scan options, and then select Threat history.
    • In previous versions of Windows: Select Threat history.

 

Thanks, Ron

 


Yes, but it hides what the real cause was. Microsoft replaces thousands of files on that large update and makes many changes so now we'll never know what the root cause was.

However, I can understand your frustration with the issue and just wanted it fixed. I'll go ahead then and close this topic now.

Take care and stay safe out there. I would highly recommend you look at obtaining an external USB drive and both imaging your main drive as well as regular data backups.

Backup Software


Happy Holidays

Ron

 
