1972vet Posted September 16, 2023 ID:1589343

Need assistance in removing temp files in DriverStore that have my curiosity piqued (see details below). I found these files when I ran a scan with Revo for junk files. These files showed up dated Sept. 8 in the early morning hours.

Recently, I discovered a hack of my Google account. When I investigated, I discovered three phone accounts with names I didn't recognize, didn't own, and have never owned, so I removed them from my Google account, used a "send erase" request and changed my password. Hopefully now they won't return. Two of those sign-in dates for the intruders correspond nicely with the date of those errant temp DriverStore files. The other one signed in back in June, followed several months later by the others.

I've scanned of course with MBAM and, as usual, nothing found. Now, I can't say with certainty that these files resulted from anything nefarious, but I've not run across any temp driver files before that I couldn't remove. I suspect these files are left over from some uninstalled game driver, probably related to BlueStacks, although I haven't been able to nail that down. The only other coincidence is the Google hack.

My laptop is a Dell Inspiron 15 running Windows 11. I've only had it for these past several months. Anyone with suggestions is appreciated. Thanks!
vet

Details:

DriverStore temp files:
C:\Windows\System32\DriverStore\Temp\DEL66F7.tmp
C:\Windows\System32\DriverStore\Temp\DEL6727.tmp
C:\Windows\System32\DriverStore\Temp\DEL6738.tmp
C:\Windows\System32\DriverStore\Temp\DEL6748.tmp

Intruders:

Galaxy S21 Ultra 5G
Crystal City, MO, USA
Last activity: Yesterday, 5:10 AM
Signed out
First sign-in: Sep 7

Galaxy S22
Crystal City, MO, USA
Last activity: September 7, 6:27 AM
Signed out
First sign-in: Sep 6
This session was used only briefly, and not recently. It's already ended and has no access to your account.

OnePlus5
Crystal City, MO, USA
Last activity: September 5, 5:03 AM
Signed out
First sign-in: Jun 12

...by the way, Crystal City is a neighboring town. I live just about three miles from there.
Porthos Posted September 16, 2023 ID:1589355

1 hour ago, 1972vet said:
"but I've not run across any temp driver files before that I couldn't remove."

Stupid question: have you tried Safe Mode?
Maurice Naggar Posted September 16, 2023 ID:1589356

Howdy. I hope you are doing well.

Let me first start by remarking that those 4 .TMP files in the Temp section of the driver store are fair game for deletion.

You have most likely used Cleanmgr before. I suggest you start with running that.
Open an elevated Command Prompt window, i.e. run Command Prompt as an administrator: on the Taskbar search box, type in cmd.exe and click the line for "Run as administrator".
On that Command Prompt, copy & paste this command:
cleanmgr.exe
Press the Enter key on the keyboard and watch & write down the result.
On the tab "Disk Cleanup", in the scrollable window marked "Files to Delete", be sure to UN-tick the box on the line "Downloaded Program Files".
DO tick the check boxes on these lines:
Windows Update Cleanup
Windows upgrade log files
Temporary Internet Files
Recycle Bin
Temporary files
Any other lines you can un-tick.
Then click OK to proceed. You will get an "Are you sure" prompt; click on the "Delete Files" button.
It will show a progress window. When it finishes, it will auto-close its window.

One other procedure, as to the hardware router. Secure your router by resetting it and then setting a strong password to sign into the router, and a strong wireless key to sign into your network. You can find your router manual by googling the exact model (on the bottom) to follow the reset instructions, set the password and wireless key, and optimize security and performance per these articles:
https://www.lifewire.com/resetting-a-home-network-router-818061
https://www.techradar.com/broadband/how-to-change-your-router-password
1972vet (Author) Posted September 16, 2023 ID:1589364

Thanks for the responses. Yes, I've tried Safe Mode. Done all you suggested, Maurice (btw, how've you been all these years?), scanned again with Revo, junk files still there.
Maurice Naggar Posted September 16, 2023 ID:1589367

Try what follows in normal mode (if no joy, repeat while in Safe Mode). Needs to be done in an elevated PowerShell. We need to enter a pair of lines:

$Folder = "C:\Windows\System32\DriverStore\Temp\"
Get-ChildItem $Folder | Remove-Item -Recurse -Force
1972vet (Author) Posted September 16, 2023 ID:1589375

Again, no joy. I'm baffled. I have several entries similar to these:

Remove-Item : Cannot remove item C:\Windows\System32\DriverStore\Temp\DEL66F7.tmp: Access to the path is denied.
At line:3 char:25
+ FullyQualifiedErrorId : RemoveFileSystemItemArgumentError,Microsoft.PowerShell.Commands.RemoveItemCommand

...and now I found I have another one. These files obviously are being generated by some active process, but I am hard pressed to find out what it is.
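An added example, not code from any post in this thread: before retrying the delete, it is worth knowing why Remove-Item reports "Access to the path is denied" for each .tmp. The snippet below, run from an elevated PowerShell, reports each file's owner, any explicit Deny ACEs, and whether another process currently holds a handle on it (which would also explain why new DEL*.tmp files keep appearing). It assumes the folder path used in the thread; takeown.exe and icacls.exe are Windows built-ins.

```powershell
# Added example (not from the thread): diagnose, then optionally remove, DriverStore\Temp .tmp files.
# Assumes an elevated PowerShell window and the folder path quoted in the thread.
$Folder = 'C:\Windows\System32\DriverStore\Temp'

function Get-FileAccessState {
    param([Parameter(Mandatory)][string]$Path)
    # Open for exclusive read/write. A sharing violation (IOException) means another process holds
    # a handle; UnauthorizedAccessException means the ACL refuses us, not a lock.
    try {
        $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                      [System.IO.FileAccess]::ReadWrite,
                                      [System.IO.FileShare]::None)
        $fs.Dispose()
        return 'Free'
    } catch [System.UnauthorizedAccessException] {
        return 'AccessDenied'
    } catch [System.IO.IOException] {
        return 'Locked'
    }
}

function Get-TmpReport {
    param([string]$Path = $Folder)
    foreach ($file in Get-ChildItem -LiteralPath $Path -Filter '*.tmp' -Force -ErrorAction SilentlyContinue) {
        $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction SilentlyContinue
        # Explicit Deny ACEs, or an owner other than Administrators, are the usual reasons an
        # elevated admin still gets "Access denied" on a file under System32.
        $deny = $acl.Access | Where-Object AccessControlType -eq 'Deny' |
                ForEach-Object { "$($_.IdentityReference)=$($_.FileSystemRights)" }
        [pscustomobject]@{
            Name       = $file.Name
            FullName   = $file.FullName
            Created    = $file.CreationTime
            Bytes      = $file.Length
            Attributes = $file.Attributes
            Owner      = $acl.Owner
            DenyACEs   = ($deny -join '; ')
            State      = Get-FileAccessState -Path $file.FullName
        }
    }
}

function Remove-TmpWithOwnership {
    # For files the report shows as 'AccessDenied' (not 'Locked'): take ownership, grant
    # Administrators full control, then delete. Both helper tools ship with Windows.
    param([Parameter(Mandatory)][string]$FullName)
    & takeown.exe /F $FullName | Out-Null
    & icacls.exe $FullName /grant 'Administrators:F' | Out-Null
    Remove-Item -LiteralPath $FullName -Force -ErrorAction Stop
}

# Usage: review the report first. A 'Locked' file has a live owner process and will either refuse
# deletion or be recreated until that process is identified (e.g. with Sysinternals Process Explorer's
# handle search). Only then uncomment the removal line.
Get-TmpReport | Format-Table Name, Created, Bytes, Owner, DenyACEs, State -AutoSize
# Get-TmpReport | Where-Object State -eq 'AccessDenied' | ForEach-Object { Remove-TmpWithOwnership $_.FullName }
```

The point of separating the report from the removal is that "Access denied" has two different causes with two different fixes: an ACL problem is solved by ownership, while a locked file points at a running process that should be identified before anything is deleted.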
1972vet (Author) Posted September 16, 2023 ID:1589376

DEL66C7.tmp is the latest one.
Maurice Naggar Posted September 16, 2023 ID:1589378

"Access denied". Hmmh. Let's see about getting a couple of diagnostic reports. I would recommend getting a readout report as to the update status of some key apps.

Temporarily disable Microsoft SmartScreen to download the next software below.
Download SecurityCheck by glax24 from here and save the tool on the desktop. If Windows SmartScreen blocks that with a message window, then click on the MORE INFO spot and override that and allow it to proceed. This tool is safe. SmartScreen is overly sensitive.
Right-click with your mouse on SecurityCheck.exe and select "Run as administrator", and reply YES to allow it to run & go forward.
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply. You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

Download & save a new copy of the tool FRST64.exe from this link:
https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
We will use that.
Go to the Downloads folder. RIGHT-click on FRST64 and select Run as Administrator and tap ENTER. And reply YES to allow it to proceed.
When the tool opens, click Yes to the disclaimer. And be very sure to TICK the box for Addition.txt.
Press the Scan button. It will make a log (FRST.txt & Addition.txt) in the same directory the tool is run from.
Have patience, since the run may take something like 10 or so minutes (less depending on your hardware speed).
Close Notepad IF those show up in Notepad.
Just please attach the 2 files FRST.txt + Addition.txt with your next reply. You may enclose the 2 in a ZIP file & attach same.
1972vet (Author) Posted September 16, 2023 ID:1589384

Here we go, Maurice!
FRST.zip
Addition.zip
Maurice Naggar Posted September 16, 2023 ID:1589385

Thank you! Don't forget to also do the SecurityCheck tool. I am also going to be customizing an inquiry procedure run for you.
1972vet (Author) Posted September 16, 2023 ID:1589386

Smacked my forehead. Here ya go:
SecurityCheck.zip
Maurice Naggar Posted September 16, 2023 ID:1589392 (marked as Solution)

Thank you. I need for you to do these 2 important steps, so that ALL folders & files are set to SHOW, plus also turn OFF Windows Fast Startup.
Show-Hidden-Folders-Files-Extensions
https://forums.malwarebytes.com/topic/299345-show-hidden-folders-files-extensions/
Disable-Fast-Startup
https://forums.malwarebytes.com/topic/299350-disable-fast-startup/

Next is the first round. We will do a 2nd round later to take care of MS Defender (which needs help for update failures). This round we hope to get details on ownership of those TMP files in the subject folder. The procedure will also do an SFC scannow & a DISM scanhealth to check the system. It also will make another attempt to delete the .tmp files.

Please close all open work before you actually begin this run.
Please download the attached fixlist.txt file and save it to Desktop.
Fixlist.txt
NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.
Right-click with your mouse on FRST64 and select "Run as Administrator" and reply Yes and allow it to proceed when prompted. That is important.
Next, press the Fix button just once and wait. You will see a green-color scroll display while FRST is running.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop folder (Fixlog.txt). Please attach or post it to your next reply.
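The two preparatory steps above are normally done through the Explorer and Control Panel dialogs described in the linked guides. As an added example that is not part of the thread or of those guides, the following PowerShell applies and verifies the same two settings through the registry values Explorer and the power manager read. It assumes an elevated PowerShell (the HKLM write requires it); the Explorer view values take effect after signing out and back in or restarting explorer.exe.

```powershell
# Added example (not from the thread): show hidden files/extensions and disable Fast Startup by
# writing the standard registry values behind those settings, then report the resulting state.
# Requires an elevated PowerShell for the HKLM write.

$explorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$powerKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'

function Set-ShowHiddenAndExtensions {
    # Hidden=1 shows hidden items, HideFileExt=0 shows file extensions,
    # ShowSuperHidden=1 shows protected operating system files as well.
    Set-ItemProperty -Path $explorerKey -Name Hidden          -Value 1 -Type DWord
    Set-ItemProperty -Path $explorerKey -Name HideFileExt     -Value 0 -Type DWord
    Set-ItemProperty -Path $explorerKey -Name ShowSuperHidden -Value 1 -Type DWord
}

function Disable-FastStartup {
    # HiberbootEnabled=0 turns off Fast Startup (hybrid boot) while leaving full
    # hibernation available; a normal shutdown then really is a cold shutdown.
    Set-ItemProperty -Path $powerKey -Name HiberbootEnabled -Value 0 -Type DWord
}

function Get-SettingsReport {
    # Read the values back so the change can be confirmed before running further tools.
    $e = Get-ItemProperty -Path $explorerKey
    $p = Get-ItemProperty -Path $powerKey
    [pscustomobject]@{
        ShowHidden      = ($e.Hidden -eq 1)
        ShowExtensions  = ($e.HideFileExt -eq 0)
        ShowSuperHidden = ($e.ShowSuperHidden -eq 1)
        FastStartupOff  = ($p.HiberbootEnabled -eq 0)
    }
}

Set-ShowHiddenAndExtensions
Disable-FastStartup
Get-SettingsReport
```

All four fields of the report should read True before the FRST fix is run; if FastStartupOff stays False, the session was not elevated and the HKLM write silently failed under -ErrorAction defaults, so rerun from an administrator prompt.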
1972vet (Author) Posted September 16, 2023 ID:1589409

Fixlog.zip
Nice ride, do your stuff, Maurice!
Maurice Naggar Posted September 17, 2023 ID:1589413

Can you see whether those .tmp files are still around? The owner of the files is / was NT AUTHORITY\SYSTEM.
1972vet (Author) Posted September 17, 2023 ID:1589416
Maurice Naggar Posted September 17, 2023 ID:1589421

This is a round for helping the updating of MS Defender, as per my earlier note. It needs a touch of help. This is a new script.

Please close all open work before you actually begin this run.
Please download the attached fixlist.txt file and save it to Desktop.
Fixlist.txt
NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.
Right-click with your mouse on FRST64 and select "Run as Administrator" and reply Yes and allow it to proceed when prompted. That is important.
Next, press the Fix button just once and wait. You will see a green-color scroll display while FRST is running.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop folder (Fixlog.txt). Please attach or post it to your next reply.
1972vet (Author) Posted September 17, 2023 ID:1589426

K partner, here it is:
Fixlog.zip
Maurice Naggar Posted September 17, 2023 ID:1589542 (edited)

Hi. Thanks.

(1) One adjustment so that we have Microsoft Defender run alongside Malwarebytes.
Start Malwarebytes. Click the Settings (gear) icon.
Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center.
Click the Security tab. Scroll down to "Windows Security Center".
Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center". { We want that to be set as Off... be sure that line's radio-button selection is all the way to the left. Thanks. }
This will not affect any real-time protection of Malwarebytes for Windows 😃.
Close Malwarebytes.

(2) Download Farbar's Service Scanner utility and save it to your Desktop.
Right-click on fss.exe and select Run As Administrator. Answer Yes to OK when prompted. If your firewall then puts out a prompt, again, allow it to run.
Once FSS is on-screen, be sure the following items are check-marked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other services
Click on "Scan". It will create a log (FSS.txt) in the same directory the tool is run from. Please attach that file.

(3) I want to visually look at MS Defender status & summary. (Sorry for the over-wordy directions.)
From the Windows Start menu, select Settings, then select Update and Security.
Next, look at the left-side menu & select Windows Security.
Next, in the Windows Security section, click on the grey button Open Windows Security.
Now, click on the shield Virus and threat protection.
Look to see that Microsoft Defender is shown & available for use. I surmise that MS Defender is the resident antivirus.

One other separate thing. Check that MS Edge is the latest release: Microsoft Edge v.116.0.1938.81 advisory (Download Update).

Edited September 17, 2023 by Maurice Naggar
1972vet (Author) Posted September 17, 2023 ID:1589551

Yes, MS Defender is the only antivirus. MBAM is my more reliable defense, so I didn't (haven't for years) install anything else.
Microsoft Edge version for me is: Version 117.0.2045.31 (Official build) (64-bit)
K, here we go:
FSS.zip
Maurice Naggar Posted September 17, 2023 ID:1589554

Thank you. The FSS is all normal. It looks like this is all good-to-go. What do you think? 😉
1972vet (Author) Posted September 17, 2023 ID:1589557

Thanks, Maurice, for taking the time. The files are still present for whatever reason, but not causing any harm. Enough of your time has been spent chasing this ghost, but I do appreciate the time and attention. Good to know you're still working. As you might be able to tell from my profile, I haven't been active on these forums for about nine years now. My last big hurrah was the final five years I spent on the help sites as a Microsoft MVP along with you and all the others. It was good, those years ago, but time has been more precious and less available for me. Thanks again, and many good wishes for your future endeavors!
vet
Maurice Naggar Posted September 17, 2023 ID:1589560

You're very welcome, friend and colleague. Yes, I am still around here as a volunteer. You may delete the tools I had you download. All my very best wishes to you.