Unknown setup.exe pop-up

I have a pop up at least once a day to run a setup.exe file.  Looking at the properties on the popup it is located:

c:\users\username\appsdata\local\temp\different location here every time.

I write down the location, do not run the install and then go look for the file.  The directory listed is never there.  How can I find out where this file actually is located?

January 12th, 2014 3:01am

Please download the free version of Malwarebytes.
Update it immediately.
Do a full system scan.
Let us know the results at the end.

http://www.malwarebytes.org/products
January 12th, 2014 3:12am

I had forgotten all about that program.  I ran it twice.  Here is a text file of the first run:

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2014.01.12.06

Windows 8 x64 NTFS
Internet Explorer 10.0.9200.16750
John :: LENOVO_LAP [administrator]

Protection: Enabled

1/12/2014 6:36:58 PM
mbam-log-2014-01-12 (18-36-58).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 548764
Time elapsed: 1 hour(s), 25 minute(s), 15 second(s)

Memory Processes Detected: 5
C:\ProgramData\Updater\updater.exe (PUP.Optional.TubeDimmer) -> 3952 -> No action taken.
C:\ProgramData\RHelpers\ChromeHelper\ChromeHelper.exe (PUP.Optional.SearchDonkey.A) -> 3164 -> No action taken.
C:\ProgramData\RHelpers\FirefoxHelper\FirefoxHelper.exe (PUP.Optional.SearchDonkey.A) -> 5064 -> No action taken.
C:\ProgramData\RHelpers\IeHelper\IeHelper.exe (PUP.Optional.SearchDonkey.A) -> 3720 -> No action taken.
C:\ProgramData\Updater\updater.exe (Trojan.Agent) -> 3952 -> Delete on reboot.

Memory Modules Detected: 1
C:\Users\John\AppData\Roaming\newnext.me\nengine.dll (PUP.Optional.NextLive.A) -> No action taken.

Registry Keys Detected: 12
HKCR\CLSID\{45470599-8237-486D-87B5-E89CD6AED154} (PUP.Optional.MyWordTool.A) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{45470599-8237-486D-87B5-E89CD6AED154} (PUP.Optional.MyWordTool.A) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{45470599-8237-486D-87B5-E89CD6AED154} (PUP.Optional.MyWordTool.A) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{45470599-8237-486D-87B5-E89CD6AED154} (PUP.Optional.MyWordTool.A) -> No action taken.
HKCR\CLSID\{E5A7A645-8318-4895-B85C-EDC606B80DB6} (PUP.Optional.DynConIE.A) -> No action taken.
HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C} (PUP.Optional.OptimzerPro.A) -> No action taken.
HKCR\TypeLib\{DCABB943-792E-44C4-9029-ECBEE6265AF9} (PUP.Optional.OutBrowse) -> No action taken.
HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534} (PUP.Optional.OutBrowse) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWordTool (PUP.Optional.MyWordTool.A) -> No action taken.
HKCU\SOFTWARE\MyWordTool (PUP.Optional.MyWordTool.A) -> No action taken.
HKCU\SOFTWARE\OPTIMIZER PRO (PUP.Optional.OptimizerPro.A) -> No action taken.
HKLM\SOFTWARE\MyWordTool (PUP.Optional.MyWordTool.A) -> No action taken.

Registry Values Detected: 7
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Updater (PUP.Optional.TubeDimmer) -> Data: C:\ProgramData\Updater\Updater.exe -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Updater (PUP.Optional.TubeDimmer) -> Data: C:\ProgramData\Updater\updater.exe -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Optimizer Pro (PUP.Optional.OptimizerPro) -> Data: C:\Program Files (x86)\Optimizer Pro\OptProLauncher.exe -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|NextLive (PUP.Optional.NextLive.A) -> Data: C:\WINDOWS\SysWOW64\rundll32.exe "C:\Users\John\AppData\Roaming\newnext.me\nengine.dll",EntryPoint -m l -> No action taken.
HKCU\Software\Optimizer Pro|AdsBuyNowURL (PUP.Optional.OptimizerPro.A) -> Data: http://pcup49.pcutilitiespro.revenuewire.net/driverpro/register?121001042-US-006_227E5A47-03E2-CF9A-FE41-F88197935A9D -> No action taken.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run|Updater (Trojan.Agent) -> Data: C:\ProgramData\Updater\updater.exe -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Updater (Trojan.Agent) -> Data: C:\ProgramData\Updater\Updater.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 8
C:\Users\John\AppData\Local\Temp\smartbar (PUP.Optional.SmartBar.A) -> No action taken.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Optimizer Pro v3.2 (PUP.Optional.OptimizerPro) -> No action taken.
C:\Users\John\AppData\Roaming\MyWordTool (PUP.Optional.MyWordTool.A) -> No action taken.
C:\ProgramData\RHelpers\ChromeHelper (PUP.Optional.Searchagent) -> No action taken.
C:\ProgramData\RHelpers\FirefoxHelper (PUP.Optional.Searchagent) -> No action taken.
C:\ProgramData\RHelpers\IeHelper (PUP.Optional.Searchagent) -> No action taken.
C:\Users\John\AppData\Roaming\newnext.me (PUP.Optional.NextLive.A) -> No action taken.
C:\Users\John\AppData\Roaming\newnext.me\cache (PUP.Optional.NextLive.A) -> No action taken.

Files Detected: 28
C:\ProgramData\Updater\updater.exe (PUP.Optional.TubeDimmer) -> No action taken.
C:\ProgramData\RHelpers\ChromeHelper\ChromeHelper.exe (PUP.Optional.SearchDonkey.A) -> No action taken.
C:\ProgramData\RHelpers\FirefoxHelper\FirefoxHelper.exe (PUP.Optional.SearchDonkey.A) -> No action taken.
C:\ProgramData\RHelpers\IeHelper\IeHelper.exe (PUP.Optional.SearchDonkey.A) -> No action taken.
C:\Users\John\AppData\Roaming\MyWordTool\temp.dat (PUP.Optional.MyWordTool.A) -> No action taken.
C:\Users\John\AppData\Local\Microsoft\Windows\INetCache\Content.IE5\E3WJO5XH\Setup[1].exe (PUP.Optional.InternetUpdater.A) -> No action taken.
C:\Users\John\AppData\Local\Microsoft\Windows\INetCache\Content.IE5\U1FZ0DC8\stubinst_pkg_en-us[1].cab (PUP.Optional.OpenCandy) -> No action taken.
C:\Users\John\AppData\Local\Temp\DownloadManager.exe (PUP.Optional.OutBrowse) -> No action taken.
C:\Users\John\AppData\Local\Temp\nsh6189.exe (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Users\John\AppData\Local\Temp\nssA2EA.exe (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Users\John\AppData\Local\Temp\nsuC269.exe (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Users\John\AppData\Local\Temp\RegClean10.exe (PUP.Optional.RegCleanerPro) -> No action taken.
C:\Users\John\AppData\Local\Temp\SearchProtectINT.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Users\John\AppData\Local\Temp\smartbar\Installer.msi (PUP.Optional.SmartBar.A) -> No action taken.
C:\Users\John\AppData\Local\Temp\smartbar\GUIDCREATOR.DLL (PUP.Optional.SmartBar.A) -> No action taken.
C:\Users\John\AppData\Local\Temp\smartbar\Installer.exe.config (PUP.Optional.SmartBar.A) -> No action taken.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Optimizer Pro v3.2\Optimizer Pro.lnk (PUP.Optional.OptimizerPro) -> No action taken.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Optimizer Pro v3.2\Check updates.lnk (PUP.Optional.OptimizerPro) -> No action taken.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Optimizer Pro v3.2\Help.lnk (PUP.Optional.OptimizerPro) -> No action taken.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Optimizer Pro v3.2\Optimizer Pro on the Web.lnk (PUP.Optional.OptimizerPro) -> No action taken.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Optimizer Pro v3.2\Uninstall Optimizer Pro.lnk (PUP.Optional.OptimizerPro) -> No action taken.
C:\Users\John\AppData\Roaming\MyWordTool\.build (PUP.Optional.MyWordTool.A) -> No action taken.
C:\Users\John\AppData\Roaming\MyWordTool\.user (PUP.Optional.MyWordTool.A) -> No action taken.
C:\Users\John\AppData\Roaming\MyWordTool\uninst.exe (PUP.Optional.MyWordTool.A) -> No action taken.
C:\Users\John\AppData\Roaming\newnext.me\nengine.dll (PUP.Optional.NextLive.A) -> No action taken.
C:\Users\John\AppData\Roaming\newnext.me\nengine.cookie (PUP.Optional.NextLive.A) -> No action taken.
C:\Users\John\AppData\Roaming\newnext.me\cache\spark.bin (PUP.Optional.NextLive.A) -> No action taken.
C:\ProgramData\Updater\updater.exe (Trojan.Agent) -> Delete on reboot.

(end)

January 12th, 2014 8:35pm

Removed everything and ran it again.  This is the second scan:

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2014.01.12.06

Windows 8 x64 NTFS
Internet Explorer 10.0.9200.16750
John :: LENOVO_LAP [administrator]

Protection: Enabled

1/12/2014 8:22:25 PM
MBAM-log-2014-01-12 (20-26-41).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 235860
Time elapsed: 3 minute(s), 36 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\Users\John\AppData\Roaming\newnext.me\nengine.dll (PUP.Optional.NextLive.A) -> No action taken.

Registry Keys Detected: 12
HKCR\CLSID\{45470599-8237-486D-87B5-E89CD6AED154} (PUP.Optional.MyWordTool.A) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{45470599-8237-486D-87B5-E89CD6AED154} (PUP.Optional.MyWordTool.A) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{45470599-8237-486D-87B5-E89CD6AED154} (PUP.Optional.MyWordTool.A) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{45470599-8237-486D-87B5-E89CD6AED154} (PUP.Optional.MyWordTool.A) -> No action taken.
HKCR\CLSID\{E5A7A645-8318-4895-B85C-EDC606B80DB6} (PUP.Optional.DynConIE.A) -> No action taken.
HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C} (PUP.Optional.OptimzerPro.A) -> No action taken.
HKCR\TypeLib\{DCABB943-792E-44C4-9029-ECBEE6265AF9} (PUP.Optional.OutBrowse) -> No action taken.
HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534} (PUP.Optional.OutBrowse) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWordTool (PUP.Optional.MyWordTool.A) -> No action taken.
HKCU\SOFTWARE\MyWordTool (PUP.Optional.MyWordTool.A) -> No action taken.
HKCU\SOFTWARE\OPTIMIZER PRO (PUP.Optional.OptimizerPro.A) -> No action taken.
HKLM\SOFTWARE\MyWordTool (PUP.Optional.MyWordTool.A) -> No action taken.

Registry Values Detected: 3
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Optimizer Pro (PUP.Optional.OptimizerPro) -> Data: C:\Program Files (x86)\Optimizer Pro\OptProLauncher.exe -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|NextLive (PUP.Optional.NextLive.A) -> Data: C:\WINDOWS\SysWOW64\rundll32.exe "C:\Users\John\AppData\Roaming\newnext.me\nengine.dll",EntryPoint -m l -> No action taken.
HKCU\Software\Optimizer Pro|AdsBuyNowURL (PUP.Optional.OptimizerPro.A) -> Data: http://pcup49.pcutilitiespro.revenuewire.net/driverpro/register?121001042-US-006_227E5A47-03E2-CF9A-FE41-F88197935A9D -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 8
C:\Users\John\AppData\Local\Temp\smartbar (PUP.Optional.SmartBar.A) -> No action taken.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Optimizer Pro v3.2 (PUP.Optional.OptimizerPro) -> No action taken.
C:\Users\John\AppData\Roaming\MyWordTool (PUP.Optional.MyWordTool.A) -> No action taken.
C:\ProgramData\RHelpers\ChromeHelper (PUP.Optional.Searchagent) -> No action taken.
C:\ProgramData\RHelpers\FirefoxHelper (PUP.Optional.Searchagent) -> No action taken.
C:\ProgramData\RHelpers\IeHelper (PUP.Optional.Searchagent) -> No action taken.
C:\Users\John\AppData\Roaming\newnext.me (PUP.Optional.NextLive.A) -> No action taken.
C:\Users\John\AppData\Roaming\newnext.me\cache (PUP.Optional.NextLive.A) -> No action taken.

Files Detected: 24
C:\Users\John\AppData\Roaming\MyWordTool\temp.dat (PUP.Optional.MyWordTool.A) -> No action taken.
C:\ProgramData\RHelpers\ChromeHelper\ChromeHelper.exe (PUP.Optional.SearchDonkey.A) -> No action taken.
C:\ProgramData\RHelpers\FirefoxHelper\FirefoxHelper.exe (PUP.Optional.SearchDonkey.A) -> No action taken.
C:\ProgramData\RHelpers\IeHelper\IeHelper.exe (PUP.Optional.SearchDonkey.A) -> No action taken.
C:\Users\John\AppData\Local\Temp\DownloadManager.exe (PUP.Optional.OutBrowse) -> No action taken.
C:\Users\John\AppData\Local\Temp\nsh6189.exe (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Users\John\AppData\Local\Temp\nssA2EA.exe (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Users\John\AppData\Local\Temp\nsuC269.exe (PUP.Optional.SearchProtect.A) -> No action taken.
C:\Users\John\AppData\Local\Temp\RegClean10.exe (PUP.Optional.RegCleanerPro) -> No action taken.
C:\Users\John\AppData\Local\Temp\SearchProtectINT.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Users\John\AppData\Local\Temp\smartbar\Installer.msi (PUP.Optional.SmartBar.A) -> No action taken.
C:\Users\John\AppData\Local\Temp\smartbar\GUIDCREATOR.DLL (PUP.Optional.SmartBar.A) -> No action taken.
C:\Users\John\AppData\Local\Temp\smartbar\Installer.exe.config (PUP.Optional.SmartBar.A) -> No action taken.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Optimizer Pro v3.2\Optimizer Pro.lnk (PUP.Optional.OptimizerPro) -> No action taken.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Optimizer Pro v3.2\Check updates.lnk (PUP.Optional.OptimizerPro) -> No action taken.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Optimizer Pro v3.2\Help.lnk (PUP.Optional.OptimizerPro) -> No action taken.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Optimizer Pro v3.2\Optimizer Pro on the Web.lnk (PUP.Optional.OptimizerPro) -> No action taken.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Optimizer Pro v3.2\Uninstall Optimizer Pro.lnk (PUP.Optional.OptimizerPro) -> No action taken.
C:\Users\John\AppData\Roaming\MyWordTool\.build (PUP.Optional.MyWordTool.A) -> No action taken.
C:\Users\John\AppData\Roaming\MyWordTool\.user (PUP.Optional.MyWordTool.A) -> No action taken.
C:\Users\John\AppData\Roaming\MyWordTool\uninst.exe (PUP.Optional.MyWordTool.A) -> No action taken.
C:\Users\John\AppData\Roaming\newnext.me\nengine.dll (PUP.Optional.NextLive.A) -> No action taken.
C:\Users\John\AppData\Roaming\newnext.me\nengine.cookie (PUP.Optional.NextLive.A) -> No action taken.
C:\Users\John\AppData\Roaming\newnext.me\cache\spark.bin (PUP.Optional.NextLive.A) -> No action taken.

(end)

I still have a lot of work to do it seems.

January 12th, 2014 8:39pm

John

You do, and none of them were fixed.  You ran in scan-only mode (that's why it says "no action taken").  You need to check the documentation on how to run it in scan and repair mode.

January 12th, 2014 8:43pm
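
The "No action taken" status the reply above points to can be tallied directly from a saved log. This is an added example, not part of the original thread and not Malwarebytes' own tooling; the function names are hypothetical and the sample lines are excerpted from the first log posted in this thread.

```python
import re
from collections import defaultdict

# Lines excerpted from the first scan log in this thread (MBAM 1.75 text format).
SAMPLE_LOG = r"""
Memory Processes Detected: 5
C:\ProgramData\Updater\updater.exe (PUP.Optional.TubeDimmer) -> 3952 -> No action taken.
C:\ProgramData\Updater\updater.exe (Trojan.Agent) -> 3952 -> Delete on reboot.
Registry Values Detected: 7
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Optimizer Pro (PUP.Optional.OptimizerPro) -> Data: C:\Program Files (x86)\Optimizer Pro\OptProLauncher.exe -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Updater (Trojan.Agent) -> Data: C:\ProgramData\Updater\Updater.exe -> Quarantined and deleted successfully.
Files Detected: 28
C:\Users\John\AppData\Local\Temp\nsh6189.exe (PUP.Optional.SearchProtect.A) -> No action taken.
"""

SECTION = re.compile(r"^(?P<section>.+) Detected: \d+$")
ITEM = re.compile(r"^(?P<item>.+) \((?P<name>[^()]+)\)$")

def parse_detections(log_text):
    """Return one dict per detection line: section, item, name, action."""
    section, rows = None, []
    for line in log_text.splitlines():
        line = line.strip()
        header = SECTION.match(line)
        if header:
            section = header.group("section")
            continue
        parts = line.split(" -> ")
        item = ITEM.match(parts[0])
        if section is None or len(parts) < 2 or not item:
            continue  # banner, blank line, or "(No malicious items detected)"
        rows.append({"section": section, "item": item.group("item"),
                     "name": item.group("name"),
                     "action": parts[-1].rstrip(".")})
    return rows

def unremediated(rows):
    """Group items still marked 'No action taken' by detection name."""
    pending = defaultdict(list)
    for row in rows:
        if row["action"] == "No action taken":
            pending[row["name"]].append(row["item"])
    return dict(pending)

def untouched_autoruns(rows):
    """Run-key values left in place relaunch their program at every logon."""
    return [r["item"] for r in rows
            if r["action"] == "No action taken"
            and r["item"].lower().split("|")[0].endswith(r"\currentversion\run")]
```

An empty result from `unremediated()` corresponds to the clean final scan later in the thread; any entry from `untouched_autoruns()` is a persistence point worth removing first.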

Wanikiya and Dyami,

Final scan, thanks for your help.  John

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2014.01.12.06

Windows 8 x64 NTFS
Internet Explorer 10.0.9200.16750
John :: LENOVO_LAP [administrator]

Protection: Enabled

1/12/2014 8:57:20 PM
mbam-log-2014-01-12 (20-57-20).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 235730
Time elapsed: 3 minute(s), 35 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

January 12th, 2014 9:09pm

John

Much better, don't you think?  Are you still having problems?

I would re-run Malwarebytes in about a week to make sure you are not re-infected.

January 12th, 2014 9:15pm
