
I've been reading up on this _iu14D2N.tmp file because it is always in my C:\Windows\Temp folder. It never seems to appear anywhere else. If I try to delete it I get a message that "The file cannot be deleted because it is in use by another program." When I look to see what that program is, it shows _iu14D2N.tmp - in other words, itself. I'm pretty sure I have never seen that before; is that even possible? Something else that seems to be a real anomaly is that the attribute of the file is set to "N", yet I cannot find any reference to an attribute of "N" in Microsoft documentation. The Digital Signatures page in the Properties box shows the file was signed by Lamantine Software a.s. Interestingly, they do not appear to have a website (that I could find); rather, they are referenced by other sites that present "Sticky Password Manager", which they have created.

I have had my head so deep in this, and I've been dazed and confused for so long, it's not true! Really, I am looking for some guidance. My understanding is that it may be from an Inno Setup file. However, my fear is this: "The _iu14d2n.tmp file should be located in the folder C:\Users\\AppData\Local\Temp. Otherwise it could be a Trojan." Not only that, but Inno Setup is not on my machine.

Malwarebytes has been a constant on this machine yet has never reported anything with regard to this file or any setup program. But I have had numerous instances of Malwarebytes Action blocking access to web sites with a bunch of different IPs. All detections have been RTP Events, although I have every reference to Remote Access services disabled on my machine. 4 have Event Details of "Trojan"; the others are "Malware" or "Compromised". All have been RTP "Outbound Connections", all of which are trying to use Port 0. Also note that I use an Anti-Virus program as well.

To further muddy the waters, I use a VPN and one of the files referenced in the Detection History Summary is the VPN service executable. Another file is simply referenced as "System". I have screenshots of (I think) all relevant info that I am more than happy to upload. The IP_Scanner file I've included was just one IP scan. I haven't done any others.

_iu14D2N.tmp - Attributes.JPG

_iu14D2N.tmp - Signer.JPG

Advanced_IP_Scanner_Results.doc
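
An added example, not part of the original post and not Malwarebytes' own tooling: a read-only PowerShell triage of the file described above, reporting its attributes (Explorer's "N" is FILE_ATTRIBUTE_NORMAL, 0x80, meaning no other attribute is set), its Authenticode status, its SHA-256, and the parent of any process running from it. It assumes the path the poster reported and an elevated PowerShell prompt.

```powershell
# Added example: read-only triage of the temp file from the post above.
# Assumption: the path is the one the poster reported; nothing is modified or deleted.
$Path = 'C:\Windows\Temp\_iu14D2N.tmp'

# 1. Location, timestamps and attributes. FileAttributes 'Normal' (0x80)
#    is what Explorer abbreviates as "N".
$item = Get-Item -LiteralPath $Path -Force
[pscustomobject]@{
    Path       = $item.FullName
    Attributes = $item.Attributes
    AttrHex    = '0x{0:X}' -f [int]$item.Attributes
    Created    = $item.CreationTime
    Modified   = $item.LastWriteTime
    SizeBytes  = $item.Length
} | Format-List

# 2. Authenticode check. A signer name in the Properties dialog is not enough:
#    Status must be 'Valid' for the signature to cover the file contents.
$sig = Get-AuthenticodeSignature -LiteralPath $Path
[pscustomobject]@{
    Status        = $sig.Status
    StatusMessage = $sig.StatusMessage
    Signer        = $sig.SignerCertificate.Subject
    Thumbprint    = $sig.SignerCertificate.Thumbprint
    TimeStamper   = $sig.TimeStamperCertificate.Subject
} | Format-List

# 3. SHA-256 for reputation lookups without uploading the file.
Get-FileHash -LiteralPath $Path -Algorithm SHA256 | Format-List

# 4. "In use by itself" means a process is running from this image.
#    Show that process and the parent that launched it.
Get-CimInstance Win32_Process |
    Where-Object { $_.ExecutablePath -eq $Path } |
    ForEach-Object {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
        [pscustomobject]@{
            ProcessId   = $_.ProcessId
            CommandLine = $_.CommandLine
            Started     = $_.CreationDate
            ParentId    = $_.ParentProcessId
            ParentName  = $parent.Name
            ParentPath  = $parent.ExecutablePath
        }
    } | Format-List
```

If step 4 prints nothing, no process is currently running from that path; the command line and parent path, when present, show which installed program launched the temp copy.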


  • Root Admin

Hello @SirEssex and :welcome:

Please run the following three steps to get started and we'll see what we can find and get you fixed up.

 

Please run the following steps and post back the logs as an attachment when ready.
Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans are completed.
Temporarily disable Microsoft SmartScreen to download software below if needed. Make sure to turn it back on once the scans are completed.
If you still have trouble downloading the software please click on Reveal Hidden Contents below for examples of how to allow the download.

 


When downloading with some browsers you may see a different style of screens that may block FRST from downloading. The program is safe and used hundreds of times a week by many users.

Example of Microsoft Edge blocking the download


 



STEP 01

  • If you already have Malwarebytes installed then open Malwarebytes and click on the Scan button. It will automatically check for updates and run a Threat Scan.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed make sure you have it quarantine any detections it finds.
  • If no detections were found, click on the Save results drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.
  • If there were detections, then once the quarantine has completed click on the View report button, then click the Export drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.
  • If the computer restarted to quarantine, you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply that the scanner would not run.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Double-click to run the program
  • Accept the End User License Agreement.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, if items are found please click Quarantine.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here each time
  • Please attach the Addition.txt log to your reply as well.
  • On your next reply, you should be attaching FRST.txt and Addition.txt to your post, every time.

 

Thanks


Dear Root Admin -

Wow! Unbelievable that you responded 1 hour after my post. I can't thank you enough for that. I followed your directions and ran the scans. I've saved the log files and am attaching them to this post.
The files are attached as requested. If you need something more please let me know. Thank you again.

Addition.txt AdwCleaner[S00]_Scan_02-03-2022.txt FRST.txt Malwarebytes_Scan_02-03-2022.txt


  • Root Admin

Hello @SirEssex

 

The computer appears to be having a few minor issues but I'm not seeing any obvious infections. Oftentimes a temp file can be one that is being used as part of an installer process and left behind by not getting cleaned up.

Please enable System Protection and create a new System Restore Point

ATTENTION: System Restore is disabled (Total:475.67 GB) (Free:130.37 GB) (27%)

 

I would recommend that you uninstall the following

Bonjour (unneeded on Windows; it is a very noisy network discovery tool)
CCleaner (computer experts no longer recommend this program)
Defraggler (unneeded on Windows 10; it already automates defrag)
Recuva (if you really have a need for data recovery it should not be run from the drive where you're wanting to recover files; also, a paid program is often going to provide better results)

 

If you like we can do some other scans and some generic clean up of the system. Just let me know.

 


  • Root Admin

It does look like an odd name but sometimes that's just the way things go. We can do a secondary scan just to make sure there is nothing there and to help ease your mind. @SirEssex

 

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

 


Select the Windows Key and R Key together; the "Run" box should open.

Drag and Drop KVRT.exe into the Run Box.

C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box.

Add -dontencrypt. Note the space between KVRT.exe and -dontencrypt

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.


That addendum to the run command is very important: when the scan does eventually complete, the resultant report is normally encrypted; with the extra command it is saved as a readable file.

Reports are saved here: C:\KVRT2020_Data\Reports and look similar to this: report_20210123_113021.klr
Right-click directly onto that report, select > open with > Notepad. Save that file and attach it to your reply.

To start the scan select OK in the "Run" box.

A EULA window will open; tick all confirmation boxes, then select "Accept"

In the new window select "Change Parameters"

In the new window ensure all selection boxes are ticked, then select "OK". The scan should now start...

When complete, if entries are found there will be options. If "Cure" is offered, leave as is. For any other options change to "Delete", then select "Continue"

When complete, or if nothing was found, select "Close"

Attach the report information as previously instructed...
 
Thank you
 
 

 

 


  • 3 months later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 
