
Virus/worm. Help needed.

  • 30-06-2006 1:18pm
    Closed Accounts Posts: 1,715 ✭✭✭


    Hiya guys,

    I have noticed recently that Norton keeps giving messages that "win###.tmp.exe is trying to access the internet". The ### are usually made up of numbers or letters. I have also noticed about 2,000 win###.tmp.dll files in the Windows\Temp folder, and every now and then in Task Manager's Running Processes there is a file by the same name running. I have checked a few forums with suggested fixes, but the problem simply will not go away. I was wondering if anyone here would have any idea how to remove it? I have tried a few cleaners and scanners, but they have all failed to pick it up.
    Cheers,
    Dec.


Comments

  • Registered Users Posts: 3,087 ✭✭✭Static M.e.


    Seems a bit of a pain in the ass. This is second-hand info, so use at your own risk.

    You're talking about an infection called smitfraud.
    http://siri.urz.free.fr/Fix/SmitfraudFix.zip

    Extract the content (a folder named SmitfraudFix) to your Desktop.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).

    Next, please reboot your computer in Safe Mode by doing the following :

    Restart your computer

    After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

    Instead of Windows loading as normal, a menu with options should appear;

    Select the first option, to run Windows in Safe Mode, then press "Enter".

    Choose your usual account.

    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Warning : running option #2 on a non infected computer will remove your Desktop background.

    I'll check back before the end of the day (4:40) and also tomorrow morning; let me know how you get on.


  • Closed Accounts Posts: 884 ✭✭✭NutJob


    Have you run an AV scan in Safe Mode?


    Try these links for info, but do the steps in Safe Mode:
    http://www.bullguard.com/forum/9/Please-help-me-remove-tmpexe-v_24895.html



    In the event that the first attempt at the above fails, here's the hardcore approach:


    http://www.symantec.com/avcenter/venc/data/backdoor.optixpro.10.b.html

    Get BartPE or some such tool and mount the registry from the live CD (Windows).
    Knoppix-STD, despite its wonderful name, works, as I've used it for this kind of thing.



    The trojan starts from the following reg keys (don't touch them if you don't know what you're doing).

    Remove the crap entries from these:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

    This one is the biggie (will be live in Safe Mode):
    HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command

    Should look like this:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
    @="\"%1\" %*"
    


    If it's Windows 9x, just run sysedit and remove it from win.ini.


    If I've lost you, PM me.
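
    The persistence points NutJob lists (the Run/RunServices keys and the exefile open handler), together with the win###.tmp droppers from the original post, can be checked in one pass. The script below is an added example and not something posted in this thread; it assumes a modern PowerShell session run as Administrator, uses only the registry paths and file naming the thread itself mentions, and is read-only (it reports, it does not delete).

```powershell
# Added example, not from the thread: read-only triage of the persistence points
# NutJob lists (Run/RunServices and the exefile open handler) plus the win###.tmp
# droppers the original post describes. Run from an elevated PowerShell session.

$ExpectedOpenCommand = '"%1" %*'   # stock handler; anything else means every .exe launch goes through the hijacker

function Test-ExefileHandler {
    # Returns $true when the exefile open command is the stock value.
    $key = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'
    $current = (Get-Item -Path $key).GetValue('')   # '' reads the (Default) value
    if ($current -ne $ExpectedOpenCommand) {
        Write-Warning "exefile handler hijacked: '$current' (expected '$ExpectedOpenCommand')"
        return $false
    }
    return $true
}

function Get-RunEntries {
    # Lists every autostart value under the keys from the post (plus the per-user Run key)
    # and flags values that point into a Temp directory or match the win###.tmp naming.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',   # Win9x/ME era key, absent on newer Windows
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata (PSPath, PSDrive, ...), not registry values
            [pscustomobject]@{
                Key        = $key
                Name       = $prop.Name
                Command    = $prop.Value
                Suspicious = [bool]($prop.Value -match '\\Temp\\|win[0-9a-z]+\.tmp\.(exe|dll)')
            }
        }
    }
}

function Find-TmpDroppers {
    # Hashes every win*.tmp.* file in the system and user Temp folders so one sample
    # can be submitted to a scanner, and shows whether one of them is running right now.
    $dirs = @("$env:SystemRoot\Temp", $env:TEMP) | Select-Object -Unique
    $files = foreach ($d in $dirs) {
        Get-ChildItem -Path $d -Filter 'win*.tmp.*' -File -ErrorAction SilentlyContinue
    }
    $files | Get-FileHash -Algorithm SHA256 | Select-Object Hash, Path
    # Task Manager strips the extension, so win123.tmp.exe shows up as process name 'win123.tmp'
    Get-Process | Where-Object { $_.ProcessName -match '^win[0-9a-z]+\.tmp$' } |
        Select-Object Id, ProcessName, Path
}

Test-ExefileHandler
Get-RunEntries | Format-Table -AutoSize
Find-TmpDroppers
```

    If Test-ExefileHandler reports a hijack, do the repair from Safe Mode or an offline registry mount as the post says, because with the handler redirected every .exe you launch (including your cleanup tool) runs through the trojan first. Restoring the value is then a single `Set-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command' -Name '(default)' -Value '"%1" %*'`, and the Run entries flagged as suspicious are the ones to remove with `Remove-ItemProperty`.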



  • Closed Accounts Posts: 1,715 ✭✭✭Nalced_irl


    OK, Ewido seems to have cleared it. I don't know why it wasn't suggested anywhere, as it seems to have worked. Fingers crossed anyway. I have discovered a new problem also, though. When I try to install a program that uses InstallShield, I get an error like "1607: InstallShield was unable to install runtime" or something like that. I'm at work at the moment, so I don't have the exact error. I tried unregistering and re-registering it using cmd, which was suggested to me, but that didn't help. Would anyone know what else I can try? Looks like I have one healthy computer, eh? ;)
    Cheers,

    Dec


  • Registered Users Posts: 3,087 ✭✭✭Static M.e.


    First off, simple solution:

    Reinstall Windows Installer

    http://support.microsoft.com/?kbid=884016
    As a troubleshooting step to guarantee proper installation, you may need to make sure that the Windows Installer Service is properly installed on your computer. Installations that are based on the Windows Installer Service require the MSI engine to be installed properly to ensure smooth installation. Most installations based on the Windows Installer Service automatically install the MSI engine on the computer prior to running the installation.

    You can also try the following Windows Installer CleanUp Utility
    http://support.microsoft.com/?kbid=290301

    What OS are you running?


  • Registered Users Posts: 3,087 ✭✭✭Static M.e.


    Logged into a server this morning and got your error:

    "1607 Unable to install InstallShield Scripting runtime" argggghhhhhhh

    Installing WI 3 didn't do squat for me, plus a bunch of other solutions; I'll let you know what works.


  • Closed Accounts Posts: 1,715 ✭✭✭Nalced_irl



    This one seems to have done it. I just changed all options under Software\InstallShield in the registry editor to Full Control and it is working again. Thanks a million for the help!
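
    The fix Dec describes is a permissions change on the InstallShield registry key. The script below is an added example, not from the thread, that first lists the key's ACL so you can see which entry is missing or denied, and then adds a single Full Control entry for one account rather than loosening every existing entry. The key path HKLM:\SOFTWARE\InstallShield is an assumption based on the post's "Software/Install Shield"; on 64-bit Windows the 32-bit InstallShield data lives under HKLM:\SOFTWARE\Wow6432Node\InstallShield instead.

```powershell
# Added example, not from the thread: inspect the ACL on the InstallShield key and add
# one Full Control entry for the current account instead of opening every entry up.
# The key path is an assumption based on the post; adjust for Wow6432Node on 64-bit Windows.

$Key = 'HKLM:\SOFTWARE\InstallShield'

function Get-InstallShieldAcl {
    # Shows who can do what on the key, including inherited entries, so you can see
    # whether the infection or the cleanup left the current user without write access.
    (Get-Acl -Path $Key).Access |
        Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited
}

function Grant-InstallShieldFullControl {
    param([string]$Identity = "$env:USERDOMAIN\$env:USERNAME")
    # Adds a single Allow/FullControl ACE that inherits to subkeys and values; run elevated.
    $acl  = Get-Acl -Path $Key
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $Identity, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Key -AclObject $acl
}

Get-InstallShieldAcl | Format-Table -AutoSize
# Grant-InstallShieldFullControl          # uncomment after reviewing the listing above
```

    Review the listing before granting anything: if an explicit Deny entry is what blocks the installer, adding an Allow entry will not help, because Deny entries win, and that Deny is the one to remove.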

