Yeah, um, hi. My Comodo firewall just reported three attempts by iu14D2N.tmp to get through, and I accidentally clicked Allow on the third one. I am now so scared. Could somebody please tell me what the heck this program is? .__.
Probably not good. .tmp files are supposed to be temporary files, not executables.
Is the file still present on your machine? If so, I’d suggest submitting it to http://www.virustotal.com/ and to http://www.cwsandbox.org/ to see what each of these on-line analyzers says about the file.
Umm, yeah. Good question. It hasn’t popped up since my last message. Can’t find it from where I am looking. Any ideas where it should be? And I checked it in Uniblue’s ProcessLibrary: http://www.processlibrary.com/directory/files/iu14D2N.tmp/ says it belongs to Inno Setup. And here is what Wikipedia has to say about it: Inno Setup - Wikipedia
So nothing too serious, I think? But any help regarding this thing, and, if it is a virus, info about how to remove it, is most appreciated.
I found a script on Google that was referring to Skype, the VoIP software, with this file…
Did you install this lately? Maybe it’s a good time to do an antivirus/spyware scan…
It is not normal for .tmp files to connect to the internet. These are most of the time packed installers within a setup file, but I’ve also seen this in malware analysis: the “downloader” gets started and executes .tmp files to install nasty stuff… I don’t mean to scare you, but make sure to run at least two virus and spyware scanners to be sure.
Also check your firewall policy to see if it’s there and change the allow to block.
Can’t hurt to check the Defence+ policy also.
No, this computer does not have Skype installed on it. Defence+ has some temp files on the pending list, but no iu14D2N.tmp. And a stupid question: how and from where can I check my firewall’s allowed/blocked list, etc.? :s
Edit: Well, now I found something. In “Network Security Policy -> Application Rules” there is an entry for C:\Documents and settings\Bracca\Local settings\temp\iu14D2N.tmp
-> Allow IP Out From IP Any To IP Any Where Protocol Is Any
So it seems that it is in the temp folder. But why did it try to connect to the internet then?
Edit 2: Well, I blocked it until I get more information about this. And if something radical happens when I’m trying to install a new piece of software in the future, we could say that it has something to do with that thing?
It also appears on http://www.iolo.com/ for System Mechanic.
Does that ring a bell? Or did it “drive-by-download” while you were surfing?
Can you check to see if there is something left of this in c:\windows\prefetch\iu14d2n… ?
Have you run virus scanners and spyware scanners yet? Because there are some articles on the net referencing this file as virus/malware.
Just ran Ewido, AVG, F-Secure, Ad-Aware and Norton free scan, every single one of them as a full-system scan. Found nothing. And I have never, ever heard of System Mechanic O_o Anyway, iu14D2N.tmp connected to the internet for the first time while I was about to start playing Valve’s Portal game a few days ago, just a few minutes before I contacted you guys in here. Only Comodo Firewall Pro said that this .tmp file tried to connect to the internet. F-Secure and the other programs said nothing during that time.
Does this file still exist on your machine: C:\Documents and settings\Bracca\Local settings\temp\iu14D2N.tmp
If it is still there, upload it to http://www.virustotal.com/ and to http://www.cwsandbox.org/ to see what each of these on-line analyzers says about the file. Post the results here.
Ehhehheeh, how to explain this now. I cannot find the folder Local Settings. Windows’ own “search” function finds some files from that folder, but when I MANUALLY try to navigate myself to C:\Documents and settings\Bracca\Local settings\temp\iu14D2N.tmp, there is no folder “Local Settings”. What is this now?
The “Local Settings” folder is a hidden folder. That’s normal Windows setup.
There are two ways to proceed:
First, open Windows Explorer, then click Tools → Folder Options, the View tab, and towards the top of the long list of options is Hidden Files and Folders. Set it to Show Hidden Files and Folders. Then Apply to All Folders, and OK back out. Then go back and navigate to the folder. You should see it now.
Second method, using a command prompt, with these commands:
cd "\Documents and settings\Bracca\Local settings\temp\"
copy iu14D2N.tmp "\Documents and settings\Bracca\Desktop\"
This will put a copy of that file onto your Desktop. Submit that file to the on-line scanners.
Note all the quotes on the pathnames. Command lines don’t like pathnames with spaces; you have to quote everything that has spaces.
Well, I got the folder to show up, but the iu14D2N.tmp is nowhere in there. Hmmm.
Do you have any “undelete” software installed on your system, like Recuva or PC Inspector File Recovery? Maybe you can still undelete it and upload it to the mentioned sites?
Have you checked the Windows Recycle bin?
Are there any other files in the “Local Settings/Temp/” directory? It likely would be worthwhile to submit some of those also, if the dates on the files are recent.
Just as a paranoia check, check c:\windows\system32 for newly added files (sort by file date, either modification or creation). If there are new files, as in the last week or so, then submit those files also.
What anti-malware applications do you have installed? There may be some scan settings or tools that might be of use that aren’t in the default setup.
Hey, I came across the same problem while trying to install and uninstall some shareware. I’ve managed to find the hidden temp file _iu14D2N.tmp and put it through www.virustotal.com.
These are the results I get:
Antivirus Version Last Update Result
AhnLab-V3 2008.8.29.0 2008.08.29 -
AntiVir 7.8.1.23 2008.08.29 -
Authentium 5.1.0.4 2008.08.29 -
Avast 4.8.1195.0 2008.08.29 -
AVG 8.0.0.161 2008.08.29 -
BitDefender 7.2 2008.08.29 -
CAT-QuickHeal 9.50 2008.08.29 -
ClamAV 0.93.1 2008.08.29 -
DrWeb 4.44.0.09170 2008.08.29 -
eSafe 7.0.17.0 2008.08.28 -
eTrust-Vet 31.6.6056 2008.08.29 -
Ewido 4.0 2008.08.29 -
F-Prot 4.4.4.56 2008.08.29 -
F-Secure 7.60.13501.0 2008.08.29 -
Fortinet 3.14.0.0 2008.08.29 -
GData 19 2008.08.29 -
Ikarus T3.1.1.34.0 2008.08.29 -
K7AntiVirus 7.10.432 2008.08.29 -
Kaspersky 7.0.0.125 2008.08.29 -
McAfee 5372 2008.08.28 -
Microsoft 1.3807 2008.08.25 -
NOD32v2 3399 2008.08.29 -
Norman 5.80.02 2008.08.29 -
Panda 9.0.0.4 2008.08.29 -
PCTools 4.4.2.0 2008.08.29 -
Prevx1 V2 2008.08.29 -
Rising 20.59.41.00 2008.08.29 -
Sophos 4.33.0 2008.08.29 -
Sunbelt 3.1.1592.1 2008.08.29 -
Symantec 10 2008.08.29 -
TheHacker 6.3.0.6.064 2008.08.27 -
TrendMicro 8.700.0.1004 2008.08.29 -
ViRobot 2008.8.29.1355 2008.08.29 -
VirusBuster 4.5.11.0 2008.08.29 -
Webwasher-Gateway 6.6.2 2008.08.29 -
Additional information
File size: 674074 bytes
MD5: ec306c833870b90cea411d92bcd42417
SHA1: ca65d3aed266bc5d5adf90b5081851358d41ed14
SHA256: 0e9580f1614353057dc01045eea42f1416d8850d856d94b3754dd007434484b4
SHA512: 18b2214357f6b4b7c41b78a7d795d87008e554ca6b0653c3d051e7472bf79bd941d62b35933e858c348c744778dacc6d808307ac0857a059c5c248f22d299904
PEiD: -
TrID: File type identification
Windows OCX File (86.8%)
Win32 Executable Delphi generic (10.3%)
Generic Win/DOS Executable (1.4%)
DOS Executable Generic (1.4%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information
( base data )
entrypointaddress: 0x48c108
timedatestamp: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype: 0x14c (I386)
( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x8b32c 0x8b400 6.59 5cf79c3e7f907697320964c110d21b5c
DATA 0x8d000 0xf1c 0x1000 4.27 6ab365960e7b11befc27f13019563a45
BSS 0x8e000 0x1354 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x90000 0x2522 0x2600 4.98 e068ef670c64a3bfe264015154c1da16
.tls 0x93000 0x8 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0x94000 0x18 0x200 0.21 4e8fbd995725397d9edd0cb2499e1930
.reloc 0x95000 0x800c 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x9e000 0x13000 0x13000 4.96 1aaf500f1a5525e7a4905136369a78b8
( 17 imports )
kernel32.dll: DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll: MessageBoxA
oleaut32.dll: SafeArrayPutElement, SafeArrayCreate, VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll: RegSetValueExA, RegQueryValueExA, RegQueryInfoKeyA, RegOpenKeyExA, RegEnumValueA, RegEnumKeyExA, RegDeleteValueA, RegDeleteKeyA, RegCreateKeyExA, RegCloseKey, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueA, GetUserNameA, GetTokenInformation, FreeSid, EqualSid, AllocateAndInitializeSid
kernel32.dll: lstrcmpA, WriteProfileStringA, WritePrivateProfileStringA, WriteFile, WaitForSingleObject, VirtualFree, VirtualAlloc, UnmapViewOfFile, TransactNamedPipe, TerminateThread, TerminateProcess, Sleep, SizeofResource, SetNamedPipeHandleState, SetLastError, SetFileTime, SetFilePointer, SetFileAttributesA, SetErrorMode, SetEndOfFile, SetCurrentDirectoryA, RemoveDirectoryA, ReleaseMutex, ReadFile, QueryPerformanceCounter, OpenProcess, OpenMutexA, MultiByteToWideChar, MulDiv, MoveFileExA, MoveFileA, MapViewOfFile, LockResource, LocalFree, LocalFileTimeToFileTime, LoadResource, LoadLibraryA, IsDBCSLeadByte, IsBadWritePtr, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetWindowsDirectoryA, GetVersionExA, GetVersion, GetUserDefaultLangID, GetTickCount, GetSystemTimeAsFileTime, GetSystemInfo, GetSystemDirectoryA, GetSystemDefaultLCID, GetShortPathNameA, GetProfileStringA, GetProcAddress, GetPrivateProfileStringA, GetOverlappedResult, GetModuleHandleA, GetModuleFileNameA, GetLogicalDrives, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetDriveTypeA, GetDiskFreeSpaceA, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCurrentDirectoryA, GetComputerNameA, GetCommandLineA, GetACP, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FlushFileBuffers, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime, DeleteFileA, CreateThread, CreateProcessA, CreateNamedPipeA, CreateMutexA, CreateFileMappingA, CreateFileA, CreateEventA, CreateDirectoryA, CopyFileA, CompareStringA, CompareFileTime, CloseHandle
mpr.dll: WNetOpenEnumA, WNetGetUniversalNameA, WNetEnumResourceA, WNetCloseEnum
version.dll: VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
gdi32.dll: UnrealizeObject, TextOutA, StretchDIBits, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RoundRect, RestoreDC, RemoveFontResourceA, Rectangle, RectVisible, RealizePalette, Polyline, Pie, PatBlt, MoveToEx, LineTo, LineDDA, IntersectClipRect, GetWindowOrgEx, GetTextMetricsA, GetTextExtentPointA, GetTextExtentPoint32A, GetTextColor, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetDeviceCaps, GetDIBits, GetCurrentPositionEx, GetClipBox, GetBitmapBits, ExtFloodFill, ExcludeClipRect, EnumFontsA, Ellipse, DeleteObject, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateFontIndirectA, CreateDIBitmap, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, Chord, BitBlt, Arc, AddFontResourceA
user32.dll: WindowFromPoint, WinHelpA, WaitMessage, WaitForInputIdle, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowOwnedPopups, ShowCursor, SetWindowRgn, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetCapture, SetActiveWindow, SendNotifyMessageA, SendMessageTimeoutA, SendMessageW, SendMessageA, ScrollWindowEx, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClassA, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharBuffA, OemToCharA, MsgWaitForMultipleObjects, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRgn, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetSystemMetrics, GetSystemMenu, GetSysColor, GetSubMenu, GetScrollPos, GetPropA, GetParent, GetWindow, GetMessagePos, GetMessageA, GetMenuStringA, GetMenuState, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassInfoW, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, ExitWindowsEx, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreateWindowExA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcW, CallWindowProcA, CallNextHookEx, BringWindowToTop, BeginPaint, AppendMenuA, CharPrevA, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemBuffA, AdjustWindowRectEx
comctl32.dll: ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Create, InitCommonControls
ole32.dll: CoTaskMemFree, CLSIDFromProgID, CoCreateInstance, CoFreeUnusedLibraries, CoUninitialize, CoInitialize, IsEqualGUID
oleaut32.dll: GetActiveObject, RegisterTypeLib, LoadTypeLib, SysFreeString
shell32.dll: ShellExecuteExA, ShellExecuteA, SHGetFileInfoA, ExtractIconA
shell32.dll: SHChangeNotify, SHBrowseForFolder, SHGetPathFromIDList, SHGetMalloc
comdlg32.dll: GetOpenFileNameA
ole32.dll: CoDisconnectObject
advapi32.dll: AdjustTokenPrivileges
( 0 exports )
I wonder if that helps. It seems that VirusTotal and all the other virus scanners don’t see it as any type of threat! >_____<
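Two earlier suggestions in the thread (look at the other recent files in Local Settings\Temp and in system32, and copy the suspect file out for submission) and the PEInfo block of the report above come together in the script below. It is an added example, not code from the thread, from Comodo or from VirusTotal. It walks a directory, keeps every file that starts with the MZ executable signature whatever its extension says, records size, modification time and SHA256 (the values VirusTotal prints for a submission), and reads the same header fields the PEInfo block shows: machine type, section count, link timestamp, entry point and the section table. Two assumptions are built in. First, the report’s entry point 0x48c108 is read as image base 0x400000 plus RVA 0x8c108, which is the only reading that lands inside a listed section (CODE). Second, the timestamp 0x2a425e19 (19 Jun 1992) is the fixed value the Borland Delphi linker writes into every binary, so it identifies the compiler rather than the build date. The file the demo scans is a constructed header-only PE carrying the report’s section table, not the real _iu14D2N.tmp.

```python
import hashlib
import os
import struct
import tempfile
from datetime import datetime, timezone

# Fixed TimeDateStamp written by Borland Delphi's linker (19 Jun 1992). It identifies the
# compiler, not the build date, which is why a 1992 stamp on a 2008 file is not itself odd.
DELPHI_TIMESTAMP = 0x2A425E19

# Section table as printed in the report above: (name, virtual address, virtual size,
# raw size). Used only to build the constructed demo sample, not taken from the real file.
REPORT_SECTIONS = [
    ("CODE", 0x1000, 0x8B32C, 0x8B400), ("DATA", 0x8D000, 0xF1C, 0x1000),
    ("BSS", 0x8E000, 0x1354, 0x0), (".idata", 0x90000, 0x2522, 0x2600),
    (".tls", 0x93000, 0x8, 0x0), (".rdata", 0x94000, 0x18, 0x200),
    (".reloc", 0x95000, 0x800C, 0x0), (".rsrc", 0x9E000, 0x13000, 0x13000),
]


def parse_pe_headers(data: bytes) -> dict:
    """Read the COFF/optional header fields that the PEInfo block of the report shows."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("MZ file without a PE signature (DOS-only or damaged)")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:                                   # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                 # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections, off = [], opt + opt_size
    for _ in range(nsections):
        name, vsize, vaddr, rawsize = struct.unpack_from("<8sIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize})
        off += 40
    # Which section holds the entry point: a packed binary typically starts in its last section.
    entry_section = next((s["name"] for s in sections
                          if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["rawsize"])), None)
    return {
        "machine": machine, "num_sections": nsections, "timestamp": timestamp,
        "timestamp_utc": datetime.fromtimestamp(timestamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "delphi_timestamp": timestamp == DELPHI_TIMESTAMP,
        "entry_rva": entry_rva, "entry_va": image_base + entry_rva, "entry_section": entry_section,
        "last_section": sections[-1]["name"] if sections else None, "sections": sections,
    }


def scan_dir_for_executables(directory: str) -> list:
    """List every regular file that starts with 'MZ', whatever its extension says."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if data[:2] != b"MZ":
            continue
        info = {"path": path, "size": len(data), "sha256": hashlib.sha256(data).hexdigest(),
                "mtime_utc": datetime.fromtimestamp(os.path.getmtime(path), timezone.utc).isoformat()}
        try:
            info.update(parse_pe_headers(data))
        except ValueError as exc:
            info["error"] = str(exc)          # still worth submitting: an MZ file that is not a valid PE
        findings.append(info)
    return findings


def build_header_only_pe(entry_rva=0x8C108, image_base=0x400000, timestamp=DELPHI_TIMESTAMP) -> bytes:
    """Constructed demo input: DOS header, PE32 headers and the report's section table, no code."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew: PE signature follows the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(REPORT_SECTIONS), timestamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                  # PE32 optional header, data directories zeroed
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 28, image_base)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, rs, 0, 0, 0, 0, 0, 0)
                     for n, va, vs, rs in REPORT_SECTIONS)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def demo() -> list:
    """Scan a scratch folder holding the constructed PE (sample.tmp) next to a plain-text .tmp."""
    with tempfile.TemporaryDirectory() as tmpdir:
        with open(os.path.join(tmpdir, "sample.tmp"), "wb") as fh:
            fh.write(build_header_only_pe())
        with open(os.path.join(tmpdir, "notes.tmp"), "w") as fh:
            fh.write("scratch text, not a program\n")
        return scan_dir_for_executables(tmpdir)


if __name__ == "__main__":
    for f in demo():
        print("%s  sha256=%s" % (f["path"], f["sha256"]))
        print("  machine=0x%x sections=%d linked=%s%s" % (f["machine"], f["num_sections"],
              f["timestamp_utc"], " (Delphi fixed stamp)" if f["delphi_timestamp"] else ""))
        print("  entry VA 0x%x in %s, last section %s" % (f["entry_va"], f["entry_section"], f["last_section"]))
```

To run it against a real machine, call scan_dir_for_executables(os.environ["TEMP"]) (on Windows XP that is the Local Settings\Temp folder discussed above) or point it at C:\Windows\system32 and sort the findings by mtime_utc; submit whatever it lists by SHA256 rather than trusting the .tmp extension. A real Inno Setup helper should parse cleanly with its entry point in CODE; an MZ file in Temp that fails to parse, or that starts in its last section, is the one to upload first.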
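The report above also lists the file’s static imports. As an added example (not from the post, from Comodo or from VirusTotal), the script below parses lines in that `dll: Func, Func, …` format and groups the APIs by what they let a program do. Its input is a constructed excerpt of lines copied from the report; the capability buckets are my own rough grouping, not a VirusTotal feature. Two things the listing itself shows and the script makes explicit: none of the imported DLLs is a socket or HTTP library (no ws2_32.dll, wsock32.dll, wininet.dll or winhttp.dll; mpr.dll’s WNet* functions enumerate network shares rather than open connections), and LoadLibraryA plus GetProcAddress are imported, so a missing static import never proves a missing capability. The registry delete, file move/delete, CreateProcessA/ShellExecute and AdjustTokenPrivileges mix is what an uninstall helper needs, and also what plenty of malware needs, which is why a static table alone cannot settle the question.

```python
import re

# Constructed sample input: a handful of lines copied from the import listing in the report
# above, in VirusTotal's "dll: Func, Func, ..." format. The real listing is much longer.
REPORT_EXCERPT = """\
advapi32.dll: RegSetValueExA, RegQueryValueExA, RegQueryInfoKeyA, RegOpenKeyExA, RegEnumValueA, RegEnumKeyExA, RegDeleteValueA, RegDeleteKeyA, RegCreateKeyExA, RegCloseKey, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueA, GetUserNameA, GetTokenInformation, FreeSid, EqualSid, AllocateAndInitializeSid
kernel32.dll: WriteFile, TransactNamedPipe, TerminateProcess, SetFileAttributesA, RemoveDirectoryA, OpenProcess, MoveFileExA, MoveFileA, LoadLibraryA, GetProcAddress, DeleteFileA, CreateThread, CreateProcessA, CreateNamedPipeA, CreateMutexA, CreateFileMappingA, CreateFileA, CreateDirectoryA, CopyFileA, CloseHandle
mpr.dll: WNetOpenEnumA, WNetGetUniversalNameA, WNetEnumResourceA, WNetCloseEnum
user32.dll: ExitWindowsEx, SetWindowsHookExA, FindWindowA, MessageBoxA
shell32.dll: ShellExecuteExA, ShellExecuteA, SHGetFileInfoA, ExtractIconA
advapi32.dll: AdjustTokenPrivileges
"""

# DLLs whose presence means the binary links a socket or HTTP stack statically.
NETWORK_DLLS = {"ws2_32.dll", "wsock32.dll", "wininet.dll", "winhttp.dll", "urlmon.dll"}

# Rough capability buckets keyed on API name prefixes (my own grouping, not a VirusTotal feature).
CAPABILITIES = {
    "registry write/delete": re.compile(r"^Reg(Create|Set|Delete)"),
    "registry read": re.compile(r"^Reg(Open|Query|Enum)"),
    "process/execution": re.compile(r"^(CreateProcess|ShellExecute|WinExec|OpenProcess|TerminateProcess|ExitWindowsEx)"),
    "token/privilege": re.compile(r"^(AdjustTokenPrivileges|OpenProcessToken|OpenThreadToken|LookupPrivilegeValue|GetTokenInformation)"),
    "file modification": re.compile(r"^(WriteFile|DeleteFile|MoveFile|CopyFile|SetFileAttributes|SetFileTime|CreateDirectory|RemoveDirectory)"),
    "dynamic import": re.compile(r"^(LoadLibrary|GetProcAddress)"),
    "hooking": re.compile(r"^SetWindowsHookEx"),
    "network shares (mpr)": re.compile(r"^WNet"),
}


def parse_import_listing(text: str) -> dict:
    """Map dll name (lower-cased) -> set of imported functions. The same DLL can appear on
    several lines (the report lists advapi32.dll and kernel32.dll twice), so entries merge."""
    imports = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        dll, funcs = line.split(":", 1)
        names = {f.strip() for f in funcs.split(",") if f.strip()}
        imports.setdefault(dll.strip().lower(), set()).update(names)
    return imports


def summarize_capabilities(imports: dict) -> dict:
    """Bucket imported APIs by what they let the program do, as sorted 'dll!Function' strings."""
    summary = {}
    for dll, names in imports.items():
        for name in names:
            for label, pattern in CAPABILITIES.items():
                if pattern.match(name):
                    summary.setdefault(label, set()).add("%s!%s" % (dll, name))
    return {label: sorted(apis) for label, apis in sorted(summary.items())}


def has_socket_or_http_imports(imports: dict) -> bool:
    """True only if a socket/HTTP DLL is in the static import table."""
    return any(dll in NETWORK_DLLS for dll in imports)


def can_resolve_imports_at_runtime(imports: dict) -> bool:
    """LoadLibrary + GetProcAddress let code pull in APIs that never show in the static table."""
    k32 = imports.get("kernel32.dll", set())
    return any(n.startswith("LoadLibrary") for n in k32) and "GetProcAddress" in k32


def triage(text: str) -> dict:
    imports = parse_import_listing(text)
    return {"dlls": sorted(imports),
            "capabilities": summarize_capabilities(imports),
            "static_network_stack": has_socket_or_http_imports(imports),
            "runtime_import_resolution": can_resolve_imports_at_runtime(imports)}


if __name__ == "__main__":
    result = triage(REPORT_EXCERPT)
    print("DLLs:", ", ".join(result["dlls"]))
    for label, apis in result["capabilities"].items():
        print("%-22s %s" % (label, ", ".join(apis)))
    print("links ws2_32/wininet/winhttp statically:", result["static_network_stack"])
    print("can resolve more APIs at run time:", result["runtime_import_resolution"])
```

Paste the full import block from any VirusTotal report into REPORT_EXCERPT to triage a different file. Because runtime_import_resolution comes back True here, the firewall alert in the first post is not contradicted by the absence of a network DLL: a program can still reach the network through APIs it resolves by name, or simply by launching another process, which is why the sandbox reports requested in the thread (behaviour, not imports) are the better evidence.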
Hey Comodo, I have also found this file while running a scan with Comodo, but I had to run it with the rootkit scan option enabled to locate it! I definitely think something is up with this file.
Since it has been found on my computer I haven’t been able to complete a full Comodo scan! It gets right into the scan and then just stops, and when I stop the scan it keeps telling me insufficient resources.
Please upload this file to Virus Total, Comodo Instant Malware Analysis and Comodo Valkyrie and provide us with the links to their reports.