Discovered: January 14, 2015
Type: Removal Information
This tool (version 220.127.116.11) is designed to remove and repair infections of W32.Tempedreve.
How to download and run the W32.Tempedreve removal tool
- Selecting "Run as administrator" will result in an incomplete repair. You must be logged in to the Administrator account and all other users must be logged out in order for the tool to work correctly.
- There are two versions of this tool: one designed to run on 32-bit computers and one designed to run on 64-bit computers. To find out if your computer is running a 32-bit or 64-bit version of Windows, please read the following Microsoft Knowledge Base article: How to determine whether a computer is running a 32-bit version or 64-bit version of the Windows operating system
- Please make sure all the network shares are disconnected before running the Fixtool. The removal and repair tool will remind you of this once executed.
- If the infected files are located on network shares, it is recommended that you run the tool on the server host and make sure that no users have locked the infected files.
- The tool must be executed in safe mode or while the Symantec auto-protect technology is disabled.
Note for network administrators: If you are running MS Exchange 2000 Server, we recommend that you exclude the M drive from the scan by running the tool from a command line, with the Exclude switch. For more information, please read the following Microsoft Knowledge Base article: Issues caused by a back up or a scan of the Exchange 2000 M drive
Follow these steps to download and run the tool:
- Download FixTempedreve64-v2408.exe for 64-bit computers or FixTempedreve32-v2408.exe for 32-bit computers.
- Save the file to a convenient location, such as your Windows desktop.
- If you are sure that you are downloading this tool from the Security Response website, you can skip this step. If you are not sure, or are a network administrator and need to authenticate the files before deployment, follow the steps in the Digital Signature section before proceeding with step 4.
- Close all running programs.
- If you are running Windows XP, turn off System Restore. For instructions on how to turn off System Restore, read your Windows documentation.
- Make sure you are in safe mode or you have disabled the Symantec auto-protect technology.
- Make sure to disconnect your network shares before running the tool.
- Double-click FixTempedreve64-v2408.exe or FixTempedreve32-v2408.exe to start the removal tool.
- Click “I Accept” to accept the End User License Agreement (EULA) and then click “Start” to begin to run the removal tool.
- Once the tool has finished running, you will see a message prompting you to check the log file for results.
- At this point, some of W32.Tempedreve’s files may still be loaded in memory. The tool may ask you to restart your computer once it has finished running. Execute the tool again after the computer has been restarted.
- If files on network shares are compromised with the threat, then run the tool on the server storing the files, if possible. If this is not possible, then reconnect the network shares to the recently cleaned computer and run the tool against them.
Why do you need to disconnect network shares before cleaning a local infection?
If the network shares have not been disconnected, there is a chance that the infected files on other compromised computers on the network may infect the recently cleaned computer. In addition, the threat may still be active on the infected computer while running the tool and may be locking files on network shares.
The removal tool writes a summary of its operation to a log file named FixTempedreve64-v2408.log or FixTempedreve32-v2408.log, with results similar to the following:
- List of terminated processes
- List of removed registry values
- List of repaired and unrepaired files
Note: For unrepaired files, the tool will move them to %Temp%\FixtoolQuarantine. You should scan the quarantine folder with Symantec Endpoint Protection (SEP) in order to filter out the malicious component of the threat from the potentially infected documents.
Will the removal tool overwrite an existing file if a remediated file is renamed to an existing file name?
No, the file will not be overwritten and the removal tool will repair and rename the remediated file to the following:
- [ORIGINAL FILE NAME]_1.[ORIGINAL EXTENSION]
What does the removal tool do?
- Terminates the associated processes
- Removes registry keys and values added by the threat
- Repairs infected .pdf, .exe, and .msi files
The following switches are designed for use by network administrators:
- Display help message: /HELP, /H, /?
- Enable silent mode: /SILENT, /S
- If silent mode is enabled, no reboot will occur: /NOSILENTREBOOT
- Create a log file where the removal tool’s output is stored in [PATH NAME]: /LOG=[PATH NAME]
- By default this switch creates the log file in the same folder the removal tool was executed from.
- Scan mapped network drives: /MAPPED (Symantec does not recommend using this switch.)
It is important to note that using the /MAPPED switch does not ensure the complete removal of the virus on the compromised remote computer. This occurs because scanning mapped drives only scans the mapped folders, which may not include all folders on the remote computer. This can lead to missed detections. If a viral file is detected on the mapped drive, the repair may fail if a program on the remote computer uses that file.
On Windows Vista or Windows 7 computers, a scan of mapped drives may fail if the account that’s running the removal tool is not the administrator account, even if it is a member of the Administrator group. In these cases, the mapped drive will appear as disconnected after scanning with the removal tool. Please see the following Microsoft Knowledge Base article for more information: Programs may be unable to access some network locations after you turn on User Account Control in Windows Vista or newer operating systems.
We advise that you run the removal tool on every computer.
For security purposes, the removal tool is digitally signed. Symantec recommends that you only use copies of the removal tool that have been directly downloaded from the Symantec Security Response website. If you are not sure, or are a network administrator and need to authenticate files before deployment, check the authenticity of the digital signature by following these steps:
- Go to http://www.wmsoftware.com/free.htm.
- Download and save the Chktrust.exe file to the same folder in which you saved the removal tool.
Note: Many of the following steps are performed through the command prompt. If you downloaded the removal tool to the Windows desktop, move the tool to the root of the system drive and save the Chktrust.exe file to this location too. Step 3 assumes that both the removal tool and Chktrust.exe are in the root of the system drive.
- Click “Start” and then click “Run”.
- Type “cmd” and then click “OK”.
- In the command window, type the following and press “Enter” after each line:
chktrust -i FixTool.exe
- You should see one of the following messages, depending on your operating system:
Windows XP SP2: The Trust Validation Utility window will appear. Under “Publisher”, click the Symantec Corporation link and the following Digital Signature Details will appear.
Verify the contents of the following fields to ensure that the tool is authentic:
Name: Symantec Corporation
Signing Time: 05:15:00, April 03, 2015
All other operating systems: You should see the following message:
Do you want to install and run "FixTool.exe" signed on the 3rd April 2015.
Note: The date and time in the digital signature above are based on Pacific Time. They will be adjusted for your computer's time zone and regional options settings. If you are using Daylight Saving Time, the displayed time will be exactly one hour earlier.
If this dialog box does not appear, it may be because the removal tool is not from Symantec. Unless you are sure that the removal tool is legitimate and that you downloaded it from the legitimate Symantec website, do not run it.
- Click “Yes” or “Run” to close the dialog box.
- Type “exit”, and then press “Enter” to close the MS-DOS session.
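The following PowerShell script is an added example, not part of the Symantec page or the removal tool: it covers the signature-verification steps above and the network-administrator switches, using the built-in Get-AuthenticodeSignature cmdlet in place of Chktrust.exe. It assumes the tool was saved to the root of the system drive (as the Digital Signature note suggests) and that the log should go to a file of your choosing; the signer name it checks for is the "Symantec Corporation" value the page tells you to verify.

```powershell
# Added example (not Symantec's code): verify the removal tool's Authenticode
# signature, then run it silently with the documented switches.
param(
    # Assumption: both builds of the tool were saved to the root of the system drive.
    [string]$ToolDir = "$env:SystemDrive\",
    # Assumption: where the /LOG switch should write the tool's output.
    [string]$LogPath = "$env:SystemDrive\FixTempedreve.log"
)

# Choose the 32-bit or 64-bit build named on the page from the OS architecture.
$exeName = if ([Environment]::Is64BitOperatingSystem) {
    'FixTempedreve64-v2408.exe'
} else {
    'FixTempedreve32-v2408.exe'
}
$exePath = Join-Path $ToolDir $exeName
if (-not (Test-Path $exePath)) {
    throw "Removal tool not found at $exePath"
}

# Step equivalent to 'chktrust -i': the signature must chain to a trusted root
# and the file must not have been modified since signing.
$sig = Get-AuthenticodeSignature -FilePath $exePath
if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)'; do not run this file."
}
# The page says the Publisher/Name field must read Symantec Corporation.
if ($sig.SignerCertificate.Subject -notlike '*CN=Symantec Corporation*') {
    throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
}
Write-Host "Signer: $($sig.SignerCertificate.Subject)"
if ($sig.TimeStamperCertificate) {
    # The countersignature carries the signing time the page quotes.
    Write-Host "Timestamped by: $($sig.TimeStamperCertificate.Subject)"
}

# Run with the administrator switches documented on the page:
# silent mode, no automatic reboot, explicit log path. /MAPPED is omitted
# because the page recommends against it; run the tool on each host instead.
$proc = Start-Process -FilePath $exePath `
    -ArgumentList '/SILENT', '/NOSILENTREBOOT', "/LOG=$LogPath" `
    -Wait -PassThru
Write-Host "Removal tool exited with code $($proc.ExitCode); review $LogPath"
```

Run it from the Administrator account with network shares disconnected, as the page requires; the script does not change those preconditions.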