Strange Program Installed


Old 06-20-03, 02:40 AM
Visiting Guest
Posts: n/a

My daughter was online and reading her email. She received an email from a name that sounded familiar and opened it. In the email there was a hyperlink for her to click on, and thinking it was something concerning one of the scholarships she had applied for, she clicked on the link. The name of the file contained in the link was: ar505enu.exe. When given the option to save the file to the hard drive or run it from its location, she chose run it from current location. It took a few seconds then the download window disappeared. She could not find the file to see what it was once it downloaded and called me. I finally found the file and deleted it. But I also found another file that had been installed. The name of this file is: IISP.exe. I have tried repeatedly to delete this file and I get the error message that it is in use by windows and cannot be deleted. I have also found that it has been added to the group of "start up" items on my computer. I have tried unchecking the box so it will not start up when windows starts, and restarted the computer to save the changes I made. But when I go back to the msconfig to make sure it's not checked to start up, there it is again, checked to start when windows starts.
I have also tried to see what the properties of this file are and all it says is that it is an application and the path it was installed on.
Can someone PLEASE help me to get rid of this file? I'd also like to know how the file got installed and what kind of a file it is. Any and all information and help will be greatly appreciated!! Thanks in advance. 4u2
Old 06-20-03, 03:53 AM
Visiting Guest
Posts: n/a
the file "ar505enu.exe." is an acrobat reader file. try doing this...use "google" as a search engine, type in "ar505enu.exe." and look at the links supplied and see if any of them offer assistance. you should be able to delete that file using "windows explorer" and force the deletion.

also, there's another email scam going on right now. it's allegedly from Best-Buy. the email claims that someone has used your credit card to purchase something and they felt there was fraud involved so they stopped the order. they want you to contact them to send info for verification.... DO NOT REPLY!!!!!
it's a scam and calling Best-Buy will verify this.

the bottom line is to NEVER open emails from anyone you do not know, and ALWAYS run an anti virus program!!!!

if you still have trouble deleting the file, post back and we can go deeper into the computer to find/delete it

Last edited by maadi_griffin; 06-20-03 at 04:44 AM.
Old 06-20-03, 06:18 AM
Join Date: Nov 2001
Location: Taylors, SC
Posts: 9,483
What operating system are you running?
Old 06-20-03, 06:47 AM
Visiting Guest
Posts: n/a
The name doesn't necessarily mean much. It could easily have been a trojan, worm, or virus.

That's the file name of the Acrobat Reader installer, but if you're running windows, it probably would have started an installer. Since it didn't, there is a good chance that it is something else. Even if it did, there could have been a trojan included.

Scan for viruses! Another thing you might want to do is compare that file with a legitimate one. You can just compare the md5sums, or do a diff if you have that utility.
Old 06-20-03, 08:02 AM
Visiting Guest
Posts: n/a
Thanks Everyone for the info about the ar505enu.exe file. I already have Adobe Acrobat Reader installed, so why would another one just install by itself? I was able to delete this file: ar505enu.exe by just right clicking on it, but the other file I also mentioned, IISP.exe, is the one I have not been able to get rid of no matter what I try. One of the ways I tried to delete this file already was using my Windows Explorer and I kept getting the same error message: Cannot Delete file, it is in use by windows. And I am running Windows 98 Second Edition. I have also not been able to keep it from starting as soon as my windows does even though I have gone to my "msconfig", then to the start up tab and unchecked the box in front of it and re-started my computer to save the changes. ** I guess we will have to go deeper, maadi_griffin, to be able to get rid of this stupid thing!! Thanks again for the suggestions and help. 4u2
Old 06-20-03, 08:07 AM
Plumber2000's Avatar
Join Date: May 2000
Location: Eugene, Oregon
Posts: 5,841
Hit ctrl alt delete at same time, or however you get to your task manager, then tab to processes, see if the file/s you're looking for are running, if they are shut it down and then try to delete the file/s
Old 06-20-03, 08:20 AM
Visiting Guest
Posts: n/a

Hi Plumber2000,
I tried this and the program does not show up as running but when I go to Start, Programs, Accessories, System Tools, then to my System Information, it shows up in the "Running Tasks" and in the "Start up Programs" as well. Hope this helps!! **Waiting with anticipation! ** Thanks, 4u2
Old 06-20-03, 08:26 AM
Plumber2000's Avatar
Join Date: May 2000
Location: Eugene, Oregon
Posts: 5,841
Have you tried to delete it from the start up, then reboot to see if it's gone?
Old 06-20-03, 08:35 AM
Visiting Guest
Posts: n/a
i just did a search thru google to see what i could find on that file. it gave me numerous sites with information but none of them claimed this to be a virus or worm.
apparently something you have is using that file. have you done a search for that file using windows file-search option? it may be hidden deep in your system registry and will require more detective work to remove.
Old 06-20-03, 11:04 AM
Visiting Guest
Posts: n/a
As suggested, the original file your daughter downloaded (you should work on that "problem") obviously was masquerading as the Reader install, because it should've taken longer than a couple of seconds to run and would've required some degree of interaction.

As for the "problem" file;
Off the top of my head;
- Try renaming it, reboot and then, msconfig/delete;
- Try booting into Safe Mode and then, either rename or delete
- Try renaming it from the DOS prompt (ren iisp.exe junk.cow) or deleting it (del iisp.exe)

Though, I can't find anything about a program of any sort using that name; This doesn't mean that it is not something you may actually need and are mistakenly trying to get rid of it; So, if it were me, I would stick to trying to rename it until you know that it is unimportant, because you can always name it back if it is needed, but with a new name whatever is calling it cannot use it...

Good Luck;

Note: Depending from where you are with the DOS prompt, you may need to preface the iisp filename with the path; For example, if the problem file is in the "junk" directory, you would rename it by going "ren c:\junk\iisp.exe junk.cow" (without the quotes)

Also, you may want to note the file's modification date and use your "Find Files" utility to look for obvious sisters...

Last edited by magister; 06-20-03 at 11:21 AM.
Old 06-20-03, 11:29 AM
Visiting Guest
Posts: n/a
Yes, I have tried to do that and each time I start back up again and go back to my msconfig there it is, checked again to start back up. Dang it !!

Thanks for doing the search for me to see what you could find out. If something I have is using that file, wouldn't I have needed it before now? And why would it have installed by itself? By the way, I do not have an automatic windows update installer. Yes, I have done a "find files" and it shows up there in this path: Windows\allusers\start menu\programs\startup.

Oh, here is one more piece of information that might be helpful. Before my daughter clicked on the link in her email she wrote the file name down so she would be able to find it, just in case she had a problem. This is the file name that was on the link she clicked on: ar505enu.exe.pif. She said she actually clicked on it the first time and she thought nothing had happened (no download options or progress, nothing). Since she had no indication of anything happening, she clicked on it again, for a second time. Since it had obviously already installed by itself the first time she clicked on it, the second time she clicked on it, she was given the option of saving it to the disk or to run it from the location.
When I looked for whatever had been downloaded and finally found a file, there were actually 2 files with almost exactly the same name:ar505enu[1].exe and the file size is 1.04KB, and the second file name was:ar505enu[2].exe and the size for this one was 1.57KB. In the properties for both of these files it says it is a shortcut to MS-DOS Program and the origin of both of them are:2ITU8SOT. At the bottom of their properties page where the Attributes are, the Archive box is checked on both of them but they are also grayed out so you can not click to change their attributes. I had no problem right clicking on these 2 files and deleting them. But the file named:IIsp.exe, I CAN NOT get rid of !!
I hope this info helps and I'm waiting for your expertise. Thanks again. 4u2
magister, please read this last post from me and then see what you think. I'll follow any directions, but to make sure I do it right and make no mistakes, please give it to me step-by-step. Thanks again all. 4u2
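The name from the post above, ar505enu.exe.pif, shown to the user as ar505enu.exe, as an added example that is not part of the original thread: a Python check that works out what Explorer would display for a file name and flags the double extension. The extension lists and the function names are assumptions made for this illustration.

```python
import re

# File types whose extension Explorer hides even with "hide extensions for
# known file types" switched off. Assumed short list for this example.
ALWAYS_HIDDEN = {"pif", "lnk", "scf", "url"}
# Extensions that run code when opened. Assumed, non-exhaustive.
RUNNABLE = {"exe", "pif", "scr", "com", "bat", "cmd", "vbs", "js", "lnk"}
# Something that looks like an extension at the end of the remaining name.
INNER_EXT = re.compile(r"\.([A-Za-z0-9]{1,4})$")
# Counter the browser cache adds before the extension, e.g. ar505enu[1].exe.
CACHE_COUNTER = re.compile(r"\[\d+\](?=\.[^.]+$)")


def strip_cache_counter(filename):
    """Recover the downloaded name from a cache copy such as name[2].exe."""
    return CACHE_COUNTER.sub("", filename)


def inspect_name(filename, hide_known_exts=True):
    """Return (name as displayed, real extension, list of warnings)."""
    name = filename.strip()
    stem, dot, ext = name.rpartition(".")
    if not dot:
        return name, "", []
    ext = ext.lower()
    hidden = ext in ALWAYS_HIDDEN or hide_known_exts
    shown = stem if hidden else name
    warnings = []
    if ext in RUNNABLE:
        warnings.append("runs code when opened")
    if ext in ALWAYS_HIDDEN:
        warnings.append("extension is never displayed")
    inner = INNER_EXT.search(stem)
    if inner and inner.group(1).lower() != ext:
        warnings.append("double extension: looks like ." + inner.group(1).lower())
    return shown, ext, warnings


if __name__ == "__main__":
    # Names taken from the thread; the last one is a constructed benign case.
    for sample in ["ar505enu.exe.pif", "ar505enu[2].exe", "report.pdf"]:
        original = strip_cache_counter(sample)
        shown, ext, warnings = inspect_name(original, hide_known_exts=False)
        print(f"{sample!r}: shown as {shown!r}, real type .{ext}, {warnings}")
```
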
Old 06-20-03, 11:54 AM
Visiting Guest
Posts: n/a
i found this :

it has the file "ar505enu.exe.pif" noted and you may want to read this.....................

from what i've read it appears to be part of the "bugbear" virus. symantec has programs that you can download and run to remove bugbear, check their website. this is, of course, if you happen to have a virus. chances are you probably do. it's more of a hassle than anything else.

do you run norton's antivirus at all? it's supposed to filter emails if you kept it updated. if not, you might want to look into getting it. i run nortons 2003 pro and nortons internet security programs.
Old 06-20-03, 06:43 PM
tae's Avatar
Join Date: Nov 2002
Posts: 2,469
one option overlooked, but came close...reboot into safe mode, and then run your updated antivirus program. Also, are you using a firewall? Tiny personal firewall has a free 30 day trial. It will tell you if any program is trying to access the net, so it can help track down any unauthorized program. A lot of trojans/viruses attempt to shut down the big-name antivirus and firewall programs (like norton, zone alarm, and sygate), but were not written for any of the smaller, less used companies' products.
Old 06-21-03, 10:04 AM
Visiting Guest
Posts: n/a


This nasty, aggravating, (and all the other descriptive words you could think of) VIRUS, and YES it WAS a virus, (notice the word WAS) is finally gone from my computer !!!! YEA !!!
Even though I do run Norton Anti Virus, AND Tiny Personal Firewall, SOMEHOW or other, this "THING" still infected my computer. Had it not been for all of you here, it would still be doing so !

maadi_griffin, after getting your last post, I went to the Symantec website and downloaded the fix for it, I also read the article you suggested. Thanks SOOOO much for the heads up. Some interesting reading in the article and the EXACT file my daughter clicked on.

