Strange Program Installed
#1
PLEASE HELP !!!!
My daughter was online and reading her email. She received an email from a name that sounded familiar and opened it. In the email there was a hyperlink for her to click on, and thinking it was something concerning one of the scholarships she had applied for, she clicked on the link. The name of the file contained in the link was: ar505enu.exe. When given the option to save the file to the hard drive or run it from its location, she chose run it from current location. It took a few seconds, then the download window disappeared. She could not find the file to see what it was once it downloaded and called me. I finally found the file and deleted it. But I also found another file that had been installed. The name of this file is: IISP.exe. I have tried repeatedly to delete this file and I get the error message that it is in use by windows and cannot be deleted. I have also found that it has been added to the group of "start up" items on my computer. I have tried unchecking the box so it will not start up when windows starts, and restarted the computer to save the changes I made. But when I go back to the msconfig to make sure it's not checked to start up, there it is again, checked to start when windows starts.
I have also tried to see what the properties of this file are and all it says is that it is an application and the path it was installed on.
Can someone PLEASE help me to get rid of this file? I'd also like to know how the file got installed and what kind of a file it is. Any and all information and help will be greatly appreciated !! Thanks in advance. 4u2
#2
the file "ar505enu.exe." is an acrobat reader file. try doing this...use "google" as a search engine, type in "ar505enu.exe." and look at the links supplied and see if any of them offer assistance. you should be able to delete that file using "windows explorer" and force the deletion.
also, there's another email scam going on right now. it's allegedly from Best-Buy. the email claims that someone has used your credit card to purchase something and they felt there was fraud involved so they stopped the order. they want you to contact them to send info for verification.... DO NOT REPLY!!!!!
it's a scam and calling Best-Buy will verify this.
http://www.newsday.com/business/prin...business-print
the bottom line is to NEVER open emails from anyone you do not know, and ALWAYS run an anti virus program!!!!
if you still have trouble deleting the file, post back and we can go deeper into the computer to find/delete it
Last edited by maadi_griffin; 06-20-03 at 04:44 AM.
#4
The name doesn't necessarily mean much. It could easily have been a trojan, worm, or virus.
That's the file name of the Acrobat Reader installer, but if you're running windows, it probably would have started an installer. Since it didn't, there is a good chance that it is something else. Even if it did, there could have been a trojan included.
Scan for viruses! Another thing you might want to do is compare that file with a legitimate one. You can just compare the md5sums, or do a diff if you have that utility.
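The comparison suggested in post #4, as an added example that is not part of the thread: a Python script that hashes a suspect download and a trusted copy and reports where they first differ. The two files are constructed stand-ins written to a temporary directory; in real use the arguments would be the downloaded file and an installer fetched directly from the vendor.

```python
import hashlib
import os
import tempfile

CHUNK = 64 * 1024

def digests(path):
    """Stream the file once; return (size, md5 hex, sha256 hex)."""
    md5, sha, size = hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha.update(block)
            size += len(block)
    return size, md5.hexdigest(), sha.hexdigest()

def first_difference(path_a, path_b):
    """Offset of the first differing byte, or None if the files are identical."""
    offset = 0
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        while True:
            a, b = fa.read(CHUNK), fb.read(CHUNK)
            if a != b:
                diff = next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), None)
                # No differing byte in the overlap means one file is a prefix of the other.
                return offset + (min(len(a), len(b)) if diff is None else diff)
            if not a:
                return None
            offset += len(a)

def compare(suspect, reference):
    """Compare a suspect download with a copy obtained from the vendor."""
    s_size, s_md5, s_sha = digests(suspect)
    r_size, r_md5, r_sha = digests(reference)
    return {"identical": (s_size, s_sha) == (r_size, r_sha),  # decided on SHA-256
            "md5_match": s_md5 == r_md5,  # same value md5sum would print
            "sizes": (s_size, r_size),
            "first_diff": first_difference(suspect, reference)}

def demo():
    """Constructed sample: two small byte strings stand in for the real files."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, sus = os.path.join(tmp, "reference.bin"), os.path.join(tmp, "suspect.bin")
        with open(ref, "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 4094)
        with open(sus, "wb") as fh:
            fh.write(b"MZ" + b"\xff" * 1063)
        return compare(sus, ref)

if __name__ == "__main__":
    print(demo())
```

A size mismatch alone already answers the question; the offset only helps when the sizes agree and something inside was altered.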
#5
Thanks Everyone for the info about the ar505enu.exe file. I already have Adobe Acrobat Reader installed, so why would another one just install by itself? I was able to delete this file: ar505enu.exe by just right clicking on it, but the other file I also mentioned, IISP.exe, is the one I have not been able to get rid of no matter what I try. One of the ways I tried to delete this file already was using my Windows Explorer and I kept getting the same error message: Cannot Delete file, it is in use by windows. And I am running Windows 98 Second Edition. I have also not been able to keep it from starting as soon as my windows does even though I have gone to my "msconfig", then to the start up tab and unchecked the box in front of it and re-started my computer to save the changes. ** I guess we will have to go deeper, maadi_griffin, to be able to get rid of this stupid thing !! Thanks again for the suggestions and help. 4u2
#6
Hit ctrl alt delete at same time, or however you get to your task manager, then tab to processes, see if the file/s you're looking for are running, if they are shut it down and then try to delete the file/s
#7
Hi Plumber2000,
I tried this and the program does not show up as running, but when I go to Start, Programs, Accessories, System Tools, then to my System Information, it shows up in the "Running Tasks" and in the "Start up Programs" as well. Hope this helps!! **Waiting with anticipation ! ** Thanks, 4u2
#9
i just did a search thru google to see what i could find on that file. it gave me numerous sites with information but none of them claimed this to be a virus or worm.
apparently something you have is using that file. have you done a search for that file using windows file-search option? it may be hidden deep in your system registry and will require more detective work to remove.
#10
As suggested, the original file your daughter downloaded (you should work on that "problem") obviously was masquerading as the Reader install, because it should've taken longer than a couple of seconds to run and would've required some degree of interaction.
As for the "problem" file;
Off the top of my head;
- Try renaming it, reboot and then, msconfig/delete;
- Try booting into Safe Mode and then, either rename or delete
- Try renaming it from the DOS prompt (ren iisp.exe junk.cow) or deleting it (del iisp.exe)
Good Luck;
R
Note: Depending on where you are with the DOS prompt, you may need to preface the iisp filename with the path. For example, if the problem file is in the "junk" directory, you would rename it by going "ren c:\junk\iisp.exe junk.cow" (without the quotes)
Also, you may want to note the file's modification date and use your "Find Files" utility to look for obvious sisters...
Last edited by magister; 06-20-03 at 11:21 AM.
#11
Plumber2000,
Yes, I have tried to do that and each time I start back up again and go back to my msconfig there it is, checked again to start back up. Dang it !!
Maadi_griffin,
Thanks for doing the search for me to see what you could find out. If something I have is using that file, wouldn't I have needed it before now? And why would it have installed by itself? By the way, I do not have an automatic windows update installer. Yes, I have done a "find files" and it shows up there in this path: Windows\allusers\start menu\programs\startup.
Oh, here is one more piece of information that might be helpful. Before my daughter clicked on the link in her email she wrote the file name down so she would be able to find it, just in case she had a problem. This is the file name that was on the link she clicked on: ar505enu.exe.pif. She said she actually clicked on it the first time and she thought nothing had happened (no download options or progress, nothing). Since she had no indication of anything happening, she clicked on it again, for a second time. Since it had obviously already installed by itself the first time she clicked on it, the second time she clicked on it, she was given the option of saving it to the disk or to run it from the location.
When I looked for whatever had been downloaded and finally found a file, there were actually 2 files with almost exactly the same name: ar505enu[1].exe and the file size is 1.04KB, and the second file name was: ar505enu[2].exe and the size for this one was 1.57KB. In the properties for both of these files it says it is a shortcut to MS-DOS Program and the origin of both of them is: 2ITU8SOT. At the bottom of their properties page where the Attributes are, the Archive box is checked on both of them but they are also grayed out so you can not click to change their attributes. I had no problem right clicking on these 2 files and deleting them. But the file named: IIsp.exe, I CAN NOT get rid of !!
I hope this info helps and I'm waiting for your expertise. Thanks again. 4u2
magister, please read this last post from me and then see what you think. I'll follow any directions, but to make sure I do it right and make no mistakes, please give it to me step-by-step. Thanks again all. 4u2
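The two details reported in post #11, a link named `ar505enu.exe.pif` and a program file found under `start menu\programs\startup`, are both things a simple check over file paths can flag. The Python sketch below is an added example, not part of the thread; the extension lists are illustrative, the sample paths are constructed from names in the posts (the drive letter is assumed), and it assumes Explorer hides the final extension from the user.

```python
import ntpath

# File types Windows starts as programs when opened.
RUNNABLE = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs"}
# Extensions placed in front to make a name look familiar (illustrative list).
INNER = RUNNABLE | {".txt", ".doc", ".pdf", ".jpg", ".gif", ".zip", ".htm", ".html"}
STARTUP = "\\start menu\\programs\\startup\\"

def triage(path):
    """Return findings for one Windows path; matching is case-insensitive."""
    findings = []
    name = ntpath.basename(path)
    stem, ext = ntpath.splitext(name)
    runnable = ext.lower() in RUNNABLE
    inner = ntpath.splitext(stem)[1].lower()
    if runnable and inner in INNER:
        findings.append(
            "double extension: reads as %s when the final %s is hidden" % (stem, ext))
    # Startup folders normally hold shortcuts, not the programs themselves.
    if runnable and STARTUP in path.lower():
        findings.append("program file sitting directly in a Startup folder")
    return findings

def scan(paths):
    """Map each flagged path to its findings; clean paths are omitted."""
    return {p: f for p in paths for f in [triage(p)] if f}

# Constructed sample; the first three names come from the posts above.
SAMPLE = [
    "ar505enu.exe.pif",
    "ar505enu[1].exe",
    r"C:\Windows\allusers\start menu\programs\startup\IISP.exe",
    r"C:\Windows\Start Menu\Programs\StartUp\Office Startup.lnk",
    r"C:\My Documents\scholarship.doc",
]

if __name__ == "__main__":
    for path, findings in scan(SAMPLE).items():
        for finding in findings:
            print("%s -> %s" % (path, finding))
```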
#12
i found this :
http://archiver.rootsweb.com/th/read...-10/1033475695
it has the file "ar505enu.exe.pif" noted and you may want to read this.....................
from what i've read it appears to be part of the "bugbear" virus. symantec has programs that you can download and run to remove bugbear, check their website. this is, of course, if you happen to have a virus. chances are you probably do. it's more of a hassle than anything else.
do you run norton's antivirus at all? it's supposed to filter emails if you kept it updated. if not, you might want to look into getting it. i run nortons 2003 pro and nortons internet security programs.
#13
one option overlooked, but came close...reboot into safe mode, and then run your updated antivirus program. Also, are you using a firewall? Tiny personal firewall has a free 30 day trial. It will tell you if any program is trying to access the net, so it can help track down any unauthorized program. A lot of trojans/viruses attempt to shut down the big-name antivirus and firewall programs (like norton, zone alarm, and sygate), but were not written for any of the smaller, less used companies' products.
http://www.tinysoftware.com/home/tin...=solo_download
#14
FIRST OF ALL, I WANT TO THANK EVERYONE WHO HELPED !!!!!
This nasty, aggravating, (and all the other descriptive words you could think of) VIRUS, and YES it WAS a virus, (notice the word WAS) is finally gone from my computer !!!! YEA !!!
Even though I do run Norton Anti Virus, AND Tiny Personal Firewall, SOMEHOW or other, this "THING" still infected my computer. Had it not been for all of you here, it would still be doing so !
maadi_griffin, after getting your last post, I went to the Symantec website and downloaded the fix for it, I also read the article you suggested. Thanks SOOOO much for the heads up. Some interesting reading in the article and the EXACT file my daughter clicked on.
THANKS AGAIN EVERYONE !!!!!! 4u2