[XP] What on earth is this?


Hello, well I'm on my girlfriend's laptop as we speak. Ever since I first went on her laptop I noticed a weird window in the top right of the screen; you can move it about, it even goes active when you click it, then inactive when you click away.

I've run antivirus, spyware remover, HijackThis (didn't really know what I was doing) and it still remains.

I've found out the process it is in Task Manager: it's showing up as iexplore.exe. When I end the process it doesn't come back, and it's not the proper Internet Explorer either, so I'm not really too sure; I'm guessing it's some spyware.

I have attached it, please let me know, I'm very curious and it's bugging me.

[attachment: post-28640-1191675671.jpg]

No I don't have Opera installed.

I just ran that Process Explorer.

regscan.exe is there with a + to the left of it; when I click on the + iexplore.exe is there.

So what does that mean?

I've just googled regscan.exe and it says it's a trojan? Yet I've scanned it with Norton AntiVirus Corporate Edition (the one without the pretty GUI).

I right-clicked on iexplore.exe and debugged it, then the little window disappeared and also disappeared from Process Explorer :s

When I restart I bet it'll be back.

It appears to be a window at the bare minimum size (notice the caption bar).

As suggested before, I would open Sysinternals Process Explorer and use the "Find Window's Process" feature (the last icon on the toolbar) by dragging it over the offending window. It should show you what process this window was spawned from. At this point you should be able to kill the process.

Hello, yes I found out the process; when I end the process it goes away, but why is it coming up anyway?

It is only using 2,492K of memory, which shows me that it's not the proper Explorer.

In Process Explorer, when I right-click and choose Properties on the offending item (iexplore.exe), the command line says

"C:\Program Files\Internet Explorer\iexplore.exe" ??^??W?<Zt,A???ج,Aê??X??????ILOMOIAJAAAAAAJAJAJAJAJAJAJAJAJAFOAPDBLJAIAAAAAAILNAFG

IKMCCEAPAEEBIIAGEGMBOKAEOCPCMGAGAAFOILHNAEIDMHBFDDMAFGFHFAGKAEFAGKPPLIFMJEIAHMP

PNAILNIIFMAHFBALIDBADJBHMPPNADNLHAAAAAAHELJOLEODDMAFHFAFAGIBPAAAPAAFDLIAFLJIAHMPPN

AIFMAHEDALJAJAAAAAAIJAEAIIJFMAIAEOIBEAAAAAAILOMILHFAEILFOANPPHGAJLIHELJIAHMPPNAOLALIP

EEAIAIILPIPMPDKEOLAKFDLIEHJLIAHMPPNADDMAILOFMDZ

When I run normal Internet Explorer it says

"C:\Program Files\Internet Explorer\iexplore.exe" which is correct.

So what is that extra crap afterwards? It's something definitely suspect, hmmmmm.

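The Process Explorer steps suggested earlier and the command-line comparison in the post above can be done for every running iexplore.exe at once. The following PowerShell script is an added example and not code from the thread: it reads process data through WMI (Win32_Process), reports each instance's parent process and command line, and applies three heuristics that are my own choices rather than anything the thread states: the parent is not the shell (explorer.exe), there is anything at all after the executable path, and the argument string contains non-printable bytes like the one quoted above. It needs Windows PowerShell 2.0 or later.

```powershell
# Added example, not code from the thread. Lists every running iexplore.exe
# with its parent process and full command line, and flags the instances
# that match the pattern described above. Needs Windows PowerShell 2.0+
# (Get-WmiObject is not available in PowerShell 7).

function Get-IeArguments([string]$cmdLine) {
    # A clean launch is just the quoted executable path; anything that
    # follows it is an argument.
    if ($cmdLine -match '^\s*"[^"]+"\s*(.*)$') { return $Matches[1] }
    if ($cmdLine -match '^\s*\S+\s*(.*)$')     { return $Matches[1] }
    return ''
}

function Find-SuspiciousIe {
    $procs = Get-WmiObject -Class Win32_Process -Filter "Name = 'iexplore.exe'"
    foreach ($p in $procs) {
        $parent = Get-WmiObject -Class Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }
        $argStr = Get-IeArguments ([string]$p.CommandLine)

        $flags = @()
        # Heuristic 1 (assumption): a browser the user started comes from the
        # shell, explorer.exe, not from another program such as regscan.exe.
        if ($parentName -ne 'explorer.exe') { $flags += "parent is $parentName" }
        # Heuristic 2: a plain IE launch carries no arguments at all.
        if ($argStr.Trim().Length -gt 0) { $flags += "$($argStr.Length) chars of arguments" }
        # Heuristic 3: bytes outside printable ASCII are data, not a URL or switch.
        if ($argStr -match '[^\x20-\x7E]') { $flags += 'non-printable bytes in arguments' }

        New-Object PSObject -Property @{
            PID      = $p.ProcessId
            Parent   = "$parentName (PID $($p.ParentProcessId))"
            MemoryKB = [int]($p.WorkingSetSize / 1KB)
            Verdict  = if ($flags.Count -gt 0) { $flags -join '; ' } else { 'looks normal' }
            Command  = $p.CommandLine
        }
    }
}

# One entry per iexplore.exe; an instance like the one in this thread shows a
# non-shell parent plus a long, non-printable argument string.
Find-SuspiciousIe | Format-List PID, Parent, MemoryKB, Verdict, Command
```

Run it from an elevated prompt so WMI can read the command line of processes owned by other users; a missing CommandLine simply produces no argument flags. The parent-process check is the most useful of the three: a legitimate IE started from a shortcut or the Start menu is a child of explorer.exe, while a copy started by an autorun entry is a child of whatever that entry launched.
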
Have you:

- used Windows search to find regscan.exe?

- searched the registry for regscan.exe?

- tried startupcpl (free download) and checked if regscan.exe is loaded at startup?

3 weeks later...

mikemyres, did you ever figure out what this was?

Or how to get rid of it?

What programs helped you?

I have the EXACT same symptoms:

- the same little window in the upper right corner, that you can move, that changes colours depending on whether it's in focus or not

- it was launched by regscan.exe, which exists in C:\WINDOWS\system32 and is 340 KB (348,672 bytes), and it launches iexplore.exe with the command line:

"C:\Program Files\Internet Explorer\iexplore.exe" ??^??W?<Zt,A???ج,Aê??X??????ILOMOIAJAAAAAAJAJAJAJAJAJAJAJAJAFOAPDBLJAIAAAAAAILNAFGIKMCCEAPAEEBIIAGEGMBOKAEOCPCMGAGAAFOIL

NAEIDMHBFDDMAFGFHFAGKAEFAGKPPLIFMJEIAHMPPNAILNIIFMAHFBALIDBADJBHMPPNADNLHAAAAAAHELJOLEODDMAFHFAFAGIBPAAAPAAFDLIAFLJIAHMP

NAIFMAHEDALJAJAAAAAAIJAEAIIJFMAIAEOIBEAAAAAAILOMILHFAEILFOANPPHGAJLIHELJIAHMPPNAOLALIPEEAIAIILPIPMPDKEOLAKFDLIEHJLIAHMPP

ADDMAILOFMDZ

We're in the same boat.....

(I can't for the life of me find out how to subscribe to this topic. I realize that I am not auto-subscribed, so I turned on that setting, and now I can't subscribe to it manually. So I'm replying so that I will be.)

I've run Avast and Ad-Aware, and they didn't find anything wrong. regscan.exe is being run on startup from msconfig, in the registry at HKCU\software\microsoft\windows\currentversion\run

If I run regscan.exe again myself, it makes the same iexplorer.exe run, with that same little window in the top left corner. The window is iexplorer, since it remains if I close down regscan.

So, this is going to run every time I reboot my computer. What is going on?

A Windows bug?

A virus? A worm? A backdoor?

Why would a virus make itself visible?

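The checks proposed earlier (search the registry for regscan.exe, see whether it is loaded at startup) and the Run key named in the post above can be automated. The PowerShell script below is an added example, not code from the thread: it walks the usual Run, RunOnce and RunServices keys under HKCU and HKLM, resolves each value to the executable it launches, and reports whether that file exists, where it was found, its size and whether it carries a valid Authenticode signature, so an entry such as regscan.exe can be compared against the signed vendor entries around it. The key list and the fallback lookup of bare file names in the Windows and System32 directories are my assumptions about where such entries live; the thread itself only names the HKCU Run key and the System32 path. It needs Windows PowerShell 2.0 or later.

```powershell
# Added example, not code from the thread. Dumps the autorun entries under the
# Run keys discussed above and reports, for each one, whether the executable
# exists, how big it is and whether it is Authenticode-signed.

# Assumed key list: the HKCU Run key from the thread plus its usual siblings.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'   # Win9x/XP-era key
)

function Resolve-RunExecutable([string]$command) {
    # Take the quoted path if present, otherwise the first token, then expand
    # %SystemRoot%-style variables.
    $exe = $command
    if ($command -match '^\s*"([^"]+)"')  { $exe = $Matches[1] }
    elseif ($command -match '^\s*(\S+)')  { $exe = $Matches[1] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (Test-Path -LiteralPath $exe -PathType Leaf) { return $exe }
    # A bare file name (e.g. "regscan.exe") is looked up where the loader
    # would find it: the System32 and Windows directories (assumption).
    foreach ($dir in @("$env:SystemRoot\System32", $env:SystemRoot)) {
        $candidate = Join-Path $dir $exe
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $exe   # not found; returned as written so the report still shows it
}

function Get-AutorunReport {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            if ($name -eq '') { continue }          # skip the key's (Default) value
            $command = [string]$item.GetValue($name)
            $exe     = Resolve-RunExecutable $command
            $file    = Get-Item -LiteralPath $exe -ErrorAction SilentlyContinue
            $sig     = if ($file) { (Get-AuthenticodeSignature -FilePath $file.FullName).Status } else { 'n/a' }
            New-Object PSObject -Property @{
                Key       = $key
                Name      = $name
                Command   = $command
                Resolved  = $exe
                Exists    = [bool]$file
                SizeBytes = if ($file) { $file.Length } else { $null }
                Signature = $sig
            }
        }
    }
}

# Entries whose executable is unsigned, missing, or sitting in System32 under
# an unfamiliar name are the ones to examine first.
Get-AutorunReport | Sort-Object Signature | Format-Table Name, Exists, SizeBytes, Signature, Resolved -AutoSize
```

Run it as the user whose HKCU hive is affected (the HKCU keys belong to the logged-on user), and once more from an elevated prompt if you want HKLM entries that standard users cannot read. A Signature of NotSigned is not proof of malware, but combined with a file in System32 that no installed product accounts for it is exactly the kind of entry the posts above were hunting for by hand.
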
Is the real regscan.exe even required? Can I just delete regscan.exe and references to it, and be OK even if I mistakenly delete the real one?

Thanks ZombieFly, I was just looking at that page, but it doesn't explain anything about the iexplorer.exe or the strange window, or strange command line... And why doesn't my up-to-date AV program find this trojan??? Strange... Now I need to find out how to rid myself of this thing.

Usually these browser hijacks involve a "hidden" IE which is constantly intercepting your normal browser usage. The tiny window enables the trojan to run scripts to do things such as reset your default search page or worse, in some cases.

Thanks ZombieFly for that info. I understand.

I just deleted the regscan.exe file, and the reference to it from the registry.

(This page http://www.liutilities.com/products/wintas...ibrary/regscan/ was completely useless. They led me to believe that their software could remove it, for free, so I downloaded it, ran it, waited; it told me of 500 minor, meaningless registry entries, fixed 15 of them, told me to buy their software to do the rest, so I uninstalled it, and it left itself referenced in msconfig on startup. So I wasted all that time, and the software didn't do a damn thing about what it promised, so I wrote them an email thanking them for wasting 15 minutes of my time while I'm trying to do something useful, like fix my computer. Also, their software (called Registry Booster, btw) changed my system settings by turning off window contents visibility while dragging. Unless of course the trojan that it was supposed to delete did that. Sorry, rant over.)

I'd really love to find a program that can actually detect whatever trojan this really is... I believe I got it from visiting a website, so it may be a zero-day exploit, something the AV people haven't figured out yet.

Oh! I should've checked that page out before pointing you there! Sorry! :unsure: I've edited my previous posts and removed the offending link; you might want to do the same to prevent any other people being directed there...

I've always found a combination of Ad-Aware, Spyware Doctor and CounterSpy work well when cleaning. Many people recommend Spybot S&D too.

http://www.sophos.com/security/analyses/w32rbotep.html

Follow the instructions there to remove it.

Hey, don't worry, I shouldn't have assumed that "Free System Scan" meant that it would actually solve the problem, silly me. I actually used to like the http://www.liutilities.com/ website until this experience just now, since I always thought they had good info.

I can't seem to edit that post anyway; there's no "edit" button for it, even though there is for this post I'm editing now. Strange.

I just ran Spybot S&D, and it also found nothing. Ad-Aware found nothing. Avast found nothing. There's a few more I should try.

Thanks for all your help.

Thanks Rich,

but I don't think I have W32/Rbot-EP, since neither of these exists:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Update

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Update

Only this exists in my registry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

Great, thanks, Rich!!

Running them now! :D

On the Sophos link, did you go to the worm removal tab? Although the virus itself is named as a trojan, it is not a trojan as it does not allow another person to enter your machine, but it does hijack your browser etc.

If neither of those two products work, give the worm removal instructions a go and see how you get on. It does say on that Sophos page that those entries MIGHT be there, but not that they definitely are.

Yes, I went to the Recovery tab on the http://www.sophos.com/security/analyses/w32rbotep.html page. All it says is to delete the two registry entries; it doesn't even say to delete the trojan file itself. And both of these registry entries are non-existent on my computer, so this isn't the trojan (or strand) that I have.

I didn't go to this page http://www.sophos.com/support/disinfection/worms.html, if that's what you were talking about. I'll check it out after these 2 programs finish up.

Thanks for all of your help!!

This topic is now closed to further replies.