[XP] What on earth is this?



yes i went to the Recovery tab in the http://www.sophos.com/security/analyses/w32rbotep.html page. all it says is to delete the two registry entries. it doesn't even say to delete the trojan file itself. and both of these registry entries are nonexistent on my computer. so this isn't the trojan (or strand) that i have.

i didnt go to this page http://www.sophos.com/support/disinfection/worms.html if that's what you were talking about. i'll check it out after these 2 programs finish up

thanks for all of your help!!

Thats the one mate (Y)

Hopefully one of those two programs will find and remove it for you, however if not, that worms removal link should do the trick for you.


Let us know how you got on mate... if you return to Neowin that is ;)

Sure thing Rich!! dont mean to keep you hanging, i am still running the two programs that you suggested, and i have another one to run. im being slow since i havent been on this computer all day.

but no worries, i will update this thread with everything that i do and find out, even if my AV scanner eventually knows how to detect this thing a month later, ill come back and let you guys know

thanks for all the help, its great! ;)


Sure thing Rich!! dont mean to keep you hanging, i am still running the two programs that you suggested, and i have another one to run. im being slow since i havent been on this computer all day.

but no worries, i will update this thread with everything that i do and find out, even if my AV scanner eventually knows how to detect this thing a month later, ill come back and let you guys know

thanks for all the help, its great! ;)

Good stuff (Y).

We are always glad to help mate :)


Thats the one mate (Y)

Hopefully one of those two programs will find and remove it for you, however if not, that worms removal link should do the trick for you.

If it is a worm, this website says:

"Worms infect computers, but do not infect files. They can simply be identified and deleted. However, they often make registry or startup file changes so that they are executed on boot-up."

So, just me finding the culprit and deleting it manually is all i really needed to do... IF it was merely a worm...

Im going to leave the file sitting around on my computer, just so it exists, just to see if a later update to my AV or A-spyware programs eventually finds it.


If it is a worm, this website says:

So, just me finding the culprit and deleting it manually is all i really needed to do... IF it was merely a worm...

Im going to leave the file sitting around on my computer, just so it exists, just to see if a later update to my AV or A-spyware programs eventually finds it.

Have you checked your startup items? Have you attached to your .default in the registry and checked any startup items in there?

Also, if you kill the process and go and remove it simply by deleting what happens?


try getting Kaspersky 7 trial, update and do a scan in safe mode

u can find KAV, here at www.filehippo.com --- under anti virus section

that should sort out your problem, oh and superantispyware comes highly recommended, its very decent for getting rid of spyware


Have you checked your startup items?

yes, thats one of the first things i did. i used msconfig to get to the System Config Utility, and regscan.exe was being run on startup via registry entry, which i deleted.

Have you attached to your .default in the registry and checked any startup items in there?

what do you mean "attached to your .default in the registry"? ive never heard of this before

Also, if you kill the process and go and remove it simply by deleting what happens?

thats precisely what i did, and ive never seen it again, and its never started, and i havent seen it running in Task Manager or Process Explorer, and ive never seen it readded to the start programs, or anything, so i think just deleting the program solved the problem.

i must ask....... why would a program make itself so visible? and what was the purpose of this program? it seems that i easily removed it. perhaps most people wouldnt know how, even though it was just a matter of deleting the .exe


try getting Kaspersky 7 trial, update and do a scan in safe mode

u can find KAV, here at www.filehippo.com --- under anti virus section

that should sort out your problem, oh and superantispyware comes highly recommended, its very decent for getting rid of spyware

thanks Kaboose, i dont like installing trial versions of software, so i think ill use their free scanner via the web:

http://usa.kaspersky.com/products_services...rus-scanner.php

that should be decent

thanks a bunch!


thanks Kaboose, i dont like installing trial versions of software, so i think ill use their free scanner via the web:

http://usa.kaspersky.com/products_services...rus-scanner.php

that should be decent

they have a file scanner on the same page, so i scanned the regscan.exe itself, and it finds nothing wrong with it. strange.

maybe the regscan.exe is fine, and the iexplorer.exe it was running is fine, and maybe its just that it instructed regscan to open iexplorer.exe with a website that does something nasty. is that plausible?


WTF, this is the second time i replied to a post of mine, and noticed that the post i replied to was STILL QUOTED even though i ctrl+a, deleted it. and now i realize that this forum MERGED the posts, and because i already CORRECTED the flaw i thought was happening, my original post is now gone. :( you can see by this automatically merged post with another post of mine, how it makes no sense whatsoever, since although im in one thread, im talking about 2 totally different things, which i am sure happens often.....

ever since i've had Windows Defender and SUPERAntiSpyware running, both of which launch on boot and run in the background always, each time i delete a file, the window showing it is being deleted stays up FOREVER... like 5 or 10 minutes. if i delete a favorite from the favorites menu in IE6, the menu itself stays up forever, staying on top of all other windows, since its a menu.

im removing both of these to see if they really are the cause of this curse

i have a hunch it's SUPERAntiSpyware, since it appears not well polished off, and Windows Defender has never given me problems...


ever since i've had Windows Defender and SUPERAntiSpyware running, both of which launch on boot and run in the background always, each time i delete a file, the window showing it is being deleted stays up FOREVER... like 5 or 10 minutes. if i delete a favorite from the favorites menu in IE6, the menu itself stays up forever, staying on top of all other windows, since its a menu.

uninstalling them both solved this problem. what used to happen every single time, now never happens. since Windows Defender has never caused this for me before, i must assume SUPERAntiSpyware was the culprit.


yes, thats one of the first things i did. i used msconfig to get to the System Config Utility, and regscan.exe was being run on startup via registry entry, which i deleted.

what do you mean "attached to your .default in the registry"? ive never heard of this before

thats precisely what i did, and ive never seen it again, and its never started, and i havent seen it running in Task Manager or Process Explorer, and ive never seen it readded to the start programs, or anything, so i think just deleting the program solved the problem.

i must ask....... why would a program make itself so visible? and what was the purpose of this program? it seems that i easily removed it. perhaps most people wouldnt know how, even though it was just a matter of deleting the .exe

I have a feeling this was either not a spyware, but was some software trying to load itself. Maybe some software that never uninstalled properly or something.

Either that, or some viruses/spyware are just that easy to remove.

The .Default registry is the main hive that if you edit will affect every user created before and after that change. It is a bit like the "all users" but is far further than that. You can only connect to it if you have all files and folders, including hidden and system files showing.

uninstalling them both solved this problem. what used to happen every single time, now never happens. since Windows Defender has never caused this for me before, i must assume SUPERAntiSpyware was the culprit.

I'm not sure about this SuperAntiSpyware program to be honest. The guy has made a few posts advertising it, yet just the name makes me think it is a little of a problem in itself. The name also makes me want to rip my eyes out with my nails.

It is also not a good idea to have more than one antivirus and one anti spyware software installed at one time. I have seen some machines where the two separate antivirus or anti spyware programs try to un-install or disable each other.

I never really got on with Windows Defender. I love Spybot though, because it tells you what is trying to access the registry and allows you to make the decision on what changes should be allowed.

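The startup check discussed in the posts above (the registry entry that launched regscan.exe, and the question about startup items under .DEFAULT), as an added example that is not part of any poster's reply: a read-only PowerShell listing of Run/RunOnce values with the size and SHA-256 of each target file. It assumes PowerShell 4.0 or later, which is newer than what the Windows XP machine in the thread would have, and the key list and the helper name `Get-CommandTarget` are choices made for this example.

```powershell
# Added example, not from the thread. Lists autostart (Run/RunOnce) values for the
# machine, the current user and HKEY_USERS\.DEFAULT, and reports the size and
# SHA-256 of each target file so an unexpected entry stands out.
# Assumes PowerShell 4.0 or later (Get-FileHash). Read-only: it changes nothing.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Hypothetical helper: pull the executable path out of a Run value.
# A quoted path wins; otherwise the first whitespace-delimited token is used,
# so an unquoted path containing spaces will be reported as "file not found".
function Get-CommandTarget([string]$CommandLine) {
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine)
    if ($expanded -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^\s*(\S+)')     { return $Matches[1] }
    return $null
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }   # key absent on this system
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)
        $target  = Get-CommandTarget $command
        $file    = $null
        if ($target -and (Test-Path -LiteralPath $target -PathType Leaf)) {
            $file = Get-Item -LiteralPath $target -Force    # -Force also returns hidden files
        }
        [pscustomobject]@{
            Key     = $key
            Name    = $name
            Command = $command
            Target  = $target
            Bytes   = if ($file) { $file.Length } else { $null }
            SHA256  = if ($file) {
                          (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
                      } else { 'file not found' }
        }
    }
}

# One block per startup entry; compare Bytes and SHA256 against a known-good copy.
$report | Sort-Object Key, Name | Format-List
```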

I doubt it's something that didn't uninstall itself properly. Whatever it was, it placed regscan.exe in the start up via registry entry, which appears in msconfig, and this loads a copy of iexplorer.exe which shows as a very small window, probably as small as you can make it, which is visible on screen. And it started IE with a strange command line that both I and the O.P. saw, which is identical. I haven't uninstalled any software recently (other than anti-spyware and AV software in an attempt to remove this regscan.exe program).

They say worms don't infect files, so you just need to delete them. Since I removed this so easily, it's not a virus, nor can it be spyware. So, worms, I guess are easy to remove.

This SuperAntiSpyware program is definitely the cause of slowdown, and extreme slowdown of deletion of files, on my computer. It's not polished off at all. You can tell by the polish just how legitimate it is, since the guy who did the banner start up graphic spent about 2 seconds doing it. Google searches reveal little on the program except webpages promoting it, so it's NOT well known. If the same guy is promoting it, then he's involved with it. I wish he hadn't spammed me this product, I regret that it ever touched my computer system.

To all others who may read this:

DO NOT INSTALL SUPERAntiSpyware ON YOUR COMPUTER. YOU WILL REGRET IT.

I know it's not good to have more than one antivirus or one anti spyware software installed at one time, but I didn't realize that these were all going to stay resident, and run at the same time, and run at start up. Now I know. Not all do this.


Isn't regscan.exe the same on every WinXP, anyway?

The fact that this culprit is 341 KB (as shown in Windows explorer) or 340 KB (348,672 bytes) (as shown in Properties) should show that it's guilty... since no one else should have a regscan.exe of that size. I haven't found anyone on the net that does.

im running winXP home ed, btw, if that matters, which i doubt, with full SP2 and updates.

(i could zip up the file and let you guys look at it... i still have it sitting on my desktop, waiting for an AV program to detect it... just to see if eventually they do.)


Isn't regscan.exe the same on every WinXP, anyway?

The fact that this culprit is 341 KB (as shown in Windows explorer) or 340 KB (348,672 bytes) (as shown in Properties) should show that it's guilty... since no one else should have a regscan.exe of that size. I haven't found anyone on the net that does.

im running winXP home ed, btw, if that matters, which i doubt, with full SP2 and updates.

(i could zip up the file and let you guys look at it... i still have it sitting on my desktop, waiting for an AV program to detect it... just to see if eventually they do.)

I have a feeling that it MIGHT be a joke virus that spread to you through maybe an email or something. Only some virus scanners will detect joke viruses.

To be honest, if it is sorted, its not worth worrying about any more.


I have a feeling that it MIGHT be a joke virus that spread to you through maybe an email or something. Only some virus scanners will detect joke viruses.

To be honest, if it is sorted, its not worth worrying about any more.

Nope, I didn't get it through email. It's on my business machine, and there's no jokes or anything sent through any email that is checked on my business machine. Only my team members send me emails on this machine.

It was from a website i visited while i was researching proxy servers. My AV told me the website was trying to install a virus, and it caught it. Perhaps this website, or another like it, did this. I am 99% sure one of them did. I would have noticed the window before, since it sits in the top left corner totally visible and my desktop is empty, it doesnt even have a wallpaper, so its so visible. A website did this for sure.


I doubt it's something that didn't uninstall itself properly. Whatever it was, it placed regscan.exe in the start up via registry entry, which appears in msconfig, and this loads a copy of iexplorer.exe which shows as a very small window, probably as small as you can make it, which is visible on screen. And it started IE with a strange command line that both I and the O.P. saw, which is identical. I haven't uninstalled any software recently (other than anti-spyware and AV software in an attempt to remove this regscan.exe program).

They say worms don't infect files, so you just need to delete them. Since I removed this so easily, it's not a virus, nor can it be spyware. So, worms, I guess are easy to remove.

This SuperAntiSpyware program is definitely the cause of slowdown, and extreme slowdown of deletion of files, on my computer. It's not polished off at all. You can tell by the polish just how legitimate it is, since the guy who did the banner start up graphic spent about 2 seconds doing it. Google searches reveal little on the program except webpages promoting it, so it's NOT well known. If the same guy is promoting it, then he's involved with it. I wish he hadn't spammed me this product, I regret that it ever touched my computer system.

To all others who may read this:

DO NOT INSTALL SUPERAntiSpyware ON YOUR COMPUTER. YOU WILL REGRET IT.

I know it's not good to have more than one antivirus or one anti spyware software installed at one time, but I didn't realize that these were all going to stay resident, and run at the same time, and run at start up. Now I know. Not all do this.

you have no clue what you are talking about

SUPERantispyware is well known and it is the best spyware scanner out there. rivaled, if at all, by counterspy. your computer is only slow because it has options to scan at startup and every time it updates that are enabled by default. plus the realtime file monitor will scan all files that are accessed, slowing your comp down even more. you just have to set it up correctly

and having multiple scanners is fine, since they all miss stuff that the others might pick up. just don't have them all running at startup :rolleyes:

nothing finds your file as a virus / worm / trojan because it doesn't do anything dangerous. it just launches IE explorer as a tiny window. delete it and move on


PermaSt0ne, im just stating what i see.

SUPERAntiSpyware was not running a scan when my computer was going slow. imagine how silly it would be to complain about a slow computer WHILE SCANNING, c'mon.

what i said is that everytime i *deleted a file from windows explorer, or from the favorites menu*, the deletion dialog box would remain on the screen (or the favorites menu, which hides everything behind it, believe me, i know after this experience) for over 10 minutes. i dont know just how long it'll take, since i grew tired of this, so i'd shut down the program.

after removing SUPERAntiSpyWare, the issue disappeared...

i 'get' that the program scans all files as they are used, and slows the computer down. but to leave a favorites menu onscreen blocking the view of all other windows for 10 minutes is NOT ACCEPTABLE.

i can't believe you thought i was complaining because you thought i had multiple programs scanning all at the SAME TIME, lol, and then couldn't stand my computer being so slow, lol. but of course, you assumed i was a newbie, which is easy to do, since most people are... funny tho

btw, i have deleted it, and it likely doesn't do anything dangerous, i agree. i think maybe it's half of a real threat, and my AV program stopped the dangerous half, but let this annoyance get through.


I should note... the amount of polish on an anti-spyware program says NOTHING about how good it is at finding and removing spyware...

please dont confuse the two.

SUPERAntiSpyware may be very good at what it does. i really don't know, so i can't say one way or the other.

All i know is that it's not polished off. that's it. its presence on my computer, if no one else's, was annoying. In short, it made my computer unusable, since i delete files ALL the time. imagine 10 deletion dialogs, and an IE favorites menu that stays on top of everything, all over your desktop, to get an idea of what i was going through... lol. not fun. and it wasnt during a scan. and no other scanners were running.


you have no clue what you are talking about

SUPERantispyware is well known and it is the best spyware scanner out there. rivaled, if at all, by counterspy. your computer is only slow because it has options to scan at startup and every time it updates that are enabled by default. plus the realtime file monitor will scan all files that are accessed, slowing your comp down even more. you just have to set it up correctly

and having multiple scanners is fine, since they all miss stuff that the others might pick up. just don't have them all running at startup :rolleyes:

nothing finds your file as a virus / worm / trojan because it doesn't do anything dangerous. it just launches IE explorer as a tiny window. delete it and move on

Superanti what? I never heard of it until you started posting news on this product as well as others created by the same company. I also have a feeling you may be connected to the software in some way? It definitely is not the best out there and im 100% sure on that, however much you may personally like it. This counterspy software i have not even heard of.

As far as im concerned, in my 14 years IT experience i heard of it, but not heard of it being "well known" or well rated.

Spybot and Hijack this are the two most popular to be honest.

You are correct that you can have more than one installed as long as you don't have them run at startup... but that then kind of avoids the point of having the software installed don't you think? So really all i can say to that is :rolleyes:

The only really justifiable thing you said is that it was not a virus and was just a window.


This topic is now closed to further replies.