Trojan Horse downloader

Linda (Former JREF Goddess; joined Jul 23, 2001; 788 messages)
Ok, I have a problem on my computer. I'm running the free version of AVG anti-virus software, along with Zone Alarm firewall.
I'm using Windows XP.

Over the past few weeks I periodically get a message box pop up from AVG telling me I have "Trojan Horse Downloader.Agent.AL" in c\DOCUME~1\Linda\LOCALS~1\Temp\randreco.exe. Then it tells me to run my anti-virus to remove it, which I always do and it always comes up clean, never finding a virus. I update my anti-virus daily and run a scan daily. I did try disabling the System Restore feature and rebooting and then re-enabling the System Restore feature. That didn't help.

I searched on my C drive for this file, but can't find it. Could someone explain to me in layman's terms what to do and if I should worry? I often get email messages warning I'm trying to send out an email with a virus attached, but they're always addressed to people I've never sent emails to.
 
The actual directory you will find it in is
C:\Documents and Settings\Linda\Local Settings\Temp\

You *might* be able to just delete it, reboot, and move on.

One way to make it easier to find is to open "My Computer", right-click on your C: drive, and choose to "search" or "find" -- put the filename randreco.exe in the box, and delete anything that pops up that ends in randreco.exe.

According to what I can find on the net, anything titled randreco.exe is this spyware that you have.

On that note, ad-aware (www.lavasoftusa.com) miiight catch it and remove it, but one of the posts I read complaining about getting it removed was from a user of ad-aware, so maaaaybe not.

If deleting it "by hand" doesn't do the trick, then see if you can right-click, rename it to something else, and then reboot. Go find the renamed file, and then delete it.

SUPPOSEDLY Windows allows renaming of a currently running file for exactly this reason -- you can't directly delete a program that's running.

In practice, it doesn't always work. Let me know how it turns out.
 
Linda, I found both these on:
http://forums.thetechguys.com/archive/index.php/t-5857.html

...you need to first search your HD for the EXE itself. Then delete it as well as any Prefetch files it created. Next go to Regedit and search for randreco and delete the startup that creates it in the first place. Where it is may vary depending on where it puts itself. Then download SpyBot Search and Destroy @ www.download.com and run it. This will clean out any and all entries of known Trojans and spyware you may have.

and

I was infected with randreco.exe. Based on the recommendation from geotec I downloaded Spybot Search and Destroy. It found all the registry entries associated with the VX2 betterinternet objects. My machine is clean after weeks of searching for how to get rid of the randreco.exe crap.

Good luck.

RayG
 
Linda, I would like to concur with the previous posters that Ad-Aware is a very good thing to run on your box. Don't worry if it finds tons of stuff: most of those are just harmless cookies.

It sounds to me, Linda, that there is a 'loader' program that keeps bringing this file into your computer.

However: there's a very easy way of defeating it:

1. Find a fairly small program that you already have on your computer, such as notepad.exe.
2. Make a copy of it, and move the copy to the same folder that it keeps finding randreco.exe in.
3. Delete randreco.exe if it's already in there. Rename your copy: randreco.exe
4. Then, every time the hidden obnoxious loader program starts up, it'll find randreco.exe in there already, and not bother to load a new copy of randreco.exe.

Every time it tries to run the spam/ad/mal/trojan file randreco.exe, it'll just be running a harmless copy of notepad instead.

PLEASE don't mess with your registry unless you've done it before and know what you're doing. Have someone who knows a good deal about computers do that bit for you.
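bignickel's placeholder trick, written up as an added Python example (not code from this thread): it removes the dropped file, plants a harmless copy under the same name, and later checks by hash whether the loader has managed to replace it. The directory, file names and file contents are constructed stand-ins, and the rename-on-PermissionError fallback follows Scribble's earlier note that a running program can usually be renamed but not deleted.

```python
import hashlib
import os
import shutil
import tempfile

def sha256_of(path):
    """SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def plant_placeholder(target_dir, name, harmless_src):
    """Delete the dropped file (if present) and put a harmless copy in its place.
    Returns the SHA-256 of the planted placeholder for later verification."""
    target = os.path.join(target_dir, name)
    try:
        os.remove(target)
    except FileNotFoundError:
        pass
    except PermissionError:
        # A running program cannot be deleted on Windows but can usually be
        # renamed; the renamed copy is deleted after a reboot (per the thread).
        os.replace(target, target + ".quarantined")
    shutil.copyfile(harmless_src, target)
    return sha256_of(target)

def placeholder_intact(target_dir, name, expected_hash):
    """True if the placeholder is still our harmless copy; False if it is
    missing or has been overwritten by the loader with a new payload."""
    target = os.path.join(target_dir, name)
    return os.path.exists(target) and sha256_of(target) == expected_hash

def demo():
    """Constructed scenario in a temp directory (hypothetical, not a real
    infection): plant the placeholder, then simulate the loader overwriting
    it, and show that the hash check catches the replacement."""
    with tempfile.TemporaryDirectory() as d:
        harmless = os.path.join(d, "notepad.exe")  # stand-in for a real harmless program
        with open(harmless, "wb") as f:
            f.write(b"harmless program bytes (constructed)")
        dropped = os.path.join(d, "randreco.exe")
        with open(dropped, "wb") as f:
            f.write(b"dropped payload bytes (constructed)")
        expected = plant_placeholder(d, "randreco.exe", harmless)
        before = placeholder_intact(d, "randreco.exe", expected)
        with open(dropped, "wb") as f:  # the loader drops a fresh copy over ours
            f.write(b"new payload bytes (constructed)")
        after = placeholder_intact(d, "randreco.exe", expected)
        return before, after
```

If the check ever reports the placeholder as replaced, the loader itself is still active and the startup entry RayG's quote mentions is what needs cleaning.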
 
I did find the file right where Scribble told me to look and deleted it. I already have ad-aware on my computer, and obviously that didn't help, but I did reboot and it seems to be gone now. I also downloaded SpyBot Search and Destroy and ran that and eliminated 82 cookies. I did not do anything to my registry as I got confused when I went to Regedit and decided to leave it alone.
So we'll see. Thanks Scribble, RayG and bignickel.
 
bignickel- That's elegant, and so obvious (like most neat ideas) after someone has suggested it.
 
Soapy Sam said:
bignickel- That's elegant, and so obvious (like most neat ideas) after someone has suggested it.

Can't claim credit for it.

I've been fighting enough of these things on my and other people's systems this year that I've learned a few tricks of the trade.

It's when you get to randomly named DLLs every time you reboot that you run into trouble...
 