RANDRECO.EXE keeps coming back !

rstones12,

I'm not sure what you mean by proxy service. I have Comcast High Speed Internet Service. I only use Hotmail or Yahoo for my email accounts (and I always scan files first before opening them). I've never used Outlook Express because I heard it's so vulnerable to viruses. Randreco.exe came back several times as I was on the internet tonight.

Thanks again for your help with this annoying problem.

drmajcher
 
drmajcher,

This one is really stubborn.

Download VX2 Cleaner Lavasoft - Ad-Aware SE Plug-In
Install VX2 Cleaner.
Don't run it just yet.

Scan with HJT and place a checkmark next to the following items.


O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGRAB.DLL

O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\SYSTEM\khooker.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe

All of the O16's, they will come back if needed.


Close all browsers and windows except HJT and click Fix Checked

Restart in Safe Mode, search and remove the following files/folders if present.

C:\WINDOWS\BTGRAB.DLL
C:\WINDOWS\SYSTEM\khooker.exe
pctptt.exe
ptsnoop.exe

Run the VX2 cleaner in safe mode:

Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Navigate to the C:\Windows\Prefetch folder. Open the Prefetch folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Prefetch folder.

Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Empty the Recycle Bin.

Reboot normally and post a new HJT log by using Post a Reply.
 
Hello rstones12,

I followed your latest instructions and the one hitch I ran into when running Hijackthis and having checked all the items you said to was the following message:

Could not Delete O16 - DPF: Java AS400 Display (ASD) - http://www.co.kent.de.us/w2hlegacy/java/wdasd.cab because it does not exist anymore.

Also, I just wanted to note that when Randreco.exe does pop up, I get a message from my AVG Shield that it's present and I click delete file each time. I also have been deleting all the contents of the Windows/TEMP folder on a regular basis.

Again, I appreciate your help in ridding me of this annoyance.

drmajcher

Logfile of HijackThis v1.99.0
Scan saved at 12:27:58 PM, on 2/15/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TWAIN_32\PAPRPORT\3100BUSB\FLATBED.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HIJACK\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 69:136.241.91:05
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SZMsgSvc.exe] C:\STOPzilla!\SZMsgSvc.exe
O4 - HKLM\..\Run: [PP3100B] C:\WINDOWS\twain_32\paprport\3100bUSB\flatbed.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [RealJukeboxSystray] "C:\REAL\REALJUKEBOX\tsystray.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O16 - DPF: Java AS400 Display (ASD) - http://www.co.kent.de.us/w2hlegacy/java/wdasd.cab
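The HJT log above is plain text with one entry per line, which makes it easy to check mechanically which lines match the items rstones12 asked to have ticked. The following parser is an added illustration, not part of this thread or of HijackThis; its sample lines are a constructed excerpt of the posted log, and the fix lists are taken from the instructions earlier in the thread.

```python
import re
# Constructed excerpt of the HJT log posted in this thread (a few representative lines).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 69:136.241.91:05
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGRAB.DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O16 - DPF: Java AS400 Display (ASD) - http://www.co.kent.de.us/w2hlegacy/java/wdasd.cab
"""

# Items the helper told the poster to tick in HJT (taken from the instructions above).
FIX_O4_NAMES = {"SiS KHooker", "CountrySelection", "PTSNOOP"}
FIX_O2_CLSIDS = {"{00000000-F09C-02B4-6EC2-AD0300000000}"}
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^BHO: (?P<desc>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
R1_RE = re.compile(r"^.*,ProxyServer = (?P<proxy>.+)$")

def parse_hjt(text):
    """Turn each 'Xn - ...' line of an HJT log into a dict; skip headers and process list."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        e = {"sec": m["sec"], "raw": line.strip()}
        sub = {"O4": O4_RE, "O2": O2_RE, "R1": R1_RE}.get(e["sec"])
        if sub and (m2 := sub.match(m["body"])):
            e.update(m2.groupdict())   # hive/key/name/cmd, desc/clsid/path, or proxy
        entries.append(e)
    return entries

def select_for_fix(entries):
    """Helper's rules: tick the BTGrab BHO, the three named O4 entries and every O16."""
    ticked, notes = [], []
    for e in entries:
        if e["sec"] == "O2" and e.get("clsid") in FIX_O2_CLSIDS:
            ticked.append(e["raw"])
        elif e["sec"] == "O4" and e.get("name") in FIX_O4_NAMES:
            ticked.append(e["raw"])
            if "\\" not in e["cmd"]:   # bare filename: the file must be located on disk first
                notes.append(f"locate {e['cmd']} before deleting (entry gives no path)")
        elif e["sec"] == "O16":
            ticked.append(e["raw"])
        elif e["sec"] == "R1" and e.get("proxy"):
            notes.append(f"ProxyServer is set to {e['proxy']}: confirm it is intended")
    return ticked, notes
```

The notes list is where a reviewer's attention goes: the two O4 entries with no directory explain why the helper says to search for the files in Safe Mode, and the R1 proxy entry is the setting behind the earlier question about a proxy service.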
 
That little nasty is hidden somewhere.

Let's try another scanner, because there must be something that reloads it.

Download the trial version of TDS-3 anti-trojan from here:
http://www.diamondcs.com.au/tds/downloads/tds3setup.exe
Install it, but do not launch it yet.

Update it: right-click the link below and select "Save as":
http://www.diamondcs.com.au/tds/radius.td3

Save it to the directory where you installed TDS-3, overwriting the previous radius.td3.


Then launch TDS-3. In the top bar of the TDS window click System Testing > Full System Scan.
Detections will appear in the lower pane of the TDS window. After the scan is finished (this will take a while), right-click the list and select Save as txt. Save it and post the contents of scandump.txt here.

After posting the scan log, go ahead and right-click the list again; this time select Delete! Delete everything labelled "positive identification".
 
Delete the following keys:
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\adstartup
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\bokja
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\sqinstaller
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\stcloader
 
finally rid of RANDRECO.exe

Hello rstones12,

I didn't have to follow through with your last set of instructions as I've been free of RANDRECO.exe since I followed your previous series of instructions.

Somewhere in the instructions below was the answer:

Scan with HJT and place a checkmark next to the following items.


O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGRAB.DLL

O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\SYSTEM\khooker.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe

All of the O16's, they will come back if needed.


Close all browsers and windows except HJT and click Fix Checked

Restart in Safe Mode, search and remove the following files/folders if present.

C:\WINDOWS\BTGRAB.DLL
C:\WINDOWS\SYSTEM\khooker.exe
pctptt.exe
ptsnoop.exe

--------------------------

I remember in Safe Mode that I found and deleted 3 of the 4 above files and then ran VX2 Cleaner, and it came up clean.

Once again, I can't thank you enough for all your help in solving this annoying and persistent problem.

I hope I won't need to come back to this Forum again, but to me it seems like just going on the internet has everyone at risk of getting infected with Trojan Horses and other various virus bugs. So, I'm glad I know where to come should I get infected again.

Thanks a million -- this Forum & people like yourself are invaluable to us regular computer users.

drmajcher

P.S. Thanks also to Warez Monster for your input
 