As of today, I’ve received a message from one of my mates in MSN and the message was one which I wouldn’t have expected, which goes like “Can you have a look at my pic, I’m going to use it on Myspace?” and a file “Image26.zip” was sent. Being a bit suspicious, I asked a few questions and didn’t get a reply.
I downloaded the file and got it scanned with AVG Free, and NO virus or warnings was shown. Inside the zip file, instead of an image file, there was an executable file image26_photobucket.exe. Double clicked on the file but nothing turns up on the screen. On that point forward, I know I’ve just done something wrong.
My computer hanged for a while and MSN wasn’t responsive. The reason was that the file that I have just clicked triggered and installed a custom built service known as rndsvc.exe to open up threads to keep on sending the same Image26.zip to all of your friends in your contact list. I had to immediately disconnect from the internet to stop the file from being sent.
How you can delete the worm/virus
1. If you haven’t, disconnect from the internet
2. Press CTRL+ALT+DEL and shut down the service rndsvc
3. Goto C:\windows\system32\ and delete the filename rndsvc.exe
4. Never ever double click on any executable file (*.exe) received from unknown sources, especially those says that it’s an image file but then turned up as executables.
* Just a bit surprised why AVG Free didn’t pick up it as a worm/trojan when i scan the file. Anyway, it wasn’t quite a problem as I know what I was dealing with.
Updated (November 11 2007)
Just checked my registry and saw that the worm/trojan was one of the process/services that was set to be run automatically each time windows is started up. You can delete it by:
1. Start Menu -> Run -> type in Regedit -> OK
2. Expand HKEY_LOCAL_MACHINE -> SOFTWARE ->Microsoft -> Windows -> CurrentVersion -> Run
3. On the right side window, you will see an entry with Name=Application Process and Data=rndsvc.exe (that’s the worm/trojan!)
4. Right click on that entry, and DELETE it once and for all!
5. Grab a beer and celebrate your achievement 🙂
* Previously brfore the update, you could have just deleted it from \windows\system32 and it will disinfect the worm/trojan. Since it has nothing to run during startup, the entry in the registry won’t do any harm anyway. Clearing that entry from the registry is more of like a final cleanup.
mob1900 says
And if it got worse, use this:
http://www.arswp.com
So far it was the only Anti-virus which really detects and remove the above variant trojan/worm.
Me suspects, they’re the ones that made the trojan in the first place.
😉
admin says
since the link given by mob1900 is in chinese, a direct download link would be: this
I haven’t test it, so use at your own risk.
liam says
Cheers
Guillermo Gilverto says
Hi i would like it if you could send the rndsvc.exe file to my email. I am conducting an experiment on how to delete, remove, or heal files with viruses, worms, trojans, ect. I find the easiest ways to do this through my experiments. I would really appreciate it. thank you
computer says
Wow, that’s what I was looking for, what a information! existing here at this webpage, thanks admin of this web site.