Tom's Guide | Tom's Hardware | Tom's Games
A week ago I got a pop-up advertising trojan by merely visiting a site. I NEVER download or open emails. The pop-up ad is served by a company called UnderGroundLair.net.
I tried SEVERAL anti-virus programs and the latest version of Ad-Aware and none of them were able to remove the program.
Much research did reveal the following info which I hope may help you:
They used a renamed version of the winpup.exe trojan. It has two files, one located in the windows directory, the other in windows/system32. The file names USED to be pup.exe and over.exe. In my case the files were named Rico.exe and MRTL.exe.
The best way to locate the files is to do a search on your computer for .exe files in the Windows directory and sub directories that are 64 KB in size. You'll see the Trojan files have the same date/time stamp.
One of the files will be running as a service. You will probably have to turn off the process (hit ctrl-alt-delete and go to the running processes, then turn the process off) before you'll be able to delete the file.
One of the files will also be set to run every time your computer starts up. You'll have to go to start --> run and type in 'msconfig' to bring up the System Configuration Utility. Click the "startup" tab and find the program. You can remove it here.
There will also be a registry entry which you may want to remove.
The hosting company for undergroundLair.net is DataPipe.net. They know about this company (and have for some time). They can provide you with removal instructions.
Datapipe.net has a 24 hour support line at 877-773-3306. You can also do live chat support on their web site at datapipe.net and they can walk you through it.
The producer of this virus is Invisible Inc. Advertising, invinc.com - their phone number is 702-967-0216 but they don't answer their phone for obvious reasons. They are the same as, or affiliated with:
BruggeNet - 71 Lakeview Drive Suite 398 Gibbsboro, NJ 08026
belgiandip.com
POPUPTRAFFIC.com
STANDARDINTERNET.com
CYBERTURF.COM
freehomepages.com
DCOMM.COM
inet-traffic.com
THEMANSEARCH.COM
SMARTBOTPRO.NET
PASSTHISON.COM
Good luck!

Imagine my own surprise at the pop-up(s) when opening IE the other morning. After momentarily wondering if the folks at Google (my home page) had gone completely insane, I did my own research and obviously found your post. Thanks so much for the info and instructions!
Like you, one of the files was "rico.exe" and it was found easily enough. The second, in my case, was "smg.exe." The latter was the one running as a service and at start-up.
Folks beware, muzlhed is correct: Norton, Zone Alarm, AdAware and SpyBot - not one of them picked this up.
Thanks again!

Much like the above posts, I started tracking this down thanks to rico.exe. I found two other ones that were uninvited as well: ispexd.exe, and ptnfilev.exe. Both the executables were in my windows/system32 directory, as well as localmachine/software/microsoft/windows/currentversion/run registry entries, and matching startup items. I deleted the registry entries, deleted the executables from the system32 (killed the process first), and disabled them on startup. It seemed to clear them out, as they no longer appear as startup items.
AVG, Adaware, and Spybot were all unable to spot this one.
I'd like to give my thanks to Rico.exe, for helping himself and his fellows out of my machine (and I am now immediately suspicious of anything bearing a VB icon ;)
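
A triage script for the procedure the first and third posters describe (search the Windows and System32 directories for small .exe files sharing one timestamp, find which one is running, and find the Run-key entries that launch them). This is an added example, not code from the thread or from any of the posters; it assumes an elevated PowerShell session on the affected machine, and the 64 KB size filter is taken from the first post, so adjust it for other variants. It only lists what it finds and deletes nothing, so the results can be checked against the other posters' reports before anything is removed.

```powershell
# Added example (not from the thread): read-only triage for the removal steps described above.
# Assumptions: elevated PowerShell on the affected machine; ~64 KB file size from the first post.
param(
    [int]$SizeKB = 64,          # size the first poster reported for the dropped files
    [int]$SizeToleranceKB = 4   # a little slack around that size
)

$dirs = @($env:windir, (Join-Path $env:windir 'System32'))

# 1. Collect every .exe directly inside the Windows and System32 directories.
$exes = foreach ($d in $dirs) {
    Get-ChildItem -Path $d -Filter '*.exe' -File -ErrorAction SilentlyContinue
}

# 2. Keep the ones near the reported size, then group by LastWriteTime: the dropped
#    files share one timestamp, which genuine system files in those folders rarely do.
$min = ($SizeKB - $SizeToleranceKB) * 1KB
$max = ($SizeKB + $SizeToleranceKB) * 1KB
$candidates = @($exes | Where-Object { $_.Length -ge $min -and $_.Length -le $max })

$clusters = $candidates |
    Group-Object -Property { $_.LastWriteTime.ToString('s') } |
    Where-Object { $_.Count -ge 2 }

"== .exe files in Windows/System32 of ~$SizeKB KB sharing a write timestamp =="
foreach ($c in $clusters) {
    "-- written $($c.Name)"
    foreach ($f in $c.Group) {
        # OriginalFilename from the version resource: one poster found 'rico.exe' there
        # even though the file on disk had been renamed. Unsigned binaries stand out too.
        $orig = $f.VersionInfo.OriginalFilename
        $sig  = (Get-AuthenticodeSignature -FilePath $f.FullName).Status
        "   {0,-45} {1,7} bytes  orig={2}  sig={3}" -f $f.FullName, $f.Length, $orig, $sig
    }
}

# 3. Which candidates are running right now? (the thread: stop the process before deleting the file)
$paths = @($candidates | ForEach-Object { $_.FullName })
"== Running processes backed by a candidate file =="
Get-Process | Where-Object { $_.Path -and ($paths -contains $_.Path) } |
    ForEach-Object { "   pid {0,-6} {1}" -f $_.Id, $_.Path }

# 4. Autostart entries (the Run keys the third poster cleaned) that reference a candidate.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
"== Run-key entries referencing a candidate file =="
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath metadata
        foreach ($f in $candidates) {
            if ("$($p.Value)" -like "*$($f.Name)*") { "   $k\$($p.Name) = $($p.Value)" }
        }
    }
}
```

Run it once before cleanup to record the file paths, timestamps, and Run-key names, and again afterwards to confirm the entries are gone; the matching-timestamp cluster is the same signal the first poster used, and the OriginalFilename column is what let a later poster connect fani13nl.exe and vrsrun.exe back to rico.exe.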

The trojan tried to infect my PC yesterday; it keeps trying to run rico.exe whenever I try to load Windows Media Player, but my anti-virus detected it (I use Avast! anti-virus, it's free for home users), and so does my firewall (Kerio Personal Firewall, also free for non-commercial use, sorry if I look like I'm promoting them) XD
here's some information on it from Avast!:
Virus Name: Win32: Trojano-025 [Trj]
File Name: C:\Windows\rico.exe
VPS version 0429-0, 2004/07/12
So far my AV and firewall can only block it from running, but I don't seem to be able to remove it completely. Every time I try running WMP it pops up again, and every time I block it, my WMP won't run. Anyone know how to remove the trojan if it's like this? :|
It's not yet in the registry, I checked...
any help would be appreciated

Okay, never mind that, I just did a quick reinstallation of WMP and rebooted.
So far everything is working fine: no trojan warning pop-up, no rico.exe in my system, the registry is also still clean, hmmm.
I'll post more if I find out something is wrong, but so far so good :> Thx for the thread guys ^^

A little name variation as this evolves: rico.exe --> nre.exe, llictblz.exe. The same browser hole got me while I was visiting a bravenet freesite, ironically enough about the Linux firewall/router freesco. 64.95.76.3 and 66.115.136.93 are the IPs these files were trying to connect to, respectively. WhoIs for more information.

I am working on a computer for a friend and found two suspicious files using HijackThis. The files were fani13nl.exe and vrsrun.exe. When I clicked on the properties tab it revealed the company that made the files is called Thunderdome, and the properties tab revealed that the files' original name was rico.exe. There is another file called shill.exe but I can't find any information on it. If anyone out there knows what it is, please post here to let me know. Anyway I hope my information about the rico variant names helps.
