AVG popped up a message saying it had found Downloader.Rameh.E but did not detect it when I ran a scan. Ad-Aware, Spybot and Housecall (trendmicro site)all failed to detect it. All scans were run with system restore off. Any ideas on how to get rid of this would be much appreciated. Thanks very much, Laura. Hijak This

I would think that if you turned system restore off and restarted the computer and all the scans you have run are now negative, that AVG probably reported a false positive. You might try running AVG's scan while the system is in the safe mode for one more check. False postives do occur, they are annoying, but nothing to panice about. From your post I would say that you took all the appropriate steps. You could try a trojan scan using a trial version of TDS, or the scan at http://www.pcflank.com/

Found this in the search function...it might help http://www.computing.net/security/wwwboard/forum/12341.html Alan56 If it ain't broke....Then why the hell not?

Here is the Hijack This file as suggested in the other thread, I don't know which items to delete. Logfile of HijackThis v1.97.7 Scan saved at 19:30:52, on 21/09/2004 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe C:\PROGRA~1\Grisoft\AVG6\avgserv.exe C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\WINDOWS\System32\inetsrv\inetinfo.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\tcpsvcs.exe C:\WINDOWS\System32\snmp.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\Explorer.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\SOUNDMAN.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe C:\WINDOWS\System32\TrayIcon.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\RUNDLL32.exe C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe C:\Program Files\Netropa\Onscreen Display\OSD.exe C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\Program Files\Nokia\PC Suite for Nokia 6600\connmngmntbox.exe C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe C:\Program Files\Nokia\PC Suite for Nokia 6600\ectaskscheduler.exe C:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe C:\Program Files\WinZip\WZQKPICK.exe C:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe C:\Program Files\palmOne\HOTSYNC.exe C:\PROGRA~1\Nokia\PCSUIT~1\BROADC~1.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe C:\PROGRA~1\Nokia\PCSUIT~1\SCRFS.exe C:\WINDOWS\System32\HPZipm12.exe C:\WINDOWS\msagent\AgentSvr.exe C:\Program Files\Microsoft Office\OFFICE11\WINWORD.exe C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe C:\WINDOWS\system32\mmc.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\PROGRA~1\Grisoft\AVG6\AVGCC32.exe C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.exe C:\WINDOWS\system32\ntvdm.exe C:\Program Files\Grisoft\AVG6\avgw.exe C:\Documents and Settings\Laura\Desktop\HijackThis.exe C:\WINDOWS\system32\rundll32.exe O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe /IMEName O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.exe O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe O4 - HKLM\..\Run: [DisplayTrayIcon] C:\WINDOWS\System32\TrayIcon.exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: BTTray.lnk = ? O4 - Global Startup: gwum.lnk = C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe O4 - Global Startup: hp psc 1000 series.lnk = ? O4 - Global Startup: hpoddt01.exe.lnk = ? O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.exe O4 - Global Startup: PCSuiteForNokia6600 Detect.lnk = ? O4 - Global Startup: PCSuiteForNokia6600 TS.lnk = ? O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM) O9 - Extra button: Research (HKLM) O9 - Extra button: @btrez.dll,-4015 (HKLM) O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 (HKLM) O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM) O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/08ca7f4b031b5abb2d20/netzip/RdxIE601.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Your HJT Log is out of date you need version 1.98 available here: http://www.majorgeeks.com/download3155.html I have posted your log at: http://www.hijackthis.de/index.php?langselect=english and it reports nothing to lose sleep over however you might try again with v 1.98. Apparently Pest Patrol can remove version c of your downloader: http://www.pestpatrol.com/PestInfo/t/trojandownloader_win32_rameh_c.asp you can get at online scan at the same address. Hope this helps. M

Thanks very much for all the help. I've re-scanned with AVG, Housecall, PestPatrol, Ad-aware, Spybot and various trojan destroyers and none of them can find it, so I presume all is now well. Laura.