Downloader.Rameh.E


6 replies to this topic

#1 Mudvayne (Full Member, 4 posts)

Posted 25 July 2004 - 03:29 PM

I have been getting a Windows pop-up error stating that I have a Trojan.Downloader.Rameh.E located in my C:/System Volume Information/_restore and that I should run my AVG to repair. I have run my AVG a million times and it could not locate this problem. I have run Spybot and Adware6.0 Pro with no indication this trojan exists. Today (7-25-04) I was advised by a friend to install a different anti-virus program, so I installed NOD32. I did a complete scan and it produced 0 infections. Approx. 20 mins later, NOD came up stating the Trojan was there, giving me the option to quarantine or delete. It could not fix. I quarantined the trojan and then about 20 mins later it came up once again.
7/25/2004 16:01:42 PM AMON file
C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP431\A0045168.dll Win32/TrojanDownloader.Rameh.C trojan quarantined NT AUTHORITY\SYSTEM

7/25/2004 15:39:56 PM AMON file
C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP431\A0045168.dll Win32/TrojanDownloader.Rameh.C trojan quarantined NT AUTHORITY\SYSTEM

I am at a complete loss on how to remove or even fix this problem. I have read FAQs and below is my HijackThis Log.

Logfile of HijackThis v1.97.7
Scan saved at 4:14:41 PM, on 7/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\My Documents\Hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Help (HKCU)
O9 - Extra button: Support (HKCU)
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Canasta - http://download.game...nts/y/yt1_x.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.co...aploader_v5.cab


Any assistance would be greatly appreciated.
~Muddy :scratchhead:

Edited by Mudvayne, 25 July 2004 - 03:32 PM.


#2 dave38 (Devout Murphyite!, Emeritus, 8,508 posts)

Posted 25 July 2004 - 04:28 PM

First, your log is clean. No running trojans/malware. Good!

The critical point in your post is that the file is in System Volume Information. This means that it is in the archived System Restore files. While it presents no danger at the moment, using System Restore would mean you are reinfected.

To remove it, right-click on "my computer", and select Properties.
Select the system restore tab, and put a checkmark in the box "turn off system restore". Click OK, and reboot.
That will purge all the infected restore points, and associated files.
To turn on system restore, repeat the above procedure, this time removing the checkmark.
Then set a clean restore point by going to Start > Help & Support and selecting "undo changes to my computer using system restore". Choose the option to set a new restore point, and follow the prompts.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum
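The reasoning in the reply above, applied mechanically to the NOD32 AMON lines from the first post, as an added example that is not part of the thread: the script below parses two-line AMON-style records, recognises the Windows XP restore-point path layout (System Volume Information\_restore{GUID}\RPnnn\A00xxxxx.ext), and separates hits that are archived copies inside a restore point from hits on live files. The first two sample records reproduce the lines posted above; the third is a constructed live-file hit with an invented path and user, included only to exercise the other branch of the triage.

```python
"""Classify on-access AV hits by whether the flagged file is a System Restore
archive copy or a live file (added example; not code from the thread)."""
import re
from dataclasses import dataclass
from typing import Optional

# One AMON record = header line + detail line, as pasted in the first post.
HEADER_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2}) (?:AM|PM) "
    r"AMON (?P<object>\w+)$"
)
# The path may contain spaces, so anchor on the threat name: the first token
# containing '/' (Win32/...) ends the path. The user name may also have spaces.
DETAIL_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<threat>\S+/\S+) (?P<kind>\S+) "
    r"(?P<action>\S+) (?P<user>.+)$"
)
# Windows XP restore-point layout:
#   <drive>\System Volume Information\_restore{GUID}\RPnnn\A00xxxxx.<ext>
RESTORE_RE = re.compile(
    r"^(?P<drive>[A-Za-z]:)\\System Volume Information\\_restore"
    r"\{(?P<guid>[0-9A-Fa-f-]{36})\}\\RP(?P<rp>\d+)\\(?P<file>A\d{7}\.\w+)$",
    re.IGNORECASE,
)

# Constructed sample: the two records from the post, plus one invented
# live-file hit (hypothetical path and user) to show the other triage branch.
SAMPLE_LOG = r"""
7/25/2004 16:01:42 PM AMON file
C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP431\A0045168.dll Win32/TrojanDownloader.Rameh.C trojan quarantined NT AUTHORITY\SYSTEM

7/25/2004 15:39:56 PM AMON file
C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP431\A0045168.dll Win32/TrojanDownloader.Rameh.C trojan quarantined NT AUTHORITY\SYSTEM

7/26/2004 10:05:11 AM AMON file
C:\Documents and Settings\Owner\Local Settings\Temp\sample.dll Win32/TrojanDownloader.Rameh.C trojan quarantined HOME\Owner
"""


@dataclass
class Detection:
    date: str
    time: str
    path: str
    threat: str
    action: str
    user: str
    restore_point: Optional[int]   # RPnnn number if the hit is inside a restore point


def parse_amon(text: str) -> list:
    """Pair header/detail lines into Detection records; malformed pairs are skipped."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records = []
    for hdr, det in zip(lines[0::2], lines[1::2]):
        h, d = HEADER_RE.match(hdr), DETAIL_RE.match(det)
        if not (h and d):
            continue
        rp = RESTORE_RE.match(d["path"])
        records.append(Detection(h["date"], h["time"], d["path"], d["threat"],
                                 d["action"], d["user"],
                                 int(rp["rp"]) if rp else None))
    return records


def triage(d: Detection) -> str:
    """'archived-copy': a snapshot inside a restore point, not executed from
    there; 'live-file': a file on the running system that needs cleanup."""
    return "archived-copy" if d.restore_point is not None else "live-file"


def summarize(records) -> tuple:
    """Counts per class, plus the restore points that must be purged."""
    counts = {"archived-copy": 0, "live-file": 0}
    tainted = set()
    for d in records:
        counts[triage(d)] += 1
        if d.restore_point is not None:
            tainted.add(d.restore_point)
    return counts, sorted(tainted)


if __name__ == "__main__":
    recs = parse_amon(SAMPLE_LOG)
    counts, tainted = summarize(recs)
    for d in recs:
        print(f"{d.date} {d.time}  {triage(d):14} {d.threat}  {d.path}")
    print(counts, "restore points to purge:", tainted)
```

Two hits on the same A0045168.dll in RP431 minutes apart, both under NT AUTHORITY\SYSTEM, are the on-access scanner re-touching the same archived copy, not two infections; the output points at the restore point that has to go rather than at a process to kill, which is exactly why the HijackThis log can be clean while the alerts keep coming.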

#3 Mudvayne (Full Member, 4 posts)

Posted 25 July 2004 - 08:51 PM

Thank you so much, Dave, for your assistance on this trojan removal. I have done as you stated and purged my restore; so far so good. But before I go ahead and save a restore point, would it be best to delete the files NOD32 was catching or leave them quarantined?

Once again, Thank you kindly for your help!!!!!!! :bounce:

#4 dave38 (Devout Murphyite!, Emeritus, 8,508 posts)

Posted 26 July 2004 - 03:41 PM

Is NOD32 still detecting them? They should be gone!

#5 Mudvayne (Full Member, 4 posts)

Posted 26 July 2004 - 04:25 PM

NOD is no longer detecting the Trojan, no. However I did quarantine what it was detecting before following your procedure on removing the trojan. I'm just curious if I can delete what is in quarantine or if I should just leave it be?

#6 dave38 (Devout Murphyite!, Emeritus, 8,508 posts)

Posted 26 July 2004 - 07:31 PM

The quarantine items can be cleared out any time there is something there, but make certain that it is not a false positive and that a needed file has not been put there.

#7 Mudvayne (Full Member, 4 posts)

Posted 26 July 2004 - 09:50 PM

RGR, Thanks alot Dave!!!!!!!!!!!!! :wave:
