Hi
I have a pretty bad Trojan I cannot get rid of. I have used everything, AVG, Adaware, Spybot, and even Hijack this for the entries I knew. I even used Spy Sweeper which found the root sources, but won't get rid of them unless I buy the full version, so I am just stuck!
Anyway, here is my problem:
AVG keeps finding this Trojan: Dialer.BTG, which generates different variants of files in the format "win***.tmp.exe", and even when AVG deletes it, more variants keep getting created somehow and I keep getting AVG popping up to notify me of the constant finds. This is really annoying... someone please help me on how to remove this thing from the root???
Also, I have tried a Housecall online scan which did not get rid of the virus; it is still on my system. Another thing I just noticed is that it starts to create more files as soon as I connect to the internet. If this helps, the result that Spy Sweeper found was "trojan agent winlogonhook" & "trojan-downloader-zlob".
Please help...I cannot be the only one with this messed up virus, there has to be a way to get it out!
Thanks!

Please post a Hijack This log so that the files associated with the virus/spyware/hijacker can be identified.
Please download HJTsetup.exe from this link http://www.thespykiller.co.uk/files/HJTsetup.exe to your desktop.
Doubleclick on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click "next" in the setup dialogue boxes until you get to the "Select Addition Tasks" dialogue.
Put a check by "Create a desktop icon" then click "Next" again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click "Finish" and it will launch Hijack This.
Click on the "Do a system scan and save a logfile" button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log and post it in this thread.
Do not fix anything yet unless you know what you are doing. This is a powerful tool that can crash the computer if used improperly.
Please download SmitfraudFix from this link http://siri.geekstogo.com/SmitfraudFix.php then extract the contents to your desktop.
Open the "SmitfraudFix" folder and double-click "smitfraudfix.cmd"
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
You should get a list similar to this, could be only one or two files found and they may not be these.
C:\WINDOWS\system32\atmclk.exe FOUND !
C:\WINDOWS\system32\dcomcfg.exe FOUND !
C:\WINDOWS\system32\hp?.tmp FOUND !
C:\WINDOWS\system32\ld?.tmp FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\regperf.exe FOUND !
C:\WINDOWS\system32\simpole.tlb FOUND !
C:\WINDOWS\system32\stdole3.tlb FOUND !
C:\WINDOWS\system32\ts.ico FOUND !
C:\WINDOWS\system32\1024\ FOUND !
If these files or similar ones are found, go ahead and run option #2 as instructed in the next paragraph; if no files are found, do not run option #2, as it will remove the desktop of an uninfected computer.
Next, please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Once in Safe Mode, open the "SmitfraudFix" folder again and double-click "smitfraudfix.cmd"
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing "Y" and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if "wininet.dll " is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing "Y" and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Please download ATF-Cleaner to your desktop from this link http://www.atribune.org/content/view/19/2/ Don't run it yet.
Download Ewido Security Suite, then set it up this way: Ewido Setup Instructions. Don't run it yet.
Reboot into safe mode.
Run Ewido from safe mode and let it delete all that it finds.
Run ATF-Cleaner from safe mode. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Run this free online scan from Panda.
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to the desktop, then copy/paste into the text editor and post it and a new Hijack This log please.

Hi
WOW... thanks for the very detailed instructions. Coincidentally, I actually downloaded Ewido yesterday and did a safe mode scan before I even got to read this post... but Ewido seems to have gotten rid of the culprit. I don't want to get too excited, but since yesterday, I haven't seen traces of the virus... I hope it is gone. If it comes back, I'll definitely let you know. If all is well, I might actually buy this Ewido app, cos it seems to be the only one that eradicated this bloody thing!

I would still run option #1 of SmitfraudFix to double check.
No need to buy Ewido yet; there are some preventive measures that will help.
The Hijack This log, if you post it, may give us an idea of what you need to do to be better protected.

Here is my HijackThis Log:
Logfile of HijackThis v1.99.1
Scan saved at 11:05:10 AM, on 6/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Bell\Access Manager\app\TangoService.exe
C:\PROGRA~1\Bell\ACCESS~1\app\TangoManager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
E:\Utilities\Hijack This\HijackThis.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{36EECA85-D9AF-41CD-91B7-BFFB43631F76}: NameServer = 67.69.184.211 67.69.184.147
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: wintkh32 - wintkh32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Bell\Access Manager\app\TangoService.exe
I guess I'll still run option 1 later to make sure it is gone 100%. And yes pls, any other insight or help you have to help me protect against this thing is well appreciated.

To clean up the leftovers run HT again, close all browsers and windows except HT, place a check to the left of these items and press "Fix checked":
O20 - Winlogon Notify: wintkh32 - wintkh32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
(Spy Sweeper: the free trial must have run out; if so, remove it.)
You should run Ewido and ATF-Cleaner from safe mode if you have not done so.
I can't tell if you have a firewall other than the Windows one; if you don't, "Sygate" is what I use and is free. If you do have a third party firewall, be sure that you turn off the Windows firewall so they don't conflict.
Your Java appears to be up-to-date, which is very good.
At one time you had Spy Sweeper installed; if the free trial ran out, you should go to Add/Remove Programs and uninstall it if found.
Most important, if you don't have "spywareblaster" installed do a google search for it, download, install and update it. It runs in the background and re-writes spyware script before it can install on your computer and it is free. The free version has to be updated manually. Look for updates bi-weekly.
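As an added example, not code from the thread or from HijackThis, here is a small Python triage script that reads lines in HijackThis log format and flags the entry types the reply above singles out: orphan O20 Winlogon Notify hooks, O4 Run entries with no full path, O17 name servers to confirm against the ISP, and O23 services with no publisher. The log excerpt is constructed from the entry shapes seen in this thread, and the verdict names are this example's own.

```python
import re

# Constructed excerpt in HijackThis v1.99 log format. Its entries mirror the
# ones this thread discusses: a bare-filename O4 Run entry, two orphan O20
# Winlogon Notify hooks, the O17 name servers and an 'Unknown owner' service.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O17 - HKLM\System\CCS\Services\Tcpip\..\{36EECA85-D9AF-41CD-91B7-BFFB43631F76}: NameServer = 67.69.184.211 67.69.184.147
O20 - Winlogon Notify: wintkh32 - wintkh32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Bell\Access Manager\app\TangoService.exe
"""

ENTRY = re.compile(r"^(O\d+) - (.*)$")
O4_CMD = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[[^\]]+\] (.+)$")
FIRST_TOKEN = re.compile(r'^"([^"]+)"|^(\S+)')

def parse_hjt(text):
    """Yield (section, body) for every 'Oxx - body' line of a HijackThis log."""
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def triage(text):
    """Return (section, verdict, detail) for entries that deserve a second look."""
    findings = []
    for sec, body in parse_hjt(text):
        if sec == "O20" and body.startswith("Winlogon Notify:"):
            # Notify DLLs load inside winlogon.exe at every logon, the slot the
            # 'winlogonhook' agent used; an entry whose DLL is gone is an orphan
            # that HijackThis can safely fix.
            verdict = "orphan-hook" if "(file missing)" in body else "review-hook"
            findings.append((sec, verdict, body))
        elif sec == "O4":
            m = O4_CMD.match(body)
            if not m:
                continue
            tok = FIRST_TOKEN.match(m.group(1))
            exe = tok.group(1) or tok.group(2)
            # A bare filename is resolved through the PATH search at logon, so
            # which binary actually runs is not visible from the log itself.
            if not re.match(r"^[A-Za-z]:\\", exe):
                findings.append((sec, "unqualified-path", exe))
        elif sec == "O17":
            # Name servers set by malware redirect every lookup; confirm these
            # belong to the ISP rather than assuming the log is benign.
            ips = re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", body)
            findings.append((sec, "verify-dns", " ".join(ips)))
        elif sec == "O23" and "Unknown owner" in body:
            findings.append((sec, "no-publisher", body.split(" - ")[-1]))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep=" | ")
```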

This is the result of the SmitfraudFix scan:
C:\WINDOWS\system32\ld????.tmp FOUND !
C:\WINDOWS\system32\simpole.tlb FOUND !
C:\DOCUME~1\Wale\FAVORI~1\Antivirus Test Online.url FOUND !

This is my rapport:
SmitFraudFix v2.57
Scan done at 11:52:34.75, Sat 06/10/2006
Run from C:\Documents and Settings\Wale\Desktop\sff\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\WINDOWS\system32\ld????.tmp Deleted
C:\WINDOWS\system32\simpole.tlb Deleted
C:\DOCUME~1\Wale\FAVORI~1\Antivirus Test Online.url Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End

One thing the Panda or kaspersky scans do is pick up on files that Hijack This cannot see.
I would think that you are clean but running the Panda scan would be like getting a second opinion. If you decide to run it do so after running Ewido and ATF-Cleaner from safe mode.

I have done the Ewido and ATF cleaning and Panda scan. Here is the Panda report:
Incident Status Location
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Wale\Application Data\Mozilla\Firefox\Profiles\ip3rbcro.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Wale\Application Data\Mozilla\Firefox\Profiles\ip3rbcro.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Wale\Application Data\Mozilla\Firefox\Profiles\ip3rbcro.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Wale\Application Data\Mozilla\Firefox\Profiles\ip3rbcro.default\cookies.txt[.atwola.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Wale\Application Data\Mozilla\Firefox\Profiles\ip3rbcro.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Wale\Application Data\Mozilla\Firefox\Profiles\ip3rbcro.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Wale\Application Data\Mozilla\Firefox\Profiles\ip3rbcro.default\cookies.txt[.apmebf.com/]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Wale\Desktop\sff\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Wale\Local Settings\Application Data\Mozilla\Firefox\Profiles\ip3rbcro.default\Cache\633285D9d01[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected E:\Downloads\SmitfraudFix.zip[SmitfraudFix/Process.exe]

I tried all given here but still I'm not able to get rid of it.
I could not identify the process which creates that bloody tmp.exe files in my WINDOWS/temp folder.
-John-

John, could you start a new thread and just post the problem you are having; no logs please until a request is made for them, or the moderator will delete the post.

You can also try the removal tools I have used from this site.
http://www.precisesecurity.com/adware-spy/dbtg.htm
