I am the unlucky recipient of the trojan "Downloader GK" which installs the spyware "BetterInet." I found this after running the Panda online scanner. My AVG doesn't show it, as well as Adaware or Spybot. I can't find on Google that a removal tool for this exists. Some sites do show a registry entry that this makes but the explanation or example shown is too vague to me. Certainly would appreciate any input on this. My o/s is W98FE (old machine) Thanks

Bearer of bad news Bill Did some investigating:
Downloader.GK
Name: Downloader.GK
Aliases: Trj/Downloader.GK, Trojan.Downloader.GK
Type: Trojan
Size: -
First appeared on: 03.06.2005
Damage: Medium
Brief Description:
Downloader.GK is a Trojan that downloads and installs the spyware BetterInet. In addition, BetterInet installs the adware detected by Panda Software as SearchCentrix. All these actions are carried out without users noticing.
Downloader.GK creates a file with a random name in the Windows system directory. This file is a copy of the Trojan.
Visible Symptoms:
Downloader.GK is very easy to recognize as it displays several popup messages before installing the adware programs. This is a typical symptom of this type of program.
Technical description:
Downloader.GK creates the following entry in the Windows Registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
%entry% = %sysdir%\%Trojan%
where %entry% is the random name of the entry, %sysdir% is the Windows system directory, and %Trojan% is the name of the random file created by Downloader.GK.
By creating this entry, Downloader.GK ensures it is run whenever Windows is started.
Downloader.GK is downloaded to the computer when the user accesses certain websites and accepts to install a specific ActiveX control.
Propagation:
Downloader.GK is downloaded to the computer when the user accesses certain websites and accepts to install a specific ActiveX control.
Removal tool and instruction:
Not available

Yeah, I saw this description before. That's what I meant by the vague registry example. The thing is, basically it's telling me that although there is no specific out-of-the-box removal tool, by going into the registry under local machine, I can delete the thing if I can figure out what the "entry, sysdir and trojan" things are. . .

This suggests "BetterInet" and "ABetterInternet" are one and the same.
"ABetterInternet" Alias: "Spyware/BetterInet"
This was gleaned from the site below:
http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453076992
This site listed below has a removal tool along with a lot of information:
http://securityresponse.symantec.com/avcenter/venc/data/adware.betterinternet.html
As you will undoubtedly see there are other removal tools shown here:
http://securityresponse.symantec.com/avcenter/security.risks.tools.list.html
Some forums are of the belief that Panda is showing this risk as "a false positive finding".
Good luck,

You know, your reply is very interesting in that I had come across this before, downloaded the removal tool and ran it. After all the chugging along, it finally concluded that it could not detect any betterinternet spyware on the system...

billg
Re post#1. You can get past the vague nature of the registry entry like this:
Go to:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
On the right pane you will see a number of entries. It should be possible to identify all of these because they are items that are ticked in msconfig (type msconfig from Run box). All are running processes.
You can safely delete anything that you know is weird, or temporarily untick in msconfig StartUp tab to prove the point.
Derek.W
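
The Run-key check described in the post above, as an added example that is not part of the original thread: it reads a .reg export of the key and lists entries you have not accounted for whose file sits directly in the Windows system directory, which is the pattern the Panda description gives (%entry% = %sysdir%\%Trojan%). The sample export, the value names in it, and the default system directory C:\WINDOWS\SYSTEM are assumptions made for illustration.

```python
import ntpath
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

# Constructed sample of a REGEDIT4 export; every entry below is made up.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"ExampleAV"="C:\\PROGRA~1\\EXAMPLE\\exav.exe /startup"
"qzxvkw"="C:\\WINDOWS\\SYSTEM\\qzxvkw.exe"
'''

def unescape(text):
    # .reg exports escape backslashes and quotes with a leading backslash.
    return re.sub(r"\\(.)", r"\1", text)

def parse_run_values(export_text):
    """Return {value_name: command} for the Run key section only."""
    values, in_run = {}, False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run = line.strip("[]").lower() == RUN_KEY.lower()
        elif in_run and (m := VALUE_RE.match(line)):
            values[unescape(m.group(1))] = unescape(m.group(2))
    return values

def target_path(command):
    """Executable path of a Run command line, quoted or unquoted."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|com|bat|scr|pif))(?:\s|$)", command, re.I)
    return m.group(1) if m else command

def unknown_sysdir_entries(values, known_names, sysdir=r"C:\WINDOWS\SYSTEM"):
    """Unrecognised entries whose file sits directly in sysdir (assumed path)."""
    known = {name.lower() for name in known_names}
    hits = []
    for name, command in values.items():
        folder = ntpath.dirname(target_path(command))
        if name.lower() not in known and ntpath.normcase(folder) == ntpath.normcase(sysdir):
            hits.append((name, command))
    return hits

if __name__ == "__main__":
    recognised = ["SystemTray", "ScanRegistry", "ExampleAV"]  # names you can account for
    for name, command in unknown_sysdir_entries(parse_run_values(SAMPLE_EXPORT), recognised):
        print(f"review: {name} -> {command}")
```

Entries given as a bare file name (no folder) are resolved through the search path and are not flagged by this check, so they still need to be matched against msconfig by hand.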

Ok, thanks for the input. I'll be away from the machine for a few but will apply what you have advised when I get back. Thanks much.
