09-15-2010 01:20 PM
Now it is Wednesday at 21.54 my time (West Europe). Since Monday 23.20 I have been looking at the history file of NIS (on Vista) very carefully, because on Monday I got some files intercepted by Norton like Gk0.exe, Gk1.exe ... Gk7.exe, sshnas21.dll and others in my temp directory and in my process list. I stopped the connection to the internet (switched off the modem) and started observing the whole environment. I deleted the processes manually, deleted the files in the temp directory and erased the entries in the Windows registry. But I find a message in the Norton History that I do not like: "You allowed Gk7 to access your network resources", and the same for the other programs. Looking at the details, "Gk7" is \user\paolo\AppData\Local\Temp\Gk7.exe with Traffic description: Outbound UDP, Port 53. This is now, but on Monday the programs were all called Daniels and not Gk0, ..., Gk7. So apparently the message has changed, but my concern is WHY SOMEBODY or some program CAN MAKE THIS NEW RULE. I have done absolutely nothing manually to change the rules. Moreover, if I go to the list of PROGRAM CONTROL I cannot find Gk7.exe or Daniels!
Now there are a number of messages like "Symantec Error Reporting Submission" concerning the process ccSvcHst.
I am asking myself if I am working in a proper environment or if Norton is compromised.
Could somebody help me please? Thank you very much.
09-16-2010 10:08 AM
Welcome to the Norton Community
Please advise NIS version #
Please advise Vista SP #
09-16-2010 02:47 PM
Hello PaoloMO
Welcome to the Norton Community Forum
Here is some information about these Gk .exe files that I found in this link. I am not suggesting that you use this program to clean it up however. This site is just for informational purposes.
http://www.prevx.com/filenames/2125804326868687741
The .dll you mentioned is part of Trojan Fake Alert most likely from doing a Google Search.
I would recommend that you do a full scan with the free version of SuperAntiSpyware.
Here is a free on demand antimalware scanner. It is safe to use on demand with your Norton product.
http://www.superantispyware.com/
Here is another site you can use to get the program.
http://www.filehippo.com/download_superantispyware
The download button is on the right hand side. Please be careful not to download Spyware Doctor which is on the left side. Also, please don't forget to update the program each time before use of it. In fact you can update it every day just in case some malware may prevent you from updating it.
What I don't know is if this malware wasn't downloaded by some other malware like a rootkit perhaps. Today's rootkits can be responsible for downloading programs such as these.
Please come back and let us know if SuperAntiSpyware has helped and how your computer is acting now. Thanks.
Success always occurs in private and failure in full view.
09-17-2010 01:48 PM
Thank you for your kind information:
My NIS is 17.7.0.12
Windows Vista Service Pack 2
09-17-2010 02:26 PM
Thank you for the information about SuperAntiSpyware. I installed it, updated it and ran a scan; it showed these items:
Adware.MyWebSearch/FunWebProducts
Adware.Tracking Cookies
Malware.Trace
Rogue.Agent/Gen-Nullo[DLL]
Trojan.Agent/Gen-Cryptor[Virut]
My Laptop is a Toshiba Satellite so I have programs from Toshiba installed.
Today another problem intercepted by Norton appeared (before installing and scanning with SuperAntiSpyware):
Trojan.Bamital in file \users\public\documents\windows\winhelp.exe
This was blocked many times by Norton, let's say every 10 minutes, but I could not see the file in the directory; the only clue was the date-time of the directory, the same as that of the other files Gk1.exe, .... I suspect that there is some kind of connection between these.
Then I removed all restrictions to see inside the directory. But only once could I see winhelp, and it disappeared immediately. The only way to stop it was modifying the permissions of the directory to NONE (no permissions) for EVERYBODY for all the activities (read, modify, ...). Giving all the permissions back to that directory, the Norton messages blocking the Trojan.Bamital started again.
In the end, I erased the directory, hoping not to have damaged the system. No more messages. Maybe it is a patch, but I don't know if the problem was solved.
I am asking myself, as you said in your message, by which mechanism the files are downloaded and started. I looked at the Vista scheduler (in c:\windows\system32\tasks) and I found a file that started Gk5.exe, already deleted, but I have no idea about winhelp.exe.
I do not know anything about rootkit viruses; do you have advice about some tools?
Thank You again.
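As an added example (not from the thread, Norton or SuperAntiSpyware), a small Python checker for the persistence clue in the post above: it parses Task Scheduler job XML files of the kind stored under c:\windows\system32\tasks and flags any Exec action whose command lives in a user-writable scratch folder such as AppData\Local\Temp or Users\Public. The sample task definitions, the task names and the folder heuristics are constructed assumptions.

```python
import os
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
# Folders a scheduled task should rarely launch from (heuristic for this example).
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\windows\\temp\\")

# Constructed sample task definitions in the Task Scheduler 2.0 XML layout.
SAMPLE_TASKS = {
    "Microsoft\\Windows\\Defrag\\ScheduledDefrag":
        '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><Actions>'
        "<Exec><Command>%windir%\\system32\\defrag.exe</Command></Exec></Actions></Task>",
    "{CONSTRUCTED-GUID}":
        '<?xml version="1.0" encoding="UTF-16"?><Task version="1.2" '
        'xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><Actions><Exec>'
        "<Command>C:\\Users\\paolo\\AppData\\Local\\Temp\\Gk5.exe</Command></Exec></Actions></Task>",
}

def decode_task_file(data: bytes) -> str:
    """Task XML on disk is normally UTF-16 with a BOM; fall back to UTF-8."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8")

def exec_commands(xml_text: str) -> list:
    """Return every <Exec><Command> value found in one task definition."""
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)  # ET rejects str + declaration
    root = ET.fromstring(body)
    return [n.findtext(TASK_NS + "Command", "").strip().strip('"')
            for n in root.iter(TASK_NS + "Exec") if n.findtext(TASK_NS + "Command")]

def is_suspicious_command(command: str) -> bool:
    """True when the launched path lives in a user-writable scratch folder."""
    low = command.lower().replace("/", "\\")
    return any(d in low for d in SUSPICIOUS_DIRS)

def flag_tasks(task_xml_by_name: dict) -> list:
    """{task name: xml text} -> [(task name, command)] that deserve a closer look."""
    return [(name, cmd) for name, xml_text in task_xml_by_name.items()
            for cmd in exec_commands(xml_text) if is_suspicious_command(cmd)]

def load_task_dir(tasks_dir: str) -> dict:
    """Read every job file below tasks_dir, e.g. C:\\Windows\\System32\\Tasks."""
    return {os.path.relpath(os.path.join(d, f), tasks_dir):
            decode_task_file(open(os.path.join(d, f), "rb").read())
            for d, _, files in os.walk(tasks_dir) for f in files}

if __name__ == "__main__":
    print(flag_tasks(SAMPLE_TASKS))
```

On a live system, pass `load_task_dir(r"C:\Windows\System32\Tasks")` to `flag_tasks` instead of the constructed samples.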
09-17-2010 02:47 PM
Hello PaoloMO
I would suggest a visit to one of the free malware removal sites and registering with one of them. Please put Trojan.Bamital in the subject and tell them what has been happening.
Please go to one of these free Forums for help in removing your bad malware or rootkits.
http://www.bleepingcomputer.com
http://www.geekstogo.com/forum/
http://www.cybertechhelp.com/forums/
http://forums.whatthetech.com/
(Thanks to Delph for providing the list of sites)
The first one will be very busy, and the other ones not as busy, but still good.
Please come back and tell us which one you have picked. Any of these sites will tell you what tools to run and will request the proper scans to post and will work with you on a 1 to 1 basis to get your computer cleaned up and to keep your files safe also if at all possible. Good luck and please come back and give us status reports. Thanks.
Success always occurs in private and failure in full view.
