I can't remove trojan "backdoor.generic2.wtw", help please

Status
Not open for further replies.

loser

My first post. Sorry to join this forum in such a desperate state. Anyhow, Hi everyone.

History-
My AVG virus scanner keeps telling me I have the following trojan horse: "backdoor.generic2.WTW". If I select the AVG utility to remove the virus it tells me "access to the file has been denied" and it does nothing.
I ran the following utilities, all with no result:

Updated my AVG software to current and ran it again
CWShredder (www.trandmicro.com)
Ad-Aware (www.lavasoftusa.com)
SpyBot (www.spybot.com)
Antimalware (www.ewido.net)
loaded the latest Microsoft malicious software upgrade
ran the windows disk cleanup utility
Tried to boot in windows safe mode and ran AVG virus check again.

I disabled my system restore before doing any of these.
I am now running out of ideas, and hence my posting of my problem here.
I also keep getting pop-ups telling me that I have 55 critical Windows processes corrupt and I need to log on to the website "www.regfixit.com" or "www.fix-ms.com" to repair it. I refuse to do it, but the box keeps coming up.

If anyone can help I'd really appreciate it. I have seen mention of a HJT log. I have no idea what this is. If I must do this please give directions of where to find this program.
Thanks again.
 
Hello and welcome to Techspot.

Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

Run your antivirus scanner again. The reason your scanner probably isn't killing the infection is because it will be hiding in one of your restore points. No antivirus scanner can remove anything from inside a system restore point. Turning off system restore will delete all your restore points and anything nasty that's in them.

Once you've done that, follow the instructions Peddant gave you.

Then, Post a fresh HJT log into this thread.

Regards Howard :wave: :wave:
 
One of the first things I did was turn off the system restore. I actually ran all of the utility programs above with the restore off.
I did boot once into safe mode and ran the AVG utility, but it didn't make a difference.
I am currently in the process of following the instructions that Peddant has posted.
I should be able to report back soon.

Thanks all for your help so far....
 
You're infected with a nasty root kit. Use HJT and you'll see that the file avpe32.dll is listed. Remove any references to it and reboot.
 
Tedster said:
You're infected with a nasty root kit. Use HJT and you'll see that the file avpe32.dll is listed. Remove any references to it and reboot.

Thanks for the info Tedster.

Can you please tell me how you ascertained that? Any info you can give, will be appreciated.

Even if that .dll is present in his HJT log, it is not advisable to simply have HJT fix the entry, as it will probably need to be unregistered first.

loser's problems sound more like a spyware/trojan infection.

Regards Howard :)
 
You should get Kaspersky. I've seen this on a friend's system and it got rid of it. If you need help, just message me; if you've got AIM, MSN or Yahoo, let me know.
 
RUDEBWOY said:
You should get Kaspersky. I've seen this on a friend's system and it got rid of it. If you need help, just message me; if you've got AIM, MSN or Yahoo, let me know.

I'm going to give your advice a go.
I've just finished running anti-malware as was instructed and it only found an infected cookie. The system still has the same bug.
I'll try kaspersky and report back on what happens.

Thanks all.
 
Tedster said:
You're infected with a nasty root kit. Use HJT and you'll see that the file avpe32.dll is listed. Remove any references to it and reboot.

I downloaded HJT and ran it. I could not find any references to an avpe32.dll file anywhere.
 
Ok, I got system restore off, did a complete PC reboot and started in safe mode. Have not run Kaspersky yet.
Let the PC boot up, then started HJT and ran a check. See attached log report. I did not start or run any other programs prior to running HJT.
 
Attachment: HJT_safemode.txt (3.6 KB)
howard_hopkinso said:
Thanks for the info Tedster.

Can you please tell me how you ascertained that? Any info you can give, will be appreciated.

Even if that .dll is present in his HJT log, it is not advisable to simply have HJT fix the entry, as it will probably need to be unregistered first.

loser's problems sound more like a spyware/trojan infection.

Regards Howard :)
I was surfing the web. I can't remember the URL, but if I find it, I'll post it.
 
Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html


Open your task manager by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end the process for (if there):

swchost.exe

Close task manager.

Click start/run and type regsvr32 /u C:\WINDOWS\SYSTEM32\pptp16.dll into the run box and press the enter key. Note the space between the 2 and the forward slash and again between the u and c.

Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to each (if there).

O4 - HKLM\..\Run: [Online Special] C:\WINDOWS\swchost.exe

O20 - Winlogon Notify: pptp16 - C:\WINDOWS\SYSTEM32\pptp16.dll


Click on the fix checked button.

Close HJT.

Locate and delete the following files and/or directories (if there).

C:\WINDOWS\SYSTEM32\pptp16.dll
C:\WINDOWS\swchost.exe


Reboot into normal mode and turn system restore back on.


Regards Howard :)
 
Ok, guys, in regard to the directions above.
When I tried to enter the run command regsvr32....... the system told me "file regsvr32 not found". Could it be missing from my system?

I proceeded after that point following the instructions, but I'm not sure if it works without that command. The system has not changed.

Could not find the two files listed at the bottom either.

Downloaded and ran Kaspersky anti-virus software but that found nothing.

Still getting the same problems as before?
 
Ok, rather than using the regsvr command, do the following.

Run HJT and click on the config button, then the misc tools button. Click on the "delete file on reboot" button and browse to C:\WINDOWS\SYSTEM32\pptp16.dll. Click on the pptp16.dll file and click open. You will be prompted to reboot your system; click yes.

Once your system has rebooted, the pptp16.dll should have been deleted.

Please post fresh HJT log.

Regards Howard :)
 
I found a download for the regsvr program and executed the instructions given in full.
When doing the final step of locating the two files (pptp.dll & swchost.exe), I could not find either.

I am still getting the same "virus found" messages and pop-ups.

Here is my latest HJT file. This was run with auto-restore off and a normal XP boot-up.
After running several different virus/spyware/adware etc. programs from a number of manufacturers, I am starting to question my AVG virus alert software. Is there any other way to confirm I have this trojan/virus/whatever?

Howard I very much appreciate your continuing help on this.
 
Have HJT fix the following.

O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off

O9 - Extra button: OzEmail - {031437CC-9765-4F27-8ABF-99F42C8D462D} - http://www.ozemail.com.au (file missing) (HKCU)

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1150333873978
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150334651246
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O23 - Service: Winklts - Unknown owner - C:\WINDOWS\System32\Winklts.exe (file missing)

I can find no evidence of anything really nasty in your HJT log.

It is possible that AVG is giving a false positive.

Can you tell me the name/s of the files that AVG is flagging?

Regards Howard :)
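The two sets of HJT entries Howard asked to have fixed (swchost.exe under an O4 Run key, pptp16.dll as an O20 Winlogon Notify package, and the later O9/O16/O23 lines) are exactly the kind of lines a helper reads by eye. As an added example, not part of this thread and not HijackThis code, here is a small Python parser that takes those quoted lines (embedded as constructed sample input) and applies three defender-side heuristics: an entry whose file is missing, an executable whose name is one letter away from a core Windows process (swchost.exe vs svchost.exe), and a Winlogon Notify DLL that is not on a short allowlist of packages normally present on XP. The allowlist, the process list and the "runs from the Windows root" check are assumptions chosen for this example; none of the flags prove infection, they only order what to look at first.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the HJT lines quoted in this thread, embedded so the script
# runs offline. A real HJT log would be read from the saved .txt file instead.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Online Special] C:\WINDOWS\swchost.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O9 - Extra button: OzEmail - {031437CC-9765-4F27-8ABF-99F42C8D462D} - http://www.ozemail.com.au (file missing) (HKCU)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O20 - Winlogon Notify: pptp16 - C:\WINDOWS\SYSTEM32\pptp16.dll
O23 - Service: Winklts - Unknown owner - C:\WINDOWS\System32\Winklts.exe (file missing)
"""

# Core Windows process names that malware often imitates with a one-letter change.
SYSTEM_PROCESSES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                    "services.exe", "explorer.exe", "spoolsv.exe"}

# Winlogon Notify packages normally present on XP. This is a partial allowlist and an
# assumption for this example; build yours from a known-clean machine of the same build.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)", re.IGNORECASE)
NOTIFY_RE = re.compile(r"^Winlogon Notify: (\S+) - ", re.IGNORECASE)


@dataclass
class Entry:
    section: str            # e.g. "O4", "O20"
    raw: str                # the whole stripped log line
    body: str               # the text after "Oxx - "
    path: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def levenshtein(a: str, b: str) -> int:
    """Plain dynamic-programming edit distance; short filenames only, so speed is irrelevant."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_line(line: str) -> Optional[Entry]:
    """Split one HJT line into its section code, body and first Windows file path."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    pm = PATH_RE.search(body)
    return Entry(section, line.strip(), body, pm.group(0) if pm else None)


def check(entry: Entry) -> Entry:
    """Attach review flags to an entry; an empty flag list means nothing stood out."""
    if "(file missing)" in entry.body:
        entry.flags.append("orphaned entry: referenced file is missing")
    if entry.path:
        folder, name = entry.path.rsplit("\\", 1)
        for legit in SYSTEM_PROCESSES:
            if name.lower() != legit and levenshtein(name.lower(), legit) == 1:
                entry.flags.append(f"lookalike of {legit}")
        if entry.section == "O4" and folder.lower() == r"c:\windows":
            entry.flags.append("autorun executable sits in the Windows root, not System32")
    nm = NOTIFY_RE.match(entry.body)
    if nm and nm.group(1).lower() not in KNOWN_NOTIFY:
        entry.flags.append("Winlogon Notify DLL not on the known-package list")
    return entry


def analyse(log_text: str) -> List[Entry]:
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    return [check(e) for e in entries]


def flagged(log_text: str) -> dict:
    """Map each suspicious raw line to its flags; clean lines are left out."""
    return {e.raw: e.flags for e in analyse(log_text) if e.flags}


if __name__ == "__main__":
    for raw, flags in flagged(SAMPLE_LOG).items():
        print(raw)
        for f in flags:
            print("   ->", f)
```

Run against the sample, the swchost.exe line picks up two flags (svchost lookalike, Windows-root location), pptp16 is flagged as an unknown Winlogon Notify package, and the OzEmail and Winklts lines are flagged only as orphans, which matches Howard's reading that the second log held nothing really nasty. The TCAUDIAG and ewido lines come out clean, which is the point: the output is a short list to verify, not a verdict.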
 
I'll do your latest recommendation after this posting.

The exact message from the AVG popup is:

Virus detected!
While opening file: C:\WINDOWS\SYSTEM32\pptp.dll
trojan horse Backdoor.Generic2.WPW

It then has the default buttons at the base of the pop-up to "heal" or "send to vault"; neither of these does anything, as it comes up with a message that access to the file is denied.
 
Ok, download the pocket killbox programme from HERE.

Download the file, extract it, and run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and press the Delete File button (looks like a red circle with a white X).

The full path to the file is: C:\WINDOWS\SYSTEM32\pptp.dll

It will prompt you to reboot, allow it to do so, and hopefully your file will now be deleted.

This is indeed a nasty file.

Hopefully this should work (fingers crossed).

Regards Howard :)
 
It appears at this stage that I have finally won!

I updated my Kaspersky virus software, set all settings to the highest level of protection and did a full scan of everything. It came up with 29 infected files! I was shocked to see this, especially after running all the other virus programs. I have stopped getting pop-ups and it all appears to be working normally.
I am quite impressed with the Kaspersky software. I think I will have to commit to purchasing a full virus protection software package. Needless to say, I will look into the Kaspersky package.
Any feedback on this from anyone? (I may start another thread on this very subject.)

Finally, I must express my utmost gratitude to member Howard Hopkinson for his continual support during this issue. I think it is a credit to him and also to this forum to have people willing to help others as he did.
Thank you.
If I don't post back to this thread, I have a clean system.
 