I can't remove trojan "backdoor.generic2.wtw" help please

By loser · 19 replies
Jun 13, 2006
  1. My first post. Sorry to join this forum in such a desperate state. Anyhow, Hi everyone.

    My AVG virus scanner keeps telling me I have the following trojan horse "backdoor.generic2.WTW". If I select the AVG utility to remove the virus it tells me "access to the file has been denied" and it does nothing.
    I ran the following utilities, all with no result:

    Updated my AVG software to current and ran it again
    CWShredder (www.trandmicro.com)
    Ad-Aware (www.lavasoftusa.com)
    SpyBot (www.spybot.com)
    Antimalware (www.ewido.net)
    loaded the latest Microsoft malicious software upgrade
    ran the windows disk cleanup utility
    Tried to boot in windows safe mode and ran AVG virus check again.

    I disabled my system restore before doing any of these.
    I am now running out of ideas and hence my posting of my problem here.
    I also keep getting pop-ups that keep telling me that I have 55 critical Windows processes corrupt and I need to log on to the website "www.regfixit.com" or "www.fix-ms.com" to repair it. I refuse to do it but the box keeps coming up.

    If anyone can help I'd really appreciate it. I have seen mention of a HJT log. I have no idea what this is. If I must do this please give directions of where to find this program.
    Thanks again.
  2. Peddant

    Peddant TS Rookie Posts: 1,446

    Hi loser (great name). :) Welcome to Techspot.

    Go HERE and follow the instructions. Then post an HJT log.
  3. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore (XP/ME only). See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    Run your antivirus scanner again. The reason your scanner probably isn't killing the infection is because it will be hiding in one of your restore points. No antivirus scanner can remove anything from inside a system restore point. Turning off system restore will delete all your restore points and anything nasty that's in them.

    Once you've done that, follow the instructions Peddant gave you.

    Then, post a fresh HJT log into this thread.

    Regards Howard :wave: :wave:
  4. loser

    loser TS Rookie Topic Starter

    One of the first things I did was turn off the system restore. I actually ran all of the utility programs above with the restore off.
    I did boot once into safe mode and ran the AVG utility but it didn't make a difference.
    I am currently in the process of following the instructions that Peddant has posted.
    I should be able to report back soon.

    Thanks all for your help so far....
  5. Tedster

    Tedster Techspot old timer..... Posts: 6,002   +15

    You're infected with a nasty rootkit. Use HJT and you'll see that the file avpe32.dll is listed. Remove any references to it and reboot.
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Thanks for the info Tedster.

    Can you please tell me how you ascertained that? Any info you can give, will be appreciated.

    Even if that .dll is present in his HJT log, it is not advisable to simply have HJT fix the entry, as it will probably need to be unregistered first.

    loser's problems sound more like a spyware/trojan infection.

    Regards Howard :)

  7. RUDEBWOY

    RUDEBWOY TS Rookie Posts: 160

    You should get Kaspersky. I've seen this on a friend's system and it got rid of it. If you need help just message me; if you've got AIM, MSN or Yahoo let me know.
  8. loser

    loser TS Rookie Topic Starter

    I'm going to give your advice a go.
    I've just finished running anti-malware as was instructed and it only found an infected cookie. The system still has the same bug.
    I'll try Kaspersky and report back on what happens.

    Thanks all.
  9. loser

    loser TS Rookie Topic Starter

    I downloaded HJT and ran it. I could not find any references to an avpe32.dll file anywhere.
  10. loser

    loser TS Rookie Topic Starter

    Ok, I got system restore off, did a complete PC reboot and started in safe mode. Have not run Kaspersky yet.
    Let the PC boot up, then started HJT and ran a check. See attached log report. I did not start or run any other programs prior to running HJT.


  11. Tedster

    Tedster Techspot old timer..... Posts: 6,002   +15

    I was surfing the web.... I can't remember the URL, but if I find it, I'll post it.
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore (XP/ME only). See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).


    Close task manager.

    Click start/run and type regsvr32 /u C:\WINDOWS\SYSTEM32\pptp16.dll into the run box and press the enter key. Note the space between the 2 and the forward slash and again between the u and c.

    Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O4 - HKLM\..\Run: [Online Special] C:\WINDOWS\swchost.exe

    O20 - Winlogon Notify: pptp16 - C:\WINDOWS\SYSTEM32\pptp16.dll

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).


    Reboot into normal mode and turn system restore back on.

    Regards Howard :)
  13. loser

    loser TS Rookie Topic Starter

    Ok, guys in regard to the directions above.
    When I tried to enter the run command regsvr32....... the system tells me file regsvr32 not found. Could it be missing from my system?

    I proceeded after that point following instructions but I'm not sure if it works without that command. System has not changed.

    Could not find the two files listed at the bottom either.

    Downloaded and ran Kaspersky anti-virus software but that found nothing.

    Still getting the same problems as before?
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Ok, rather than using the regsvr32 command, do the following.

    Run HJT and click on the config button, then the misc tools button. Click on the delete file on reboot button and browse to C:\WINDOWS\SYSTEM32\pptp16.dll. Click on the pptp16.dll file and click open. You will be prompted to reboot your system, click yes.

    Once your system has rebooted, the pptp16.dll should have been deleted.

    Please post a fresh HJT log.

    Regards Howard :)
  15. loser

    loser TS Rookie Topic Starter

    I found a download for the regsvr32 program and executed the instructions given in full.
    When doing the final step of locating the two files (pptp.dll & swchost.exe), I could not find either.

    I am still getting the same "virus found" messages and pop-ups.

    Here is my latest HJT file. This was run with auto-restore off and a normal XP boot-up.
    After running several different virus/spyware/adware etc programs from a number of manufacturers I am starting to question my AVG virus alert software. Is there any other way to confirm I have this trojan/virus/whatever?

    Howard I very much appreciate your continuing help on this.
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Have HJT fix the following.

    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off

    O9 - Extra button: OzEmail - {031437CC-9765-4F27-8ABF-99F42C8D462D} - http://www.ozemail.com.au (file missing) (HKCU)

    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1150333873978
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150334651246
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

    O23 - Service: Winklts - Unknown owner - C:\WINDOWS\System32\Winklts.exe (file missing)

    I can find no evidence of anything really nasty in your HJT log.

    It is possible that AVG is giving a false positive.

    Can you tell me the name/s of the files that AVG is flagging?

    Regards Howard :)
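The entries Howard walks through above are plain text lines, so they can be triaged mechanically. The following is an added example (not code from the thread, from HijackThis, or from TechSpot): a small parser for HJT-style lines that flags the same things he looks for, namely Winlogon Notify DLLs (O20), entries whose target file is missing, and filenames on a watchlist. The sample log is constructed from the entries quoted in this thread, and the watchlist is an assumption built from the names singled out here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: HJT-style lines copied from the entries quoted in this thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [Online Special] C:\\WINDOWS\\swchost.exe
O4 - HKLM\\..\\Run: [TCASUTIEXE] TCAUDIAG -off
O9 - Extra button: OzEmail - {031437CC-9765-4F27-8ABF-99F42C8D462D} - http://www.ozemail.com.au (file missing) (HKCU)
O20 - Winlogon Notify: pptp16 - C:\\WINDOWS\\SYSTEM32\\pptp16.dll
O23 - Service: Winklts - Unknown owner - C:\\WINDOWS\\System32\\Winklts.exe (file missing)
"""

# Assumption: filenames the thread singled out; a real run would use current intelligence.
WATCHLIST = {"swchost.exe", "pptp16.dll", "pptp.dll"}

LINE_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")      # "O4 - <detail>"
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s()]+")      # first drive-letter path in the detail

@dataclass
class Entry:
    section: str            # HJT section code, e.g. O4, O20, O23
    detail: str             # everything after "Oxx - "
    path: Optional[str]     # target path if one is present
    file_missing: bool      # HJT's own "(file missing)" marker
    reasons: List[str]      # why this entry was flagged (empty if benign)

def parse_line(line: str) -> Optional[Entry]:
    """Split one HJT line into its section code and detail; None if not an HJT line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, detail = m.groups()
    pm = PATH_RE.search(detail)
    path = pm.group(0) if pm else None
    return Entry(section, detail, path, "(file missing)" in detail, [])

def triage(log_text: str) -> List[Entry]:
    """Return only the entries worth a closer look, each with the reasons attached."""
    flagged = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if e.section == "O20":
            e.reasons.append("Winlogon Notify DLL loads at every logon")
        if e.file_missing:
            e.reasons.append("target file missing; dangling entry")
        if e.path and e.path.rsplit("\\", 1)[-1].lower() in WATCHLIST:
            e.reasons.append("filename on watchlist")
        if e.reasons:
            flagged.append(e)
    return flagged
```

Run `triage(SAMPLE_LOG)` and the TCAUDIAG line drops out while the other four are returned with their reasons; the flags are a triage aid, not a verdict, and each path still needs to be checked on the machine.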
  17. loser

    loser TS Rookie Topic Starter

    I'll do your latest recommendation after this posting.

    The exact message from the AVG popup is-

    Virus detected!
    While opening file: C:\WINDOWS\SYSTEM32\pptp.dll
    trojan horse Backdoor.Generic2.WPW

    It then has the default buttons at the base of the pop-up to "heal" or "send to vault" neither of these do anything as it comes up with message that access is denied to the file.
  18. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Ok, download the pocket killbox programme from HERE.

    Download the file, extract it, and run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and press the Delete File button (looks like a red circle with a white X).

    The full path to the file is: C:\WINDOWS\SYSTEM32\pptp.dll

    It will prompt you to reboot, allow it to do so, and hopefully your file will now be deleted.

    This is indeed a nasty file.

    Hopefully this should work (fingers crossed).

    Regards Howard :)
  19. loser

    loser TS Rookie Topic Starter

    It appears at this stage that I have finally won!

    I updated my Kaspersky virus software and set all settings to the highest level of protection and did a full scan of everything. It came up with 29 infected files! I was shocked to see this, especially after running all the other virus programs. I have stopped getting pop-ups and it all appears to be working normally.
    I am quite impressed with the Kaspersky software. I think I will have to commit to purchasing a full virus protection software package. Needless to say I will look into the Kaspersky package.
    Any feedback on this from anyone ? (I may start another thread on this very subject).

    Finally I must express my utmost gratitude to member Howard Hopkinson for his continual support during this issue. I think it is a credit to him and also to this forum to have people willing to help others as he did.
    If I don't post back to this thread, I have a clean system.
  20. Peddant

    Peddant TS Rookie Posts: 1,446

    There's a thread here that needs bumping: Howard tribute thread