Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Phule on December 31, 2004, 06:25:17 PM

Title: Damn Trojan
Post by: Phule on December 31, 2004, 06:25:17 PM
      
     

help,

Can anyone tell me what to do to get rid of this trojan found by avast?

Keep getting the sirens every time I start the comp.

Details are:-

Original File name: WTools.exe
Original Folder: C:\Programs Files\Common Files\WinTools\Update\WToolS.exe
Size of File: 137728
Last Modification time: 12/09/2004  05:22:28
Time of transfer to Computer: 31/12/2004 10:50:35
Category: Infected Files
Virus description: Win32:Trojan-gen. {other}
Field ID: 7

At the moment I can't update XP with any security files or Service Pack 2; could this trojan be the problem?

Any and all help would be greatly appreciated.


regards

Phule
Title: Re:Damn Trojan
Post by: Eddy on December 31, 2004, 06:33:11 PM
1] Delete wintools, it is malware.
2] Clean the registry
3] Run a boottime scan

What happens if you try to install SP2?
Getting an error? If so which one?
Title: Re:Damn Trojan
Post by: Phule on December 31, 2004, 06:49:04 PM
Hi Eddy,

Not an error for SP2, it starts to download then goes to install. Bar gets to about 50% then stops and displays a failed message.

will do as u suggest and also followed link at bottom of your reply

regards

Phule
Title: Re:Damn Trojan
Post by: Eddy on December 31, 2004, 06:55:46 PM
Download SP2 and install it locally. The online installation is known for problems.

http://www.microsoft.com/downloads/details.aspx?FamilyID=049c9dbe-3b8e-4f30-8245-9e368d3cdb5a&displaylang=en
Title: Re:Damn Trojan
Post by: Phule on December 31, 2004, 07:19:49 PM
Cheers eddy,

Tried safe mode, can't delete wintools (message 'in use').

It's not just SP2 I can't download, it's any security updates. I'm not really up on the registry etc., but I can re-format the drive and take the computer back to original install from master CDs.

At the moment I can't even get into the DSL modem to set up the firewall as the browser looks for a web site!!

thanks

Phule (and I damn well feel like one)

HAPPY NEW YEAR
Title: Re:Damn Trojan
Post by: Lisandro on December 31, 2004, 07:34:50 PM
Phule, are you using Windows XP?
Can you schedule a boot-time scanning?
Start avast! > Right click the skin > Schedule a boot-time scanning
Select for scanning archives.
Boot.

Access denied means, generally, that the file is in use by another process (program) and cannot be repaired/cleaned/moved/handled by avast!
Title: Re:Damn Trojan
Post by: Phule on December 31, 2004, 07:45:41 PM
Eddy,

yes it is XP and i can do as u suggest.

thanks for the help


Phule

Title: Re:Damn Trojan
Post by: Scarch on December 31, 2004, 07:52:53 PM
Delete the trojan, but do not even think of "cleaning" the registry using any "cleaner" program. Such cleaning is not needed in 32-bit systems and is totally useless and will only give a lot of trouble to the OS. Instead try to locate the keys that belong to that program and delete them manually.
Title: Re:Damn Trojan
Post by: DavidR on December 31, 2004, 08:54:18 PM
In the hands of a novice, manually deleting registry keys can be every bit as harmful to the OS as any cleaner that you mention.

But simply leaving them there is not an option as this will simply regenerate malware. It's about using the right tools for the job and in this case it is HiJackThis to remove harmful registry entries (which may be a branch of a registry key and not necessarily the whole key).

Registry cleaners are not the correct tool for the job (malware removal), but they do - for the most part - have a backup/restore function; manual deletion may not.

Following the information on Eddy's site should make this a relatively painless journey.
Title: Re:Damn Trojan
Post by: Phule on December 31, 2004, 09:15:19 PM
Thanks all,

Just done a boot scan as Eddy suggested.

Folders: 8258
Tested files: 471008
Infected files: 0

downloaded SP2 as eddy suggested still will not install.

anyway off to the pub to see new year in.

Later Guys & thanks.
Title: Re:Damn Trojan
Post by: Eddy on January 01, 2005, 03:03:53 PM
Right click "My Computer" and choose Properties. You will see a number there. It looks like xxxxx-xxx-xxxxxxx-xxxxx. Is the second number 640 and does the 3rd start with 00 (zero zero)?

PS: Do not post the entire number here! If it makes you feel more comfortable you may send the answer in a private message.
Title: Re:Damn Trojan
Post by: Phule on January 01, 2005, 06:47:23 PM
Eddy,

Right clicked my computer>properties and checked all tabs, advanced etc no numbers anywhere.

i don't have an xp disc as all software was preloaded.

Have now got my firewall up and running so hopefully that damn trojan will not get in again.

However I downloaded SP2 as you suggested, it tries to install but after a few minutes I get the message 'could not verify integrity of file Update.inf, make sure the Cryptographic service is running on this computer'.

Checked through msconfig and it is running.

Also tried today to download DirectX 9c, it almost installed then a message appeared stating that the file did not pass Microsoft logo test and would not be installed.

Any help with the above would be welcome.

Also how do I delete wintools if it is running?

Thanks

Phule
Title: Re:Damn Trojan
Post by: Eddy on January 01, 2005, 06:57:31 PM
For the error, look HERE (http://www.jsiinc.com/SUBM/tip6400/rh6448.htm) (this is also valid for SP2) or give THIS SCRIPT (http://www.kellys-korner-xp.com/regs_edits/xp_cryptofix.vbs) a try.

And THIS WEBSITE (http://www3.telus.net/dandemar/updatinf.htm) has some more suggestions.

For the number see the picture.
Title: Re:Damn Trojan
Post by: Phule on January 01, 2005, 08:39:34 PM
Eddy,

Thank you, thank you & thank you.

The link to telus was spot on. Used the 4th suggestion renaming catroot2 to catrootold.

SP2 installed and windows update is now working fine (downloaded everything and Installed)

Thanks again for taking the time and trouble to help.

Regards

Phule
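
The catroot2 rename that resolved the Update.inf error above, written out as a batch script. This is an added example, not part of the thread; stopping and restarting the Cryptographic Services service (cryptsvc) around the rename is an assumption taken from the usual form of this fix, which the posts do not spell out.

```bat
@echo off
rem Added example: reset the catalog database behind the Update.inf integrity error.
rem Run from an administrator command prompt on the affected Windows XP machine.
setlocal
set "CATDIR=%SystemRoot%\System32"
set "BACKUP=catrootold"

if not exist "%CATDIR%\catroot2" (
    echo catroot2 not found under %CATDIR%, nothing to rename.
    exit /b 1
)
rem Do not overwrite a backup left by an earlier attempt.
if exist "%CATDIR%\%BACKUP%" (
    echo %CATDIR%\%BACKUP% already exists; remove or rename it first.
    exit /b 1
)

rem Assumption: cryptsvc keeps the catalog database open, so it is stopped
rem before the folder is renamed and started again afterwards.
net stop cryptsvc
ren "%CATDIR%\catroot2" "%BACKUP%"
if errorlevel 1 (
    echo Rename failed; restarting the service without changes.
    net start cryptsvc
    exit /b 1
)

rem On start the service creates a fresh catroot2 folder.
net start cryptsvc
sc query cryptsvc | find "RUNNING" >nul
if errorlevel 1 (
    echo cryptsvc did not come back up; check the service in services.msc.
    exit /b 1
)
echo catroot2 renamed to %BACKUP%; retry the SP2 installation.
endlocal
```

The renamed folder is kept as a backup, so the change can be undone by stopping the service and renaming it back.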
Title: Re:Damn Trojan
Post by: Eddy on January 01, 2005, 08:45:00 PM
That's what we are here for (helping or getting helped), amongst some other things ;)

Always nice to hear a problem is solved.