Velocity Reviews - Computer Hardware Reviews


totour.exe & friends

 
 
Jim Watt
 
      05-21-2007
I've been trying to remove this from a PC running XP/Home

AVG Free removes it, but it comes back.

AVG root kit remover found something once, and removed it
but the problem persists.

Looking at Google, it's a persistent pain in the arse.

There are various superantiwonderproducts that claim a
solution but without researching them they might be more
trouble than the virus. It creates something called
CPL1041.NLS which tries to set up connections on the
Internet with a variety of sites. checking with netstat.

It also buggers up IE.

Suggestions welcome, apart from flatten and rebuild which
is not really an option as they have some expensive software
that requires activation and the company wants to be
paid the licence fee for each activation. I think that sucks
but it's not my choice.
--
Jim Watt
http://www.gibnet.com
 
Ant
 
      05-22-2007
"Jim Watt" wrote:

> I've been trying to remove this from a PC running XP/Home


What are its 'friends'? The version of totour I saw dropped
msnetax.dll in <win>\system32 and installed a bunch of layered
service provider (LSP) registry keys under
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2

They can be removed safely with Sysinternals' Autoruns (look under
the 'Winsock providers' tab). You might want to back up that portion
of the registry first.

> AVG root kit remover found something once, and removed it
> but the problem persists.


Could be other malware.

> There are various superantiwonderproducts that claim a
> solution but without researching them they might be more
> trouble than the virus.


Watch out for rogues.

> It creates something called CPL1041.NLS [...]


The version I have didn't. Once again, could be other malware or a
different variant.
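
Added example, not part of the thread or any poster's code: a read-only PowerShell inventory of the Winsock provider catalog discussed above, which backs up the WinSock2 key first and then lists the DLL each catalog entry points at so an unexpected provider stands out. It assumes the standard `Parameters\Protocol_Catalog9\Catalog_Entries` layout, where each `PackedCatalogItem` value begins with the provider DLL path; the backup file name and the `$expected` baseline are assumptions to adjust.

```powershell
# Added example: read-only inventory of Winsock catalog providers (LSPs).
# Run from an elevated prompt. Nothing is deleted or modified.
$regKey   = 'HKLM\SYSTEM\CurrentControlSet\Services\WinSock2'
$catalog  = "HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2" +
            "\Parameters\Protocol_Catalog9\Catalog_Entries"
$expected = @('mswsock.dll')   # assumption: Microsoft base provider only
$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup   = Join-Path $env:TEMP "winsock2-$stamp.reg"   # hypothetical name

# 1. Back up that portion of the registry before anything is changed.
& reg.exe export $regKey $backup | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg export failed; stopping here.' }

# 2. Decode the provider path at the start of each PackedCatalogItem
#    (NUL-terminated ANSI string, may contain %SystemRoot%).
$entries = foreach ($key in Get-ChildItem -Path $catalog) {
    $blob = (Get-ItemProperty -Path $key.PSPath).PackedCatalogItem
    if (-not $blob) { continue }
    $end = [Array]::IndexOf($blob, [byte]0)
    if ($end -lt 0) { $end = $blob.Length }
    $raw  = [Text.Encoding]::ASCII.GetString($blob, 0, $end)
    $dll  = [Environment]::ExpandEnvironmentVariables($raw)
    $file = Get-Item -LiteralPath $dll -ErrorAction SilentlyContinue

    # A missing file matters too: the catalog still references it.
    $company = if ($file) { $file.VersionInfo.CompanyName }
               else       { '<file missing>' }
    $leaf    = (Split-Path -Path $dll -Leaf).ToLower()

    New-Object PSObject -Property @{
        Entry   = $key.PSChildName
        Dll     = $dll
        Company = $company
        Review  = ($expected -notcontains $leaf)
    }
}

# 3. Show everything, with entries outside the baseline first.
$entries | Sort-Object Review -Descending |
    Format-Table Entry, Review, Company, Dll -AutoSize
"Backup written to $backup"
```

`Review = True` only means the DLL is outside the assumed baseline, not that it is malicious; compare such rows against what Autoruns shows under 'Winsock providers' before removing anything.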


 
Sebastian G.
 
      05-22-2007
Ant wrote:

> "Jim Watt" wrote:
>
>> I've been trying to remove this from a PC running XP/Home

>
> What are its 'friends'? The version of totour I saw dropped
> msnetax.dll in <win>\system32 and installed a bunch of layered
> service provider (LSP) registry keys under
> HKLM\SYSTEM\CurrentControlSet\Services\WinSock2
>
> They can be removed safely



No, they can't, because you don't know what else they've done to the system.
From what they've done, it's obvious that they had admin rights and thus
could do anything they want.

>> AVG root kit remover found something once, and removed it
>> but the problem persists.

>
> Could be other malware.



Or the same malware.

>> There are various superantiwonderproducts that claim a
>> solution but without researching them they might be more
>> trouble than the virus.

>
> Watch out for rogues.



Every solution promising a removal of malware is rogue.
 
 
Jim Watt
 
      05-22-2007
On Tue, 22 May 2007 04:33:23 +0200, "Sebastian G." <(E-Mail Removed)>
wrote:

>Every solution promising a removal of malware is rogue.


Then write one that works, come back when finished
and be useful.
--
Jim Watt
http://www.gibnet.com
 
 
Jim Watt
 
      05-22-2007
On Tue, 22 May 2007 01:52:19 +0100, "Ant" <(E-Mail Removed)> wrote:

>"Jim Watt" wrote:
>
>> I've been trying to remove this from a PC running XP/Home

>
>What are its 'friends'? The version of totour I saw dropped
>msnetax.dll in <win>\system32 and installed a bunch of layered
>service provider (LSP) registry keys under
>HKLM\SYSTEM\CurrentControlSet\Services\WinSock2
>
>They can be removed safely with Sysinternals' Autoruns (look under
>the 'Winsock providers' tab). You might want to back up that portion
>of the registry first.
>
>> AVG root kit remover found something once, and removed it
>> but the problem persists.

>
>Could be other malware.
>
>> There are various superantiwonderproducts that claim a
>> solution but without researching them they might be more
>> trouble than the virus.

>
>Watch out for rogues.
>
>> It creates something called CPL1041.NLS [...]

>
>The version I have didn't. Once again, could be other malware or a
>different variant.


Thanks for the advice, now got to go resolve it ...
--
Jim Watt
http://www.gibnet.com
 
 
Ant
 
      05-22-2007
"Sebastian G." wrote:

> Ant wrote:
>> [...] The version of totour I saw dropped
>> msnetax.dll in <win>\system32 and installed a bunch of layered
>> service provider (LSP) registry keys under
>> HKLM\SYSTEM\CurrentControlSet\Services\WinSock2
>>
>> They can be removed safely

>
> No, they can't, because you don't know what else they've done to the system.


To clarify, I am talking about allowing 'Autoruns' to remove the LSP
from the registry.

> From what they've done, it's obvious that they had admin rights and thus
> could do anything they want.


Removing the malware completely, and cleaning up anything else it
might have done, may require further work.


 
 
Sebastian G.
 
      05-22-2007
Ant wrote:


> Removing the malware completely, and cleaning up anything else it
> might have done, may require further work.


Eh... like flattening and reinstalling the entire OS? So why fiddle around
with the symptoms?
 
 
Jim Watt
 
      05-22-2007
On Tue, 22 May 2007 16:35:51 +0200, "Sebastian G." <(E-Mail Removed)>
wrote:

>Ant wrote:
>
>
>> Removing the malware completely, and cleaning up anything else it
>> might have done, may require further work.

>
>Eh... like flattening and reinstalling the entire OS? So why fiddle around
>with the symptoms?


Take a moment to read the original post and you will see,
rebuild is expensive.
--
Jim Watt
http://www.gibnet.com
 