totour.exe & friends

Discussion in 'Computer Security' started by Jim Watt, May 21, 2007.

  1. Jim Watt

    Jim Watt Guest

    I've been trying to remove this from a PC running XP/Home

    AVG Free removes it, but it comes back.

    AVG root kit remover found something once, and removed it
    but the problem persists.

    Looking at Google it's a persistent pain in the arse.

    There are various superantiwonderproducts that claim a
    solution but without researching them they might be more
    trouble than the virus. It creates something called
    CPL1041.NLS which tries to set up connections on the
    Internet with a variety of sites (checked with netstat).

    It also buggers up IE.

    Suggestions welcome, apart from flatten and rebuild which
    is not really an option as they have some expensive software
    that requires activation and the company wants to be
    paid the licence fee for each activation. I think that sucks
    but it's not my choice.
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, May 21, 2007
    #1

  2. Ant

    Ant Guest

    "Jim Watt" wrote:

    > I've been trying to remove this from a PC running XP/Home

    What are its 'friends'? The version of totour I saw dropped
    msnetax.dll in <win>\system32 and installed a bunch of layered
    service provider (LSP) registry keys under
    HKLM\SYSTEM\CurrentControlSet\Services\WinSock2

    They can be removed safely with Sysinternals' Autoruns (look under
    the 'Winsock providers' tab). You might want to back up that portion
    of the registry first.

    > AVG root kit remover found something once, and removed it
    > but the problem persists.

    Could be other malware.

    > There are various superantiwonderproducts that claim a
    > solution but without researching them they might be more
    > trouble than the virus.

    Watch out for rogues.

    > It creates something called CPL1041.NLS [...]

    The version I have didn't. Once again, could be other malware or a
    different variant.
     
    Ant, May 22, 2007
    #2
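The entries Ant is describing can be inspected before anything is deleted. The script below is an added example, not code from the thread or from Sysinternals: it walks the Winsock catalog under the WinSock2 key named above, pulls out the DLL path of every registered provider (the PackedCatalogItem layout, with the provider path as a NUL-terminated ANSI string in the leading 260-byte field, is assumed from the Winsock catalog format), and flags providers whose DLL is missing or lives outside %SystemRoot%. It uses PowerShell 2.0 syntax so it also runs on an XP box; run it from an elevated prompt.

```powershell
# Added example, not code from the thread. Enumerates every Winsock provider
# registered under the WinSock2 key Ant names, so the provider DLLs can be
# reviewed before Autoruns (Winsock Providers tab) is allowed to delete entries.
# Back the key up first, as Ant suggests:
#   reg export HKLM\SYSTEM\CurrentControlSet\Services\WinSock2 winsock2-backup.reg

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters'

function Get-ProviderPathFromPacked {
    param([byte[]]$Packed)
    # Assumed layout: PackedCatalogItem starts with the provider DLL path as a
    # NUL-terminated ANSI string in a MAX_PATH (260-byte) field; WSAPROTOCOL_INFO follows.
    if ($null -eq $Packed -or $Packed.Length -lt 260) { return '' }
    $raw = [System.Text.Encoding]::Default.GetString($Packed, 0, 260)
    return $raw.Split([char]0)[0]
}

function Get-ProviderFlags {
    param([string]$Path)
    # Two hard flags only: DLL missing on disk, or registered from outside %SystemRoot%.
    if ($Path -eq '') { return 'empty path' }
    $full  = [Environment]::ExpandEnvironmentVariables($Path)
    $flags = @()
    if (-not (Test-Path -LiteralPath $full)) { $flags += 'file missing' }
    $sysRoot = $env:SystemRoot.TrimEnd('\')
    if (-not $full.StartsWith($sysRoot, [StringComparison]::OrdinalIgnoreCase)) {
        $flags += 'outside %SystemRoot%'
    }
    return ($flags -join '; ')
}

function Get-SignatureStatus {
    param([string]$Path)
    # PowerShell before 5.1 sees only embedded signatures, so catalog-signed Windows
    # DLLs report NotSigned here; use this column as a pointer for manual review.
    $full = [Environment]::ExpandEnvironmentVariables($Path)
    if ($Path -eq '' -or -not (Test-Path -LiteralPath $full)) { return 'n/a' }
    return (Get-AuthenticodeSignature -FilePath $full).Status.ToString()
}

$entries = @()
# Transport and layered (LSP) providers live in Protocol_Catalog9;
# Catalog_Entries64 exists only on 64-bit Windows.
foreach ($sub in 'Protocol_Catalog9\Catalog_Entries', 'Protocol_Catalog9\Catalog_Entries64') {
    $key = Join-Path $base $sub
    if (-not (Test-Path -LiteralPath $key)) { continue }
    foreach ($item in Get-ChildItem -LiteralPath $key) {
        $packed = (Get-ItemProperty -LiteralPath $item.PSPath).PackedCatalogItem
        $entries += New-Object PSObject -Property @{
            Catalog = $sub
            Entry   = $item.PSChildName
            Path    = Get-ProviderPathFromPacked $packed
        }
    }
}
# Name-space providers (DNS etc.) live in NameSpace_Catalog5 with a plain LibraryPath value.
foreach ($sub in 'NameSpace_Catalog5\Catalog_Entries', 'NameSpace_Catalog5\Catalog_Entries64') {
    $key = Join-Path $base $sub
    if (-not (Test-Path -LiteralPath $key)) { continue }
    foreach ($item in Get-ChildItem -LiteralPath $key) {
        $entries += New-Object PSObject -Property @{
            Catalog = $sub
            Entry   = $item.PSChildName
            Path    = [string](Get-ItemProperty -LiteralPath $item.PSPath).LibraryPath
        }
    }
}

$entries | ForEach-Object {
    $_ | Add-Member -MemberType NoteProperty -Name Flags     -Value (Get-ProviderFlags $_.Path)    -PassThru |
         Add-Member -MemberType NoteProperty -Name Signature -Value (Get-SignatureStatus $_.Path) -PassThru
} | Sort-Object Catalog, Entry | Format-Table Catalog, Entry, Path, Flags, Signature -AutoSize
```

Anything listed with a path outside %SystemRoot%, or a DLL name you cannot account for (msnetax.dll in the variant Ant saw), is what the Winsock Providers tab in Autoruns will show you for deletion; the value of listing it first is knowing which file you are unhooking and being able to take a copy of it for analysis. If the chain is left broken by removing the wrong entry, `netsh winsock reset` (XP SP2 and later) rebuilds the catalog from the defaults.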

  3. Sebastian G.

    Sebastian G. Guest

    Ant wrote:

    > "Jim Watt" wrote:
    >
    >> I've been trying to remove this from a PC running XP/Home
    >
    > What are its 'friends'? The version of totour I saw dropped
    > msnetax.dll in <win>\system32 and installed a bunch of layered
    > service provider (LSP) registry keys under
    > HKLM\SYSTEM\CurrentControlSet\Services\WinSock2
    >
    > They can be removed safely

    No, they can't, because you don't know what else they've done to the system.
    From what they've done, it's obvious that they had admin rights and thus
    could do anything they want.

    >> AVG root kit remover found something once, and removed it
    >> but the problem persists.
    >
    > Could be other malware.

    Or the same malware.

    >> There are various superantiwonderproducts that claim a
    >> solution but without researching them they might be more
    >> trouble than the virus.
    >
    > Watch out for rogues.

    Every solution promising a removal of malware is rogue.
     
    Sebastian G., May 22, 2007
    #3
  4. Jim Watt

    Jim Watt Guest

    On Tue, 22 May 2007 04:33:23 +0200, "Sebastian G." <>
    wrote:

    >Every solution promising a removal of malware is rogue.

    Then write one that works, come back when finished
    and be useful.
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, May 22, 2007
    #4
  5. Jim Watt

    Jim Watt Guest

    On Tue, 22 May 2007 01:52:19 +0100, "Ant" <> wrote:

    >"Jim Watt" wrote:
    >
    >> I've been trying to remove this from a PC running XP/Home
    >
    >What are its 'friends'? The version of totour I saw dropped
    >msnetax.dll in <win>\system32 and installed a bunch of layered
    >service provider (LSP) registry keys under
    >HKLM\SYSTEM\CurrentControlSet\Services\WinSock2
    >
    >They can be removed safely with Sysinternals' Autoruns (look under
    >the 'Winsock providers' tab). You might want to back up that portion
    >of the registry first.
    >
    >> AVG root kit remover found something once, and removed it
    >> but the problem persists.
    >
    >Could be other malware.
    >
    >> There are various superantiwonderproducts that claim a
    >> solution but without researching them they might be more
    >> trouble than the virus.
    >
    >Watch out for rogues.
    >
    >> It creates something called CPL1041.NLS [...]
    >
    >The version I have didn't. Once again, could be other malware or a
    >different variant.

    Thanks for the advice now got to go resolve it ...
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, May 22, 2007
    #5
  6. Ant

    Ant Guest

    "Sebastian G." wrote:

    > Ant wrote:
    >> [...] The version of totour I saw dropped
    >> msnetax.dll in <win>\system32 and installed a bunch of layered
    >> service provider (LSP) registry keys under
    >> HKLM\SYSTEM\CurrentControlSet\Services\WinSock2
    >>
    >> They can be removed safely
    >
    > No, they can't, because you don't know what else they've done to the system.

    To clarify, I am talking about allowing 'Autoruns' to remove the LSP
    from the registry.

    > From what they've done, it's obvious that they had admin rights and thus
    > could do anything they want.

    Removing the malware completely, and cleaning up anything else it
    might have done, may require further work.
     
    Ant, May 22, 2007
    #6
  7. Sebastian G.

    Sebastian G. Guest

    Ant wrote:

    > Removing the malware completely, and cleaning up anything else it
    > might have done, may require further work.

    Eh... like flattening and reinstalling the entire OS? So why fuddling around
    with the symptoms?
     
    Sebastian G., May 22, 2007
    #7
  8. Jim Watt

    Jim Watt Guest

    On Tue, 22 May 2007 16:35:51 +0200, "Sebastian G." <>
    wrote:

    >Ant wrote:
    >
    >> Removing the malware completely, and cleaning up anything else it
    >> might have done, may require further work.
    >
    >Eh... like flattening and reinstalling the entire OS? So why fuddling around
    >with the symptoms?

    Take a moment to read the original post and you will see,
    rebuild is expensive.
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, May 22, 2007
    #8