Topic: Problems with Win32:Agent-HKL [Trj] (Totour.exe)

flrobert

  • Guest
Problems with Win32:Agent-HKL [Trj] (Totour.exe)
« on: July 03, 2007, 10:27:37 AM »
Hello,

I've been having problems with that Trojan that avast recognizes but can't eradicate. I've tried several ideas I found on the web but it's still there. SuperAntispyware recognizes it as Trojan.spam-Rucrzy but can't get rid of it. I've tried to boot in safe mode and erase the c:\cd1041.nls file created by the Trojan, but that doesn't work. I've also tried to replace the infected ndis.sys with a clean version, but without any success. Any help or ideas would be welcome.

thanks!!

flrobert

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4871
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Problems with Win32:Agent-HKL [Trj] (Totour.exe)
« Reply #1 on: July 03, 2007, 10:49:05 AM »
Hi flrobert,

Have you tried a boot time scan with avast!? (Right click the scanner screen, select 'schedule a boot time scan' and reboot when requested.)

Have you tried AVG Anti-Spyware Free?

If still having problems, post a HijackThis! log.

     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline FreewheelinFrank

Re: Problems with Win32:Agent-HKL [Trj] (Totour.exe)
« Reply #3 on: July 03, 2007, 11:36:02 AM »
I suspect that it may be the ability of SDFix to deal with rootkits (hidden malware) that enables it to remove this infection, so you could also try these anti-rootkit scanners:

Panda Antirootkit
Blacklight
AVG Anti-Rootkit

flrobert

Re: Problems with Win32:Agent-HKL [Trj] (Totour.exe)
« Reply #4 on: July 03, 2007, 02:36:29 PM »
Avast with boot time scan didn't work; however, SDFix seems to have solved the problem. Thank you very much for your help and for replying so quickly to my request. I still don't understand very well how this totour.exe manages to behave the way it does. I'd be interested to learn more about it. You guys call it a rootkit, is that right? Merci again!

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: Problems with Win32:Agent-HKL [Trj] (Totour.exe)
« Reply #5 on: July 03, 2007, 02:44:49 PM »
Quote
Avast with boot time scan didn't work

Do you mean didn't detect or avast did not work? Do you need further help?

Quote
You guys call it a rootkit, is that right? Merci again!

Yeah.
The best things in life are free.

Offline FreewheelinFrank

Re: Problems with Win32:Agent-HKL [Trj] (Totour.exe)
« Reply #6 on: July 03, 2007, 03:38:11 PM »
Quote
I still don't understand very well how this totour.exe manages to behave the way it does.

There may be a clue here:

Quote
I bet there's something in the registry that instructs explorer to download totour.exe at first connection availability.

http://forums.pcpitstop.com/index.php?showtopic=137078

Offline FreewheelinFrank

Re: Problems with Win32:Agent-HKL [Trj] (Totour.exe)
« Reply #7 on: July 03, 2007, 03:49:11 PM »
If you haven't got one already, a third-party firewall can help you control what has access to the internet and may prevent an infection downloading more malware onto your computer:

http://www.geocities.com/dontsurfinthenude/rec_firewalls.htm