Tagasaurus Icon Won't Leave!


1 reply to this topic

#1 PAJJ


Posted 24 February 2006 - 10:34 PM

A lone computer at work running WinNT was loaded with bad stuff. I did everything and it's clean now except for one minor(?) thing.
There's a DOS-like icon on the desktop named TagASaurus.exe that will not let me delete or rename it. It's not listed in my hijackthis log nor is it running. Is this still a threat? If so, how do I remove it via WinNT?
:thumbsup:
Here's the log file...

Logfile of HijackThis v1.99.1
Scan saved at 9:55:35 AM, on 2/24/06
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\WINNT\system32\pssvc.exe
C:\DMI\bin\dmisrv.exe
C:\WINNT\system32\RpcSs.exe
C:\DMI\bin\win32sl.exe
C:\WINNT\System32\WBEM\winmgmt.exe
C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe
C:\DMI\bin\nic.exe
C:\DMI\bin\coo.exe
C:\DMI\bin\dnar.exe
C:\DMI\bin\nodemngr.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe
C:\WINNT\System32\nddeagnt.exe
C:\WINNT\explorer.exe
C:\OfficeScan NT\tmlisten.exe
C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
C:\OfficeScan NT\pccntmon.exe
C:\WINNT\System32\MSWHEEL.EXE
C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
C:\OfficeScan NT\ntrtscan.exe
C:\OfficeScan NT\ofcdog.exe
C:\VSPC\VSPC32.EXE
C:\WINNT\SYSTEM32\calc.exe
C:\netterm\netterm.exe
C:\PROGRA~1\Plus!\MICROS~1\iexplore.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = private
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = private
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O3 - Toolbar: Search - {1335D50E-EF50-71F9-86AF-506E2DA56AC2} - C:\WINNT\Qpjaufto.dll (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O13 - WWW. Prefix: http://
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O23 - Service: 3Com DMI Agent (3ComDMIService) - 3Com Corporation - C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
O23 - Service: AutoShutdown - Dell Computer Corporation - C:\WINNT\system32\pssvc.exe
O23 - Service: dmisrv - Unknown owner - C:\DMI\bin\dmisrv.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\OfficeScan NT\tmlisten.exe
O23 - Service: Win32sl - Intel - C:\DMI\bin\win32sl.exe



#2 OldTimer


    Malware Expert



Posted 27 February 2006 - 06:38 PM

Hello PAJJ and welcome to the BC HijackThis forum. I see 1 item we need to take care of so let's do that first.

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

O3 - Toolbar: Search - {1335D50E-EF50-71F9-86AF-506E2DA56AC2} - C:\WINNT\Qpjaufto.dll (file missing)

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Now, tell me a little more about this TagASaurus file.
  • Is the file on the desktop the actual executable or is it a shortcut?
  • If a shortcut then where does the shortcut point to?
  • What happens when you try to delete it (what is the exact error message)?
  • When attempting to delete is the user logged on with Administrator privileges?
Post back with a little more information and we'll see what we have.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
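
An added example (not part of the original posts, and not HijackThis's own code): a small Python parser for the log layout shown in this thread. It lists entries marked "(file missing)", such as the O3 toolbar entry selected above, and checks whether a file name like TagASaurus.exe appears among the running processes or entries. The function names and the trimmed sample log are constructed for illustration.

```python
import re

# Constructed sample: a trimmed copy of the HijackThis v1.99.1 log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)

Running processes:
C:\WINNT\explorer.exe
C:\OfficeScan NT\pccntmon.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O3 - Toolbar: Search - {1335D50E-EF50-71F9-86AF-506E2DA56AC2} - C:\WINNT\Qpjaufto.dll (file missing)
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O23 - Service: dmisrv - Unknown owner - C:\DMI\bin\dmisrv.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # section code, e.g. "O3 - Toolbar: ..."

def parse_log(text):
    """Split a log into running-process paths and (code, body) entries."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def missing_file_entries(entries):
    """Entries tagged '(file missing)': the referenced file was not found on disk."""
    return [(c, b) for c, b in entries if b.rstrip().endswith("(file missing)")]

def references(name, processes, entries):
    """Case-insensitive search for a file name in running processes and entries."""
    needle = name.lower()
    hits = [("process", p) for p in processes if needle in p.lower()]
    hits += [(c, b) for c, b in entries if needle in b.lower()]
    return hits

if __name__ == "__main__":
    procs, ents = parse_log(SAMPLE_LOG)
    for code, body in missing_file_entries(ents):
        print("orphaned entry:", code, body)
    print("TagASaurus.exe referenced:", references("TagASaurus.exe", procs, ents))
```

An empty result from `references` only shows that the file is not running and has no autostart or browser entry in the scanned sections; it says nothing about the file on disk.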
