Posted by Disciple on July 11, 2006, 2:52 pm
Ok, I searched the registries for "tag" (w/o the quotes) on several machines
but couldn't find any mention of tag.sys (or tag"anything".sys) other than a
value called "tag" which appears repeatedly in
HKLM\SYSTEM\CurrentControlSet\Services in items like abiosdsk, acpi,
adpu160m, etc etc.
I also ran F-Secure Blacklight scan, as well as gmer.exe rootkit scan (only
works on XP) with no results.
I know whatever this is must still be active, because it eventually appears
on new machines as I load them, and has even jumped from our NT domain to our
new AD domain machines; the file dates keep incrementing as well.
I've run Stinger, Trend and LavaSoft on suspect machines -- all negative.
Thanks
"David H. Lipman" wrote:
>
> | On our lan, all our XP machines and even the server have a tiny file in the
> | root of c: called tag<computername>.sys, which increments every few days and
> | contains a single line: the date in yyyy-mm-dd format (ie, 2006-06-19). I
> | can't find any viruses or spyware on any of the machines, and they are
> | patched and scanned regularly. Anyone have any thoughts or ideas?
> | Thanks.
>
> Many *.SYS files are part of RootKits or Trojans employing RootKit Techniques.
> Albeit, they aren't usually in the root "C:".
>
> Search the registry for TAG.SYS and report back your findings. Where it was
> found, etc.
>
> You may want to Export that branch (or branches) of the Registry where it is
> found for easier documentation.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>
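The registry search Dave suggests, written out as an added PowerShell example (not code from either poster): it walks every key under HKLM, matches value data (such as a service's ImagePath) against a path to tag*.sys, and exports each matching key with reg.exe for documentation. It matches value data rather than value names because the REG_DWORD named Tag under each HKLM\SYSTEM\CurrentControlSet\Services\<svc> key is the driver load-order tag used with GroupOrderList, not a reference to a file; the output folder name is an assumption.

```powershell
# Added example: find registry references to tag<computername>.sys and export the keys.
# Assumed: the file is named tag*.sys and lives in the root of C:; the export folder is arbitrary.
$pattern   = '(?i)\\tag[^\\]*\.sys'            # value data containing a path to tag*.sys
$exportDir = Join-Path $env:USERPROFILE 'tag-sys-triage'
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

$hits = @()
# Access-denied keys are skipped rather than aborting the walk; run elevated to see more.
Get-ChildItem -Path 'HKLM:\' -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $key = $_
    foreach ($name in $key.GetValueNames()) {
        # Search the data of every value, including the (Default) value (empty name).
        # The value *named* "Tag" under Services\<svc> is a load-order DWORD, so it will
        # not match here unless its data actually points at a tag*.sys file.
        $data = [string]$key.GetValue($name)
        if ($data -match $pattern) {
            $hits += [pscustomobject]@{ Key = $key.Name; Value = $name; Data = $data }
        }
    }
}

foreach ($h in $hits) {
    # RegistryKey.Name is already in the HKEY_LOCAL_MACHINE\... form reg.exe expects.
    $file = Join-Path $exportDir (($h.Key -replace '[\\:]', '_') + '.reg')
    & reg.exe export $h.Key $file /y | Out-Null
}

if ($hits.Count -eq 0) { 'No registry value data references a tag*.sys file.' }
else { $hits | Format-Table -AutoSize }
```

A full walk of HKLM can take several minutes on a busy machine; the exported .reg files in the triage folder are what you would attach when reporting back.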