Re: Startup File "tnotyoc.dll

From: Steve (sbrooks_at_netretro.com)
Date: 02/05/04


Date: Thu, 5 Feb 2004 14:53:34 -0800

Wesley,

Well, after many suffering hours, I have found the problem
(with a lot of help) and made the repairs. It turns out
that the tnotyoc is an advanced variant of the AF virus.
It is not being detected by Symantec, McAfee or Trend Micro
at this point. I did submit the information I could find
to Symantec earlier today and they called and worked with
me to discover how it is structured to run. (I have a new
appreciation for those guys) Once we isolated the dll and
process, we were able to get it zipped and sent to
Symantec. I assume they will be including what they
discover in an update and suspect the others will follow
suit.

I appreciate all your help, I think we have been on the
same page since I posted here. If I can be of any help for
you, let me know.

thanks again.

>-----Original Message-----
>Steve;
>
>Try starting in Safe Mode with Command Prompt.
>
>================
>To start your computer at a command prompt
>[[Print these instructions before continuing. They will not be available
>after you shut your computer down in step 2.
>Click Start, click Shut Down, and then, in the drop-down list, click Shut
>down.
>In the Shut Down Windows dialog box, click Restart, and then click OK.
>When you see the message Please select the operating system to start, press
>F8.
>Use the arrow keys to highlight Safe Mode with Command Prompt, and then
>press ENTER.
>If you have a dual-boot or multiple-boot system, choose the installation
>that you need to access using the arrow keys, and then press ENTER.
> Notes
>NUM LOCK must be off before the arrow keys on the numeric keypad will
>function.]]
>================
>
>Delete tnotyoc.dll there.
>
>--
>Hope this helps. Let us know.
>Wes
>
>In news:b30301c3ec17$ab5fa180$a601280a@phx.gbl,
>Steve <anonymous@discussions.microsoft.com> hunted and pecked:
>> Wesley,
>>
>> Ahead of ya on that one. It will not remove the item.
>> System states it is in use by another program or user.
>> (yes, I have disconnected internet use, rebooted in safe
>> mode and tried it all, in case a remote machine was
>> controlling, but no luck) It can only be copied to a new
>> location, at which time I can open and view the in wordpad
>> and see the data it has logged.
>>
>> All system hidden files are available to me, but still no
>> tnotyoc.dll to be found. What I think is weird is the
>> structure of the call in the
>> registry "c:\windows\system32:tnotyoc.dll init 1" I have
>> started looking for this type of structure and have not
>> been successful. Do you know where I can discover how this
>> call works and what the Init 1 would be defining?
>>
>> Thanks for your help, sure can't seem to get any from
>> Norton, McAfee or Microsoft without a bill attached!
>>
>>
>>
>> > -----Original Message-----
>> > Steve;
>> > Empty your temp folder.
>> >
>> > Start | Run | Type: cleanmgr | OK |
>> > OK | Yes
>> >
>> > Or
>> >
>> > Start | Run | Type: %TEMP% | OK |
>> > Find: tnotyoc | Delete
>> >
>> > ====================
>> > To display hidden files and folders
>> > [[Open Folder Options in Control Panel.
>> > Click Start, point to Settings, and then click Control Panel.
>> > Double-click Folder Options
>> > On the View tab, under Hidden files and folders, click Show hidden
>> > files and folders.
>> > Notes
>> > Hidden files and folders will appear dimmed to indicate they are not
>> > typical items. Usually, hidden files are program or system files that
>> > should not be deleted or changed. To display other hidden files, clear
>> > the Hide protected operating system files (Recommended) check box.
>> > If you know the name of a hidden file
>> > or folder, you can search for it. <<====
>> > If you want to see all file name
>> > extensions, clear the Hide file extensions
>> > for known file types check box.]] <<====
>> > ======================
>> > Is it C:\WINDOWS\System32:tnotyoc.dll
>> > Or
>> > C:\WINDOWS\System32\tnotyoc.dll ??
>> >
>> > --
>> > Hope this helps. Let us know.
>> > Wes
>> >
>> > In news:a14801c3ebf8$2edda400$a101280a@phx.gbl,
>> > Steve <anonymous@discussions.microsoft.com> hunted and pecked:
>> > > No, the file tnotyoc.dll can not be found on the computer.
>> > > only a file named "tnotyoc" stored in %temp% folder
>> > > (regardless of which user logs on, of which I can not get
>> > > a file extension.
>> > >
>> > > The only references I can find other than the file is in
>> > > regedit, two location
>> > >
>> > > HKEY_local_Machine/software/microsoft/windows/currentversion/run ---> rundll32
>> > > C:\WINDOWS\System32:tnotyoc.dll,Init 1
>> > > &
>> > > HKEY_local_Machine/software/microsoft/windows/currentversion/runonce ---> rundll32
>> > > C:\WINDOWS\System32:tnotyoc.dll,Init 1
>> > >
>> > > Now here is what's interesting! I boot in safe mode, it
>> > > runs. I edit the registry while in safe mode removing the
>> > > registry references, they come back - realtime - just
>> > > magically appear. I have repeated this process while
>> > > stopping processes in SAFE MODE??!! and the keys keep
>> > > coming back.
>> > >
>> > > Since, I have installed and run: Hijack this, Spy Sweeper,
>> > > Adaware, Norton AV, McAfee Av, Norton Corp Edition AV,
>> > > Zone Alarm, Black Ice, Spybot and sheesh, more that I
>> > > can't recall ... nothing detects it as a virus, spyware
>> > > or adware. On top of that, I have searched newsgroups for
>> > > spyware and adware and read about 400 security alerts from
>> > > Symantec and Network Associates
>> > >
>> > > I have now disabled system restore until I can find and
>> > > fix this problem
>> > >
>> > > Any other suggestions?
>> > >
>> > > Thx
>> > > > -----Original Message-----
>> > > > Can you locate the tnotyoc.dll and right click it |
>> > > > Properties???
>> > > >
>> > > > --
>> > > > Hope this helps. Let us know.
>> > > > Wes
>> > > >
>> > > > In news:a6a801c3eb7d$71cc0020$a401280a@phx.gbl,
>> > > > anonymous@discussions.microsoft.com <anonymous@discussions.microsoft.com>
>> > > > hunted and pecked:
>> > > > > Well, I appreciate the suggestion, but after trying 4
>> > > > > different spyware and adaware, nothing is identifying the
>> > > > > file or dll file.
>> > > > >
>> > > > > More suggestions?
>> > > > >
>> > > > >
>> > > > > > -----Original Message-----
>> > > > > > Steve;
>> > > > > > It's not an XP file.
>> > > > > >
>> > > > > > I suggest you run a full Virus scan.
>> > > > > >
>> > > > > > And.........
>> > > > > >
>> > > > > > Visit these sites. Download, install, run, update and
>> > > > > > run again; one or all. They are all good, FREE utilities.
>> > > > > > The first site gives some recommendations.
>> > > > > > http://www.spywareinfo.com/downloads.php?cat=all#s-p
>> > > > > > 1) Spybot S & D
>> > > > > > http://www.safer-networking.org/index.php?lang=en&page=download
>> > > > > > 2) SpywareBlaster
>> > > > > > http://www.javacoolsoftware.com/spywareblaster.html
>> > > > > > 3) HijackThis (some other stuff that may be of interest also)
>> > > > > > http://www.spywareinfo.com/~merijn/index.html
>> > > > > > 4) AdAware
>> > > > > > http://www.lavasoft.de/support/download/
>> > > > > >
>> > > > > > --
>> > > > > > Hope this helps. Let us know.
>> > > > > > Wes
>> > > > > >
>> > > > > > In news:a53b01c3eb4e$47a4e070$a601280a@phx.gbl,
>> > > > > > Steve <anonymous@discussions.microsoft.com> hunted and pecked:
>> > > > > > > I have this dll file on machine and it loads at every boot.
>> > > > > > > I have removed it from everything and everywhere I could
>> > > > > > > find, it just keeps coming back. I have searched the web,
>> > > > > > > MS.com and can find nothing relating to this file.
>> > > > > > >
>> > > > > > > Has anyone ever heard of or seen this file before? It
>> > > > > > > creates a file that appears to log pc usage or something
>> > > > > > > similar.
>> > > > > > >
>> > > > > > > thanks
>> > > > > > .
>> > > >
>> > > > .
>> >
>> > .
>
>.
>
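
Added example, not part of the original thread: the Run and RunOnce value quoted above, `rundll32 C:\WINDOWS\System32:tnotyoc.dll,Init 1`, uses NTFS `host:stream` syntax, so the DLL is an alternate data stream attached to the System32 directory (streams are not listed by Explorer or a plain `dir`), and in rundll32's `module,export arguments` form `Init` is the exported function and `1` the argument string passed to it. The Python sketch below parses exported autorun values and flags rundll32 launches whose module is a stream; the value names and the two benign entries are constructed sample data, and the function names are hypothetical.

```python
import re

# rundll32 command line: [path\]rundll32[.exe] <module>,<export> [arguments]
RUNDLL32 = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+'
    r'(?P<module>"[^"]+"|[^,]+),\s*(?P<export>\S+)\s*(?P<args>.*)$',
    re.IGNORECASE,
)

def split_stream(path):
    """Split 'host:stream' into (host, stream); stream is None for a plain path."""
    path = path.strip().strip('"')
    start = 2 if re.match(r"^[A-Za-z]:", path) else 0  # skip the drive-letter colon
    idx = path.find(":", start)
    if idx == -1:
        return path, None
    # Drop an optional stream-type suffix such as ':$DATA'.
    return path[:idx], path[idx + 1:].split(":", 1)[0]

def inspect_run_value(key, name, command):
    """Parse one autorun value; return None when it is not a rundll32 launch."""
    m = RUNDLL32.match(command)
    if m is None:
        return None
    host, stream = split_stream(m.group("module"))
    return {"key": key, "name": name, "host": host, "stream": stream,
            "export": m.group("export"), "args": m.group("args").strip(),
            "suspicious": stream is not None}

def flag_stream_autoruns(entries):
    """Return the rundll32 autoruns whose module is an alternate data stream."""
    parsed = (inspect_run_value(*e) for e in entries)
    return [p for p in parsed if p and p["suspicious"]]

# Constructed sample: the command strings in the first two rows are the ones
# quoted in the thread; value names and the last two rows are made up.
RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE = [
    (RUN, "example1", r"rundll32 C:\WINDOWS\System32:tnotyoc.dll,Init 1"),
    (RUN + "Once", "example2", r"rundll32 C:\WINDOWS\System32:tnotyoc.dll,Init 1"),
    (RUN, "example3", r"rundll32.exe C:\WINDOWS\System32\shell32.dll,Control_RunDLL"),
    (RUN, "example4", r'"C:\Program Files\Example\tray.exe" /min'),
]

if __name__ == "__main__":
    for hit in flag_stream_autoruns(SAMPLE):
        print(hit)
```
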


