Startup File "tnotyoc.dll"


Steve

I have this dll file on my machine and it loads at every boot.
I have removed it from everything and everywhere I could
find, it just keeps coming back. I have searched the web,
MS.com and can find nothing relating to this file.

Has anyone ever heard of or seen this file before? It
creates a file that appears to log pc usage or something
similar.

thanks
 
Steve;
It's not an XP file.

I suggest you run a full Virus scan.

And.........

Visit these sites. Download, install, run, update and
run again; one or all. They are all good, FREE utilities.
The first site gives some recommendations.
http://www.spywareinfo.com/downloads.php?cat=all#s-p
1) Spybot S & D
http://www.safer-networking.org/index.php?lang=en&page=download
2) SpywareBlaster
http://www.javacoolsoftware.com/spywareblaster.html
3) HijackThis (some other stuff that may be of interest also)
http://www.spywareinfo.com/~merijn/index.html
4) AdAware
http://www.lavasoft.de/support/download/
 
Well, I appreciate the suggestion, but after trying 4
different spyware and adaware, nothing is identifying the
file or dll file.

More suggestions?
 
No, the file tnotyoc.dll can not be found on the computer.
Only a file named "tnotyoc" stored in %temp% folder
(regardless of which user logs on), of which I can not get
a file extension.

The only references I can find other than the file are in
regedit, two locations

HKEY_local_Machine/software/microsoft/windows/currentversion/run ---> rundll32 C:\WINDOWS\System32:tnotyoc.dll,Init 1
&
HKEY_local_Machine/software/microsoft/windows/currentversion/runonce ---> rundll32 C:\WINDOWS\System32:tnotyoc.dll,Init 1

Now here is what's interesting! I boot in safe mode, it
runs. I edit the registry while in safe mode removing the
registry references, they come back - realtime - just
magically appear. I have repeated this process while
stopping processes in SAFE MODE??!! and the keys keep
coming back.

Since, I have installed and run: Hijack this, Spy Sweeper,
Adaware, Norton AV, McAfee Av, Norton Corp Edition AV,
Zone Alarm, Black Ice, Spybot and sheesh, more that I
can't recall ... nothing detects it as a virus, spyware
or adware. On top of that, I have searched newsgroups for
spyware and adware and read about 400 security alerts from
Symantec and Network Associates.

I have now disabled system restore until I can find and
fix this problem.

Any other suggestions?

Thx
 
Steve;
Empty your temp folder.

Start | Run | Type: cleanmgr | OK |
OK | Yes

Or

Start | Run | Type: %TEMP% | OK |
Find: tnotyoc | Delete

====================
To display hidden files and folders
[[Open Folder Options in Control Panel.
Click Start, point to Settings, and then click Control Panel.
Double-click Folder Options
On the View tab, under Hidden files and folders, click Show hidden files and
folders.
Notes
Hidden files and folders will appear dimmed to indicate they are not typical
items. Usually, hidden files are program or system files that should not be
deleted or changed. To display other hidden files, clear the Hide protected
operating system files (Recommended) check box.
If you know the name of a hidden file
or folder, you can search for it. <<====
If you want to see all file name
extensions, clear the Hide file extensions
for known file types check box.]] <<====
======================
Is it C:\WINDOWS\System32:tnotyoc.dll
Or
C:\WINDOWS\System32\tnotyoc.dll ??
 
Wesley,

Ahead of ya on that one. It will not remove the item.
System states it is in use by another program or user.
(yes, I have disconnected internet use, rebooted in safe
mode and tried it all, in case a remote machine was
controlling, but no luck) It can only be copied to a new
location, at which time I can open and view it in wordpad
and see the data it has logged.

All system hidden files are available to me, but still no
tnotyoc.dll to be found. What I think is weird is the
structure of the call in the
registry "c:\windows\system32:tnotyoc.dll init 1" I have
started looking for this type of structure and have not
been successful. Do you know where I can discover how this
call works and what the Init 1 would be defining?

Thanks for your help, sure can't seem to get any from
Norton, McAfee or Microsoft without a bill attached!


 
Steve;

Try starting in Safe Mode with Command Prompt.

================
To start your computer at a command prompt
[[Print these instructions before continuing. They will not be available
after you shut your computer down in step 2.
Click Start, click Shut Down, and then, in the drop-down list, click Shut
down.
In the Shut Down Windows dialog box, click Restart, and then click OK.
When you see the message Please select the operating system to start, press
F8.
Use the arrow keys to highlight Safe Mode with Command Prompt, and then
press ENTER.
If you have a dual-boot or multiple-boot system, choose the installation
that you need to access using the arrow keys, and then press ENTER.
Notes
NUM LOCK must be off before the arrow keys on the numeric keypad will
function.]]
================

Delete tnotyoc.dll there.

--
Hope this helps. Let us know.
Wes

-----Original Message-----
Can you locate the tnotyoc.dll and right click it |
Properties???

--
Hope this helps. Let us know.
Wes

 
Wesley,

Well, after many suffering hours, I have found the problem
(with a lot of help) and made the repairs. It turns out
that the tnotyoc is an advanced variant of the AF virus.
It is not being detected by symantec, mcafee or trendmicro
at this point. I did submit the information I could find
to Symantec earlier today and they called and worked with
me to discover how it is structured to run. (I have a new
appreciation for those guys) Once we isolated the dll and
process, we were able to get it zipped and sent to
Symantec. I assume they will be including what they
discover in an update and suspect the others will follow
suit.

I appreciate all your help, I think we have been on the
same page since I posted here. If I can be of any help for
you, let me know.

thanks again.
 
Steve;

How's it feel to be the guinea pig? :o)

You're welcome.
Glad you have it sorted out.
--
Hope this helps. Let us know.
Wes

 
"c:\windows\system32:tnotyoc.dll"

is the form or syntax for NT File Streams, a manner for embedding data in an
alternate fork or stream off another file (and folders are files too). File
streams do not show up in directory listings and I suspect this registry key
is reloading the tnotyoc.dll from the hidden stream at each startup.

There is an excellent explanation of NT File Streams at the SysInternals
site along with a free tool for viewing file streams:

http://www.sysinternals.com/ntw2k/source/misc.shtml#streams

Rick
Forgotten (K)not
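
The stream syntax described in the post above can be checked for mechanically. As an added example (not part of the original thread), this Python code parses autorun command lines and flags any whose target has the `host:stream` form; it relies on the rundll32 convention `rundll32 <dll>,<entry point> <arguments>`, under which `Init` is the exported function that gets called and `1` is the argument text passed to it. The function names and the sample value names are assumptions made for the example; only the first command string comes from the thread.

```python
import re
from typing import Dict, NamedTuple, Optional, Tuple


class StreamAutorun(NamedTuple):
    host: str               # file or folder that carries the stream
    stream: str             # name of the alternate data stream
    export: Optional[str]   # rundll32 entry point, when the launcher is rundll32
    args: str               # argument text handed to the program or entry point


# A token is a run of quoted chunks and non-space characters, so
# "C:\a b\x.dll",Init stays in one piece.
_TOKEN = re.compile(r'(?:"[^"]*"|[^\s"])+')


def split_stream(path: str) -> Optional[Tuple[str, str]]:
    """Return (host, stream) if path names an alternate data stream, else None."""
    # Set the drive letter aside first: its colon is not a stream separator.
    drive, rest = (path[:2], path[2:]) if re.match(r"[A-Za-z]:", path) else ("", path)
    host, sep, tail = rest.partition(":")
    if not sep or not host:
        return None                      # no colon beyond the drive letter
    name = tail.partition(":")[0]        # drop an optional stream type such as :$DATA
    if not name or "\\" in name or "/" in name:
        return None                      # "file::$DATA" is the default stream
    return drive + host, name


def parse_autorun(command: str) -> Optional[StreamAutorun]:
    """Flag a Run/RunOnce command line whose executable or DLL lives in a stream."""
    tokens = [t.replace('"', "") for t in _TOKEN.findall(command)]
    if not tokens:
        return None
    target, export, args = tokens[0], None, " ".join(tokens[1:])
    launcher = target.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if launcher in ("rundll32", "rundll32.exe") and len(tokens) > 1:
        # The DLL named after rundll32 is what actually runs.
        target, _, entry = tokens[1].partition(",")
        export, args = entry or None, " ".join(tokens[2:])
    # Limitation: an unquoted path containing spaces is only checked up to
    # its first space, because the command line itself is ambiguous there.
    found = split_stream(target)
    return StreamAutorun(found[0], found[1], export, args) if found else None


def scan(values: Dict[str, str]) -> Dict[str, StreamAutorun]:
    """Map value name -> finding for every autorun entry that points into a stream."""
    hits = {}
    for name, command in values.items():
        hit = parse_autorun(command)
        if hit:
            hits[name] = hit
    return hits


# Sample Run-key data. Value names are constructed; the first command string
# is the one quoted in the thread, the other two are constructed benign entries.
SAMPLE_RUN_VALUES = {
    "ExampleEntry1": r"rundll32 C:\WINDOWS\System32:tnotyoc.dll,Init 1",
    "ExampleTray": r'"C:\Program Files\Example\tray.exe" /min',
    "ExampleCpl": r"rundll32.exe C:\WINDOWS\System32\example.cpl,Start",
}

if __name__ == "__main__":
    for value_name, hit in scan(SAMPLE_RUN_VALUES).items():
        print(f"{value_name}: stream '{hit.stream}' attached to {hit.host}, "
              f"entry point {hit.export}, args '{hit.args}'")
```

Here the stream is attached to the System32 folder itself, which is why no tnotyoc.dll file appears in any directory listing.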
 