
[SOLVED] Tyff.exe

Discussion in 'Virus & Other Malware Removal' started by Dingus, Nov 1, 2002.

Thread Status:
Not open for further replies.
  1. Dingus

    Dingus Thread Starter

    Joined:
    Apr 21, 2002
    Messages:
    1,119
    Hi,
    I have ZoneAlarm on my PC, which has recently started alerting me to a program called TYFF.EXE trying to access the internet.
    When I try to delete this I get the response 'This is part of Windows'. Has anyone any knowledge of this program?

    :confused: :confused:
     
  3. pvc9

    pvc9

    Joined:
    Jul 7, 2002
    Messages:
    6,427
    Where is the file located? When did you install ZA? Do you have Ad-aware and Spybot? Check with these 2 programs and if they find that file suspicious, get rid of it!

    BTW, what is the exact error message that you get when you try to delete that file?
     
  4. steamwiz

    steamwiz

    Joined:
    Oct 4, 2002
    Messages:
    2,773
    DON'T allow it access to the internet until you know what it is

    I don't have it on my Win98 computer

    A search for TYFF.exe at Google comes up with zero hits

    Wait until we find out more about it before doing anything.


    steam
     
  5. steamwiz

    steamwiz

    Joined:
    Oct 4, 2002
    Messages:
    2,773
    Sorry pvc9 - you posted whilst I was still typing

    Obviously get rid of it with Ad-aware if you can


    steam
     
  6. WhitPhil

    WhitPhil Gone but never forgotten Trusted Advisor

    Joined:
    Oct 4, 2000
    Messages:
    8,684
    There are a few trojans floating around that generate 4 character random letters as the file name.
    Update your virus defs and do a full scan.

    And, if this IS a virus, it would appear that you are not running your AV in an Always On mode. This is highly recommended in order to stop them on the way in, not catch them later.
     
  7. pvc9

    pvc9

    Joined:
    Jul 7, 2002
    Messages:
    6,427
    Hey, np steamwiz :),
    I missed the line about Google and you added it.

    No hits for me as well. So that's not a genuine Windows file! Ad-aware/Spybot should help!
     
  8. Dingus

    Dingus Thread Starter

    Joined:
    Apr 21, 2002
    Messages:
    1,119
    Thanks guys, I was trying to get rid of it 'cos I think it is a virus.
    I do have the latest virus stuff but it's on the blink so I uninstalled it to reinstall. I think this is how I got TYFF'ed.

    Many thanks :mad: :mad:
     
  9. pvc9

    pvc9

    Joined:
    Jul 7, 2002
    Messages:
    6,427
    So you got rid of it?
     
  10. steamwiz

    steamwiz

    Joined:
    Oct 4, 2002
    Messages:
    2,773
  11. steamwiz

    steamwiz

    Joined:
    Oct 4, 2002
    Messages:
    2,773
  12. Dingus

    Dingus Thread Starter

    Joined:
    Apr 21, 2002
    Messages:
    1,119
    Thanks guys for the links and help, I did do an online check earlier but PC-cillin didn't find a virus, I'll now try for a trojan with that link.
    I do have Ad-aware, which didn't find it either.
    It's located in C:/windows/system and it's an application, size 50Kb.

    Why people make these viruses just beats me, wouldn't I just love to beat them... with a hammer.
    :mad:
     
  13. pvc9

    pvc9

    Joined:
    Jul 7, 2002
    Messages:
    6,427
    Ok! Just for a trial do this.

    Start->Shutdown->Restart in MS-DOS Mode->Ok!

    You should be at the C:\Windows> prompt, try these commands sequentially -

    cd system [enter]
    ren tyff.exe tyff.old [enter]
    exit [enter]

    Do you have any problems? If things are fine, then probably you can delete the file, which now exists as a .old file!
     
  14. Dingus

    Dingus Thread Starter

    Joined:
    Apr 21, 2002
    Messages:
    1,119
    pvc9

    I have Windows ME, so to do what you said is a bit different, but I did try; all I got was 'the file is in use'.
    I've since tried the trojan link also, but no luck.
    I've also updated my virus definitions but tyff.exe will not allow either ZoneAlarm or Norton Antivirus to run... a clever little sod it is.
    :(
     
  15. pvc9

    pvc9

    Joined:
    Jul 7, 2002
    Messages:
    6,427
    Try the same using a bootdisk!

    Download a bootdisk from here

    Download the one for Win 98 SE and try the same. Restart the computer and boot through the floppy and once you're at the A:\> prompt do this,

    c: [enter]
    cd windows\system [enter]
    ren tyff.exe tyff.old [enter]
    exit [enter]

    Boot through the HDD this time and check again!

    Can we take a look at your startups please? Check this link, download StartupList and post back with the results -

    http://www.lurkhere.com/~nicefiles/
     
  16. Dingus

    Dingus Thread Starter

    Joined:
    Apr 21, 2002
    Messages:
    1,119
    YOU DID ASK, I see it's in the registry:

    StartupList report, 02/11/2002, 11:46:46
    StartupList version: 1.34.0
    Started from : C:\WINDOWS\TEMP\STARTUPLIST.EXE
    Detected: Windows ME (Win9x 4.90.3000)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
    C:\COMPAQ\CPQINET\CPQINET.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
    C:\CPQS\BWTOOLS\SCCENTER.EXE
    C:\PROGRAM FILES\CYBERMEDIA\CMAGENT.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
    C:\WINDOWS\SYSTEM\TYFF.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\AOL 7.0\WAOL.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\WINDOWS\TEMP\STARTUPLIST.EXE

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\WINDOWS\Start Menu\Programs\StartUp]
    AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
    WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    Refresh.lnk = C:\Program Files\Iomega\Tools\REFRESH.EXE
    Iomega Disk Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
    Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.EXE
    Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    Iomega Watch.lnk = C:\Program Files\Iomega\Tools\IOWATCH.EXE
    suc.exe

    Shell folders Common Startup:
    [C:\WINDOWS\All Users\Start Menu\Programs\StartUp]
    ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
    TaskMonitor = C:\WINDOWS\taskmon.exe
    PCHealth = C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    SystemTray = SysTray.Exe
    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    Hidserv = Hidserv.exe run
    CPQEASYACC = C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
    EACLEAN = C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
    CPQInet = c:\compaq\CPQInet\CpqInet.exe
    Digital Dashboard = C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
    Service Connection = c:\cpqs\bwtools\sccenter.exe
    Oil Change = C:\PROGRA~1\CYBERM~2\OCTray32.exe Start
    CyberMedia Agent = "C:\PROGRAM FILES\CYBERMEDIA\CMAGENT.EXE" /SU
    LoadQM = loadqm.exe
    CleanIt = C:\Program Files\CleanIt\cleanit.exe
    Tweak UI = RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    InCD = C:\Program Files\ahead\InCD\InCD.exe
    NAV CfgWiz = C:\PROGRA~1\NORTON~1\CFGWIZ.EXE /R
    ccApp = C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    ccRegVfy = C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    pit = tyff.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe
    TrueVector = C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    SchedulingAgent = mstask.exe
    ccEvtMgr = C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [{89820200-ECBD-11cf-8B85-00AA005B4395}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [>PerUser_MSN_Clean] *
    StubPath = C:\WINDOWS\msnmgsr1.exe

    [PerUser_LinkBar_URLs] *
    StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

    [{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
    StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = C:\WINDOWS\SYSTEM\ie4uinit.exe

    --------------------------------------------------

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=
    run=HPFsched

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=Explorer.exe
    SCRNSAVE.EXE=
    drivers=mmsystem.dll power.drv

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 2/11/2002, 10:36:18)

    [rename]
    NUL=C:\WINDOWS\SYSTEM\TYFF.EXE
    NUL=C:\WINDOWS\TEMP\GLB1A2B.EXE
    NUL=C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\.
    NUL=C:\WINDOWS\TEMP\PFT40E3.TMP\VCSETUP.EXE

    --------------------------------------------------

    C:\AUTOEXEC.BAT listing:

    SET windir=C:\WINDOWS
    SET winbootdir=C:\WINDOWS
    SET COMSPEC=C:\WINDOWS\COMMAND.COM
    SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
    SET PROMPT=$p$g
    SET TEMP=C:\WINDOWS\TEMP
    SET TMP=C:\WINDOWS\TEMP

    --------------------------------------------------

    C:\WINDOWS\WINSTART.BAT listing:

    @C:\WINDOWS\tmpcpyis.bat

    --------------------------------------------------

    C:\WINDOWS\DOSSTART.BAT listing:

    @ECHO OFF
    REM NOTES:
    REM DOSSTART.BAT IS RUN WHENENVER YOU CHOOSE "RESTART THE COMPUTER
    REM IN MS-DOS MODE" FROM THE SHUTDOWN MENU IN WINDOWS. IT ALLOWS
    REM YOU TO LOAD PROGRAMS THAT YOU MIGHT NOT WANT LOADED IN WINDOWS,
    REM (BECAUSE THEY HAVE FUNCTIONAL EQUIVALENTS) BUT THAT YOU DO
    REM WANT LOADED UNDER MS-DOS. THE TWO PRIMARY CANDIDATES FOR
    REM THIS ARE MSCDEX AND A REAL MODE DRIVER FOR THE MOUSE YOU SHIP
    REM WITH YOUR SYSTEM. COMMANDS THAT YOU WANT PRESENT IN BOTH WINDOWS
    REM AND MS-DOS SHOULD BE PLACED IN THE AUTOEXEC.BAT IN THE
    REM \IMAGE DIRECTORY OF YOUR REFERENCE SERVER. PLEASE NOTE THAT FOR
    REM MSCDEX YOU WILL NEED TO LOAD THE CORRESPONDING REAL-MODE CD
    REM DRIVER IN CONFIG.SYS. THIS DRIVER WON'T BE USED BY WINDOWS 98
    REM BUT WILL BE AVAILABLE PRIOR TO AND AFTER WINDOWS 98 EXITS.
    REM
    REM THIS FILE IS ALSO HELPFUL IF YOU WANT TO F8 BOOT INTO MS-DOS 7.0
    REM BEFORE WINDOWS LOADS AND ACCESS THE CD-ROM. ALL YOU HAVE TO DO
    REM IS PRESS F8 AND THEN RUN DOSSTART TO LOAD MSCDEX AND YOUR REAL
    REM MODE MOUSE DRIVER (NO NEED TO REMEMBER THE COMMAND LINE PARAMETERS
    REM FOR THESE TWO FILES.
    REM
    REM - YOU MUST EXPLICITLY SPECIFY THE CD ROM DRIVE LETTER FOR MSCDEX.
    REM - THE STRING FOLLOWING THE /D: STATEMENT MUST EXPLICITLY MATCH
    REM THE STRING IN CONFIG.SYS FOLLOWING YOUR CD-ROM DEVICE DRIVER.
    REM MSCDEX.EXE /D:OEMCD001 /L:D
    REM MOUSE.EXE

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Tune-up Application Start.job
    PCHealth Scheduler for Data Collection.job
    Symantec NetDetect.job
    Maintenance-Defragment programs.job
    Maintenance-ScanDisk.job
    Maintenance-Disk cleanup.job
    Synchronize Time.job
    Check E-mail.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [ActiveDataObj Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ACTIVEDATA.DLL
    CODEBASE = https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

    [Symantec RuFSI Registry Information Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RUFSI.DLL
    CODEBASE = http://security3.norton.com/SSC/SharedContent/sc/bin/cabsa.cab

    [Symantec AntiVirus scanner]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\AVSNIFF.DLL
    CODEBASE = http://security3.norton.com/SSC/SharedContent/vc/bin/AvSniff.cab

    [AccountTracking Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ACCOUNTTRACKING.DLL
    CODEBASE = http://moneymanager.egg.com/customer/accounttracking.cab

    [HouseCall Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
    CODEBASE = http://a840.g.akamai.net/7/840/537/2002092801/housecall.antivirus.com/housecall/xscan53.cab

    --------------------------------------------------
    End of report, 10,803 bytes
    Report generated in 0.463 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
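    The report above is what a helper actually reads when triaging a thread like this: WhitPhil's tip about trojans with four random letters as a file name, the RunOnce entry `pit = tyff.exe`, and the `[rename]` block in WININIT.BAK (a `NUL=` target means Windows was asked to delete that file at the last reboot) all point at the same file. The following is an added example, not code from the thread or from the StartupList tool: a small Python triage script that parses a constructed excerpt of the report quoted above and flags exactly those three signals, including the case where a file scheduled for deletion is still listed as a running process. The section headings and `NUL=` syntax are taken from the report as posted; the finding labels and the `SAMPLE_REPORT` trimming are the example's own choices.

```python
import re
from collections import defaultdict

# Constructed excerpt of the StartupList report quoted in the thread,
# trimmed to the sections the checks below need.
SAMPLE_REPORT = r"""
Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\TYFF.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\TEMP\STARTUPLIST.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SystemTray = SysTray.Exe
ccApp = C:\Program Files\Common Files\Symantec Shared\ccApp.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

pit = tyff.exe

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 2/11/2002, 10:36:18)

[rename]
NUL=C:\WINDOWS\SYSTEM\TYFF.EXE
NUL=C:\WINDOWS\TEMP\GLB1A2B.EXE

--------------------------------------------------
"""

SEPARATOR = "-" * 50
# WhitPhil's heuristic: an executable whose name is four letters only.
SHORT_RANDOM_NAME = re.compile(r"^[A-Z]{4}\.EXE$", re.IGNORECASE)


def basename(path):
    """Last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def split_sections(text):
    """Split the report on the dashed rule; each section is a list of
    non-empty, stripped lines with the section heading first."""
    sections = []
    for chunk in text.split(SEPARATOR):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if lines:
            sections.append(lines)
    return sections


def parse_startuplist(text):
    """Extract running processes, registry autoruns (per key) and the
    files WININIT.BAK recorded for deletion (NUL= targets)."""
    report = {"processes": [], "autoruns": defaultdict(list), "wininit_deletes": []}
    for lines in split_sections(text):
        header = lines[0]
        if header == "Running processes:":
            report["processes"] = lines[1:]
        elif header == "Autorun entries from Registry:":
            key = lines[1]  # the registry path follows the heading
            for ln in lines[2:]:
                name, _, cmd = ln.partition(" = ")
                report["autoruns"][key].append((name, cmd))
        elif header.endswith("WININIT.BAK listing:"):
            for ln in lines[1:]:
                if ln.upper().startswith("NUL="):
                    report["wininit_deletes"].append(ln[4:])
    return report


def flag_suspicious(report):
    """Return (finding_kind, detail) tuples for the three signals
    discussed in the thread."""
    findings = []
    running = {basename(p).upper() for p in report["processes"]}
    # 1. Running executable with a four-letter name.
    for proc in report["processes"]:
        if SHORT_RANDOM_NAME.match(basename(proc)):
            findings.append(("short-random-name", proc))
    # 2. RunOnce is meant for one-shot setup tasks; a bare executable there
    #    is worth a look, especially when its name is not a full path.
    for key, entries in report["autoruns"].items():
        if key.upper().endswith("\\RUNONCE"):
            for name, cmd in entries:
                findings.append(("runonce-entry", f"{name} = {cmd}"))
    # 3. A file wininit.ini was asked to delete, yet it is running again:
    #    the scheduled removal failed or the file was re-created.
    for path in report["wininit_deletes"]:
        if basename(path).upper() in running:
            findings.append(("delete-failed-still-running", path))
    return findings


if __name__ == "__main__":
    for kind, detail in flag_suspicious(parse_startuplist(SAMPLE_REPORT)):
        print(f"{kind:30s} {detail}")
```

    On the excerpt this yields three findings, all naming TYFF.EXE: the four-letter name, the RunOnce entry, and the failed deletion. The last signal is the one that explains the "file is in use" error Dingus hit: the rename to NUL was queued for the reboot but the file was still present and running afterwards, which is why the thread moves on to renaming it from a boot floppy, with Windows not loaded.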
     

Short URL to this thread: https://techguy.org/102140