Spyware, Browser Hijacks, or other Yuckware? Check here 1st

thatfsw,

Welcome to A2K!

It's usually best to post your request on a new thread, posting it to an old thread makes life harder for the techies as it means it's harder to keep up with the resolved/unresolved requests.

But here's a lead:

http://www.microsoft.com/security/protect/cd/order.asp

There you can order a free CD with many of the updates you need. That will lessen your download time by a lot.

this thread helped me out greatly, thanks. this entire forum seems like a very cool place.

Hello

My name is Jason and im new here! This topic is something very important for my computer's problem with twaintec.dll. I did followed your step by step closely. I did removed the file "twaintec.dll at the safe mode with sucessful, but when I restart and still come back with the same thing with twaintec.dll......maybe I was seem missing something or forgotten to do to removed the bad files.

should I paste the hijack this here?


Thanks

Jason

THANK YOU
Thank you so much for helping me with this problem! I regularly use Adaware, Spybot and Norton. All noticed the problem, but none could give it a permanent "fix." I even (FOOLISHLY) bought a copy of Pestpatrol to see if maybe a program I actually paid for would work. I wish I had saved my money (or, more appropriately, donated it to the Spybot site).

Thanks for the excellent directions, and the fix that stayed fixed.

And NEVER buy Pestpatrol. It is USELESS and costs too much and has crap tech support.

Oh yes -- and I should also mention that I, too, got the message that said "access denied" when I tried to delete the twain-tec.dll. Try changing the file name, reboot and then get rid of it. I changed it to "stupiedcrapthingthatwontgoaway"

But you MUST get rid of that equally stupid preloader thing that keeps reinstalling it on reboot. That's where the Spybot Immunization came in (I think -- maybe -- who knows?)

Glad it worked out for ya, riverturn, and thanks for the feedback.

Jason, start a fresh thread with your HJT log if you want it looked at ... don't tack it onto an existing thread.

already getting popups again. time to try this process again. i think in this day and age it's nearly impossible not to get popups.

Alright, I'm having one hell of a time with this. I've followed to my best all the instructions here, and I still have this parasitic Twain-Tech on my computer:

Now I have done the following:
--Downloaded Ad-Aware and No-Adware onto my computer, which has Windows XP
--Tried to run Twain-Tech through Run, but found nothing.
--Have searched for xtarget.dll and twaintec.dll and did find them, and proceeded to delete them
--Disabled System Restore

Yet every time I run either Ad-Aware and NoAdware, I still find Twain-Tech, despite the fact that I deleted them when I ran Search and deleted the twaintec.dll (!) Also, everytime I start to my default web page after rebooting, it runs through the same ads. I correct this by going to my original default page, yet if I reboot, it goes back to the same ad-clustered page.

Someone earlier said that they were ready to throw the towel in, and I think I'm ready too. This is getting so annoying, and I would really appreciate any help for a non-computer person like myself.

Thanks

DVHookster, please refer to the following, quoted from the topic opening post in this thread:

Bumping, so I don't have to go through 2 pages to find it when I freeze up again. Beginning the steps...

Hijackthis report
I followed all the steps you suggested but I was unable to get into safe mode so I went on with the rest of the steps. Anyway here is my Hijackthis report, I hope someone can help me out with it.
Thanks a lot! ~Kenny

Logfile of HijackThis v1.97.7
Scan saved at 12:05:42 PM, on 7/26/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\VVSN\VVSN.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Kenny Bowen\Local Settings\Temp\Temporary Directory 1 for hijackthis1977[1].zip\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [ncrylcl] C:\WINDOWS\ncrylcl.exe
O4 - HKLM\..\Run: [npyzqlibor] C:\WINDOWS\System32\rfbnsu.exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Image Transfer.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: RealGuide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

if i cant find the twaintech in my add or remove programs wh
if i cant find the twaintech in my add or remove programs where mite it be?

I found a twain.dll and a twain_32.dll. Everytime I delete them, they come back. Any suggestions? TY

Yes. Reread the first post in this thread. Those files are for your camera and scanner.

I have a problem. Each time i start up my internet, my homepage turns to "c:\spe\start.chm::/start.html#". I'm not able to change it with extra internet options. Who can help me to get my homepage 'back to normal'???
Please mail me at [email protected]

Many thanks

I tried it, but was stymied
I tried this, but was stymied on the third thing on the list, namely, clicking on start and run, then typing in regsvr32 C:\windows\twaintec.dll.
I typed in regsvr32 c:\windows\twaintech.dll also, and no good. Then I clicked on Start, Run, C:\windows, which brought up the windows folder, and no file name exists like the ones above.


But when I click on Pest Patrol, which finds this file and deletes it, this computer is ok for a mini-second. Then when I cose Pest Patrol, and start it again, twain tech is back again.

So what do I do now?

neiltone and soluod ... open a new thread detailing your problems, and somebody will be along to help.

I picked up a browser hijacker about a week ago. I tried all the obvious stuff - deleted the replaced browser pages, changed the start page back. Obviously it wasn't going to be that simple so I did a full virus and ad-aware scan. Ad-aware detected it and seemingly cleaned it. I started up my browser and it was back to normal but the next time I started it, the hijack was back and I wasn't even connected to the internet.

After running out of ideas I eventually used system restore to return my system to the previous day. This worked fine.

The reason why I have posted in this thread is because timberlandko suggests disabling system restore. It's true that 'system restore' does archive viruses but the virus code that they MAY contain cannot be manifested unless restored.

Let me paint a picture. Youre surfing the internet... up til now you computer has been completely free of viruses (including your system restoration archives). Then you get a virus which your antivirus cannot handle. Your system restore archives may now be infected, but only at the point at which you got the virus. If you restored before that point, it wouldn't matter. But wait, you took timberlandko's advice and disabled system restoration. Now youre stuck with an unfixable virus and you've disabled the one, most powerful tool available to cure it.

If you know when you got a virus and you knew your restoration files were clean before, then you know what date to choose, to avoid restoring a virus.

Infected restoration files are harmless as long as you are aware that they are infected. DO NOT disable them until AFTER you have fixed the problem and NOT before.

There are a few threads open on this board who seem to have the same problem as I had. System Restore is THE best tool to fix this as it seems no antivirus/anti-spyware utility knows what to do with it. no doubt most of the people who have this problem have already tried timber's advice and now haven't got the option to use system restore.

Very useful

The purpose of disabling system restore is to prevent reinfection of your machine due to a cached example of the highjacker. And, in point of fact, using system restore very often will not solve a highjack problem, whether or not the highjacker was cached in a restore point. The trigger files for reinfestation quite commonly are found outside of files affected by system restore. Make sure your system is otherwise operating satisfactorily, have your emergency boot disk and your OS Install discs handy, back up all important personal files ... as is standard good, common-sense practice whenever prowlin' around in the innards of Windows.

Just another bit of advice, many of the procedures listed for removal should be done while off-line and in safe mode, and should be followed by cache and recycle-bin emptying.

And its not "My" advice, its standard practice among yuckware removal specialists ... determined over lotsa time and trials to be the most efficacious method of dealing with the nasties.

And finally, since the advice here all is free, and provided by volunteers, anyone would be well advised to consider the advice, and the apparent qualifications/track record of the advisor, before heedin' any of it.

Its your machine, your yuckware problem, and your call.