Reply
Wed 21 Apr, 2004 07:56 am
I am very thnakful to have found this site and I hope someone here can help me.
I tried following the instructions for yuckware removal above and have run into problems....I have ME running, but twaintec is in the Windows directory and I don't see anything named Winnt. I ran the registry command and received the following response: DLLRegisterServer in c:\windows\twaintec.dll succeeded. That doesn't sound right to me, it sounds like the reverse of what I wanted, but what do I know? Then I deleted a zipped twaintec file and a few other twaintec files, but when I tried to delete twaintec.dll I got the following message: Cannot delete twaintec.dll; specified file is in use by Windows.
I tried running in "safemode" but I can't get that to work at all. I have bootmagic on this machine and it comes up first. Then I get some interim screen that flashes by too fast for me to read and I tried F8 during this entire process but nothing happened. The ME screen just came up as usual.
I do have the restore feature disabled and I have verified that it is still disabled.
This morning when I launced the browser I got a message with IE at the top stating that it had detected a virus and wanted to know if I wanted to remove it. Since this message was not from my antiviral software, Norton, I cancelled it without doing anything.
I tried following the steps in the instructions here with a freshly rebooted machine before launching a browser and it still would not allow me to remove this dll.
In the immortal words of the Beatles: Won't you please, please help me!
Have you downloaded and run
CoolWWWSearch.SmartKiller removal tool and
CWSHREDDER yet? If not, give that a try. Create folders for them directly on your C: drive; don't run them from your desktop. Also, get, update, configure, and run
AdAware.
Before opening and installing AdAware, see: How to update AdAware and
AdAware Full Scan Instructions.. Be sure to configure for full scan. Additionally, under "General" im Configuration, select "Run at Windows startup". Once AdAware has been set up to thoroughly scour your system and to run on boot, reboot, then have AdAware fix whatever it found and reboot one more time and let it run again, and fix whatever, if anything, it found on the second pass. Deslect "Run on Windows startup", then download
HijackThis, again to its own folder on your C: drive. When it has been installed and opened, select "Scan" only, and when the scan has finished, select "Save Log". The log will appear as a Notepad dicument; cut-and-paste that in a reply to this thread and we'll go from there.
Twaintec.dll
This dll simply will not be removed. Nobody has the answer. I have it on many customer machines. All supposed removal tools, manual removals, and hints fail on all machine's and OS's. The fix on the twaintech website is ******* useless. If a group of people can get together maybe some legal action can be taken. This is destroying the industry because people who were excited about computers have had enough. Hello Microsoft, Intel, etc.!
I THINK I am able to finally get rid of TWAINTEC.DLL
For Windows XP users
Go to Start Button then Navigate Up to Run and cut and paste this command in the dialog box
regsvr32 c:\windows\twaintec.dll
Then Go back to Run and type regedit and delete these Keys along with their subkeys
Delete registry values:
Delete 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ CLSID {000020DD-C72E-4113-AF77-DD56626C6C42}', if it exists.
Delete 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Browser Helper Objects {000020DD-C72E-4113-AF77-DD56626C6C42}', if it exists.
Then Go to the Windows Folder and look for twaintec.dll
Rename this file to DELETE_ME.dll exit from Windows folder and re-start. The old twaintec.dll should be gone, and DELETE_ME.dll should be in the folder and Windows XP should have "unlocked" it now. You should be able to delete it. Then empty the re-cycle bin, and I think it will be gone for good -But then again it may come back !!!
More on the subject of TWAINTEC
I have checked and double checked this is the RIGHT KEY for both locations, the location below probaly being the more critical one of the two locations because this is where the pop-ups are coming from
Click Start, Navigate Up to Run, type "regedit" then navigate to:
'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Browser Helper Objects
Then look for BHO-{000020DD-C72E-4113-AF77-DD56626C6C42}-C:|WINDOWS\twaintec.dll, if it exists, delete it, exit from regedit.
Also I found these instructions below posted elsewhere on the web, but they are too advanced for me, Has anyone tried this?
=============================================
BELOW ---ARE THE INSTRUCTIONS I SAW--I DIDN'T TRY THEM
=============================================
Start your computer in safe mode.
Turn off system restore. Right click on My Computer, select Properties, select the System Restore tab, and check Turn Off system restore.
Empty your Temporary Internet Files by clicking Start, click Run then type %temp% and hit enter. Delete all the items in that folder.
Start the registry editor. This is done by clicking Start then Run. (The Run dialog will appear.) Type regedit and click OK. (The registry editor will open.)
Delete
'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ comms', if it exists.
Delete
'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ pup', if it exists.
'HKEY_LOCAL_MACHINE \ software \ microsoft \ windows \ currentversion \ unasauthr' if it exists.
'HKEY_LOCAL_MACHINE \ software \ microsoft \ windows \ currentversion \ undhcpv' if it exists.
'HKEY_LOCAL_MACHINE \ software \ microsoft \ windows \ currentversion \ unsvidc32m' if it exists.
Exit the registry editor.
Start Windows Explorer and delete:
C:\WINDOWS\ACTULICE.EXE
C:\WINDOWS\System32\uadficna.exe
%SystemDir%\pup.exe, if it exists.
%WinDir%\pup.exe, if it exists.
%WinDir%\telnat.exe, if it exists. Note: %WinDir%\telnet.exe is a legitimate file, do not delete it.
C:\WINDOWS\twaintec.dll
C:\PROGRAM Files\MOVEFI~1\Hope Test
Online.exe
C:\PROGRAM Files\SURFGP~1\List Iso.dll
C:\WINDOWS\System32\DBCCP32O.exe
Note: %WinDir% is a variable (?). By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\WINNT (Windows NT/2000).
Note: %SystemDir% is a variable (?). By default, this is C:\Windows\System (Windows 95/98/Me), C:\WINNT\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Run HJT and delete:
O1 - Hosts: 207.36.196.189 auto.search.msn.com
O1 - Hosts: 207.36.196.189 search.netscape.com
O1 - Hosts: 207.36.196.189 ieautosearch
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O3 - Toolbar: Deaf memo - {FF198BC5-6909-77C2-8E56-C3633E2ADE8C} - C:\PROGRA~1\SURFGP~1\List Iso.dll
O4 - HKLM\..\Run: [BagsHelp] C:\PROGRA~1\MOVEFI~1\Hope Test
Online.exe
O4 - HKLM\..\Run: [uadficna] C:\WINDOWS\System32\uadficna.exe
O4 - HKLM\..\Run: [DBCCP32O] C:\WINDOWS\System32\DBCCP32O.exe
Reboot back in to safe mode, Run your AV Live Update, (restart into safe mode again if necessary after update) then run your AV scan, delete any files that come up as viruses. Reboot into regular mode, re-enable system restore, and post your HJT log. Also, let me know if the pop-ups have stopped/decreased.If you dont have Hijackthis you can download it from the web ,and place it in its own folder by #1) Open Windows Explorer by double-clicking on its icon on the desktop (or click on Start->Programs->Windows Explorer).
2) Click on the folder on the level above where you wish to create a new folder. For example, to create a new folder on the same level as the first-level folders under the C: drive folder-i.e., on the same level as the "AOL30", "My Documents", "MSOffice", "Program Files" folders, and so on-click on the C: drive folder to highlight it.
3) Click on File, then on New, then on Folder.
4) Type in a name for your folder whatever you choose. "HIJACKTHIS"
==============================================
END EXCERPT - DOES ANYONE HAVE ANY EXPERIENCE WITH THIS?
==============================================
More on the subject of TWAINTEC
I noticed that C:\WINDOWS\SETUPAPI has details about Twaintec
In C:\WINDOWS\SETUPAPI a windows log details how twaintec keeps coming from C:\WINDOWS\INF\TWAINTEC - I went ahead and deleted "twaintec" out of the C:\WINDOWS\INF directory. It also keeps re-appearing in Documents and settings in a TEMP folder- In a directory called
C:\DocumentsandSettings\default\LocalSettings\Temp\THI73D7.tmp
I do NOT understand how these processes occur and then re-occur. I keep deleting the contents of this TEMP folder which are:
DOS Application (preInsTT)
WinZip File (twaintec)
Setup Information (twaintec)
0.1.4.19 (twaintec.dll)
but twaintec keeps coming back. I do know one thing (for sure) when I delete twaintec the POP-UPS are stopped cold in their tracks. If someone out ther knows how to poison this worm then we can all kill twaintec off for good.
I tried yet one more thing -ad-aware let's you clean upon reboot
I ran ad-aware then set ad-aware to remove infected files upon re-boot. It seems like that (knock on wood) it got rid of twaintec.dll In other words it has vanished for now at least. I hate twain-tec.
UPDATE
I given it 24 hours and TWAINTEC.dll still seems to be gone. Very Very Few Pop-Ups Now that it is gone By the way- as an extra pre-caution I also went into the java stored cache folder (located in the DOCUMENTS AND SETTINGS FOLDER) and I deleted all of the java cache. As far as I know it's not good for anything. Then I deleted my idex.dat files using this following method:
==============================================
EXCERPT FROM ANOTHER WEBSITE ABOUT INDEX.DAT
==============================================
Even if you regularly clear your Internet History, Temp files, and cookies to keep ordinary snoops at bay, you're overlooking a very important detail: index.dat files. These hidden files contain information about your IE surfing history and your Outlook activity. On tonight's 'Savers, I'll tell you a simple way to uncover and clear 'em out manually. Microsoft claims index.dat files cache webpages you visit to help speed up the loading time in Internet Explorer. A lot of folks disagree, and there are a few conspiracy theories floating around about what index.dat files are really for. I'm not really worried because I know an easy way to get rid of them. Come out, come out wherever you are! Index.dat files aren't only hidden, they're system files. Even if you select to show hidden files in your folder options, they remain unseen. To track down index.dat files, you need to know where to look. File names and locations depend on which version of Internet Explorer you have. Assuming you run IE 4.0 or above, the file names will be "index.dat." In WinXP, here's where you'll usually find them.
C:\Documents and Settings\username\cookies
C:\Documents and Settings\username\Local Settings\History
C:\Documents and Settings\username\Local Settings\Temporary Internet Files
Clean house I like to think we all learn more about Windows each time we get our hands dirty, and you'll have an easier time clearing out index.dat files manually than downloading a third-party program to do it for you.
Restart your computer in Safe Mode with Command Prompt. (Press F8 on startup and choose Safe Mode With Command Prompt.)
Log on as administrator. Enter your password.
Once you reach the command prompt, type "CD\" (no quotes) and hit Enter to get to your root directory.
Type "del index.dat /s" (no quotes) and hit Enter to erase all files named index.dat on your computer.
Type "shutdown -r" (no quotes) to restart your computer normally.
Your index.dat files will return once Windows boots up normally again, but they'll be empty! Have fun hiding your dirty little secrets.
===============================================
END OF EXCERPT - I HAVE TRIED THIS AND I THINK ITS SAFE
===============================================
Stumble It!
Tweet This
Bookmark on Delicious
Share on Facebook
Share on MySpace