Check box undone

Discussion in 'SpywareBlaster & Other Forum' started by Rico, Aug 19, 2004.

Thread Status:
Not open for further replies.
  1. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,702
    Location:
    Texas
    Hi, when I block using a CLSID in spyblaster, oftentimes the check mark is removed & the CLSID is replaced. The bug is twain-tec. Tried removing with AdAware SE, SpyBot 1.3, no luck. PestPatrol finds but cannot remove the active x compatibility CLSID.
     
  2. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
  3. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,702
    Location:
    Texas
    Twain-tec

    Hi, I posted the "check box undone". I visited the site you listed; twain-tec has never shown up in add/remove programs. So I guess it's the second one. When I search for twain*.*, mxtarget.dll, pre*nsTT.* all are no-shows. I am searching hidden files. Occasionally twaintec.* shows up & deleting it has no effect. What PestPatrol ID's (but cannot delete) is: hklm/software/microsoft/internet explorer/ active x compatibility {0000dd-c723-4113-af77-dd56626c6c42}. Delete this key & perhaps 10 - 15 min later it's back. I've seen this key on other web sites listed in different portions of the registry. Mine is only where I noted. Because of this key I thought custom blocking in spyblaster might work, but oftentimes the box becomes un-checked. I've tried CWShredder 1.591, AdAware SE, SpyBot 1.3, all up to date, no luck. PestPatrol can flag it but not remove. HELP
     
  4. kenmac

    kenmac Guest

    Re: Twain-tec

    Your problem was my problem, almost to the letter. Some time ago when I opened spywareblaster to check for updates a box appeared claiming that my internet browser was at risk as it claimed I needed spyware updates, to which I complied... then all the problems you have, I had. My solution, after a long long think, was to uninstall spywareblaster, remove that reg key, delete pestpatrol logs and pest patrol quarantined zips, reboot, ran pest patrol and hey presto twaintec was gone. So the crunch is, I guess, that somehow it's using spywareblaster to get in and re-install itself every time you open spywareblaster... hope this is some help
     
  5. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Re: Twain-tec

    its using spywareblaster to get in and re install itself everytime you open spywareblaster

    That....I can assure you is not even remotely possible and I will challenge you to provide just a little more info than what you have before making that kind of accusation.
     
  6. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,702
    Location:
    Texas
    Re: Twain-tec

    Hi Bubba & KenMac! I was feeling pretty good having found 3 twain-tec files, so I deleted same. Then I removed the Hklm....active x compatibility/{0000dd...} Well, twain-tec was gone for quite a while. Feeling good, ok! Open spyblaster, found my active x unchecked again. Then used spyblaster's help to find Ken's posting. I deleted spyblaster, removed the reg entry, ran pest patrol, no twain tec, reboot, run pestpatrol, no twain-tec. I think Ken might have a point about spyblaster/twain-tec connection. Bubba, why does the box become unchecked for that clsid? Spyblaster does not block that clsid from entering the registry! Ok, to be fair I'll run a while like this without spyblaster & see if twain-tec comes back. If it does it's back to the drawing board.
     
  7. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,702
    Location:
    Texas
    Re: Twain-tec

    Chill Bubba, no one is making accusations about SpyBlaster. Everyone is very frustrated at trying to remove "twain-tec". And myself & I'll assume KenMac also, are novices at this. Perhaps removing SpyBlaster now both of, and twain-tec has not reappeared is just coincidence. Jeez, if someone said hold down the alt key & reboot, this will get rid of twain-tec, I'd try it. Anyway I'm very interested as to why the check mark became unchecked so many times in spyblaster/tools/blocking. The clsid that became unchecked is {0000dd-c72e-4113-af77-dd56626c6c42} located at hklm/software/microsoft/internet explorer/active x compatibility. Should PestPatrol find twain-tec again, I'll let you know. Thanks Rico
     
  8. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Rico,

    I have merged your thread from the "Trojans & Backdoors" forum into your current thread here in the Javacool forum to keep it all in one place and avoid confusion.

    One thought as to why the CLSID you are entering manually into SpywareBlaster to block twaintec is being unchecked, may be caused from another program you are using, removing it, possibly PestPatrol as it has been known to do this before with the killbits that SpywareBlaster enters into the registry for protection.

    Twaintec can be difficult to remove, and if you do not remove all the infected files associated with it, you can again become reinfected. To safely remove it at this point, and to ensure all of it is removed, I would suggest you try one of the Spyware Removal forums where you can post a hijackthis log and have one of the Spyware Experts analyse it and give you instructions on what files to look for and correctly remove. You can find a list of trusted spyware removal forums here: http://a-sap.org/

    Let us know how you do.

    Regards,

    snap
     
    Last edited: Aug 21, 2004
  9. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I can see what is happening now

    Pest Patrol is seeing twaintech as a false positive in your case

    It is recognizing Spyware Blaster or Spywareguard having set that clsid as a killbit to prevent the download of the active X component of twaintech

    without that clsid being listed in that particular section of the registry, IE would allow twaintech to download, with it there it won't

    Pest patrol is well known for false positives and I'm afraid that finding killbit clsids is one of them

    PP works by comparing a list of known names and clsids and if it finds them it doesn't always check where it is just that the reference exists and tells you it exists
     
  10. kenmac

    kenmac Registered Member

    Joined:
    Aug 20, 2004
    Posts:
    3
    Hey bubba, kenmac here, sorry if you got the impression that I was accusing spywareblaster of being the cause of twain tec. I posted an idea of how it appears to have got on board my machine. When I opened spywareb' ready to check for updates, a warning message with the name spywareblaster on it, saying that my browser was not secure, appeared. Not being the world's smartest on these things I just accepted the fact. My point was that twaintec appeared to be using spywareblaster users, like myself's fears to just accept and ok the warning, thus letting it in. I have had spywareblaster on my machine for a long while now and it's one that I wouldn't be without... sorry again if you took this the wrong way.
     
  11. kenmac

    kenmac Registered Member

    Joined:
    Aug 20, 2004
    Posts:
    3
    To dvk01, your explanation puts my mind at ease, now that I finally know what's been happening.
    I absolutely hate spyware and like most novices will try almost anything to rid ourselves of things like twain tec. And once again, apologies, to those that thought I was implying the fault was spywareblaster... the old saying is true "A little knowledge is a dangerous thing"
     
  12. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,702
    Location:
    Texas
    Hello Again, Rico here. I tried the kenmac thing: removed spywareb', removed the nasty clsid. Reboot & ran PP, all was well. Periodic checking of registry, under hklm/software/microsoft/internet explorer/active x compat... {0000dd-c72e-4113-af77-dd56626c6c42} was missing. Great. Ok, now back to this forum & read all the new stuff. Well, spywareb' must be innocent. Download a fresh copy of same, install. Install says (previously used add/remove progs to eliminate spywareb') the folder already exists, do you want to install there anyway? Yes! Updated! To my surprise at tools (fresh copy of spywareb') block the above clsid was already there. Close spywareb', check the registry and that clsid is now present. Somebody mentioned trying Adaware SE vx2 plug in, this does not work. Nor does the latest download from SpyBot, hell they can't get rid of the 5 dso exploits. So now I have uninstalled spywareb' again, removed the clsid. Question: Does that clsid have to be present for hijack to find the problem? Question: Any thoughts or comments on software similar to spywareb' called "IE Spayed"? I think I saw that on doxdesk.com. Thanks!!!
     
  13. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,702
    Location:
    Texas
    Hi Gang! Ok I used add/remove to uninstall Spywareb' (see previous post). Next manually removed all references to Spywareb' in registry. Download a new copy of Spywareb' updated same. Checked tools/blocking & the clsid was empty. Close Spywareb' immediately open registry & the clsid is back. hklm/software/microsoft/internet explorer/active x compat. {000020dd-c72e-4113-af77-dd56626c6c42}
    Perhaps this clsid belongs to Spywareb'. Anybody running Spywareb' have this clsid? o_O Could PestPatrol be mis id'ing clsid as twain-tec? o_O

    To Bubba: On your postings you have a link: prevent spyware #3 says internet options/security/internet have the first two options set to "prompt" & initialize and script activex.... safe. to "disable". Your settings do not jive with Spywareb's advice? You then say to follow the recommendations, whose, Spywareb or yours? Or your recommendations: prompt, prompt, disable, spywareb' prompt, disable, disable.
     
  14. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Rico

    as I said in post 9

    spywareblaster puts that clsid in that specific location to tell IE block any downloads of twaintech (or at any rate the version of twaintech that uses that clsid)

    Pest patrol finds the clsid and sees that it corresponds to twaintech and doesn't realise that it is in the block downloads part of registry and offers to fix it or tells you to fix it

    That is why we don't recommend pest patrol unless you really know what you are doing

    it is really intended for systems analysts to work with as it finds everything in its database and a lot of the entries are genuine and good entries


    all keys and subkeys in hklm/software/microsoft/internet explorer/active x compat are telling IE NOT to download or run ANY active X component with the clsid listed
     
    Last edited: Aug 22, 2004
  15. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Hey Rico,

    That link you refer to....is not my page. That page belongs to Pieter Arntz aka Metallica.

    If you're wanting my personal preference....I have the Internet Zone set to High setting. While this does take some getting used to and further learning of the Secure capabilities provided by IE....it's worth the effort for me.

    As for the differences in Pieter's settings versus Javacool's settings....in a way there aren't any differences. The important thing they both agree on is do NOT have Active script, ActiveX controls(Signed or Un-signed) or Initialize and Script ActiveX controls not marked as safe set to Enable. It is immaterial whether you have them all set to prompt, all set to disable or a mix and match....as long they are NOT set to Enable.
     

  16. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,702
    Location:
    Texas
    Hi dVKO1 & Bubba, Well I think I finally understand your message from post #9. So did Spywareb' place the clsid from an "update" or my typing it in tools/block? At some point in this I did find 3 twaintec files (search twaintec.*) and deleted them. I never did find any other files associated with twain-tec, e.g. mxtarget.dll, preinstt.dll. At some point perhaps I did have twain-tec - then deleted the 3 files - then entered the clsid in Spywareb' - then PP found it. Or something like that. I've copied your message & will email it to PP tech. I also will assume that's why so many other spy progs could not find what PP found. Wow! I've learned a lot.

    Thank You Very Much
    rico
     
  17. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Rico,

    In your earlier posts you had listed the CLSID for Twaintech like this:
    {0000dd-c723-4113-af77-dd56626c6c42}
    and like this:
    {0000dd-c72e-4113-af77-dd56626c6c42}

    Then in your post #13, you listed the CLSID as:
    {000020dd-c72e-4113-af77-dd56626c6c42}

    That was what was confusing me since the earlier CLSID's you posted did not have the number "20" after the 0000's, and one had c723 rather than the c72e. These were possibly typos then?

    The correct CLSID for Twaintec that is in SpywareBlaster's database and is set as the killbit in the registry is:
    {000020dd-c72e-4113-af77-dd56626c6c42} (See pic below).

    So if PestPatrol is detecting that CLSID in the registry, and you are allowing it to fix and remove that CLSID, then you are indeed removing the protection that SpywareBlaster put there to prevent Twaintec from being installed. After you have either let PestPatrol remove it (or if you manually removed it yourself), then yes, the next time you open up SpywareBlaster you will see the entry for "Twaintec Adware" in the Block List, now showing red and unchecked, and you would then have to again re-check that entry in SpywareBlaster, hit the "Protect Against Checked Items" button or "Enable All Protection" button, which will make SpywareBlaster put the CLSID back into the registry for protection.

    I understand it can be quite confusing at first, and that it can end up in this 'loop' of installing the protection with one program, and uninstalling the protection with another program, until you know what each program you use actually does, and how they protect you. So the next time you scan with PestPatrol, just ignore that particular CLSID since you know it is being put there by SpywareBlaster to protect you. :)

    Regards,

    snap
     

    Last edited: Aug 22, 2004
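
Added example, not part of any post in this thread and not SpywareBlaster's or PestPatrol's code: a location-aware check of the kind posts 14 and 17 describe, where a CLSID found only under the ActiveX Compatibility key with the kill bit set is treated as protection rather than as an infection. It reads a regedit export; the sample export, the function names and the three verdict labels are constructed for illustration, and only the exact key path named in the thread is treated as the kill-bit location.

```python
import re

# Key named in the thread, spelled the way a regedit export writes it.
KILLBIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILLBIT_FLAG = 0x400  # bit in "Compatibility Flags" that stops IE loading the control
CLSID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9a-f]{8})$', re.I)

# Constructed sample export (not taken from the thread): kill bit present, nothing else.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{000020DD-C72E-4113-AF77-DD56626C6C42}]
"Compatibility Flags"=dword:00000400
'''


def is_well_formed_clsid(text):
    """True only for the braced 8-4-4-4-12 hex form."""
    return bool(CLSID_RE.match(text))


def classify_reg_export(reg_text, clsid):
    """List every key in the export whose last component is `clsid`, with its role."""
    if not is_well_formed_clsid(clsid):
        raise ValueError(f"malformed CLSID: {clsid}")
    findings, current = [], None
    for line in (raw.strip() for raw in reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            parent, _, leaf = line[1:-1].rpartition("\\")
            current = None
            if leaf.lower() == clsid.lower():
                role = "killbit" if parent.lower() == KILLBIT_KEY.lower() else "registration"
                current = {"key": line[1:-1], "role": role, "flag_set": False}
                findings.append(current)
        elif current and current["role"] == "killbit":
            m = FLAGS_RE.match(line)
            if m:
                current["flag_set"] = bool(int(m.group(1), 16) & KILLBIT_FLAG)
    return findings


def verdict(findings):
    """A hit only under the kill-bit key is protection, not an infection."""
    if any(f["role"] == "registration" for f in findings):
        return "investigate"   # the CLSID also appears outside the kill-bit key
    if any(f["flag_set"] for f in findings):
        return "protected"     # IE is told not to load this CLSID
    return "unprotected"       # no kill bit for this CLSID
```

The format check rejects the shortened CLSIDs typed earlier in the thread, so a mistyped value is caught before it is compared against anything.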
  18. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,702
    Location:
    Texas
    Hello Everybody, Yes I did make some errors in the clsid for twain-tec. I'll be more careful next time. Some of the replies to this issue, I copied & pasted into an email & sent it to PP. The last communication from PP tech. confirmed the false positive ID of twain-tec by PP. I told them to get Spywareblaster 3.2 and place the correct clsid in the tools/custom blocking section of Spywareb' & then run PP. Hence their test machine proved the false positive. I have excluded twain-tec from PP for the time being, they promise to fix. Thanks everybody, what a learning experience in more ways than one. For example two trial spyware programs would not uninstall & I figured out how to permanently remove same. Plus a real education in the registry. Thanks Again!!!! CASE CLOSED
     
  19. MAF

    MAF Registered Member

    Joined:
    Sep 11, 2004
    Posts:
    3
    Location:
    Formerly part of Gondwanaland
    Thank you so much. I've been searching all afternoon for info on Twain-Tech. I'd trusted PestPatrol too much, and kept removing the reference it found.

    I trust and respect SpywareBlaster even more than before! Thanks :)
     