TwainTec Spyware - Trojan Irritation and pestpatrol


Messiah
08-21-2004, 03:19 AM
Hope one of you can clear this problem for me. I regularly run all the anti-spyware applications. I recently installed PestPatrol. PestPatrol finds TwainTec spyware in my system, and when I delete it, it comes right back. It also recently found trojan.downloader.win32.lic in one of my good files.

I was told in a major spyware forum to uninstall PestPatrol when I posted this question.

Is PestPatrol useless? How can I delete the TwainTec spyware, and how can I make sure my good file is not a trojan, as PestPatrol reports? I have not opened the file since PestPatrol found it.

This is a major irritation; please post help. Thanks.

ErnieK
08-21-2004, 04:57 AM
First things first.

Here are the removal instructions for TwainTec.
http://www.pchell.com/support/twaintec.shtml

Budfred
08-21-2004, 09:24 AM
Welcome to PCGuide!

Pest Patrol has a problem with identifying false positives (apparently part of their marketing practices), so it is hard to know what is really going on with your PC... I suggest that you download, update and run Spybot and Ad-Aware SE... In Spybot, fix the items it lists in red... In Ad-Aware SE, run the deepest scan and fix what it finds (uncheck the option to scan MRUs)....

Also download HijackThis and run it after you finish the other scans, then post a log here... To run HJT, extract it to a permanent folder such as one you create like C:\HJT. Close all open windows and browsers and make sure that all programs are enabled if you use msconfig. Run it and Scan, then Save the log. When the log window appears, Right click to Copy it, open your browser and come here to Paste the log. Do not make any changes until it is checked since most items are either benign or essential to the computer.

Messiah
08-21-2004, 12:12 PM
ErnieK grandmaster, I tried your link, but alas I was not able to find any of the files mentioned there.

Budfred amateur master, I have run all tests with all the spyware programs, but I will run them again and post; I have them all.

Thank you both.

Messiah
08-21-2004, 01:30 PM
Mastergeek Budfred, I downloaded Ad-Aware SE and ran it as per your instructions; it found only some cookies. I ran Spybot again, and what now :o, it finds AI RoboForm, which I have been using for years. It's not spyware, or is it? I am confused, and I have not deleted it. Again I have run PestPatrol; it finds TwainTec again and the trojan downloader. Somebody please help me to get rid of this; I am really fed up with this after nearly a month. :(

Here is the HijackThis log:

Logfile of HijackThis v1.98.1
Scan saved at 05:20:52 PM, on 21-Aug-04
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
D:\WINDOWS\System32\devldr32.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Executive Software\Diskeeper\DkService.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\CursorXP New\CursorXP.exe
D:\Program Files\DScaler4.19\DScaler.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:4001
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - D:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - D:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LogonStudio] "D:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CursorXP] D:\Program Files\CursorXP New\CursorXP.exe
O8 - Extra context menu item: &Copy Location - D:\WINDOWS\WEB\graburl.htm
O8 - Extra context menu item: &Z WebNuke - D:\WINDOWS\wwwNuke.htm
O8 - Extra context menu item: Download using LeechGet - file://D:\Program Files\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://D:\Program Files\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: Parse with LeechGet - file://D:\Program Files\LeechGet 2004\\Parser.html
O8 - Extra context menu item: Save F&lash with FlashCapture - res://D:\Program Files\FlashCapture\FCIEXT.dll/FCIEXT.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - (no file)
O9 - Extra button: (no name) - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - (no file)
O9 - Extra button: (no name) - {724d43aa-0d85-11d4-9908-00400523e39a} - (no file)
O9 - Extra button: (no name) - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - D:\WINDOWS\System32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - D:\WINDOWS\System32\webzone.dll
O9 - Extra button: (no name) - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - D:\WINDOWS\System32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - D:\WINDOWS\System32\webzone.dll
O9 - Extra button: Offline - {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - D:\WINDOWS\System32\oline.dll

Do I have to delete PestPatrol? That was already suggested at spywareinfo; it is not free, I paid $$ for it.

Budfred
08-21-2004, 03:04 PM
You do not seem to have all of your log here and you are using an older version of HJT... Did you just download it or is this from before??

You do not seem to have Twaintec in the log... Try a search on your hard drive for twaintec.dll with all hidden and system files visible... If you still don't find it, it is probably a false alarm...

You do not have to remove Pest Patrol, but I would certainly consider asking them for a refund if I were you... They were just purchased by a bigger company, so it is possible they will clean up their act in the future...

You do have a couple of things that you need to fix with HJT... Please mark these items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)

Close all open windows and browsers except HJT and click on FIX...

You seem to have disabled your SpywareGuard, and you may need to either re-enable it in the program or reinstall it...

I am not aware of a problem with AI RoboForm, so I would leave it alone...

Please download the latest HJT and use it to run a fresh log after rebooting first so we can see if you are clean...

If you want to doublecheck for the trojan, download and run the trial version of TrojanHunter....

Messiah
08-22-2004, 02:33 AM
Master geek Budfred, thanks for your reply. That is my full log; it is a new install, so it is small, maybe. I downloaded the new HijackThis version; here is the report after following your advice.

Logfile of HijackThis v1.98.2
Scan saved at 06:46:54 AM, on 22-Aug-04
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
D:\WINDOWS\System32\devldr32.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Executive Software\Diskeeper\DkService.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\CursorXP New\CursorXP.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Leechget 2004\Leechget.exe
D:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:4001
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - D:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - D:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LogonStudio] "D:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CursorXP] D:\Program Files\CursorXP New\CursorXP.exe
O8 - Extra context menu item: &Copy Location - D:\WINDOWS\WEB\graburl.htm
O8 - Extra context menu item: &Z WebNuke - D:\WINDOWS\wwwNuke.htm
O8 - Extra context menu item: Download using LeechGet - file://D:\Program Files\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://D:\Program Files\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: Parse with LeechGet - file://D:\Program Files\LeechGet 2004\\Parser.html
O8 - Extra context menu item: Save F&lash with FlashCapture - res://D:\Program Files\FlashCapture\FCIEXT.dll/FCIEXT.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - (no file)
O9 - Extra button: (no name) - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - (no file)
O9 - Extra button: (no name) - {724d43aa-0d85-11d4-9908-00400523e39a} - (no file)
O9 - Extra button: (no name) - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - D:\WINDOWS\System32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - D:\WINDOWS\System32\webzone.dll
O9 - Extra button: (no name) - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - D:\WINDOWS\System32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - D:\WINDOWS\System32\webzone.dll
O9 - Extra button: Offline - {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - D:\WINDOWS\System32\oline.dll

There is no twaintec.dll after a full search; also TrojanHunter did not find the trojan. Is my system clean? I again ran PestPatrol with the same result: it finds TwainTec and the trojan. I searched spywareinfo; this is not like other programs like Spyware Killer or SpywareNuker?

I will ask them for refund. :mad: :mad:

Yes, you are correct, I have installed SpywareGuard, but I am not able to run it on startup. Where is the setting anyway? Thanks for all the help.

shanmuga
08-22-2004, 03:02 AM
Where exactly does PestPatrol find TwainTec in your system?

Budfred
08-22-2004, 03:35 AM
Your log does appear to be clean... If TwainTec is in a Restore Point, it is possible that Pest Patrol is picking it up there... Otherwise, it is probably a false positive....

Pest Patrol is not a total scam like SpyHunter or SpyKiller, but it does tend to come up with false positives and that does tend to increase sales... I wouldn't recommend it... ;)

Messiah
08-22-2004, 09:13 AM
Thank you, mastergeek Budfred, for saying my log is looking clean. TwainTec cannot be in System Restore, as I have flushed it many times. I am confused; I thought I could stop that nagging from PestPatrol with your help.

Welcome to the party, Indian master shanmuga; I think you are late. PestPatrol didn't say where; it just says it found TwainTec in my system. Do you have any more ideas?

shanmuga
08-22-2004, 09:39 AM
Messiah, I have used PestPatrol for a short period and found it to be an aggressive scanner, unsuitable IMO for most users, in the sense that it finds false positives now and then. Like a registry cleaner, one needs to be selective in choosing the entries to be fixed, which is beyond most Windows users. It's much better to stick with Ad-Aware for regular scanning of your system for spyware/adware.

Having said that, I believe that PestPatrol will show the location of the malware found: if it's a file it will show the full path to the file; if it's a registry entry it will show the full path to the key. Please run a scan again with PP, then find and post the full location given for both TwainTec and the trojan file.

Messiah
08-22-2004, 09:58 AM
Indian master shanmuga, your reply is astute but looks angry. :( A scan with PestPatrol takes about 90 minutes to complete. I will find and post the location then. I hope at least you can help me.

Messiah
08-22-2004, 01:49 PM
Are you here, Indian master shanmuga? This is what I can see in PestPatrol: 1 is TwainTec, 2 is the trojan file. I can see them only partly; if this is not any help, is there any way of seeing them fully?
hkey_local_machine/software/microsoft/microsoft/internt explorer\activex compati....
d:\documents and settings\xx\desktop\clean\cl

Messiah
08-22-2004, 02:40 PM
Are you here, Indian mastergeek shanmuga? :cool: Can you help me please?

shanmuga
08-22-2004, 02:40 PM
Try moving the column dividers to the right after 'activex compati...' to see the full registry key. Do you have a file named 'cl' in the folder 'clean' on your desktop?

Otherwise, look for the log file in PestPatrol; if I remember correctly it's called 'Master Log'. Maybe the full paths to the files/reg key are available there.

PS: "your reply is astute but looks angry." Why should I be angry, Messiah? If my earlier reply sounded rude/angry to you, I apologize :).

Edit: I am here, but not for very long, my local time is GMT + 6 hours.

Messiah
08-22-2004, 03:14 PM
Indian master shanmuga, you sound like a learned one. Please forgive me if I said anything wrongly; I am only an unlearned old man of 78 years, SORRY. Please do not apologise; my mistake :(.

The Master Log idea is a masterstroke; I got the details now.

TwainTec in
hkey_local_machine\software\microsoft\internet explorer\activex compatibility\[0000020dd-c72e-4113-af77-dd56626c6c42]\compatibility flags

(Please excuse my typing; it's too much trouble at this age.)

Trojan in
d:\documents and settings\xx\desktop\clean\clean\

Messiah
08-22-2004, 03:45 PM
GMT + 6 hours; have you gone to bed, Indian geek shanmuga? Good night. I hope you can solve it tomorrow. Here the time is nearing 9 at night. Good night to you, and amateur master Budfred, please help tomorrow.

shanmuga
08-23-2004, 01:56 AM
No problem :). That looks like the TwainTec CLSID; please proceed as follows:

1. Back up the registry following the instructions here: How to back up (and restore) the entire registry (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/199762382617?OpenDocument&ExpandSection=2&Src=sec_doc_nam#_Section2)

2. Open the registry editor: click Start > Run, type "regedit" in the space provided, and click OK.

3. Once the registry editor is open, open the 'Edit' menu, click 'Find', copy & paste the following line in the space provided, and click OK.

{000020DD-C72E-4113-AF77-DD56626C6C42}

4. When the registry editor finds the particular key, it will be highlighted in the left pane. Right-click on the highlighted key and select 'Copy Key Name'. Now check the right pane: is the name of the key "Compatibility Flags"? If yes, note down the value under the "Data" column.

5. Paste the copied key name and the data value in your reply. Also confirm whether you have SpywareBlaster installed.

Now to the Trojan part,

It looks like you have missed the actual file name inside the "Clean" folder. Go to Kaspersky Single File Scanner (http://www.kaspersky.com/remoteviruschk.html), browse to the file found by PestPatrol and let KAV check it for you.

Please copy the results of the report at the end of the scan and paste the contents back here.

Messiah
08-23-2004, 05:06 AM
Hi shanmuga, I have done what you told me.

Copied key name:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{000020DD-C72E-4113-AF77-DD56626C6C42}

The data entry is
0x00000400(1024)
I confirm I have installed SpywareBlaster.
----------------------------------------------
The trojan scan report from Kaspersky:

Scanned file: crack.exe

crack.exe - packed with UPX
crack.exe - infected by TrojanDownloader.Win32.Small.ic
-----------------------------------------------
I am now waiting for your reply.

Messiah
08-23-2004, 08:13 AM
Mastergeek shanmuga, please help.

shanmuga
08-23-2004, 09:44 AM
The registry value of 400 indicates that the particular CLSID is blocked from installing/running in the PC, the 'kill bit', most probably set by SpywareBlaster. It won't harm your system. Looks like a clear case of a false positive; scan again with PestPatrol and place it in the ignore/exclude list so that you will not be annoyed during future scans.

The trojan file is really a trojan file, as confirmed by KAV. I wonder what made you call it a 'good file' with such a dubious name. :) Get rid of it immediately.

Perform a full online scan at housecall.trendmicro.com (http://housecall.trendmicro.com/) to make sure that you are clean.

Once the scan is complete, reboot into Safe Mode, clear out the temp folders and reset System Restore.

The following DIRECTORY CONTENTS need to be deleted while in safe mode.
* d:\Windows\Temp\
* d:\Documents and Settings\Your Profile\Local Settings\Temporary Internet Files\
* d:\Documents and Settings\Your Profile\Local Settings\Temp\
* d:\Documents and Settings\Any other users Profile\Local Settings\Temporary Internet Files\
* d:\Documents and Settings\Any other users Profile\Local Settings\Temp\
* Empty your "Recycle Bin".

Then disable your System Restore:

1 Right-click My Computer, and then click Properties.
2 Click the System Restore tab.
3 Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
4 Click Apply
5 This will delete all existing restore points. Click Yes to do this.
6 Click OK.

Reboot into normal mode, enable System Restore, and post a fresh HijackThis log for a final check.
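
The registry check shanmuga walks through above, and the reading of the 0x400 "Compatibility Flags" value as the kill bit, can be done in one step. The following is an added example and is not code from the thread or from any of the tools mentioned in it. It assumes a current Windows with PowerShell 5.1 or later (the XP machine in the thread would not have it), and it only reads the registry, so no elevation is needed. Beyond what the thread shows, it also checks whether any COM server is registered for the CLSID at all, which is what separates "blocked by SpywareBlaster, never installed" from "installed and blocked".

```powershell
# Added example, not part of the original thread or any tool it names.
# Checks a CLSID the way shanmuga's manual regedit steps do, and additionally
# reports whether any in-process COM server is registered for it.
# Assumes PowerShell 5.1+ on a current Windows; read-only, no elevation needed.

function Get-ActiveXStatus {
    param(
        [Parameter(Mandatory)]
        [string]$Clsid   # braces included, e.g. '{000020DD-C72E-4113-AF77-DD56626C6C42}'
    )

    $KillBit = 0x400   # COMPAT flag "kill bit": IE refuses to instantiate the control

    # 1. The per-CLSID block list that SpywareBlaster and similar tools populate
    $compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $flags = $null
    if (Test-Path -LiteralPath $compatKey) {
        $flags = (Get-ItemProperty -LiteralPath $compatKey).'Compatibility Flags'
    }
    $flagsHex = $null
    if ($null -ne $flags) { $flagsHex = '0x{0:X8}' -f $flags }

    # 2. Whether any in-process server is registered for the CLSID.
    #    HKCR is the merged view of HKLM and HKCU class registrations.
    $serverKey  = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    $serverPath = $null
    if (Test-Path -LiteralPath $serverKey) {
        $serverPath = (Get-ItemProperty -LiteralPath $serverKey).'(default)'
    }
    $serverRegistered = -not [string]::IsNullOrEmpty($serverPath)
    $serverFileExists = $false
    if ($serverRegistered) {
        $serverFileExists = Test-Path -LiteralPath $serverPath.Trim('"') -PathType Leaf
    }

    [pscustomobject]@{
        Clsid            = $Clsid
        CompatFlags      = $flagsHex
        KillBitSet       = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
        ServerRegistered = $serverRegistered
        ServerPath       = $serverPath
        ServerFileExists = $serverFileExists
    }
}

# The CLSID from the thread. KillBitSet = True together with ServerRegistered = False
# is the "blocked, never installed" case: a block-list entry, not an infection.
Get-ActiveXStatus -Clsid '{000020DD-C72E-4113-AF77-DD56626C6C42}' | Format-List
```

A scanner that keys on the CLSID string alone will flag the block-list entry itself; the ServerRegistered and ServerFileExists fields are the extra evidence a practitioner wants before treating such a hit as anything more than a false positive.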

Messiah
08-23-2004, 01:55 PM
I bow before you, Indian mastergeek shanmuga; you are the man. I followed all the instructions. Like you said, I put TwainTec in the exclude list. I have deleted the trojan file. I have run Trend Micro; nothing found. Cleaned the temporary files and System Restore. I will post the HijackThis log later. Somewhere in this long post, I mentioned Spybot finding RoboForm as spyware, and also that I am not able to run SpywareGuard at startup.
Would you be kind enough to set these right?
I am in your debt.

Thank you,
Messiah

shanmuga
08-24-2004, 02:22 AM
AI RoboForm looks like an FP in the beta definition rules using Spybot beta version 1.3.1; the official word is still awaited. For now you can ignore the find.

SpywareGuard usually starts with Windows; please check whether you have disabled it in Msconfig.

Messiah
08-24-2004, 09:23 AM
I ignored RoboForm. I can't find SpywareGuard in msconfig; do I have to reinstall, or do you have any other idea? Thanks for your continuous help.

shanmuga
08-24-2004, 02:44 PM
That's strange; did you delete the registry key somehow? Where is SpywareGuard installed, Program Files?

Try this only if you have SpywareGuard installed in the Program Files folder; otherwise please post back with the exact path.

Run regedit and browse to the following key in the left pane:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

In the right pane, right-click anywhere in the vacant area, select New > String Value and name it 'SpywareGuard'. Right-click on the newly created string value, click Modify, and copy and paste the following into the value data:

D:\Program Files\SpywareGuard\sgmain.exe

Close regedit and reboot; SpywareGuard should start with Windows this time.
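
The Run-key entry shanmuga describes is one of the O4 lines HijackThis lists, and the same logic that restores it can also audit the others. The following is an added example, not code from the thread, HijackThis or SpywareGuard. It assumes PowerShell 5.1 or later on a current Windows, and it takes the SpywareGuard path from the thread as an assumption about where that program is installed. It goes a little beyond the single entry in the thread: it enumerates all four Run/RunOnce keys and flags entries whose target file no longer exists (the "(no file)" residue HJT flags elsewhere in the log), and the add step refuses to create an entry for a file that is not there.

```powershell
# Added example, not part of the original thread or any tool it names.
# Audits the HKLM/HKCU Run and RunOnce keys (HijackThis "O4" items) and restores
# a missing entry with a safety check. Assumes PowerShell 5.1+; the SpywareGuard
# path below is the one given in the thread and is an assumption.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the executable out of a Run command line. Unquoted paths with spaces are
# ambiguous ("D:\Program Files\X\x.exe /flag"), so try the longest prefix that is
# an existing file before falling back to the first token. Bare names resolved via
# PATH (e.g. "rundll32.exe ...") will show as not found; treat those as "check by hand".
function Resolve-RunTarget {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    $tokens = $Command.Trim() -split '\s+'
    for ($i = $tokens.Count; $i -ge 1; $i--) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $tokens[0]
}

function Get-RunEntry {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $cmd    = [string]$item.GetValue($name)   # REG_EXPAND_SZ is expanded here
            $target = Resolve-RunTarget -Command $cmd
            [pscustomobject]@{
                Key        = $key
                Name       = $name
                Command    = $cmd
                Target     = $target
                FileExists = ($null -ne $target) -and (Test-Path -LiteralPath $target -PathType Leaf)
            }
        }
    }
}

function Add-RunEntry {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('HKCU', 'HKLM')][string]$Hive = 'HKCU'
    )
    # Never create an autorun for a file that is not there: it is exactly the
    # "(no file)" residue HijackThis flags, and a dangling entry that points into a
    # user-writable location could later be satisfied by a planted file.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Refusing to add autorun '$Name': file not found: $Path"
    }
    $key = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    # Quote the path so the space in 'Program Files' cannot be read as the end of the executable name
    New-ItemProperty -LiteralPath $key -Name $Name -Value ('"{0}"' -f $Path) `
        -PropertyType String -Force | Out-Null
    Get-RunEntry | Where-Object { $_.Name -eq $Name }
}

# Audit: entries with FileExists = False are stale or worth a closer look
Get-RunEntry | Sort-Object FileExists | Format-Table Name, FileExists, Command -AutoSize

# Restore SpywareGuard as in the thread (uncomment to apply; HKCU only, no elevation needed)
# Add-RunEntry -Name 'SpywareGuard' -Path 'D:\Program Files\SpywareGuard\sgmain.exe'
```

Running the script as-is only lists the entries; the write happens only when the last line is uncommented, and then only to HKCU, which matches the key shanmuga points at.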

Messiah
08-25-2004, 11:00 AM
Thank you, Indian master shanmuga; I got SpywareGuard back following your instructions. You have been a great help. My system is now running very smoothly. Thanks for all your help. Thanks also to mastergeek Budfred.

shanmuga
08-26-2004, 12:28 AM
You are welcome, Messiah. Glad to help you. :)