Twain-Tech Variant
From abetterinternet.com. Date: 1/10/2004. Updated: 11 January 2004.
Overview:
At the moment the abetterinternet twaintec.dll transponder variant is installed by one of the transponder gang's "thin installer" prototypes, which drops onto a user's computer if the Win32 BI transponder variant is already present. The file bi_prob.exe (also written bi_pro.exe below) automatically transmits a signal to the abetterinternet server, drops two CAB files into the active Temp folder, immediately extracts and installs the associated files, and registers twaintec.dll. Another file, wininit.ini, is also created in the Windows (or WINNT on Windows 2000) folder. Any of the thin installers that install the twaintec.dll variant is deleted when the computer reboots, per the [Rename] entry in wininit.ini.

REMOVAL:
Using Add/Remove Programs in the Control Panel will remove all the registry entries, but you must reboot the computer and then remove twaintec.dll and all the other files listed below manually to ensure you are not re-infested by the transponder.

HijackThis will only remove twaintec.dll. You would need to manually delete all the registry entries and files listed below. (Not for those who do not know how to edit the registry.)

Files:
bi_prob.exe - thin installer prototype from abetterinternet
dummy.htm - 0 KB file created in the active Temp folder
twaintec.cab - CAB file containing the first set of files to install:
  preInsTT.exe - prepares and installs the transponder variant files
  twaintec.dll - the transponder file that does the transmissions
  twaintec.inf - contains the install and uninstall code; it is used when uninstalling through Add/Remove Programs in the Control Panel. Note: this does not get rid of twaintec.dll. After rebooting the computer you must delete the file from the Windows or WINNT folder, or it will reactivate itself and can reinstall all the other components that were removed from the registry.
After rebooting the computer:
twtini.cab - dropped in the active Temp folder and containing the following files:
  twaintec.ini - encrypted data, probably used by twaintec.dll
  twtini.inf - creates a registry entry

Typical install of bi_prob.exe
When bi_prob.exe is run the following happens:

A 0 KB dummy.htm is created in the active Temp folder (I will be using the Windows 2000 Documents and Settings\Local Settings\Temp path).

C:\winnt\wininit.ini is created with the following code:
[Rename]
NUL=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bi_prob.exe

Information is transmitted to the abetterinternet server and the following requests are made:
hxxp://thinstall.abetterinternet.com/bi/servlet/ThinstallPre
hxxp://download2.abetterinternet.com/download/cabs/TWTDLL/twaintec.cab
hxxp://thinstall.abetterinternet.com/bi/servlet/ThinstallPost

A folder THI4192.tmp is created in Temp, twaintec.cab is dropped there, and the following files are extracted from it:
preInsTT.exe - the pre-installation file that prepares for the installation.
Strings found in it (they suggest it looks for earlier transponder installs (DBi/bi.dll, MSView, RespondMiter/VX2.dll, TPS108), deletes their registration and copies their install IDs before installing twaintec):
Found and deleted 6939 GUID {000006B1-19B5-414A-849F-2A3C64AE6939}
Found and deleted DBiMS key
Dbi (CLSID for bi.dll)
copied BI InstId data
SoftWare\twaintec
TTI4d5OfSInst
{00000273-8230-4DD4-BE4F-6889D1E74167}
DHost
SoftWare\DBi
BII1d2OfSInst
Found and deleted 0580 GUID {00000580-C637-11D5-831C-00105AD6ACF0}
Found and deleted MSView key
MSView
copied MSView InstId data
SoftWare\MSView
MidofSInst
Found and deleted 5eb9 GUID {00000000-5eb9-11d5-9d45-009027c14662}
Found and deleted RespondMiter key
RespondMiter
SOFTWARE
copied RespondMiter InstId data
SoftWare\RespondMiter
InstID (VX2.dll)
Found and deleted 0000026A GUID {0000026A-8230-4DD4-BE4F-6889D1E74167}
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Found and deleted TPS108 key
TPS108
copied TPS108 InstId data
Info
SoftWare\TPS108
IdOfInst
SoftWare\DHost
HI1d2OfSInst
yes
log
SOFTWARE\Microsoft\Windows\CurrentVersion\stbdbg
twaintec.inf - The INF is dropped into the Windows or WINNT\INF folder and contains the install and uninstall code:

[version]
signature="$CHICAGO$"
AdvancedINF=2.0

[DefaultInstall]
CopyFiles=CopySystemFiles,INFFile
RegisterOCXs=RegisterOCXSection
AddReg=RegUninstall
RunPostSetupCommands=RunPostInstall

[CopySystemFiles]
twaintec.dll,,,34
preInsTT.exe,,,34

[INFFile]
twaintec.inf,,,34

[DestinationDirs]
CopySystemFiles=10
INFFile=17

[RegisterOCXSection]
"%10%\twaintec.dll"

[DelRegEntries]
HKLM,Software\twaintec
HKLM,Software\Microsoft\Windows\CurrentVersion\Uninstall\twaintec

[RegUninstall]
HKLM,Software\Microsoft\Windows\CurrentVersion\Uninstall\twaintec,"DisplayName",,"twain-tech"
HKLM,Software\Microsoft\Windows\CurrentVersion\Uninstall\twaintec,"UninstallString",,"RunDll32 advpack.dll,LaunchINFSection %17%\twaintec.inf, Uninstall"

[SourceDisksNames]
1="CAB File",,,

[RunPostInstall]
"%10%\preInsTT.exe"

; the following two sections are called during the uninstallation process
[Uninstall]
BeginPrompt=UninstBeginPromptSection
EndPrompt=UninstEndPromptSection
UnRegisterOCXs=RegisterOCXSection
DelReg=DelRegEntries
DelFiles=CopySystemFiles,INFFile

[UninstBeginPromptSection]
Prompt="Are you sure you want to remove this program?"
ButtonType=YESNO
Title="Uninstall"

[UninstEndPromptSection]
Prompt="Successfully Uninstalled"

twaintec.dll - Installed into the C:\windows or winnt folder; it is loaded into memory and immediately transmits information about the computer and user.
The DLL contains the code that gathers and transmits the user data to the controlling ad servers. Strings found inside it link it to both the VX2 and Stop-popup-ads-now.com transponders:

hxxp://www.stop-popup-ads-now.com

Its registry script (RGS) resource, re-indented here, registers the VX2.VX2Obj ProgID against its own CLSID and adds the CLSID under Browser Helper Objects, which is what gets the DLL loaded into Internet Explorer:

HKCR
{
  TwaintecDll.TwaintecDllObj.1 = s 'twaintecObj Class'
  {
    CLSID = s '{000020DD-C72E-4113-AF77-DD56626C6C42}'
  }
  VX2.VX2Obj = s 'twaintec Functional Class'
  {
    CLSID = s '{000020DD-C72E-4113-AF77-DD56626C6C42}'
    CurVer = s 'TwaintecDll.TwaintecDllObj.1'
  }
  NoRemove CLSID
  {
    ForceRemove {000020DD-C72E-4113-AF77-DD56626C6C42} = s 'TwaintecObj Class'
    {
      ProgID = s 'Twaintec.TwaintecObj.1'
      VersionIndependentProgID = s 'twaintec.twaintecObj'
      ForceRemove 'Programmable'
      InprocServer32 = s '%MODULE%'
      {
        val ThreadingModel = s 'Apartment'
      }
      'TypeLib' = s '{11CC62B2-65F2-4A82-B332-5DE4E8384422}'
    }
  }
}
HKLM
{
  SOFTWARE
  {
    Microsoft
    {
      Windows
      {
        CurrentVersion
        {
          Explorer
          {
            'Browser Helper Objects'
            {
              {000020DD-C72E-4113-AF77-DD56626C6C42}
            }
          }
        }
      }
    }
  }
}
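To see concretely what advpack does with an INF like the twaintec.inf listed above, here is an added Python example written for this page (it is not the dropper's code, nor Microsoft's). It resolves the INF into the files it copies and where, the COM server it registers, the registry values it adds (with %17% expanded exactly as the UninstallString in the registry export further down shows it), the post-setup command it runs, and what the Uninstall section undoes. It assumes C:\WINDOWS for destination ID 10 and C:\WINDOWS\INF for ID 17, and embeds the INF text inline with the [version] and prompt-text sections left out.

```python
import csv
import re

# twaintec.inf as listed on this page ([version] and the prompt-text sections left out).
TWAINTEC_INF = r"""
[DefaultInstall]
CopyFiles=CopySystemFiles,INFFile
RegisterOCXs=RegisterOCXSection
AddReg=RegUninstall
RunPostSetupCommands=RunPostInstall
[CopySystemFiles]
twaintec.dll,,,34
preInsTT.exe,,,34
[INFFile]
twaintec.inf,,,34
[DestinationDirs]
CopySystemFiles=10
INFFile=17
[RegisterOCXSection]
"%10%\twaintec.dll"
[DelRegEntries]
HKLM,Software\twaintec
HKLM,Software\Microsoft\Windows\CurrentVersion\Uninstall\twaintec
[RegUninstall]
HKLM,Software\Microsoft\Windows\CurrentVersion\Uninstall\twaintec,"DisplayName",,"twain-tech"
HKLM,Software\Microsoft\Windows\CurrentVersion\Uninstall\twaintec,"UninstallString",,"RunDll32 advpack.dll,LaunchINFSection %17%\twaintec.inf, Uninstall"
[RunPostInstall]
"%10%\preInsTT.exe"
[Uninstall]
UnRegisterOCXs=RegisterOCXSection
DelReg=DelRegEntries
DelFiles=CopySystemFiles,INFFile
"""
# Standard INF destination IDs; C:\WINDOWS is an assumption for the Windows directory.
LDID = {"10": r"C:\WINDOWS", "11": r"C:\WINDOWS\system32", "17": r"C:\WINDOWS\INF"}


def parse_inf(text):
    """{section name in lowercase: [non-empty lines]}; ';' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = []
        elif line and current is not None:
            sections[current].append(line)
    return sections

def keyvals(lines):
    """Directive section (key=value lines) -> dict with lowercase keys."""
    return {k.strip().lower(): v.strip() for k, v in (l.split("=", 1) for l in lines if "=" in l)}

def fields(line):
    """Comma split that keeps commas inside "..." (the UninstallString has them)."""
    return next(csv.reader([line], skipinitialspace=True))

def expand(s):
    """Replace %10%-style destination IDs with paths."""
    return re.sub(r"%(\d+)%", lambda m: LDID.get(m.group(1), m.group(0)), s)

def lines_of(sections, names):
    """All lines of a comma-separated list of section names."""
    return [l for n in names.split(",") for l in sections.get(n.strip().lower(), [])]

def file_targets(sections, names):
    """Resolve each file in the named copy/delete sections to its on-disk path."""
    dest = keyvals(sections.get("destinationdirs", []))
    paths = []
    for name in (n.strip().lower() for n in names.split(",")):
        base = expand("%" + dest.get(name, "?") + "%")  # stays '%?%' without a DestinationDirs entry
        paths += [base + "\\" + fields(l)[0].strip() for l in sections.get(name, [])]
    return paths

def install_plan(sections):
    """What [DefaultInstall] does: files copied, COM server registered, registry added, command run."""
    d = keyvals(sections["defaultinstall"])
    reg = [fields(l) + [""] * 5 for l in lines_of(sections, d.get("addreg", ""))]
    return {
        "copy": file_targets(sections, d.get("copyfiles", "")),
        "register_ocx": [expand(l.strip('"')) for l in lines_of(sections, d.get("registerocxs", ""))],
        "addreg": [(f[0], f[1], f[2], expand(f[4])) for f in reg],  # (root, key, value name, data)
        "post_setup": [expand(l.strip('"')) for l in lines_of(sections, d.get("runpostsetupcommands", ""))],
    }

def uninstall_plan(sections):
    """What the [Uninstall] section (reached via LaunchINFSection ...,Uninstall) undoes."""
    d = keyvals(sections["uninstall"])
    return {
        "unregister_ocx": [expand(l.strip('"')) for l in lines_of(sections, d.get("unregisterocxs", ""))],
        "delreg": [tuple(fields(l)[:2]) for l in lines_of(sections, d.get("delreg", ""))],
        "delete": file_targets(sections, d.get("delfiles", "")),
    }

def leftovers(sections):
    """Files the install copies that the uninstall never lists for deletion."""
    return sorted(set(install_plan(sections)["copy"]) - set(uninstall_plan(sections)["delete"]))
```

Two points fall out of running it. DelFiles covers the same sections as CopyFiles, so twaintec.dll is listed for deletion and leftovers() is empty; the DLL surviving an Add/Remove Programs uninstall, as described above, is therefore not the INF omitting it, and is consistent with the DLL being loaded as a BHO at the time the uninstall runs, which is why the manual deletion after a reboot is needed. The post-setup command is %10%\preInsTT.exe, i.e. the pre-installer run out of the Windows directory, whose strings listed above show it removing the earlier transponder variants. install_plan() handles the twtini.inf from the second phase (listed further down) with no changes.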
This is the data transmitted to the server:

URL: hxxp://ctl.twain-tech.com/twain/servlet/Twain?adcontext=MOTS_CHECKIN
&contextpeak=0
&contextcount=0
&countrycodein=US   (the country code)
&cookie1=lflshdt%3D1073835803%26lstlogdt%3D20040111%26cntp%3Dcable%26
&cookie2=lastlstdt%3D1073835803618%26fstcidt%3D1073832796602%26
&InstID={4D1213D7-AF31-4ABC-9CF3-597B10F70CB6}   (the unique ID assigned to this installation)
&DistID=BADBI4101
&status=1
&smode=7
&bho=twaintec.dll
&NumWindows=7
Data: {4D1213D7-AF31-4ABC-9CF3-597B10F70CB6}|0.1.4.19

Next, data is transmitted to the offeroptimizer ad server that generates the targeted popup ads:
hxxp://xlime.offeroptimizer.com/creat/tds/anti-inc2.html?distID=BADBI4101&country=US

After rebooting the computer:
If the twaintec.dll transponder variant has not been removed, the second install phase takes place after the reboot. The following is installed from:
hxxp://download.abetterinternet.com/download/cabs/TWTINI1/twtini.cab
twtini.cab is dropped into the active Temp folder and extracted. The files, and where they are installed:
twaintec.ini - Windows or WINNT folder
twtini.inf - Windows or WINNT\INF folder. Its code is as follows:

[version]
signature="$CHICAGO$"
AdvancedINF=2.0
[DefaultInstall]
CopyFiles=CopySystemFiles,INFFile
AddReg=RegistryEntries

[CopySystemFiles]
twaintec.ini,,,34

[INFFile]
twtini.inf,,,34

[DestinationDirs]
CopySystemFiles=10
INFFile=17

[RegistryEntries]
HKLM,Software\twaintec,"TTT4o5pListSPos",,"11648"
[SourceDisksNames]
1="CAB File",,,

General Information:
Web site: Twain-Tech.com (just a front to advertise and post its privacy policies)

About info (from the site): Twain-Tech is a software development company. We have developed a series of ad targeting applications such as Twain-Tech.dll that help advertisers deliver targeted ads. In addition to our software development, we also provide certain support services to the distributors of our software.
Third party companies license and distribute our software, typically as part of their sponsorship of free software or free content. As part of any licensing of our software, Twain-Tech contractually requires all distributors to give notice concerning the presence of our software and to provide consumers access to a Twain-Tech supplied

Whois information:
Twain-Tech LLC
Jessie Dayan
1347 3rd avenue, #22a
new york, ny 10021
US
Phone: 646-213-4415
Email: jessie@twain-tech.com

Registrar Name....: Register.com
Registrar Whois...: whois.register.com
Registrar Homepage: hxxp://www.register.com

Domain Name: TWAIN-TECH.COM

Created on..............: Fri, Sep 05, 2003
Expires on..............: Sun, Sep 05, 2004
Record last updated on..: Mon, Dec 01, 2003

Administrative, Technical and Zone Contact (all identical to the registrant above):
Twain-Tech LLC, Jessie Dayan, 1347 3rd avenue, #22a, new york, ny 10021, US
Phone: 646-213-4415
Email: jessie@twain-tech.com

Domain servers in listed order:
NS5.READYHOSTING.COM 63.99.209.103
NS6.READYHOSTING.COM 63.99.209.104

Registry Entries:

[HKEY_CLASSES_ROOT\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}]
@="TwaintecObj Class"
[HKEY_CLASSES_ROOT\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\InprocServer32]
@="C:\\WINDOWS\\twaintec.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\ProgID]
@="Twaintec.TwaintecObj.1"

[HKEY_CLASSES_ROOT\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\Programmable]

[HKEY_CLASSES_ROOT\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\TypeLib]
@="{11CC62B2-65F2-4A82-B332-5DE4E8384422}"

[HKEY_CLASSES_ROOT\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\VersionIndependentProgID]
@="twaintec.twaintecObj"

[HKEY_CLASSES_ROOT\TwaintecDll.TwaintecDllObj.1]
@="twaintecObj Class"

[HKEY_CLASSES_ROOT\TwaintecDll.TwaintecDllObj.1\CLSID]
@="{000020DD-C72E-4113-AF77-DD56626C6C42}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}]
@="TwaintecObj Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\InprocServer32]
@="C:\\WINDOWS\\twaintec.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\ProgID]
@="Twaintec.TwaintecObj.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\Programmable]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\TypeLib]
@="{11CC62B2-65F2-4A82-B332-5DE4E8384422}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\VersionIndependentProgID]
@="twaintec.twaintecObj"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TwaintecDll.TwaintecDllObj.1]
@="twaintecObj Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TwaintecDll.TwaintecDllObj.1\CLSID]
@="{000020DD-C72E-4113-AF77-DD56626C6C42}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\twaintec]
"SlowInfoCache"=hex:28,02,00,00,00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,00,00,00,\
  00,00,00,00,00,ff,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00
"Changed"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\twaintec]
"DisplayName"="twain-tech"
"UninstallString"="RunDll32 advpack.dll,LaunchINFSection C:\\WINDOWS\\INF\\twaintec.inf, Uninstall"

[HKEY_LOCAL_MACHINE\SOFTWARE\twaintec]
"TTI4d5OfSInst"="{38E3D641-0593-4630-8262-964D08CE983D}"
"TTI4d5OfSDist"="BADBI4101"
"TTT4o5pListSPos"=dword:00002d80
"TTI4n5ProgSCab"=dword:00000000
"TTI4n5ProgSEx"=dword:00000000
"TTI4n5ProgSLstest"=dword:00000000
"TTC4n5trSEvnt"=dword:00000048
"TTC4n5trMsgSDisp"=dword:000003de
"TTC4S5Insur"=dword:00000000
"TTT4h5rshSCheckSIn"=dword:00000001
"TT4C5ntrSTransac"=dword:00000002
"TTC4u5rrentSMode"=dword:00000001
"TTC4n5tFyl"=dword:00000000
"TTM4o5deSSync"=dword:00000007
"TTT4h5rshSBath"=dword:00002710
"TTT4h5rshSysSInf"=dword:000007d0
"TTT4h5rshSMots"=dword:00000064
"TTI4g5noreS"="™ƒ‹™‰Á€“ƒ???Ÿ——›Á—“†Ž—™ ƒ‹‘‘ÁŒ—ޓޛ”???‘š›‡Ü™€Ž™€Ÿ“œ‹”…—œ™›‹”Á— ???žƒŒƒŽÁ—“”ŠÈÁ‘†•‡–•Á—“ƒ–ŒŠ†“œ‹œÁ— “˜ÔŒŸ†€???”Ÿ???ކ›€ŠÜŒŸ"
"TTs4t5i6cky1S"="lflshdt%3D1073153434%26lupgid%3D114%26lstlogdt%3D20040103%26capcntdy%3D1%26lupgdt%3D1073169398433%26cntp%3D%26lupgtry%3D1%26capcnt%3D1%26"
"TTs4t5icky2S"="lastlstdt%3D1073169398434%26fstcidt%3D1073153434873%26"
"TT4N5a6tionSCode"="US"
"TTD4s5tSSEnd"="’›–???ÀÀÍ‘ŽƒÌ†Ž‹œ×›‡‘’Á—À–…›†ŒÝ‰Š???–Š–Ý®˜ƒ›œ"
"TTD4s5tSCHost"="‰Ÿ—†”†‰ÜŒ—ÐÜ‘"
"TTD4s5tSCPath"="Õ™šÀÕœ‡€Œƒ‡†Õª”—”›ª“”‹Ž—€"
"TTS4t5atusOfSInst"="roger"
"TTL3a4stMotsSDay"=dword:00000003
"TTL3a4stSSChckin"=dword:00000141
"TTC1o4d5eOfSFinalAd"="5"
"TTT4i5m6eOfSFinalAd"="0|0|0|0|1073169398|0|"

[HKEY_LOCAL_MACHINE\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem26.inf"=dword:00000001
"INF/oem26.PNF"=dword:00000001
"INF/twaintec.inf"=dword:00000001
"INF/twaintec.PNF"=dword:00000001
"INF/twtini.inf"=dword:00000001
"INF/twtini.PNF"=dword:00000001