Twain-tec Terrorists
B.I.S.S. Forums > Malware News , Research & Removal > Malware IP Research Section
Moore
#######################################################

TWAIN-TEC Spyware Terrorists

#######################################################

twain tec crap:
http://www.pcsympathy.com/ftopic211.html


Twain-Tech LLC
Jessie Dayan
1347 3rd avenue, #22a
new york, ny 10021
US
Phone: 646-213-4415
Email: jessie@twain-tech.com

Registrar Name....: Register.com
Registrar Whois...: whois.register.com
Registrar Homepage: hxxp://www.register.com

Domain Name: TWAIN-TECH.COM

Created on..............: Fri, Sep 05, 2003
Expires on..............: Sun, Sep 05, 2004
Record last updated on..: Mon, Dec 01, 2003

Administrative Contact:
Twain-Tech LLC
Jessie Dayan
1347 3rd avenue, #22a
new york, ny 10021
US
Phone: 646-213-4415
Email: jessie@twain-tech.com

Technical Contact:
Twain-Tech LLC
Jessie Dayan
1347 3rd avenue, #22a
new york, ny 10021
US
Phone: 646-213-4415
Email: jessie@twain-tech.com

Zone Contact:
Twain-Tech LLC
Jessie Dayan
1347 3rd avenue, #22a
new york, ny 10021
US
Phone: 646-213-4415
Email: jessie@twain-tech.com

Domain servers in listed order:

NS5.READYHOSTING.COM 63.99.209.103
NS6.READYHOSTING.COM 63.99.209.104




ABETTERINTERNET.COM

Server Type: Microsoft-IIS/5.0
Website Status: Active
Reverse IP: Web server hosts 626 websites
IP Address: 63.99.224.43
IP Location: United States - Texas - Houston - Ready Hosting
Record Type: Domain Name

Name Server: NS1.HOSTPOOL.NET NS2.HOSTPOOL.NET
ICANN Registrar: REGISTER.COM, INC.
Created: 27-may-2003
Expires: 27-may-2005
Status: ACTIVE

Organization:
BetterInternet
Reg Services
PO Box 50729
Henderson, NV 89016
US
Phone: 888-813-1230
Email:

Registrar Name....: Register.com
Registrar Whois...: whois.register.com
Registrar Homepage: http://www.register.com

Domain Name: ABETTERINTERNET.COM

Created on..............: Tue, May 27, 2003
Expires on..............: Fri, May 27, 2005
Record last updated on..: Thu, Mar 04, 2004

Administrative Contact:
BetterInternet
Reg Services
PO Box 50729
Henderson, NV 89016
US
Phone: 888-813-1230


Technical Contact:
BetterInternet
Reg Services
PO Box 50729
Henderson, NV 89016
US
Phone: 888-813-1230


Zone Contact:
BetterInternet
Reg Services
PO Box 50729
Henderson, NV 89016
US
Phone: 888-813-1230


Domain servers in listed order:

NS1.HOSTPOOL.NET 64.191.159.6
NS2.HOSTPOOL.NET 64.191.159.7


Terrorists' hosts:

64.191.159.6

[Server: whois.arin.net]

OrgName: QX.Net
Address: 333 West Vine Street Suite 210
City: Lexington
StateProv: KY
PostalCode: 40507
Country: US
Comment:
RegDate: 1999-08-16
Updated: 2003-06-22

AdminHandle: JB13105-ARIN
AdminName: Barker, Jonathan
AdminPhone: +1-606-312-5241
AdminEmail: jonathan@qx.net

NOCHandle: KPS-ARIN
NOCName: STOLTZ, Kenny P
NOCPhone: +1-859-255-1928
NOCEmail: kstoltz@qx.net

TechHandle: BKN-ARIN
TechName: Nichols, Brian K
TechPhone: +1-859-255-1928
TechEmail: bnichols@qx.net

# ARIN WHOIS database, last updated 2004-04-11 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.
OrgID: QXNET
Address: 333 West Vine Street Suite 210
City: Lexington
StateProv: KY
PostalCode: 40507
Country: US

NetRange: 64.191.128.0 - 64.191.159.255
CIDR: 64.191.128.0/19
NetName: QX-NET
NetHandle: NET-64-191-128-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: NS.QX.NET
NameServer: NS2.QX.NET
Comment:
RegDate: 2003-06-27
Updated: 2003-06-27

OrgNOCHandle: KPS-ARIN
OrgNOCName: STOLTZ, Kenny P
OrgNOCPhone: +1-859-255-1928
OrgNOCEmail: kstoltz@qx.net

OrgTechHandle: BKN-ARIN
OrgTechName: Nichols, Brian K
OrgTechPhone: +1-859-255-1928
OrgTechEmail: bnichols@qx.net





QUOTE
Twain-Tech is a software development company. We have developed a series of ad
targeting applications such as Twain-Tech.dll that help advertisers deliver targeted
ads. In addition to our software development, we also provide certain support services
to the distributors of our software.

Third party companies license and distribute our software, typically as part of their
sponsorship of free software or free content. As part of any licensing of our software,
Twain-Tech contractually requires all distributors to give notice concerning the
presence of our software and to provide consumers access to a Twain-Tech supplied
QUOTE
If the twaintech.dll is detected in a HijackThis log, DO NOT FIX IT! Do the following:

This is the manual way to remove the twaintech.dll transponder variant when it is detected in a HijackThis log.

Using their removal instructions:
http://www.twain-tech.com/uninstall.htm


After the twaintech.dll gets installed, HijackThis will detect it as a BHO, but it must not be removed using HijackThis because of the registry entries and files left over. Instead use the following method:

1. Open Add/Remove Programs.
2. Uninstall Twain-Tech.
3. Reboot the computer.
4. In Windows Explorer, open the winnt or windows folder.
5. Delete twaintec.dll and twaintec.ini.
If twaintec.dll is in use, rename it, reboot the computer, then delete it.
This will remove all 9 registry entries (3 of which are detected by an AAW scan).



QUOTE

Using Add/Remove for the Twaintech.dll

If not removed immediately when the twaintech.dll transmits its check to the ad server, it can create multiple folders that it will drop the twaintec.cab into.

Files before Add/Remove:
Temp Folder:
dummy.htm
twaintec.ini
twtini.cab

Temp\THI23C8.tmp (files removed using Add/Remove)
preInsTT.exe (This prepares and installs the Twaintech.dll)
twaintec.cab ( contains: preInsTT.exe, twaintech.dll, twaintech.inf)
twaintec.dll
twaintec.inf

Temp\THI75A1.tmp (Files not removed)
preInsTT.exe (This prepares and installs the Twaintech.dll)
twaintec.cab ( contains: preInsTT.exe, twaintech.dll, twaintech.inf)
twaintec.dll
twaintec.inf

Last night I had 2 temp folders for the Twain that came down during their ad server checks. One was emptied with the Add/Remove but the other was left intact.

Remaining files:
Temp\THI75A1.tmp
preInsTT.exe (This prepares and installs the Twaintech.dll)
twaintec.cab ( contains: preInsTT.exe, twaintech.dll, twaintech.inf)
twaintec.dll
twaintec.inf

winnt\
twaintec.dll (This is what transmits the data to the ad server)
twaintec.ini

winnt\inf
twtini.inf

Registry Entries:
[HKEY_CLASSES_ROOT\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}]
@="TwaintecObj Class"

[HKEY_CLASSES_ROOT\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\InprocServer32]
@="C:\\WINDOWS\\twaintec.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\ProgID]
@="Twaintec.TwaintecObj.1"

[HKEY_CLASSES_ROOT\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\Programmable]

[HKEY_CLASSES_ROOT\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\TypeLib]
@="{11CC62B2-65F2-4A82-B332-5DE4E8384422}"

[HKEY_CLASSES_ROOT\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\VersionIndependentProgID]
@="twaintec.twaintecObj"

[HKEY_CLASSES_ROOT\TwaintecDll.TwaintecDllObj.1]
@="twaintecObj Class"

[HKEY_CLASSES_ROOT\TwaintecDll.TwaintecDllObj.1\CLSID]
@="{000020DD-C72E-4113-AF77-DD56626C6C42}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}]
@="TwaintecObj Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\InprocServer32]
@="C:\\WINDOWS\\twaintec.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\ProgID]
@="Twaintec.TwaintecObj.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\Programmable]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\TypeLib]
@="{11CC62B2-65F2-4A82-B332-5DE4E8384422}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\VersionIndependentProgID]
@="twaintec.twaintecObj"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TwaintecDll.TwaintecDllObj.1]
@="twaintecObj Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TwaintecDll.TwaintecDllObj.1\CLSID]
@="{000020DD-C72E-4113-AF77-DD56626C6C42}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\twaintec]
"SlowInfoCache"=hex:28,02,00,00,00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,00,00,00,\
00,00,00,00,00,ff,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00
"Changed"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\twaintec]
"DisplayName"="twain-tech"
"UninstallString"="RunDll32 advpack.dll,LaunchINFSection C:\\WINDOWS\\INF\\twaintec.inf, Uninstall"

[HKEY_LOCAL_MACHINE\SOFTWARE\twaintec]
"TTI4d5OfSInst"="{38E3D641-0593-4630-8262-964D08CE983D}"
"TTI4d5OfSDist"="BADBI4101"
"TTT4o5pListSPos"=dword:00002d80
"TTI4n5ProgSCab"=dword:00000000
"TTI4n5ProgSEx"=dword:00000000
"TTI4n5ProgSLstest"=dword:00000000
"TTC4n5trSEvnt"=dword:00000048
"TTC4n5trMsgSDisp"=dword:000003de
"TTC4S5Insur"=dword:00000000
"TTT4h5rshSCheckSIn"=dword:00000001
"TT4C5ntrSTransac"=dword:00000002
"TTC4u5rrentSMode"=dword:00000001
"TTC4n5tFyl"=dword:00000000
"TTM4o5deSSync"=dword:00000007
"TTT4h5rshSBath"=dword:00002710
"TTT4h5rshSysSInf"=dword:000007d0
"TTT4h5rshSMots"=dword:00000064
"TTI4g5noreS"="™ƒ‹™‰Á€“ƒ???Ÿ——›Á—“†Ž—™ƒ‹‘‘ÁŒ—ޓޛ”???‘š›‡Ü™€Ž™€Ÿ“œ‹”…—œ™›‹”Á—“???žƒŒƒŽÁ—“”ŠÈÁ‘†•‡–•Á—“ƒ–ŒŠ†“œ‹œÁ—“˜ÔŒŸ†€???”Ÿ???ކ›€ŠÜŒŸ"
"TTs4t5i6cky1S"="lflshdt%3D1073153434%26lupgid%3D114%26lstlogdt%3D20040103%26capcntdy%3D1%26lupgdt%3D1073169398433%26cntp%3D%26lupgtry%3D1%26capcnt%3D1%26"
"TTs4t5icky2S"="lastlstdt%3D1073169398434%26fstcidt%3D1073153434873%26"
"TT4N5a6tionSCode"="US"
"TTD4s5tSSEnd"="’›–???ÀÀÍ‘ŽƒÌ†Ž‹œ×›‡‘’Á—À–…›†ŒÝ‰Š???–Š–Ý®˜ƒ›œ"
"TTD4s5tSCHost"="‰Ÿ—†”†‰ÜŒ—ÐÜ‘"
"TTD4s5tSCPath"="Õ™šÀÕœ‡€Œƒ‡†Õª”—”›ª“”‹Ž—€"
"TTS4t5atusOfSInst"="roger"
"TTL3a4stMotsSDay"=dword:00000003
"TTL3a4stSSChckin"=dword:00000141
"TTC1o4d5eOfSFinalAd"="5"
"TTT4i5m6eOfSFinalAd"="0|0|0|0|1073169398|0|"

[HKEY_LOCAL_MACHINE\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem26.inf"=dword:00000001
"INF/oem26.PNF"=dword:00000001
"INF/twaintec.inf"=dword:00000001
"INF/twaintec.PNF"=dword:00000001
"INF/twtini.inf"=dword:00000001
"INF/twtini.PNF"=dword:00000001

Restart computer:

All Registry Entries Removed.

Remaining files:
Temp\THI75A1.tmp
preInsTT.exe (This prepares and installs the Twaintech.dll)
twaintec.cab ( contains: preInsTT.exe, twaintech.dll, twaintech.inf)
twaintec.dll
twaintec.inf

winnt\
twaintec.dll (This is what transmits the data to the ad server) NEED to DELETE
twaintec.ini NEED to DELETE

winnt\inf
twtini.inf NEED to DELETE





Online uninstall is another attempt to infect:
hxxp://download.abetterinternet.com/download/twaintec/uninstall.htm

Manually delete:
C:\WINDOWS\twaintec.dll
C:\WINDOWS\INF\twaintec.inf


HKLM\Software\twaintec
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\twaintec

ADD REMOVE PROGRAMS ENTRY: Win32 BI Application

[RegistryEntries]
HKLM,Software\twaintec,"TTT4o5pListSPos",,"11648"

twtini.cab:

C:\Documents and Settings\user\Local Settings\Temp

----------------------------
digitally signed certificate:

E=server-certs@thawte.com
CN=Thawte server CA
OU=certification Services Division
O=thawte consulting cc
L=cape town
S=western cape
C=ZA
valid from 1/08/1996 - 1/01/2021

---------------------------------------
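The registry dump and the file list above are what a responder has to reconcile by hand before deleting anything. As an added example (my code, not part of Moore's post and not Twain-Tech's own tooling), the Python script below parses a Windows .reg export like the one quoted above and pulls out what matters for removal: the COM server path registered under the twaintec CLSID, the INF named in the UninstallString, and the install and distributor IDs. The embedded sample is a trimmed copy of the export in the post, and the value names TTI4d5OfSInst and TTI4d5OfSDist are taken exactly as they appear there. One cross-check falls out of the parse: the dword 0x2d80 in the dump is 11648, the same value the twtini.inf snippet writes into TTT4o5pListSPos.

```python
"""Pull the Twain-Tec indicators out of a Windows .reg export (added example)."""
import ntpath
import re
from typing import Any, Dict, List, Optional

# Constructed sample: a trimmed copy of the registry export quoted in the post above.
# A real export starts with the "Windows Registry Editor Version 5.00" header, which
# the parser skips because it is neither a [key] line nor a name=value line.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}]
@="TwaintecObj Class"

[HKEY_CLASSES_ROOT\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\InprocServer32]
@="C:\\WINDOWS\\twaintec.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\twaintec]
"DisplayName"="twain-tech"
"UninstallString"="RunDll32 advpack.dll,LaunchINFSection C:\\WINDOWS\\INF\\twaintec.inf, Uninstall"

[HKEY_LOCAL_MACHINE\SOFTWARE\twaintec]
"TTI4d5OfSInst"="{38E3D641-0593-4630-8262-964D08CE983D}"
"TTI4d5OfSDist"="BADBI4101"
"TTT4o5pListSPos"=dword:00002d80
"TTS4t5atusOfSInst"="roger"
'''

TWAINTEC_CLSID = "{000020DD-C72E-4113-AF77-DD56626C6C42}"
# Value names exactly as they appear in the post's HKLM\SOFTWARE\twaintec dump.
INST_ID_NAME = "TTI4d5OfSInst"
DIST_ID_NAME = "TTI4d5OfSDist"
TOPLIST_NAME = "TTT4o5pListSPos"

VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: raw_value}}; '@' is the key's default value."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            keys[current][m.group(1).strip('"')] = m.group(2)
    return keys


def reg_string(raw: str) -> str:
    """Unquote a REG_SZ literal and undo the doubled backslashes .reg files use."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return raw


def reg_dword(raw: str) -> int:
    """Decode a dword:0000xxxx literal (hex) to an int."""
    if not raw.startswith("dword:"):
        raise ValueError(f"not a dword: {raw}")
    return int(raw[len("dword:"):], 16)


def find_twaintec_indicators(keys: Dict[str, Dict[str, str]]) -> Dict[str, Any]:
    """Collect the COM server path, uninstall INF and install/distributor IDs."""
    found: Dict[str, Any] = {"clsid_keys": [], "com_server": None, "uninstall_inf": None,
                             "inst_id": None, "dist_id": None, "toplist_pos": None}
    for path, values in keys.items():
        low = path.lower()
        if TWAINTEC_CLSID.lower() in low:
            found["clsid_keys"].append(path)
            if low.endswith("\\inprocserver32") and "@" in values:
                found["com_server"] = reg_string(values["@"])
        elif low.endswith("\\uninstall\\twaintec") and "UninstallString" in values:
            # UninstallString is "RunDll32 advpack.dll,LaunchINFSection <inf>, Uninstall"
            m = re.search(r"LaunchINFSection\s+([^,]+)", reg_string(values["UninstallString"]))
            if m:
                found["uninstall_inf"] = m.group(1).strip()
        elif low.endswith("software\\twaintec"):
            if INST_ID_NAME in values:
                found["inst_id"] = reg_string(values[INST_ID_NAME])
            if DIST_ID_NAME in values:
                found["dist_id"] = reg_string(values[DIST_ID_NAME])
            if TOPLIST_NAME in values:
                found["toplist_pos"] = reg_dword(values[TOPLIST_NAME])
    return found


def files_to_remove(found: Dict[str, Any]) -> List[str]:
    """Files the post says survive Add/Remove: the DLL and the .ini beside it,
    the uninstall INF and the twtini.inf beside that."""
    out: List[str] = []
    if found["com_server"]:
        d = ntpath.dirname(found["com_server"])
        out += [found["com_server"], ntpath.join(d, "twaintec.ini")]
    if found["uninstall_inf"]:
        d = ntpath.dirname(found["uninstall_inf"])
        out += [found["uninstall_inf"], ntpath.join(d, "twtini.inf")]
    return out


if __name__ == "__main__":
    ind = find_twaintec_indicators(parse_reg(SAMPLE_REG))
    for k, v in ind.items():
        print(f"{k:14} {v}")
    print("delete after reboot:", *files_to_remove(ind), sep="\n  ")
```

To run it against a live machine, export the keys first (`reg export HKLM\SOFTWARE\twaintec tt.reg`, and likewise the CLSID and Uninstall keys) and read the file with `encoding="utf-16"`, which is what `reg export` writes. Deleting the listed files only after the reboot matches the post's own caution that the in-use DLL has to be renamed first.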
Moore
This crap is everywhere on the internet; it's also hard to find and get it all out of your system.

more uninstall help from here:
http://webhelper.netfirms.com/transponders.../twaintech.html

QUOTE


Twain-Tech Variant

From abetterinternet.com
Date: 1/10/2004
Updated: 11 January 2004

Overview:
At the moment the abetterinternet twaintech.dll transponder variant is installed by one of the transponder gang's thin installer prototypes, which will drop into a user's computer if the win32 bi transponder variant is already present. The file bi_pro.exe will automatically transmit a signal to the abetterinternet server and drop two cab files into the active temp folder, then immediately extract and install the associated files and register the twaintech.dll. Another file is also created in the windows or winnt (Windows 2000) folder called wininit.ini. Any of the thin installers that install the twaintech.dll variant are deleted upon rebooting the computer, per the code in the wininit.ini file.
REMOVAL:
Using Add/Remove Programs in the Control Panel will remove all registry entries, but you must reboot the computer and remove the twaintech.dll and all other files listed below manually to ensure you are not re-infested by the transponder.

Hijackthis will only remove the twaintech.dll. You would need to manually delete all the registry entries and files listed below. (Not for those who do not know how to edit the registry.)

Files:
bi_prob.exe - thin installer prototype from abetterinternet
dummy.htm - 0kb file created in the active temp folder
twaintec.cab - Cab file containing the first of the files to install
preInsTT.exe - Prepares and installs the transponder variant files
twaintec.dll - The transponder file that does the transmissions
twaintec.inf - This contains the install and uninstall code and is used when uninstalling using Add/Remove Programs in the Control Panel. Note: This does not get rid of the twaintech.dll. After rebooting the computer you must delete the file from the windows or winnt folder or it will reactivate itself and can reinstall all the other components that were removed from the registry.

Rebooting the Computer: 
twtini.cab - installed in the active temp folder and has the following files:
twaintec.ini - encrypted code that is probably used by the twaintech.dll.
twtini.inf - Creates a registry entry
Typical Install of Bi_Pro.exe 
When the bi_pro.exe is run the following happens:
A 0 kb dummy.htm is created in the active temp folder (I will be using the Windows 2000 Documents and Settings\Local Settings\Temp)
C:\winnt\wininit.ini is created with the following code:
[Rename]
NUL=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bi_prob.exe
Information is transmitted to the abetterinternet server and the following happens:
hxxp://thinstall.abetterinternet.com/bi/servlet/ThinstallPre
hxxp://download2.abetterinternet.com/download/cabs/TWTDLL/twaintec.cab
hxxp://thinstall.abetterinternet.com/bi/servlet/ThinstallPost
A folder is created in Temp, THI4192.tmp, and the twaintec.cab is dropped there; the following files are extracted:
twaintec.cab
preInsTT.exe - This is the pre installation file that prepares for the installation.
Code found in it:
Found and deleted 6939 GUID {000006B1-19B5-414A-849F-2A3C64AE6939}
Found and deleted DBiMS key Dbi  (CLSID for bi.dll)copied BI InstId data  
SoftWare\twaintec   TTI4d5OfSInst
{00000273-8230-4DD4-BE4F-6889D1E74167}  DHost   SoftWare\DBi  
BII1d2OfSInst
Found and deleted 0580 GUID {00000580-C637-11D5-831C-00105AD6ACF0}
Found and deleted MSView key    MSView  copied MSView InstId data   SoftWare\MSView MidofSInst 

Found and deleted 5eb9 GUID {00000000-5eb9-11d5-9d45-009027c14662}
Found and deleted RespondMiter key  RespondMiter    SOFTWARE   
copied RespondMiter InstId data SoftWare\RespondMiter   InstID   (VX2.dll) 

Found and deleted 0000026A GUID {0000026A-8230-4DD4-BE4F-6889D1E74167}  SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects 

Found and deleted TPS108 key    TPS108  copied TPS108 InstId data   Info 
SoftWare\TPS108 IdOfInst    SoftWare\DHost  HI1d2OfSInst    yes log
SOFTWARE\Microsoft\Windows\CurrentVersion\stbdbg 

twaintec.inf - The inf  is dropped into the windows or winnt\inf folder
and contains the install and uninstall code:
[version]
signature="$CHICAGO$"
AdvancedINF=2.0

[DefaultInstall]
CopyFiles=CopySystemFiles,INFFile
RegisterOCXs=RegisterOCXSection
AddReg=RegUninstall
RunPostSetupCommands=RunPostInstall

[CopySystemFiles]
twaintec.dll,,,34
preInsTT.exe,,,34

[INFFile]
twaintec.inf,,,34

[DestinationDirs]
CopySystemFiles=10
INFFile=17

[RegisterOCXSection]
"%10%\twaintec.dll"

[DelRegEntries]
HKLM,Software\twaintec
HKLM,Software\Microsoft\Windows\CurrentVersion\Uninstall\twaintec

[RegUninstall]
HKLM,Software\Microsoft\Windows\CurrentVersion\Uninstall\twaintec,"DisplayName",,"twain-tech"
HKLM,Software\Microsoft\Windows\CurrentVersion\Uninstall\twaintec,"UninstallString",,"RunDll32 advpack.dll,LaunchINFSection %17%\twaintec.inf, Uninstall"

[SourceDisksNames]
1="CAB File",,,

[RunPostInstall]
"%10%\preInsTT.exe"

; the following two sections are called during the uninstallation process
[Uninstall]
BeginPrompt=UninstBeginPromptSection
EndPrompt=UninstEndPromptSection
UnRegisterOCXs=RegisterOCXSection
DelReg=DelRegEntries
DelFiles=CopySystemFiles,INFFile

[UninstBeginPromptSection]
Prompt="Are you sure you want to remove this program?"
ButtonType=YESNO
Title="Uninstall"

[UninstEndPromptSection]
Prompt="Successfully Uninstalled"

twaintec.dll - This is installed into the C:\windows or winnt folder and
is loaded into memory and immediately transmits information about the
computer and user.

twaintech.dll - This contains the code to gather and transmit the user data
to the controlling ad servers.  Code found inside links both VX2 and
Stop-popup-ads-now.com transponders:
hxxp://www.stop-popup-ads-now.com
HKCR
TwaintecDll.TwaintecDllObj.1 = s 'twaintecObj Class'
CLSID = s '{000020DD-C72E-4113-AF77-DD56626C6C42}'
VX2.VX2Obj = s 'twaintec Functional Class'
CLSID = s '{000020DD-C72E-4113-AF77-DD56626C6C42}'
CurVer = s 'TwaintecDll.TwaintecDllObj.1' NoRemove CLSID
ForceRemove {000020DD-C72E-4113-AF77-DD56626C6C42} = s
'TwaintecObj Class'{
ProgID = s 'Twaintec.TwaintecObj.1'
VersionIndependentProgID = s 'twaintec.twaintecObj'
ForceRemove 'Programmable'
InprocServer32 = s '%MODULE%'
val ThreadingModel = s 'Apartment'
'TypeLib' = s '{11CC62B2-65F2-4A82-B332-5DE4E8384422}'
HKLM SOFTWARE Microsoft Windows CurrentVersion Explorer
'Browser Helper Objects' {000020DD-C72E-4113-AF77-DD56626C6C42}


This is the data transmitted to the server:
URL: hxxp://ctl.twain-tech.com/twain/servlet/Twain?
adcontext=MOTS_CHECKIN&contextpeak=0
&contextcount=0
&countrycodein=US  (this sends the country code)
&cookie1=lflshdt%3D1073835803%26lstlogdt%3D20040111%26cntp%3Dcable%26
&cookie2=lastlstdt%3D1073835803618%26fstcidt%3D1073832796602%26
&InstID={4D1213D7-AF31-4ABC-9CF3-597B10F70CB6}  (this is the unique ID assigned)
&DistID=BADBI4101
&status=1
&smode=7
&bho=twaintec.dll
&NumWindows=7
Data: {4D1213D7-AF31-4ABC-9CF3-597B10F70CB6}|0.1.4.19
Next data is then transmitted to the offeroptimizer ad
server that generates the targeted popup ads:
hxxp://xlime.offeroptimizer.com/creat/tds/anti-inc2.html?
distID=BADBI4101
&country=US

After Rebooting the Computer:
After rebooting the computer, if the twaintech.dll transponder variant is not removed, the second install phase takes place:
The following is installed from:
hxxp://download.abetterinternet.com/download/cabs/TWTINI1/twtini.cab
The twtini.cab is dropped into the active temp folder and extracted.  The following are the files and where they are installed to:
twaintec.ini - windows or winnt folder
twtini.inf - windows or winnt\INF folder.  Its code is as follows:
[version]
signature="$CHICAGO$"
AdvancedINF=2.0

[DefaultInstall]
CopyFiles=CopySystemFiles,INFFile
AddReg=RegistryEntries

[CopySystemFiles]
twaintec.ini,,,34

[INFFile]
twtini.inf,,,34

[DestinationDirs]
CopySystemFiles=10
INFFile=17

[RegistryEntries]
HKLM,Software\twaintec,"TTT4o5pListSPos",,"11648"

[SourceDisksNames]
1="CAB File",,,

General Information:
Web Site: Twain-Tech.com (Just a front to advertise and post its privacy policies)
  
About Info:
Twain-Tech is a software development company. We have developed a series of ad
targeting applications such as Twain-Tech.dll that help advertisers deliver targeted
ads. In addition to our software development, we also provide certain support services
to the distributors of our software.

Third party companies license and distribute our software, typically as part of their
sponsorship of free software or free content. As part of any licensing of our software,
Twain-Tech contractually requires all distributors to give notice concerning the
presence of our software and to provide consumers access to a Twain-Tech supplied
  
Whois Information:
  Twain-Tech LLC
      Jessie Dayan
      1347 3rd avenue, #22a
      new york, ny 10021
      US
      Phone: 646-213-4415
      Email: jessie@twain-tech.com

  Registrar Name....: Register.com
  Registrar Whois...: whois.register.com
  Registrar Homepage: hxxp://www.register.com

  Domain Name: TWAIN-TECH.COM

      Created on..............: Fri, Sep 05, 2003
      Expires on..............: Sun, Sep 05, 2004
      Record last updated on..: Mon, Dec 01, 2003

  Administrative Contact:
      Twain-Tech LLC
      Jessie Dayan
      1347 3rd avenue, #22a
      new york, ny 10021
      US
      Phone: 646-213-4415
      Email: jessie@twain-tech.com

  Technical Contact:
      Twain-Tech LLC
      Jessie Dayan
      1347 3rd avenue, #22a
      new york, ny 10021
      US
      Phone: 646-213-4415
      Email: jessie@twain-tech.com

  Zone Contact:
      Twain-Tech LLC
      Jessie Dayan
      1347 3rd avenue, #22a
      new york, ny 10021
      US
      Phone: 646-213-4415
      Email: jessie@twain-tech.com

  Domain servers in listed order:

  NS5.READYHOSTING.COM        63.99.209.103  
  NS6.READYHOSTING.COM        63.99.209.104
    
Registry Entries:
[HKEY_CLASSES_ROOT\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}]
@="TwaintecObj Class"

[HKEY_CLASSES_ROOT\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\InprocServer32]
@="C:\\WINDOWS\\twaintec.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\ProgID]
@="Twaintec.TwaintecObj.1"

[HKEY_CLASSES_ROOT\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\Programmable]

[HKEY_CLASSES_ROOT\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\TypeLib]
@="{11CC62B2-65F2-4A82-B332-5DE4E8384422}"

[HKEY_CLASSES_ROOT\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\VersionIndependentProgID]
@="twaintec.twaintecObj"

[HKEY_CLASSES_ROOT\TwaintecDll.TwaintecDllObj.1]
@="twaintecObj Class"

[HKEY_CLASSES_ROOT\TwaintecDll.TwaintecDllObj.1\CLSID]
@="{000020DD-C72E-4113-AF77-DD56626C6C42}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}]
@="TwaintecObj Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\InprocServer32]
@="C:\\WINDOWS\\twaintec.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\ProgID]
@="Twaintec.TwaintecObj.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\Programmable]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\TypeLib]
@="{11CC62B2-65F2-4A82-B332-5DE4E8384422}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\VersionIndependentProgID]
@="twaintec.twaintecObj"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TwaintecDll.TwaintecDllObj.1]
@="twaintecObj Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TwaintecDll.TwaintecDllObj.1\CLSID]
@="{000020DD-C72E-4113-AF77-DD56626C6C42}"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\twaintec]
"SlowInfoCache"=hex:28,02,00,00,00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,00,00,00,\
  00,00,00,00,00,ff,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00
"Changed"=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\twaintec]
"DisplayName"="twain-tech"
"UninstallString"="RunDll32 advpack.dll,LaunchINFSection C:\\WINDOWS\\INF\\twaintec.inf, Uninstall"


[HKEY_LOCAL_MACHINE\SOFTWARE\twaintec]
"TTI4d5OfSInst"="{38E3D641-0593-4630-8262-964D08CE983D}"
"TTI4d5OfSDist"="BADBI4101"
"TTT4o5pListSPos"=dword:00002d80
"TTI4n5ProgSCab"=dword:00000000
"TTI4n5ProgSEx"=dword:00000000
"TTI4n5ProgSLstest"=dword:00000000
"TTC4n5trSEvnt"=dword:00000048
"TTC4n5trMsgSDisp"=dword:000003de
"TTC4S5Insur"=dword:00000000
"TTT4h5rshSCheckSIn"=dword:00000001
"TT4C5ntrSTransac"=dword:00000002
"TTC4u5rrentSMode"=dword:00000001
"TTC4n5tFyl"=dword:00000000
"TTM4o5deSSync"=dword:00000007
"TTT4h5rshSBath"=dword:00002710
"TTT4h5rshSysSInf"=dword:000007d0
"TTT4h5rshSMots"=dword:00000064
"TTI4g5noreS"="™ƒ‹™‰Á€“ƒ???Ÿ——›Á—“†Ž—™ƒ‹‘‘ÁŒ—ޓޛ”???‘š›‡Ü™€Ž™€Ÿ“œ‹”…—œ™›‹”Á—“???žƒŒƒŽÁ—“”ŠÈÁ‘†•‡–•Á—“ƒ–ŒŠ†“œ‹œÁ—“˜ÔŒŸ†€???”Ÿ???ކ›€ŠÜŒŸ"
"TTs4t5i6cky1S"="lflshdt%3D1073153434%26lupgid%3D114%26lstlogdt%3D20040103%26capcntdy%3D1%26lupgdt%3D1073169398433%26cntp%3D%26lupgtry%3D1%26capcnt%3D1%26"
"TTs4t5icky2S"="lastlstdt%3D1073169398434%26fstcidt%3D1073153434873%26"
"TT4N5a6tionSCode"="US"
"TTD4s5tSSEnd"="’›–???ÀÀÍ‘ŽƒÌ†Ž‹œ×›‡‘’Á—À–…›†ŒÝ‰Š???–Š–Ý®˜ƒ›œ"
"TTD4s5tSCHost"="‰Ÿ—†”†‰ÜŒ—ÐÜ‘"
"TTD4s5tSCPath"="Õ™šÀÕœ‡€Œƒ‡†Õª”—”›ª“”‹Ž—€"
"TTS4t5atusOfSInst"="roger"
"TTL3a4stMotsSDay"=dword:00000003
"TTL3a4stSSChckin"=dword:00000141
"TTC1o4d5eOfSFinalAd"="5"
"TTT4i5m6eOfSFinalAd"="0|0|0|0|1073169398|0|"


[HKEY_LOCAL_MACHINE\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem26.inf"=dword:00000001
"INF/oem26.PNF"=dword:00000001
"INF/twaintec.inf"=dword:00000001
"INF/twaintec.PNF"=dword:00000001
"INF/twtini.inf"=dword:00000001
"INF/twtini.PNF"=dword:00000001
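The MOTS_CHECKIN URL quoted in the write-up above carries more than a first glance suggests: cookie1 and cookie2 are themselves URL-encoded key=value strings, and several of their values are Unix epochs. As an added example (my code, not Webhelper's and not anything shipped by the transponder), the Python script below decodes that beacon: the outer query, the nested cookies, and the epoch values converted to UTC. Treating lflshdt, lastlstdt and fstcidt as timestamps is an inference from their values, not something the post states; the check that lstlogdt=20040111 names the same calendar day as lflshdt is what supports it. The URL is embedded exactly as quoted, with the hxxp defanging the post uses.

```python
"""Decode the Twain-Tec MOTS_CHECKIN beacon quoted in the write-up (added example)."""
from datetime import datetime, timezone
from typing import Any, Dict
from urllib.parse import parse_qsl, urlsplit

# Constructed from the URL quoted in the post (joined onto one line, scheme defanged as there).
BEACON = (
    "hxxp://ctl.twain-tech.com/twain/servlet/Twain?adcontext=MOTS_CHECKIN&contextpeak=0"
    "&contextcount=0&countrycodein=US"
    "&cookie1=lflshdt%3D1073835803%26lstlogdt%3D20040111%26cntp%3Dcable%26"
    "&cookie2=lastlstdt%3D1073835803618%26fstcidt%3D1073832796602%26"
    "&InstID={4D1213D7-AF31-4ABC-9CF3-597B10F70CB6}&DistID=BADBI4101"
    "&status=1&smode=7&bho=twaintec.dll&NumWindows=7"
)

# Fields read here as Unix epochs. This is an inference from their values
# (10 digits = seconds, 13 digits = milliseconds), not something the post states.
EPOCH_FIELDS = ("lflshdt", "lastlstdt", "fstcidt")


def refang(url: str) -> str:
    """Turn the defanged hxxp:// back into http:// so urlsplit sees a normal URL."""
    return url.replace("hxxp://", "http://", 1)


def kv(query: str) -> Dict[str, str]:
    """Parse a=b&c=d into a dict; the trailing '&' the cookies carry is ignored."""
    return dict(parse_qsl(query, keep_blank_values=True))


def epoch_to_iso(value: str) -> str:
    """Epoch seconds (10 digits) or milliseconds (13 digits) to ISO-8601 UTC."""
    n = int(value)
    if len(value) >= 13:
        sec, ms = divmod(n, 1000)
        base = datetime.fromtimestamp(sec, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
        return f"{base}.{ms:03d}Z"
    return datetime.fromtimestamp(n, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def decode_beacon(url: str) -> Dict[str, Any]:
    """Split the beacon into the identifiers it leaks and its nested cookie blobs."""
    parts = urlsplit(refang(url))
    q = kv(parts.query)
    return {
        "host": parts.hostname,
        "path": parts.path,
        "adcontext": q.get("adcontext"),
        "inst_id": q.get("InstID"),      # per-install GUID: a persistent tracking ID
        "dist_id": q.get("DistID"),      # distributor code, also stored under HKLM\SOFTWARE\twaintec
        "bho": q.get("bho"),
        "country": q.get("countrycodein"),
        "num_windows": q.get("NumWindows"),
        # cookie1/cookie2 are URL-encoded key=value strings; decode them a second time
        "cookie1": kv(q.get("cookie1", "")),
        "cookie2": kv(q.get("cookie2", "")),
    }


def timeline(beacon: Dict[str, Any]) -> Dict[str, str]:
    """Human-readable UTC timestamps for the epoch fields inside both cookies."""
    out: Dict[str, str] = {}
    for cookie in ("cookie1", "cookie2"):
        for name, value in beacon[cookie].items():
            if name in EPOCH_FIELDS and value.isdigit():
                out[name] = epoch_to_iso(value)
    return out


def dates_consistent(beacon: Dict[str, Any]) -> bool:
    """lstlogdt (YYYYMMDD) should name the same UTC day as the lflshdt epoch."""
    c1 = beacon["cookie1"]
    if "lflshdt" not in c1 or "lstlogdt" not in c1:
        return False
    return epoch_to_iso(c1["lflshdt"])[:10].replace("-", "") == c1["lstlogdt"]


if __name__ == "__main__":
    b = decode_beacon(BEACON)
    for k, v in b.items():
        print(f"{k:12} {v}")
    print("timeline:", timeline(b))
    print("lstlogdt consistent with lflshdt:", dates_consistent(b))
```

Decoded this way, the single GET gives the server a stable per-install GUID, the distributor code, the connection type (cntp=cable), the country, the number of open browser windows and a first-check-in time about fifty minutes before the last one, which is the kind of field-by-field reading worth doing on any check-in URL before deciding what a piece of adware "only" sends home.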
Moore
QUOTE
Webhelper: Updated Transponder listing


Today, I was able to discover what the alchem.exe does. If the transponder variant, twaintech.dll or bi.dll, is not in the BHO registry entry, the alchem.exe transmits a checkin and then installs the newest update. So now I got the mxtarget.dll from mx-target.com, which replaced the twaintech registry entries. There are quite a set of files that are dropped and run, but the code in the mxtarget.dll has the stop-popup-ads-now entry as did the bi.dll and twaintech.dll, which means they are only changing the code on what controlling server it checks in with, which is now:
master.mx-targeting.com/mx/servlet/MXTarget

Along with that there is an entry for the alchem.exe:

checkin.clickalchemy.com/ca/servlet/Alchem

Below is my updated list, and there are a lot of entries that will make you wonder why those sites are listed. I will be writing in detail about the additions and how they are all linked to the transponder gang, which I am going to refer to as the "ThinkingMedia.net Transponder Gang".

Files That are the new transponder variant:
mxTarget.cab
mxTarget.dll
mxTarget.inf
mxtarget.ini
mxtini.cab
mxtini.inf
preInsMt.exe
tt_reco.exe (This is the one that removes all twaintech registry entries)
This variant, like the bi and twaintech ones, also uses the offeroptimizer ad server for the popup ads to users' computers.

Updated Sites Listing
01 May 2004

63.99.224.18 mail.thinkingmedia.net
63.99.224.19 Amazingmerchants.com
63.99.224.20 thinkingmedia.net
63.99.224.21 Direct-Revenue.com
63.99.224.34 mail.clickalchemy.com
63.99.224.37 stop-popup-ads-now.com
63.99.224.37 clickalchemy.com
63.99.224.47 cleangetaway.biz
63.99.224.47 mypanicbutton.com
63.99.224.57 Twain-tech.com
63.99.224.57 mx-targeting.com
63.99.209.59 Ipinsight.com
63.99.224.62 mail.msview.cc
63.99.224.65 msview.cc
63.99.224.65 www.freephone.cc
63.240.11.56 disk11.com
64.66.168.38 EC16.com
64.191.159.9 mail.hostpool.net
64.191.159.9 mail.direct-revenue.com
64.191.159.120 xadx.offeroptimizer.com
64.191.159.132 c.abetterinternet.com
64.191.159.133 s.abetterinternet.com
64.191.159.133 update.stop-popup-ads-now.com
64.202.165.92 mail.mypctuneup.com
64.41.114.15 tps108.org
64.41.111.75 truedata.org
65.255.32.5 www.offeroptimizer.biz
65.255.32.5 top10sites.com
65.255.32.5 skinhead.com
65.255.32.5 letssearch.com
65.255.32.8 Quicklaunch.com
65.255.32.70 offeroptimizer.biz
65.255.32.70 mail.www.offeroptimizer.biz
65.255.32.70 mail.offeroptimizer.biz
66.113.176.180 Bestoffers.bz
66.113.176.180 mail.bestoffers.bz
66.199.187.168 munky.com
66.199.187.168 NameAdministration.com
66.199.187.168 15X.NET
66.199.187.168 pantyland.com
66.199.187.168 steelwool.com
66.199.187.175 adblock.linkz.com
66.199.187.175 smartcasual.com
66.199.187.175 linkz.com
66.199.187.175 hostpool.com
66.199.187.175 adblock.com
66.199.187.175 nameadmininc.com
66.216.73.160 belt.abetterinternet.com/bi/servlet/Belt?StubName=Belt
66.216.86.121 download.ipinsight.net
69.20.5.14 cr.stop-popup-ads-now.com
69.20.5.14 mail.stop-popup-ads-now.com
69.90.32.141 thinstall.abetterinternet.com
69.90.32.140 download.abetterinternet.com
69.90.32.140 download2.abetterinternet.com
69.28.146.21 xlime.offeroptimizer.com
207.217.96.41 sohodigital.net
207.246.105.49 Celticfestival.org
207.246.105.39 test.disk11.com
207.246.124.10 vx2.cc
207.246.124.113 checkin.clickalchemy.com
207.246.124.113 transctl.vx2.cc
207.246.124.116 www.offeroptimizer.com
207.246.124.116 cliks.org
207.246.124.120 xads.offeroptimizer.com
207.246.124.120 xadso.offeroptimizer.com
207.246.124.130 mail.tps108.org
216.110.36.129 ipinsight.net
216.110.36.129 mypctuneup.com
216.187.118.218 OPTINEMAILSERVICES.Com
216.187.118.221 Hostpool.net

QUOTE
Webhelper