Twaintec.dll and the Transponder Gang

groovyjoker

Some of you may be infected with a transponder variant known as
Twaintec.dll. Associated files include mxtarget.dll, PreInsTT.exe,
alchem.exe, and a host of other files, which load toolbars, popups,
pornography links, and modify your browser settings. You should also
know that personal information about your computer is being
transferred to an outside source through these files.

What is most important is the misleading removal information on two
notable websites: PCHell and PCPestControl. Both websites simply
followed the instructions posted on the spoof website created by the
Transponder Gang, who created the spyware in the first place. The
"uninstall" instructions on this spoof website (www.twain-tech.com)
are bogus and say:

To permanently disable the software click "Start" and then "Run" and
type the following command which unregisters the software: "regsvr32
c:\winnt\twaintec.dll "

To the untrained eye this makes sense, except for one thing - if you
want to UNREGISTER something, you must add a /u to the command line.
Otherwise you are REGISTERING the software again, and again, and
again.....

For reference, and the proper command line, see
http://www.fortinet.com/VirusEncycl...?method=viewVirusDetailsInfoDirectly&fid=1089

However, the main files that create (or spawn) the transponder files
which create all the spyware may not be removed by adaware, spybot,
norton, hijack this, cwshredder, or manual removal. They have been
configured so that they are either protected or "in use." These files
are C:\WINDOWS\mxtarget.dll and C:\WINDOWS\twaintec.dll. Someone
suggested simply changing the extension of the filename. I
attempted to do that last night and it did not work, because the file
is in use.

The last step in removal of these transponders is being able to remove
these two files from your system. I have found no one, anywhere, that
has suggested a successful way to do this. Lavasoft has nothing.

How about a Windows XP System Restore? Any ideas?
 
Ken

After about three days of trial and error, editing the System
Registry, deleting files etc., I found that I have finally cleaned my
system of all files related to the persistent TWAINTEC and now my pc
is running clean! Hopefully the below steps will help you clean your
system, but I can't guarantee that it will. The below instructions
might look a little painful, but well worth the effort if you want to
get rid of the pop-ups and the unauthorized retrieval of information
from your system caused from TWAINTEC.

If you want to read up on what TWAINTEC does, this site provides you
with the details:
http://www.fortinet.com/VirusEncycl...?method=viewVirusDetailsInfoDirectly&fid=1089

Here are the instructions that worked for me:

1. I recommend booting your system into SAFE MODE to have bare bone
minimum operating system running.

2. From a COMMAND PROMPT, unregister the "twaintec" and "mxtarget" DLL
files:
C:\regsvr32 /u twaintec.dll
C:\regsvr32 /u mxtarget.dll

3. Use the "Search for Files and Folders" feature in Windows. Make
sure you have the "Search for hidden and system files" enabled then
search for the following files (I use some wildcard characters in
order to find all variations of these files since there are .CAB,
.DLL, .INF, .EXE, .TMP):
Mxtarget*.*, thmall1m*.*, polall1m*.*, preinstt*.*, thi*.tmp

4. You should find both FILES and FOLDERS. Once you find any
variation of the above FILES, DELETE THEM.

5. One note about the FOLDERS starting with "THI" and ending in ".TMP"
that were returned in your search above. The TWAINTEC installation
process creates random folder names starting with "THI" and ending in
".TMP" and so you may find different variations of these folder names
(about two of them). I had two named "THI1C0.TMP" and "THI3ECB.TMP".
These are the folders where the TWAINTEC.CAB file and other
supporting files are stored. DELETE these folders and all contents in
them.

6. You will now have to clean up the System Registry. From START -
RUN, type "REGEDIT" to launch the Registry Editor. Search for the
words "twaintec", "pol" and "thnall1m" one at a time. With each
successful find, verify each Main Key listed below starting with
"HKEY" to make sure you have the right one. Then, delete the KEY.
Each KEY will have sub-keys. You should see content exactly like
shown below or similar. DELETE each of the KEYS shown below (which
should warn you about deleting any sub-keys also). Go ahead and
acknowledge the Delete action:

HKEY_CLASSES_ROOT\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}
  (Default) = TwaintecObj Class
  InprocServer32
    (Default) = C:\WINNT\twaintec.dll
    ThreadingModel = Apartment
  ProgID
    (Default) = Twaintec.TwaintecObj.1
  Programmable
    (Default) = (value not set)
  TypeLib
    (Default) = {11CC62B2-65F2-4A82-B332-5DE4E8384422}
  VersionIndependentProgID
    (Default) = twaintec.twaintecObj

HKEY_CLASSES_ROOT\Interface\{4534CD6B-59D6-43FD-864B-06A0D843444A}
  (Default) = ItwaintecDllObj
  ProxyStubClsid
    (Default) = {00020424-0000-0000-C000-000000000046}
  ProxyStubClsid32
    (Default) = {00020424-0000-0000-C000-000000000046}
  TypeLib
    (Default) = {690BCCB4-6B83-4203-AE77-038C116594EC}
    Version = 1.1

HKEY_CLASSES_ROOT\TwaintecDll.TwaintecDllObj.1
  (Default) = twaintecObj Class
  CLSID
    (Default) = {000020DD-C72E-4113-AF77-DD56626C6C42}

HKEY_CLASSES_ROOT\TypeLib\{690BCCB4-6B83-4203-AE77-038C116594EC}
  (Default) = (value not set)
  1.1
    (Default) = TwaintecDll 1.1 Type Library
  1.1\0\win32\
    (Default) = C:\WINNT\twaintec.dll
  1.1\FLAGS\
    (Default) = 0
  1.1\HELPDIR\
    (Default) = C:\WINNT\

HKEY_CLASSES_ROOT\VX2.VX2Obj
  (Default) = twaintec Functional Class
  CLSID
    (Default) = {000020DD-C72E-4113-AF77-DD56626C6C42}
  CurVer
    (Default) = TwaintecDll.TwaintecDllObj.1

NOTE: This last KEY may have a slight difference in the sub-key
content. That's ok. It's safe to DELETE it. I have shown two
variations that you might have. One may contain a reference to the
file you deleted earlier (thnall1m.exe) and one that doesn't.

HKEY_LOCAL_MACHINE\SOFTWARE\twaintec
  (Default) = (value not set)
  TTI4d5OfSDist = POL14100
  TTI4d5OfSInst = {1F034FE6-5BCA-4D77-910C-CC26844DDE27}

Or

HKEY_LOCAL_MACHINE\SOFTWARE\twaintec
  TTI4d5OfSDist = 1|100|0|0|thnall1m.exe
  TTI4d5OfSInst = {E4732519-3865-4DF4-BDC7-21EBED1F663F}
  TTI4n5ProgSCab = 0x00000000 (0)
  TTI4n5ProgSEx = 0x00000000 (0)
  TTI4n5ProgSLstest = 0x00000000 (0)
  TTT4o5pListSPos = 0x00000000 (0)

You can close the Registry Editor at this time.

As one final precaution, RIGHT MOUSE CLICK on your Internet Explorer
browser and select PROPERTIES or you can get to the PROPERTIES dialog
box through CONTROL PANEL - Internet Options.

1. Make sure the address in the "HOME PAGE" field is an address that
looks familiar to you. If it doesn't have something clean like
"http://msnbc.com" or "http://www.aol.com", type over it with a
familiar address that you trust.

2. Delete Cookies. There are a few cookies that were installed with
TWAINTEC that track things. So, to be safe, DELETE COOKIES.

3. Click OK

That about does it. Perform a shutdown/restart and boot normally.
Once your machine is back up, perform the same search you performed at
the beginning of these instructions (step 3) just to make sure nothing
"spawned" back into your system. If nothing comes back in the search
results, your system is clean.

As safe as some of us are when surfing the web, we can still fall prey
to unwanted pushing of code to our pc's in the blink of an eye. When
in doubt, don't follow links that don't look trustworthy.

Happy Surfing!
-- Ken --
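Both posts turn on the same mechanism: `regsvr32 twaintec.dll` calls the DLL's DllRegisterServer, which (re)creates the CLSID / InprocServer32 / ProgID / TypeLib chain that Ken lists, while `regsvr32 /u` calls DllUnregisterServer and removes it. Ken's registry step is that chain walked by hand. The script below is an added example, not code from either poster or from any site mentioned in the thread: it parses a `.reg` text export (the kind `reg export HKCR hkcr.reg` writes) and lists every HKCR key that loads a given DLL through InprocServer32, the ProgIDs that resolve to those CLSIDs, and the TypeLib entries pointing at the file. The sample export is constructed from the keys quoted above plus one made-up benign CLSID (`{CAFEBABE-...}`) so the filter has something to leave alone; the parser is simplified (string and raw values only, hex continuation lines skipped).

```python
"""Audit a .reg export for the COM registration chain of one DLL.

Added example (not from the forum thread). The sample data below is
constructed from the keys quoted in the thread; the {CAFEBABE-...} entry is
a made-up benign registration used only to show that it is not reported.
"""
import re

REG_HEADER = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Constructed sample export in the "Windows Registry Editor Version 5.00" format.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}]
@="TwaintecObj Class"

[HKEY_CLASSES_ROOT\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\InprocServer32]
@="C:\\WINNT\\twaintec.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\ProgID]
@="Twaintec.TwaintecObj.1"

[HKEY_CLASSES_ROOT\TwaintecDll.TwaintecDllObj.1\CLSID]
@="{000020DD-C72E-4113-AF77-DD56626C6C42}"

[HKEY_CLASSES_ROOT\VX2.VX2Obj\CLSID]
@="{000020DD-C72E-4113-AF77-DD56626C6C42}"

[HKEY_CLASSES_ROOT\TypeLib\{690BCCB4-6B83-4203-AE77-038C116594EC}\1.1\0\win32]
@="C:\\WINNT\\twaintec.dll"

[HKEY_CLASSES_ROOT\CLSID\{CAFEBABE-0000-4000-8000-000000000001}\InprocServer32]
@="C:\\WINDOWS\\system32\\legit.dll"
"""


def _unquote(s):
    # Drop the surrounding quotes and undo .reg escaping of quote and backslash.
    return s[1:-1].replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}.
    The default value is stored under the name "". Non-string data
    (dword:, hex:) is kept as raw text; hex continuation lines are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = REG_HEADER.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = REG_VALUE.match(line)
        if m and current is not None:
            name, data = m.groups()
            name = "" if name == "@" else _unquote(name)
            keys[current][name] = _unquote(data) if data.startswith('"') else data
    return keys


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_dll_registrations(keys, dll_name):
    """Return the HKCR registration chain for dll_name: CLSIDs whose
    InprocServer32 loads it, ProgIDs mapping to those CLSIDs, and TypeLibs
    whose win32 entry points at the file."""
    dll = dll_name.lower()
    clsids, progids, typelibs = set(), set(), set()
    for key, values in keys.items():
        default = values.get("", "")
        m = re.match(r"^HKEY_CLASSES_ROOT\\CLSID\\(\{[^}]+\})\\InprocServer32$", key, re.I)
        if m and _basename(default) == dll:
            clsids.add(m.group(1).upper())
        m = re.match(r"^HKEY_CLASSES_ROOT\\TypeLib\\(\{[^}]+\})\\", key, re.I)
        if m and key.lower().endswith("\\win32") and _basename(default) == dll:
            typelibs.add(m.group(1).upper())
    for key, values in keys.items():  # second pass: ProgIDs need the CLSID set
        m = re.match(r"^HKEY_CLASSES_ROOT\\([^\\]+)\\CLSID$", key, re.I)
        if m and values.get("", "").upper() in clsids:
            progids.add(m.group(1))
    return {"clsids": sorted(clsids), "progids": sorted(progids), "typelibs": sorted(typelibs)}


def keys_to_delete(report):
    """Top-level HKCR keys (deleted with their sub-keys) for a manual clean-up."""
    out = [f"HKEY_CLASSES_ROOT\\CLSID\\{c}" for c in report["clsids"]]
    out += [f"HKEY_CLASSES_ROOT\\{p}" for p in report["progids"]]
    out += [f"HKEY_CLASSES_ROOT\\TypeLib\\{t}" for t in report["typelibs"]]
    return out


if __name__ == "__main__":
    report = find_dll_registrations(parse_reg(SAMPLE_REG), "twaintec.dll")
    for k in keys_to_delete(report):
        print(k)
```

On a live machine you would run this against a real export rather than the sample, and re-run it after the clean-up (as Ken does with the file search) to confirm the chain has not been recreated by a component that is still loaded.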