Softpanorama


Malware Defense History

by Dr. Nikolai Bezroukov.

Copyright: Dr. Nikolai Bezroukov 1994-2013. Unpublished notes. Version 0.80, October 2013



Chapter 8: Spyware

Advertising Spyware: Blackstone Data Transponder and its derivatives

It is hard to tell where this piece of spyware originated. It was first seen as Blackstone Data's Transponder, but repackaged versions of the same product are popping up under several different companies. It is currently distributed under these names:

According to the VX2 website:

The software goes along with the user of the software as they are surfing around the web and builds reports on the activity.
The software monitors the click stream activity of the consumer and communicates with servers.
The software monitors some activity of the PC and communicates with servers.

It is a Browser Helper Object that is distributed with unknown third-party software, including AudioGalaxy Satellite. While the user is browsing the Web, it will pop up advertisements based on what page is being visited, what's being searched for, how quickly the user is surfing, etc. Transponder's ad-displaying algorithm appears to weight the occurrence of ads in such a way that they appear to come from the page(s) being visited.   

For the remainder of this document, the terms "VX2", "Transponder", etc. will be used interchangeably to refer to this class of spyware product.

... ... ...

Privacy Concerns

The software covertly collects all sorts of information about your Web surfing habits, including lists of Web sites you visit (and even sites you've visited before installing their software), any terms you enter into a search engine, and contents of online forms--including "secure" forms using SSL encryption(!). The company has the audacity to claim that this is done "in order to save you the time and trouble of submitting such information to us yourself". It also stores cookies to persistently identify you across sessions.

The software collects and transmits your full name and e-mail address as used by the Outlook mail client. It also transmits back a laundry list of information about your system, which is described in more detail below. Finally, the software transmits details about your interaction with the software.

The software also includes an auto-update capability with the stated purpose of updating not only the VX2 spyware itself, but also installing additional third-party programs, including additional spyware.

Information Gathered by Transponder

Upon its first load, VX2.dll will look for a file in your Windows directory called oeminfo.ini. If present, this file contains information about your computer provided by the OEM--who you bought it from, serial #/etc., processor and configuration, tech support info, and maybe your name. (IIRC, this information is displayed if you go to Start > Settings > ControlPanel > System and view the first tab.) More information about the oeminfo.ini file is available here.

Transponder then connects to sputnik.vx2.cc and transmits data. The information transmitted includes, but is not limited to, the following:
 

On first connection, or when triggered remotely:

The data transmission is most likely encoded (sample). At intervals after the initial contact, the software will perform at least two types of "calling home": the ROUTINE_CHECKIN and MOTS_CHECKIN (Message Of The Session checkin) to a server starting with transctl*. (These include transctl*.blackstonedata.net, transctl*.vx2.cc, etc.) Each checkin request transmits the user's country code, a cookie data string, a tracking GUID that was created during its installation, the software that installed the spyware, and its version number. Some other checkin "modes" exist but have not been observed in action.
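The host names are the part of this that a network defender can check for directly. Below is an added example, not code from the original page or from any of the sources quoted on it: a small Python proxy-log scanner that flags requests whose destination host matches the check-in hosts named above (sputnik.vx2.cc, transctl*.blackstonedata.net, transctl*.vx2.cc). The log lines and the URL paths in them are constructed for the example; the real check-in URL format is not given on this page, so the match is on the host component only.

```python
import re
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Check-in hosts named on this page. "*" is an fnmatch wildcard, so transctl1.vx2.cc,
# transctl2.vx2.cc and so on all match.
CHECKIN_HOST_PATTERNS = (
    "sputnik.vx2.cc",
    "transctl*.blackstonedata.net",
    "transctl*.vx2.cc",
)

# Constructed sample log (Squid-style fields: timestamp, client, method, URL).
# Paths are invented; the real check-in URL format is not given on the page.
SAMPLE_LOG = """\
1004000001.123 10.0.0.5 GET http://transctl1.vx2.cc/checkin
1004000002.456 10.0.0.5 GET http://www.example.com/index.html
1004000003.789 10.0.0.9 POST http://sputnik.vx2.cc/collect
1004000004.000 10.0.0.7 GET http://transctl2.vx2.cc.unrelated.example/index.html
1004000005.000 10.0.0.7 GET http://TRANSCTL3.BLACKSTONEDATA.NET/checkin
not a log line at all
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")


def host_of(url):
    """Lower-cased host component of a URL ('' if the URL has none)."""
    return (urlsplit(url).hostname or "").lower()


def checkin_host(url):
    """Return the pattern the URL's host matches, or None.

    The whole host component is compared, not a substring of the URL, so a name
    that merely contains 'vx2.cc' in the middle is not flagged.
    """
    host = host_of(url)
    for pattern in CHECKIN_HOST_PATTERNS:
        if fnmatchcase(host, pattern):
            return pattern
    return None


def scan_proxy_log(text):
    """List of (client, host, matched_pattern) for every request to a check-in host."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m is None:
            continue  # skip lines that do not fit the expected field layout
        pattern = checkin_host(m["url"])
        if pattern is not None:
            hits.append((m["client"], host_of(m["url"]), pattern))
    return hits


def infected_clients(text):
    """Sorted, de-duplicated client addresses that contacted a check-in host."""
    return sorted({client for client, _, _ in scan_proxy_log(text)})


if __name__ == "__main__":
    for client, host, pattern in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} -> {host}  (matched {pattern})")
    print("clients to triage:", infected_clients(SAMPLE_LOG))
```

Matching the whole host component rather than searching the URL text for "vx2.cc" avoids both false positives from look-alike names and misses from mixed-case hosts; the list of client addresses is what you would hand to whoever has to do the removal.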

A stated purpose of the information Transponder gathers is to send direct mail (a.k.a. spam), possibly with the help of NetGeo (see later). I am guessing this to mean Outlook users (or former Outlook users) will get more spam thanks to this spyware.

In the Privacy Policy, VX2 asserts "We have undertaken technical measures to make sure that VX2 never collects credit card numbers, account numbers or passwords." Examining the spyware's source code (more on that later as well), the "technical measures" are the following:

In either case, the field is overwritten with X's before transmitting. Interestingly, VX2 passes the buck when the high-precision (sarcasm intended) password check fails, by stating that surfing with their spyware "may result in some personal information being included in URL data [...] Such instances are rare and are the result of poor security practices by these third party websites."  I get the feeling many third-party Web sites would beg to differ. (As if Blackstone has any right to talk about poor security practices.)

Portions from the VX2 Privacy Policy as of 10/21/01:

"VX2’s software collects and transmits to VX2’s servers the URLs of the Web pages visited on your browser. URLs are the addresses of the web pages that your browser visits (http://www.VX2.com, for example). The VX2 software collects and maintains information on both current and historical browsing. VX2 will use this information to build a summary of your interests and general web trends.

VX2’s software also collects some information from online forms that you fill out. This information is automatically sent to VX2 in order to save you the time and trouble of submitting such information to us yourself. We have undertaken technical measures to make sure that VX2 never collects credit card numbers, account numbers or passwords. If such data were, despite VX2’s best efforts, ever inadvertently collected VX2 would immediately purge such information from its database.

VX2’s software also collects the query terms entered into search engines. VX2 uses this information to help generate a more complete summary of its users' interests and general internet trends.

When you install VX2’s software, it collects several bits of information about the configuration of your computer. This information includes information about the computer's hardware configuration, such as the amount of free space on your hard drive, and software configuration, such as the version of the operating system. These examples are representative, and the specific information collected may vary from time to time. This information is used to determine whether the VX2 software is compatible with your computer. It may also be used to help generate a more complete summary of your interests when appropriate.

It is possible that, in some instances, the operation of certain third party websites may result in some personal information being included in URL data, which can result in that data being captured in the course of the normal operation of the VX2 software. Such instances are rare and are the result of poor security practices by these third party websites. In the unlikely instance that such information is captured, it may be stored in our database, but it will not be used or disclosed in any manner inconsistent with our Privacy Policy.

Occasionally, VX2 may collect information about your interaction with the VX2 software. This may include information such as how often users use the software. This information is used to assess the effectiveness of our products and services. It may be shared with VX2’s partners for the purpose of evaluating the success of marketing programs.

The VX2 software and cookies: The VX2 software uses cookies to identify itself to the VX2 server. The cookie maintains a unique anonymous id for you as a user. We use this information to allow you to opt out of the VX2 service if you so choose. It is also used to organize the information in our database and help our artificial intelligence algorithms to discern the various preferences and interests of each user."

Some other portions are of interest:

"From time to time, VX2 may decide to update its software in order for it to work at its peak performance. Upgrades may include third party applications. Certain third party applications may have to be installed in order for the software to work properly. VX2 users are not responsible for these additions and/or updates, they will be done automatically in the background while you are surfing the web in order to cause the least amount of inconvenience to our users as possible."

Security Concerns

Suffice it to say that I would not trust these fools with my grocery list. Those who have already been had by this spyware should be concerned about Blackstone's security practices (or lack thereof) as they pertain to users' personal information.

Much of the information you see below was gathered thanks to bad password security and generally bumbling idiocy on the part of your friendly neighbourhood spyware company. (We did not "hack" into their systems; they gave out their (un-changed software default) admin password complete with detailed instructions online explaining how to log into the administration system :)  I stumbled on them when they came up in Google's search results. If you've ever wanted a sneak peek inside a spyware company, take the (un)Guided Tour.

For a period of a little over a week, Blackstone Data Transponder infectees may have seen this ad campaign, inserted into Blackstone's lineup by my fictional cohort, Jane Morgandorfer. (Think it may have had something to do with Blackstone changing their passwords? :) I deactivated the ad campaign when it caused the load on my server to suddenly quadruple, jumping from about 45k requests/day at that time to 170k. Apparently, Transponder infections are more widespread than I had previously thought.

This graphic, found on a Blackstone cohort's server, appears to give a detailed description of how Transponder works. Beware: apparently, the same idiots who run the Blackstone servers also did the graphic--much of the text is scrunched and very hard to read! The line "Periodic export to warehouse for mining & Direct mail" I found particularly unnerving.

Other in-the-clear files included keyword-hierarchy listings, code signers and what appear to be certificates and private keys (.spc, .pbk, .pvk).

Another anti-spyware advocate wandering Blackstone's unsecured servers obtained the complete C++ source code of the application. This has been very helpful in determining the software's capabilities and possible security concerns.

The newest incarnation, TPS108, was recently discovered among Blackstone's files. Some mild digging leads to an interesting find :)

The Bad Guys


Suspected Supporters  

Transponder Technology

I'm not suggesting ANY guilt on the part of the makers of these third-party tools used by AADCOM/Blackstone/etc. They are general-purpose software that has no apparent connection to these creepy scum.

Ad campaign insertion, management and billing are handled by OASIS (Open-source Ad Serving and Inventory System): http://oasis.sourceforge.net/

Communicating with Sputnik (VX2, yadayada) is done via Java servlets at transctl*.blackstonedata.net and transctl*.vx2.cc, which are for all intents and purposes the same server (e.g. when accessing a bogus file on blackstonedata.net, *.vx2.cc is listed on the 404 error page). The servlets are run with Caucho Technologies' Resin 2.0.2 software: http://www.caucho.com/

The data for OASIS and other things is stored in an SQL database, periodically exported to Mindset Interactive and NetGeo.

Whois Data (further evidence that many of these companies are in fact one and the same)

blackstonedata.com
  Registrant:
  Blackstone Data Corporation (BLACKSTONEDATA-DOM)
     PO Box 27103 C/o VX2 Corporation
     Las Vegas, NV 89126
     US

VX2.cc
  Registrant:
  vx2 (VX52-DOM)
     po box 27103
     Las Vegas, NV 89126
     US

Both list a Hotmail address as their admin, tech. and billing contact.

aadcom.com
  Registrant:
  AADCOM (AADCOM2-DOM)
     34700 Pacific Coast Hwy
     Capistrano Beach, CA 92624
     US

Admin., etc. contact is at internettechcorp.com
 

Transponder Advertisers

These advertisers are currently listed as active in Blackstone's system. However, some of them are test entries and many have invalid billing addresses. A number of these are listed as having unpaid invoices. (Maybe has something to do with the invalid billing addys? :)
 

AADcom.com Ad Power Zone alinq.com alinq468 ARS
Barnes And Noble (test) Bettergolf Bid Clix Casino CasinoOnNet
Civil War Facts Inc (test) creditcardmenu CyberErotica Fast Cash Feature Price
HomeGain JDR Media kentucky Lending Universe LowerMyBills
Magellan Magellan: Team Nova & Trim Life Mindset Opt-In / Opt-Out MyInk.com New York Times (test)
NextCard No Credit Card Needed OASIS OptionHotline Orbitz
Playsys PriceQuotes Pyramid Casino Shockwave Marketing SlickStreet
Steve Smith Test Advertiser TEST PYRAMIDCASINO The Baby Outlet Traffix
TranzAct Media X10.com Zmedia
 

 

Windows Failure issue associated with Transponder
 
It has been reported to me that a number of users have experienced complete failure of MSIE and Windows Explorer as a result of infection by the Transponder parasite. The common symptoms are that Internet Explorer will not start at all (nothing happens), and trying to restart Windows Explorer only repaints the existing desktop. One such occurrence was reported on a Windows 2000 system. The symptoms cleared up once Transponder/VX2 was removed.



NEWS CONTENTS

Old News ;-)

Symantec Security Response - Adware.Binet

SpywareInfo Support Forums - Security Warnings

ABetterInternet.B
Overview

ABetterInternet.B shows advertisements based on the web pages you view and the web sites you visit. ABetterInternet.B may update itself without any input or user interaction, install third party software and add links to your desktop. It will also hijack the browser's error page.

From the developer:

During the process of accepting this Agreement, downloading and/or using the Software, you may be offered the opportunity by BetterInternet to download software ("Third Party Software") from third party software vendors ("Third Party Vendors") pursuant to the terms of sublicense agreements or other arrangements between BetterInternet and yourself or between the Third Party Vendors and yourself ("Third Party Software Agreements"). To enable BetterInternet to provide its Software, BetterInternet collects certain types of non-personally identifiable information about individuals who are served ads by the Software.
By installing the Software, you understand and agree that the Software may, without any further prior notice to you, automatically perform the following: display advertisements of advertisers who pay a fee to BetterInternet; display links to and advertisements of related websites based on the information you view and the websites you visit; store non-personally identifiable statistics of the websites you have visited; redirect certain URLs including your browser default 404-error page to or through the Software; automatically update the Software and install added features or functionality conveniently without your input or interaction; and install desktop icons and installation files and third-party software.
Source

Classification
Adware

Files
Belt.exe, Belt.ini

Vendor
BetterInternet Inc

Variants
ABetterInternet ABetterInternet.B ABetterInternet.C ABetterInternet.D ABetterInternet.E

End User License Agreement
2003-11-22

Privacy policy
2003-11-22

Detection
Bazooka Adware and Spyware Scanner detects ABetterInternet.B. Bazooka is freeware and detects spyware, adware, trojan horses, viruses, worms, etc.


Manual removal

Please follow the instructions below if you would like to remove ABetterInternet.B manually.

  1. Start the registry editor. This is done by clicking Start then Run. (The Run dialog will appear.) Type regedit and click OK. (The registry editor will open.)
  2. Browse to the key:
    'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run'
  3. In the right pane, delete the value called 'Belt', if it exists.
  4. Exit the registry editor.
  5. Restart your computer.
  6. Delete %WinDir%\Belt.exe
    Note: %WinDir% is a variable. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\WINNT (Windows NT/2000).
  7. Start Microsoft Internet Explorer.
  8. In Internet Explorer, click Tools -> Internet Options.
  9. Click the Programs tab -> Reset Web Settings.
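The removal steps above come down to one Run value and one file. The same two indicators show up in a HijackThis log as an O4 line (the form quoted elsewhere on this page: O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe). As an added example that is not part of the original page or of Bazooka's tooling, the following Python parses such O4 lines and flags entries by either the value name or the image file, so a log can be triaged before anyone opens regedit. The sample lines are constructed; Susp.exe is included because a later section of this page describes it as Belt.exe's twin.

```python
import re

# Indicators from this page: the Run value name and image the steps above remove,
# plus Susp.exe, which a later section describes as a twin of Belt.exe.
KNOWN_RUN_NAMES = {"belt"}
KNOWN_IMAGES = {"belt.exe", "susp.exe"}

# Registry-backed HijackThis O4 lines look like:
#   O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
# "Global Startup"/"Startup" folder O4 lines use a different layout and are skipped here.
O4_LINE = re.compile(
    r"^O4\s*-\s*(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$",
    re.IGNORECASE,
)


def image_basename(cmd):
    """Lower-cased file name of the executable in a Run command (quotes and arguments stripped)."""
    m = re.match(r'\s*"?(?P<path>[^"]*?\.exe)"?', cmd, re.IGNORECASE)
    if m:
        path = m["path"]
    else:
        parts = cmd.split()
        path = parts[0] if parts else ""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_o4(line):
    """Dict with hive, key, value name, command and image for a registry O4 line, else None."""
    m = O4_LINE.match(line.strip())
    if m is None:
        return None
    return {
        "hive": m["hive"].upper(),
        "key": m["key"],
        "name": m["name"],
        "cmd": m["cmd"].strip(),
        "image": image_basename(m["cmd"]),
    }


def flag_transponder_autoruns(lines):
    """Parsed O4 entries matching a known value name or image, each with the reason(s)."""
    flagged = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = []
        if entry["name"].lower() in KNOWN_RUN_NAMES:
            reasons.append("value name")
        if entry["image"] in KNOWN_IMAGES:
            reasons.append("image file")
        if reasons:
            entry["reason"] = ", ".join(reasons)
            flagged.append(entry)
    return flagged


# Constructed sample log excerpt (the first line is the form quoted on this page).
SAMPLE_HJT = [
    r"O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe",
    r"O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE",
    r'O4 - HKCU\..\Run: [Updater] "C:\Documents and Settings\user\Local Settings\Temp\Susp.exe" /s',
    r"O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE",
]

if __name__ == "__main__":
    for e in flag_transponder_autoruns(SAMPLE_HJT):
        print(f'{e["hive"]}\\..\\{e["key"]} [{e["name"]}] -> {e["image"]}  ({e["reason"]})')
```

Checking the image file as well as the value name matters because the value name is whatever the installer chose; the third sample line is flagged only because its command runs Susp.exe out of a Temp directory, which is the location the forum post on this page reports for Belt.cab.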


WinXP belt.exe - Tech Support Guy Forums

O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe

Services:
Posts: 140 HELP Download trojan virus Belt.exe

I have Norton antivirus
it has latest definitions
today it identified a virus
report says

Belt.exe within C:\Documents and settings\one of my user names\Local settings\Temp\Belt.cab is infected with the Download Trojan virus

There were 2 files.
Tried to quarantine them; 1 did but no joy with the other.
Tried to delete that one and it says it can't.

Read up on their further recommendations and it says to disable restore (on XP) and scan in safe mode. Have done this; it detected it but was unable to fix it.

Tried Ad-Aware and Spybot; found loads of stuff but not what I was looking for.

Have looked on Google and am now onto my third trojan detection program.

It has detected loads of stuff but still not the one I'm looking for.

I'm now stuck, over to you guys, any ideas?

Transponder Gang Historical Timeline - VX2, Blackstonedata, Better Internet, Direct-Revenue, and NetPal

Belt.exe and Susp.exe
Belt.exe and Susp.exe is part of the Transponder Better Internet Gang
Dec 11, 2003

As of Dec 10, 2003, I now have a sample of every known transponder from the first one that appeared in 1999 (IEHelper.dll) to the two newest ones that are now being seen on the Internet which are Belt.exe and Susp.exe.

Although many think both are trojans or viruses, they are in fact programs that work in conjunction with the Bi.dll for management of the popup advertising that is foisted by offeroptimizer.com which is registered to Alan Murray.

From inside the code of the Belt.exe and Susp.exe, they both have the same coding and information which directly links Better Internet Inc. to IPInsight.com that is not accessable but its server still is and is registered to Daniel Kaufman that was the CEO of Dash.com with Joshua Abram who is linked to Direct-Revenue.com and aBetterInternet.com, and the rest of the transponder sites with Alan Murray. All of which can be linked to Blackstonedata and VX2.cc.

The files:
Belt.exe
Modified: Friday, August 15, 2003, 3:18:20 PM
Size: 80.0 KB (81,920 bytes)
Version: 0,1,1,3
Company: Better Internet Inc.

Container Belt.cab contains Belt.exe, Belt.ini, Belt.inf

Two known paths are to the Belt.cab and the Belt.exe
hxxp://69.20.5.39/download/cabs/BI5101/Belt.cab
hxxp://69.20.5.39/download/cabs/BI5101/belt.exe


Susp.exe
Modified: Friday, August 15, 2003, 4:18:20 PM
Size: 80.0 KB (81,920 bytes)
Version: 0,1,1,3
Company: Better Internet Inc.

Container Susp.cab containing Susp.exe, Susp.ini, Sups.inf

The Code I found using NotePad:

Belt.exe code

V S _ V E R S I O N _ I N F O

S t r i n g F i l e I n f o 0 4 0 9 0 4 b 0

C o m m e n t s

C o m p a n y N a m e B e t t e r I n t e r n e t I n c

F i l e D e s c r i p t i o n

w w w . a b e t t e r i n t e r n e t . c o m 6

F i l e V e r s i o n 0 , 1 , 1 , 3

I n t e r n a l N a m e F

L e g a l C o p y r i g h t C o p y r i g h t © 2 0 0 2

L e g a l T r a d e m a r k s

O r i g i n a l F i l e n a m e

P r i v a t e B u i l d

P r o d u c t N a m e :

P r o d u c t V e r s i o n 0 , 1 , 1 , 3

S p e c i a l B u i l d D

V a r F i l e I n f o $

T r a n s l a t i o n

S e n t r y S t u b . e x e i s a s t u b i n s t a l l e r

f o r t h e c o m p a n y ' s I P - S e n t r y

a p p l i c a t i o n - b o t h d i s t r i b u t e d b y

I P - I n s i g h t C o r p o r a t i o n , a D e l a w a r e

C o r p o r a t i o n .

P l e a s e s e e h t t p : / / w w w . i p i n s i g h t . c o m f o r m o r e d e t a i l s

Susp.exe code


V S _ V E R S I O N _ I N F O

S t r i n g F i l e I n f o `0 4 0 9 0 4 b 0

C o m m e n t s

C o m p a n y N a m e B e t t e r I n t e r n e t I n c .

F i l e D e s c r i p t i o n

w w w . a b e t t e r i n t e r n e t . c o m 6

F i l e V e r s i o n 0 , 1 , 1 , 3

I n t e r n a l N a m e F

L e g a l C o p y r i g h t C o p y r i g h t © 2 0 0 2

L e g a l T r a d e m a r k s

O r i g i n a l F i l e n a m e

P r i v a t e B u i l d

P r o d u c t N a m e :

P r o d u c t V e r s i o n 0 , 1 , 1 , 3

S p e c i a l B u i l d D

V a r F i l e I n f o $

T r a n s l a t i o n

S e n t r y S t u b . exe is a s t u b i n s t a l l e r f o r

the c o m p a n y ' s I P - S e n t r y a p p l i c a t i o n

- b o t h d i s t r i b u t e d b y I P - I n s i g h t C o r p o r a t i o n ,
a D e l a w a r e C o r p o r a t i o n .
P l e a s e s e e h t t p : / / w w w . i p i n s i g h t . c o m f o r m o r e d e t a i l s .
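Both dumps above are what Notepad makes of UTF-16LE text: each character is stored as its byte followed by a zero byte, and Notepad renders the zero bytes as blanks, hence "C o m p a n y N a m e". The ordinary strings tool has the same blind spot, because by default it looks for runs of single-byte printable characters. The following is an added example, not from the original page or from the poster quoted above: a Python extractor for UTF-16LE strings that recovers the VERSIONINFO key/value pairs from such a binary, run here on a constructed byte blob that imitates the resource layout (it is not a real Belt.exe or Susp.exe sample).

```python
import re


def _u16(s):
    """Encode a string as UTF-16LE with its two-byte terminator."""
    return s.encode("utf-16-le") + b"\x00\x00"


# Constructed stand-in for part of a PE file's VS_VERSION_INFO resource: UTF-16LE strings
# with NUL terminators, surrounded by bytes that are not text. It is not a real sample
# of Belt.exe or Susp.exe; only the layout (key string followed by value string) is copied.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00" + bytes(range(0, 16))
    + _u16("VS_VERSION_INFO") + b"\xbd\x04\xef\xfe"
    + _u16("StringFileInfo") + _u16("040904b0")
    + _u16("CompanyName") + _u16("Better Internet Inc.")
    + _u16("FileDescription") + _u16("www.abetterinternet.com")
    + _u16("FileVersion") + _u16("0, 1, 1, 3")
    + b"plain ascii marker\x00" + bytes(range(200, 256))
)


def extract_ascii_strings(data, min_len=4):
    """Runs of printable single-byte characters, i.e. what `strings` finds by default."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def extract_utf16le_strings(data, min_len=4):
    """Runs of printable ASCII stored as UTF-16LE (each byte followed by 0x00), like `strings -el`.

    Notepad shows exactly these runs as spaced-out letters, because it renders
    every 0x00 as a blank.
    """
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]


def version_info_fields(data, keys=("CompanyName", "FileDescription", "FileVersion", "ProductVersion")):
    """Map each requested VERSIONINFO key to the UTF-16LE string stored right after it.

    This works because VERSIONINFO writes a key immediately before its value; the
    alignment padding between them is zero bytes, which end a run but do not
    reorder the strings.
    """
    strings = extract_utf16le_strings(data)
    found = {}
    for i in range(len(strings) - 1):
        key = strings[i]
        if key in keys and key not in found:
            found[key] = strings[i + 1]
    return found


if __name__ == "__main__":
    print("8-bit strings only :", extract_ascii_strings(SAMPLE_BLOB))
    print("UTF-16LE strings   :", extract_utf16le_strings(SAMPLE_BLOB))
    print("version info       :", version_info_fields(SAMPLE_BLOB))
```

On a real file, pass the whole file contents to version_info_fields. The single-byte extractor sees only the ASCII marker in the sample, while the 16-bit-aware one recovers the company, description and version fields that the poster above had to read off the Notepad window by eye.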

The Original Sentry.exe from IP-Insight
File Properties:

Company: IP-Insight Corporation

Sentry.exe

Size: 76.0 KB (77,824 bytes)

Version: 0, 0, 1, 3

Internal Name: SentryStub

Original Name: SentryStub.exe

Product Name: IP-Sentry Stub

Comments: SentryStub.exe is a stub installer for the company's

IP-Sentry application -both distributed by IP-Insight Corporation, a

Delaware Corporation. Please see http://www.ipinsight.com for more details.

NOTE: Ad-Aware 6.181 with current Reference file detects all 3 objects


Recommended Links


Transponder AdWare Program (Guest)


Information about Transponder (and derivatives)


SpywareInfo: Aadcom


and.doxdesk.com Parasite Detection Script - Alerts you if you have VX2, Toptext, etc. parasites installed!


BHO Cop - Hypnos' article on thehun.net walks you through using BHO Cop to remove Transponder.
Transponder Video from Hypnos - An informative video showing the Transponder parasite in action on an infected system. Note: In the video are pictures of "adult" popup ads--as always, view at your own discretion.


VX2 Homepage - some mentions of what it does and removal info.
 

Credits

Blackstone Data Transponder was and continues to be among the most difficult pieces of spyware to research. This would not be possible without the huge amounts of help and information provided by Robert (dualsmp), Dingo (SpywareInfo), Andrew (and.doxdesk.com) and others, as well as the grc.spyware community. A big thanks to everyone!

If I have forgotten anyone, please let me know!

"All trademarks are hereby acknowledged as the property of their respective owners." So don't even THINK about suing me :)
 



ABetterInternet

ABetterInternet is adware that generates targeted popup ad windows based on the URLs and web pages you visit. According to its vendor BetterInternet, the adware redirects certain URLs, including your browser's default 404 error page, to or through the program. It will also automatically update itself and install added features or functionality without the user's notice. It can slow down the browser.

Vendor

BetterInternet, LLC

Mailing Address

459 Broadway 4th Floor New York, NY 10013

Email

contact@abetterinternet.com

URL

http://www.abetterinternet.com

Date of Origin

January, 2003

Can be removed using Microsoft Windows Defender.

Overview:
VX2 is primarily a data-mining form of spyware that monitors your activity and phones home. It can also install additional programs without your knowledge, which tends to bring in pop-ups and other bugs. Nothing good comes from this and it should be removed immediately. It can be pretty hard to remove completely from your system.

Aliases:
VX2, NetPal, Sputnik, VX2 RespondMiter, VX2.ABetterInternet, Transponder, Blackstone Data's Transponder, Blackstone Data's Transponder

End Processes (may or may not exist):
cgetwy.exe
deletelockedfiles.exe
mypbtn.exe
unins000.exe

Unregister DLLs:
Tip:
this is only a list of known files/locations. You will want to do a search by the name of the file to see if they're on your system.
A while back I wrote a guide to Register/remove DLL or AX files which you will need if you don't know how to unregister these files.

Each file is in several locations so you'll need to search for them and unregister + delete them in every location you find.

6eo4svc.dll
6fo4svc.dll
6uo4svc.dll
msview.dll
cleanhistories.dll
ehelper.dll
iehelper.dll
kernellos.dll
psapi.dll
sitehlpr.dll
vx2.dll

Remove Directories:
%program_files%\netturbotrial
%program_files%\common files\betterinternet
%programfilesdir%\clean get-away
%programfilesdir%\my panicbutton

Clean your Registry:

You should be back to normal IF this was your only problem. I suggest you post in our HJT forum since it's not likely that this is your only bug. Read this first

Webhelper4u - Webhelper4u - The VX2 Direct Revenue-aBetterInternet Fifth Columnists Transponder Gang

Introduction About the Transponder Gang: What Are Transponders
The transponder adware gang is one of the oldest and possibly the most dangerous of all the groups on the Internet today because of the way they operate, the large amount of transponder variants and component files that infest users computers and transmit users computer and personal information to multiple servers around the Internet.

The transponder adware gang may be also the most complex in the partners, advertising clients, and large amounts of domains and file servers they maintain.

Just what is a transponder? According to Webster Dictionary, a Transponder is "a radio or radar set that upon receiving a designated signal emits a radio signal of its own and that is used especially for the detection, identification, and location of objects".

The same could be said of the transponder adware variants:
One of the transponder variant BHO (Browser Helper Object) dll’s that once installed transmits three types of signals to its controlling server.

The first is called a ROUTIN CHECKIN. This one transmits the user's information, along with a unique ID given with the product that was installed, to the controlling server, which creates or updates the user's profile in their online database.

The second is called MOTTS CHECKIN, which transmits the user's information and checks for updates to reinstall or new objects that need to be installed. This transmission also updates their .ini files and cookies, which help the offeroptimizer.com ad server send back signals that generate pop-up ads on the user's computer.

The last type is the standard transmission that sends the user's data to its controlling server and any third-party ad servers, tracks the user's surfing habits, and collects and transmits any information from online forms filled out by the user from any of the pop-up ads generated by offeroptimizer or through their third-party ad server partners and affiliates.


Through the years since 1999, when their Blackstonedata transponder IEHelper.dll appeared after their partner Daniel Kaufman closed down his Dash.com (thus ending the Dashbar, one of the first to collect users' information and track their surfing and online buying habits), they have been and are still known by many names, of which "viruses" and "trojans" are not correct, as this is pure adware and trackware.

keywords that they are known by right now are:

VX2, Bi, twaintec, mxtargeting, localnrd, multimpp, offeroptimizer,zserv,dlmax,pynix, badurl.grandstreetinteractive, BetterInternet, Direct Revenue, Conscorr.exe, Alchem.exe, Belt.exe, Susp.exe, Ipinsight, IP Sentry.exe, plus probably more.....

No matter what they are called, they all are the same adware that all have the same functions in that they collect users information, track their surfing, foist unwanted popup ads, and transmit the data to one of their many servers all belonging to the same group and their partners.

Through the years since 1999 and especially today, they are known by many names from their adware variants and the sites that were used and those used today.

The major variants both past and present are:

  • Blackstonedata Transponder - IEHelper.dll (now dead)
  • VX2 RespondMiter (now dead)
  • TPS108 - TPS108.dll (porn variant) (now dead)
  • MSView - MSView.dll (porn variant) (now dead)
  • DHost - host.dll (stop-popup-ads-now.com)
  • DBi - bi.dll (abetterinternet.com)
  • Twaintec - twaintec.dll (twain-tech.com)
  • mxtarget - mxtarget.dll (mx-targeting.com)
  • VoiceIP - VoiceIP.dll (freephone.cc)
  • MultiMPP - MultiMPP.dll (MultiMPP.com)
  • LocalNrd - LocalNrd.dll (LocalNrd.com)
  • ZServ - zserv.dll ( ZServ.biz)
  • DLMax - DLMax.dll (dlmax.biz)
  • pynix - Pynix.dll (pynix.com)
  • morphacl - undiscovered variant
  • kz515.dll -

    For full details see - Transponder Files

Processes:

abiuninst[1].exe
bho_prob.exe
bih.exe
deletelockedfiles.exe
emqvdm.exe
holidaym.exe
lkmkrlj.exe
ltioc.exe
mm_reco.exe
package_adp_siac[1].exe
profilepath+\local settings\temp\alchem.exe
profilepath+\local settings\temp\banner.exe
profilepath+\local settings\temp\belt.exe
profilepath+\local settings\temp\biprep.exe
profilepath+\local settings\temp\preinsbi.exe
profilepath+\local settings\temporary internet files\content.ie5\ot2jqp0h\bi[1].exe
qbuninstaller.exe
randreco.exe
snkqzj[1].exe
systemroot+\belt.exe
systemroot+\bi.exe
systemroot+\inst\3p.exe
systemroot+\lastgood\biprep.exe
systemroot+\preinsbi.exe
systemroot+\system32\59ac6bev.exe
systemroot+\temp\biprep.exe
thin-114-1-x-x[1].exe
thin-149-1-x-x.exe
thin-8-1-x-x.exe
thin-94-2-x-x.exe
thnall2c.exe
thnall5c[1].exe
vcmnet11.exe
wupdsnff.exe
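The listings above use a root+\ prefix for location-specific files (systemroot+, profilepath+, programfilesdir+) and bare names for files that may sit anywhere, and the msg{GUID}NNNN.dll names differ from one install to the next. As an added example that is not from Webhelper4u or the original page, the following Python expands that notation and checks a directory listing against it. The root values, the file listing and the second GUID are constructed for the example; the indicator entries themselves are copied from the lists on this page.

```python
import re

# Values the page's root placeholders expand to on a typical Windows XP machine.
# These concrete paths are assumptions for the example; on a real system use the
# environment of the machine being examined.
ROOTS = {
    "systemroot": r"c:\windows",
    "profilepath": r"c:\documents and settings\user",
    "programfilesdir": r"c:\program files",
}

# A subset of the indicators listed on this page, in the page's own notation:
# "root+\path" entries are bound to a location, bare names may be anywhere.
INDICATORS = [
    r"systemroot+\belt.exe",
    r"systemroot+\bi.exe",
    r"systemroot+\system32\bi.dll",
    r"profilepath+\local settings\temp\belt.exe",
    r"profilepath+\local settings\temp\drtemp\ceres.dll",
    r"programfilesdir+\common files\betterinternet\ssuvtmr.dll",
    "bih.exe",
    "abiuninst[1].exe",  # "[1]" is Internet Explorer's cache-duplicate suffix, matched literally
    "bi.dll",
]

# The msg{GUID}NNNN.dll names differ per install, so they are matched as a pattern.
GUID_DLL = re.compile(
    r"^msg\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}\d{4}\.dll$"
)
ROOT_PREFIX = re.compile(r"^(\w+)\+\\(.*)$")


def normalise(path):
    """Lower-case with backslash separators, so comparisons are case-insensitive like NTFS."""
    return path.replace("/", "\\").lower()


def expand(indicator):
    """'root+\\rest' -> full lower-case path; a bare file name is returned lower-cased."""
    ind = normalise(indicator)
    m = ROOT_PREFIX.match(ind)
    if m is None:
        return ind
    root, rest = m.groups()
    return ROOTS[root] + "\\" + rest


def classify(path):
    """Return the indicator (or 'msg{GUID}NNNN.dll') that a file path matches, else None."""
    p = normalise(path)
    name = p.rsplit("\\", 1)[-1]
    if GUID_DLL.match(name):
        return "msg{GUID}NNNN.dll"
    for indicator in INDICATORS:
        expanded = expand(indicator)
        if "\\" in expanded:
            if p == expanded:  # location-bound: the whole path must match
                return indicator
        elif name == expanded:  # bare name: match in any directory
            return indicator
    return None


def scan_listing(paths):
    """(path, indicator) for every path in a directory listing that matches an indicator."""
    return [(path, classify(path)) for path in paths if classify(path) is not None]


# Constructed directory listing. The first GUID is one quoted on this page, the second is made up.
SAMPLE_LISTING = [
    r"C:\WINDOWS\Belt.exe",
    r"C:\WINDOWS\system32\msg{10d1ea6f-2635-4aa0-9f1e-c06ab193eca0}0111.dll",
    r"C:\WINDOWS\system32\msg{0f0f0f0f-1111-2222-3333-444444444444}0112.dll",
    r"C:\Documents and Settings\user\Local Settings\Temp\drtemp\ceres.dll",
    r"C:\Program Files\Common Files\BetterInternet\ssuvtmr.dll",
    r"C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\abiuninst[1].exe",
    r"C:\WINDOWS\system32\msgsvc.dll",
    r"C:\Program Files\Common Files\System\ado\msado15.dll",
    r"D:\tools\belt.exe",
]

if __name__ == "__main__":
    for path, indicator in scan_listing(SAMPLE_LISTING):
        print(f"{indicator:60} {path}")
```

The location-bound entry for belt.exe deliberately does not fire on D:\tools\belt.exe: the lists distinguish files that live in a known place from names that can be anywhere, and a name to be matched regardless of location is added as a bare entry as well. The GUID pattern catches only well-formed GUIDs, so the two entries on this page with a dropped hyphen or a stray "o" in the hex would have to be listed literally.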

Process File: Susp or Susp.exe
Process Name: abetterinternet spyware

Description:
Susp.exe is an advertising program by abetterinternet spyware. This process monitors your browsing habits and distributes the data back to the author's servers for analysis. This also prompts advertising popups. This program is a registered security risk and should be removed immediately. Please see additional details regarding this process

Process File: ceres.dll
Process Name: Abetterinternet Spyware Module


Description: ceres.dll is a module belonging to Ceres Abetterinternet Spyware



Recommended Links

Twain-Tech abettinternet Transponder Variant

HijackThis! Log Analyzer V1.1 

We ARE logging all submissions to this system to help us better serve you. We are now giving you a reference URL at the top of every log file which you can post in forums instead of reposting your complete log file. Also our staff will be sorting through these logs to add additional entries to the various databases we are searching. This means that with every new log you are contributing to these databases! We are looking for additional staff for building these DBs. If you are interested please help people in our HJT forum for a while and then PM an admin saying you'd like to help.

Databases being searched:
http://service.iamnotageek.com/
http://startup.iamnotageek.com/
http://www.iamnotageek.com/a/file_info.php
Tony Klein's BHO DB + our own additions.

Any feedback you can give us is appreciated! Please remember this is version 1.1 and we need some fresh new ideas for V2.0. Our primary goal for now will be adding as much data as we possibly can to the DB's.

Please paste your HJT log into this form. We will parse it and return some information that should help you determine what needs to be removed and what you can keep. Our DB was built to cover only the most popular filenames. Anything that appears to be a random filename is most likely bad! Anything not linked to in this system will need further investigation by you. You should always read and live by what we posted here. If you need further assistance please take your logs here.

eTrust Spyware Encyclopedia - ABetterInternet

eTrust Spyware Encyclopedia - ABetterInternet.Ceres

Here is a link to the Cease & Desist letter, a PDF file.

Vitalsecurity.org - A Revolution is the Solution Exploring Aurora

Threats Against Spyware Detectors, Removers, and Critics

Geeks To Go - abetterinternet, ceres, apropos, etc

ABetterInternet.imGiant

Webhelper4u - Webhelper4u - The VX2 Direct Revenue-aBetterInternet Fifth Columnists Transponder Gang

Spyware-Guide.com AbetterInternet

Manual Removal

How to remove Aurora-Nailfix - TechSpot OpenBoards

Method 1) Manually.
---------------------
NOTE: this text was copied from TheJoker on the BroadbandReports Forum http://www.broadbandreports.com/forum/remark,13685446

You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.

Please download, install, and update the free version of Ewido trojan scanner: http://www.ewido.net/en/download/

- When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
- When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
- From the main Ewido screen, click on update in the left menu, then click the Start update button.
- After the update finishes (the status bar at the bottom will display "Update successful")
- Exit Ewido. DO NOT scan yet.

Download CCleaner from http://www.ccleaner.com/ccdownload.asp and install, but do not run it yet.

Please download the Nail/Aurora Spyware Fix from http://www.noidea.us/easyfile/file....050515010747824. (Alternate download link: dknoppix mirror http://www.dknoppix.com/cgi-bin/download.cgi?Nailfix)

Unzip it to the desktop but do NOT run yet.

Reboot into Safe Mode. To do this with Windows XP, you can follow these steps from Microsoft:

- Restart your computer and start pressing the F8 key on your keyboard. On a computer that is configured for booting to multiple operating systems, you can press the F8 key when the Boot Menu appears.
- Select an option when the Windows Advanced Options menu appears, and then press ENTER.
- When the Boot menu appears again, and the words "Safe Mode" appear in blue at the bottom, select the installation that you want to start, and then press ENTER.

Once in Safe Mode, please double-click on nailfix.cmd that you unzipped earlier. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Next, run CCleaner.

- Uncheck "Cookies" under "Internet Explorer".
- If you are running Firefox, then click on the "Applications" tab and uncheck "Cookies" under "Firefox".
- Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.

Now run Ewido again.

- Click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
- If Ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
- When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

Then run HijackThis, click Scan, and place a checkmark by the following items:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
ANY O2 - BHO: that has (file missing)
ANY O2 - BHO: that has (no name) AND (no file)
ANY O3 - Toolbar: that has (no name) AND (no file)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
OR
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing).

Finally, restart your computer in normal mode and post a new HijackThis log (as an attachment with .txt extension), as well as the log from the Ewido scan.

=====================================================================================
Method 2) Automated, paid for.
--------------------------------
If the above is too complicated, you can download a trial version of Adware Away from: http://www.adwareaway.com/ which MAY get rid of it in trial-mode.
It DOES get rid of it in one go, if you BUY their program for $29.95

This is NOT a plug for them, and I can NOT verify that the program works as declared. I have not been infected (yet).

=====================================================================================
Method 3) Automated, free, BUT...
------------------------------------
Some forum-users have reported success, using the (free) spyware removal tool from
http://www.mypctuneup.com/evaluate.php?b=aurora
Do NOT go anywhere else on that website!

Others have used a similar (or the same?) tool, downloaded from www-abetterinternet-com, AKA DirectRevenue.

Big CAVEAT:
To the best of my knowledge, all three (mypctuneup, ABetterInternet and DirectRevenue) are one and the same dubious outfit!

DirectRevenue are the MAKERS of Aurora, for Pete's sake!!

Check this out first, before you decide to go the FREE way (I wouldn't):
http://netrn.net/spywareblog/archiv...hreatens-again/
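The HijackThis checklist in Method 1 above (the F2 Shell line, O2/O3 entries with no name and no file, the SvcProc service) applied mechanically to a log, as an added example that is not part of the page, of HijackThis, or of TheJoker's instructions. The sample log lines are constructed from entries quoted on this page, and the shell check generalizes the Nail.exe line to any program appended after Explorer.exe.

```python
"""Triage a HijackThis log for the Transponder/Aurora entries named in the
removal checklist.  Added example, not code from the original page."""
import re
from dataclasses import dataclass

# Every HijackThis finding line starts with a section code such as O2, O3, O23.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")

# Reasons a line is flagged; they mirror the checklist items.
SHELL_HIJACKED = "system.ini Shell= runs something besides Explorer.exe"
BHO_FILE_MISSING = "O2 BHO whose DLL is (file missing)"
BHO_NONAME_NOFILE = "O2 BHO with (no name) and (no file)"
TOOLBAR_NONAME_NOFILE = "O3 toolbar with (no name) and (no file)"
SVCPROC_SERVICE = "O23 'System Startup Service' (SvcProc) installed by Aurora/Nail"


@dataclass
class Finding:
    line: str
    reason: str


def triage_hjt_log(text: str) -> list:
    """Return the log lines the reader should check in HijackThis, with the reason."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines, blanks and "Running processes:" paths
        section, body = m.group("section"), m.group("body")
        reason = None
        if section == "F2" and body.startswith("REG:system.ini: Shell="):
            # Anything appended after Explorer.exe is launched at every logon.
            shell = body.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                reason = SHELL_HIJACKED
        elif section == "O2" and body.startswith("BHO:"):
            if body.endswith("(file missing)"):
                reason = BHO_FILE_MISSING
            elif "(no name)" in body and body.endswith("(no file)"):
                # "(no name)" alone is not enough: Spybot's SDHelper has no
                # name but a real file, so the checklist requires both.
                reason = BHO_NONAME_NOFILE
        elif section == "O3" and body.startswith("Toolbar:"):
            if "(no name)" in body and body.endswith("(no file)"):
                reason = TOOLBAR_NONAME_NOFILE
        elif section == "O23" and "(SvcProc)" in body:
            reason = SVCPROC_SERVICE  # flagged with or without "(file missing)"
        if reason:
            findings.append(Finding(line, reason))
    return findings


# Constructed sample log: entries quoted on this page plus benign ones.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsf31.dll (file missing)
O3 - Toolbar: (no name) - {38601801-2FF5-4A62-95DA-D2007161C1B4} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
"""

if __name__ == "__main__":
    for f in triage_hjt_log(SAMPLE_LOG):
        print(f"CHECK  {f.line}\n       {f.reason}")
```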

 

Examples

SWI Forums how to remove 'abetterinternet'

twine

Apr 4 2005, 06:14 AM

Hi, I have the malware 'abetterinternet' on my PC. I have been trying various things but cannot seem to remove it. I did post about this last night, but the heading was very poor and also my log will be different, so here is the fresh one:

Logfile of HijackThis v1.99.1
Scan saved at 12:14:32, on 04/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\blcorp\UWCSuite\WinMem\WinMem.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\interMute\SpySubtract\spysub.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\procexp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tesco.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiny.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tesco.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.tiny.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsf31.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [WinMem] C:\Program Files\blcorp\UWCSuite\WinMem\WinMem.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Gadwin PrintScreen 2.6] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\spysub.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} - (no file)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.tiny.com
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1099927694734
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/systemscan/soesysinfo.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/default/SCEWebLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{02140554-AFE2-4C51-8A9B-24ABE58B0620}: NameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CS3\Services\Tcpip\..\{02140554-AFE2-4C51-8A9B-24ABE58B0620}: NameServer = 194.168.4.100 194.168.8.100
O20 - Winlogon Notify: WB - C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe


jw50

Apr 8 2005, 01:25 PM

Hi twine, welcome to the forums.


Run HijackThis and place checks beside each of the following:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsf31.dll


After you check these items, close all browsers and windows, except for HijackThis, then click on the Fix Checked button on HijackThis.


Run HijackThis and post a new log.
 

twine

Apr 8 2005, 02:31 PM

Hi jw50, thanks for the help. I did what you required, only the third line you asked me to check wasn't there, this one: O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsf31.dll. Perhaps this was what I cured myself. But I did check the first two, so here is my new log:

Logfile of HijackThis v1.99.1
Scan saved at 20:30:51, on 08/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\GlobeSoft\AbuseShield\NTx\AbuseShieldSrv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\GlobeSoft\AbuseShield\NTX\ASTray.exe
C:\Program Files\blcorp\UWCSuite\WinMem\WinMem.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\interMute\SpySubtract\spysub.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tesco.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiny.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tesco.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.tiny.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [AbuseShieldTray] "C:\Program Files\GlobeSoft\AbuseShield\\NTX\ASTray.exe"
O4 - HKCU\..\Run: [WinMem] C:\Program Files\blcorp\UWCSuite\WinMem\WinMem.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Gadwin PrintScreen 2.6] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\spysub.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} - (no file)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.tiny.com
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1099927694734
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/systemscan/soesysinfo.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/default/SCEWebLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{02140554-AFE2-4C51-8A9B-24ABE58B0620}: NameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CS3\Services\Tcpip\..\{02140554-AFE2-4C51-8A9B-24ABE58B0620}: NameServer = 194.168.4.100 194.168.8.100
O20 - Winlogon Notify: WB - C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: AbuseShieldSrv - Globesoft AB - C:\Program Files\GlobeSoft\AbuseShield\NTx\AbuseShieldSrv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

 

jw50

Apr 8 2005, 03:07 PM

Hi twine,

That BHO was really the only thing that was bad in your log, it looks good now.

Are you still having any problems?


VERY IMPORTANT:
Your operating system and Internet browser are out of date. This can leave you seriously vulnerable to malware and hackers.
I strongly suggest you go to Windows Update and install all critical updates. To get to the Windows Update site using IE just click on Tools, Windows Update.


These are some recommendations that will significantly decrease the chances that you will have problems with malware in the future:

1) Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Microsoft Anti-Spyware

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Keeping these programs up-to-date and running them regularly can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
 

twine

Apr 9 2005, 09:28 AM

Everything seems OK now. I can resolve most issues on my PC, but with this VX2 I panicked because I couldn't get rid of it, hence the submission on this forum. I already have installed all the programs you recommend, although I haven't installed SP2 for XP yet. I may have to install it, albeit reluctantly. Thanks for your help in this matter.

jw50

Apr 9 2005, 02:40 PM

Glad we could help.

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

 

Home - The home of Spybot-S&D!

 

Webhelper - Direct-Revenue Transponder Gang Fifth Columnists Adware Sleeper Agents

Direct-Revenue - Vx2 Transponder Gang Fifth Columnists with Adware Sleeper Agents

Updated: 05/08/2017
 
 
Before I start, so that those reading this write-up will understand why I have entitled it "Direct-Revenue - VX2 Transponder Gang Fifth Columnists Adware Sleeper Agents", below you will find two sets of definitions, the first from the dictionary and the second my own definitions.
  
Transponder:  
Transponder according to Webster Dictionary:
A radio or radar set that upon receiving a designated signal emits a radio signal of its own and that is used especially for the detection, identification, and location of objects.
  
Webhelper Transponder definition as it relates to the Transponder Gang's adware variants
 
 
One of the transponder variant DLLs that, once installed, transmits three types of signals to its controlling server.

The first is called a ROUTIN CHECKIN. This one transmits the users information along with a unique ID given along with the product that was installed to the controlling server, which creates or updates the users profile in their online database.  

The second is called MOTTS CHECKIN which transmits the users information and checks for updates to reinstall or new objects that need to be installed. This transmission also updates the .ini files and cookies of theirs that will help the offeroptimizer.com ad server send back signals that will generate pop up ads on the users computer.  

The last type is the standard transmission that sends the users data to its controlling servers, and any third party ad servers, tracks the users surfing habits, and collects and transmits any information from online forms filled out by the user from any of the popup ads generated by the offeroptimizer or through their 3 rd party ad server partners and affiliates.
 
 

Dictionary definition of a Fifth Columnist
 

Secret or subversive group: a secret or subversive group that seeks to undermine the efforts of others and promote its own ends.
 
 
Dictionary definition of Sleeper Agent:
 

Spy inactive until called into action: a spy or secret agent who lives an ordinary life until called into action.
 
Now my own definitions of Fifth Columnists and Adware Sleeper Agents
 
 
Adware Fifth Columnist:
 
Online marketing groups that seek to undermine the efforts of users to rid themselves of unwanted infestations of the marketing group's adware.
 
 
Adware Sleeper Agents:
 
Adware files that are inactive until called into action by scripts embedded in web site pages. These files are the remains of past infestations that were never detected because they were never active, usually living in temp folders or the Downloaded Program Files folder and hidden from view of the average user.
 

 
As of December 26, 2004, I ran an infestation of the Transponder gang's LocalNRD.dll transponder BHO adware variant and went to MyPcTuneup.com to uninstall their adware per #12, Termination and Removal of Software, of their EULA (End User License Agreement) at abetterinternet.com, where they state the following:

From their EULA at abetterinternet.com
 
 
By entering into this Agreement, you represent to BetterInternet that you have intentionally chosen to install the Software and that you will personally uninstall the Software from your computer if you no longer wish the application to be present on your computer by going to http://mypctuneup.com/.

While you may choose to delete the Software from your computer at anytime by following the instructions herein, some third party applications may attempt to delete, disable or modify the Software with or without notice to you. You further represent to BetterInternet that BetterInternet may store a cookie, computer file or other unique identifier on your computer to identify you and automatically repair or reinstall the Software if any third party application attempts to delete, disable or modify the Software. BetterInternet may terminate this Agreement or your right to continue to use the Software at any time.

Further, you agree that you will not initiate, permit, authorize or assist any third party or application to remove the Software from your computer, or disrupt its operation or the operation of any other user. You agree that removal of the Software from your computer will only be performed by you pursuant to the instructions set forth herein.

The above EULA entries become even clearer when reading the Direct Revenue portfolio write-up by the gang's newest software developer, Envion Software, whose code they have started using in the transponder variants and the other component files they use:
 

DirectRevenue

For this provider of contextual advertising services to Internet-based marketers, Envion Software developed a remarkable Windows application that is co-installed with Direct Revenue's modules by users who sign up for its marketing. Our app collects data from their systems (installed hardware and software), and watches for any changes to the system configuration or any attempts to remove Direct Revenue's modules. Our app also monitors for any anti-virus or firewall programs that try to block or interfere with the modules. We are currently developing the data encryption piece for the client machines.
(12/27/2004, Envion Software, http://envionsoftware.com/portfolio/directrevenue/)

 

What the above EULA and Envion Software statements really mean is that the gang is starting to act like Fifth Columnists who place sleeper agents on users' computers so that they can re-infest those computers later without the users' knowledge or permission. They do this by stating that it is illegal to use other third-party security software like Ad-aware, Pest Patrol, or even anti-virus and firewall software like that from McAfee to help detect and remove the transponder adware, and that users must use only their uninstaller at Mypctuneup.com.

In fact, right now many of the transponder files contain hidden XML code that lists the above third-party security software. Taken together with Envion Software's statements ("...any attempts to remove Direct Revenue's modules... monitors for any anti-virus or firewall programs that try to block or interfere with the modules"), it looks like they are setting up software that, when called from a script served by a site or a rotational ad server, could stop or delete users' anti-virus and firewall software to ensure they can re-infest users' computers without being blocked, and could also stop or delete Ad-aware and Pest Patrol if that security software tries to detect and remove their transponder adware, which they state they will do per their EULA.

When I infested myself with their localNRD.dll transponder variant, it registered localNRD.dll as a BHO (Browser Helper Object), loaded it as a process, and made over 10 registry entries. They also install various other executable files; one of them, their Polall*.exe (the calling-home component), generates a 38 KB executable file in the user's Windows folder and an entry in the HKLM Run key of the registry called mnklins.exe.

As of 12/26/2004, this file, mnklins.exe, has replaced the kzgasg.exe that was being created in earlier infestations. It is the file that, when it transmits, actually calls for new installs and updates and/or re-infests users, while the transponder BHO variant localNRD.dll transmits the user's data and handles the calls for pop-up ads.

Along with LocalNRD.dll came two other executables, conscorr.exe (the IPinsight Sentry.exe) and ln_reco.exe, plus a third, randreco.exe, that was downloaded during the transponder's first check-in transmission. Each of them contains the hidden XML code.

These files, along with mnklins.exe, all transmit at one time or another and are used to update, install new third-party adware, and reinstall any missing transponder adware on the user's computer.

Their Mypctuneup.com uninstall process has gone through at least three changes in the six months since they first started offering help in uninstalling their transponder adware. The first was an online submission form, the second a direct link to their uninstaller, and now the third is a direct download of their uninstaller to run.

The first uninstall process found at Mypctuneup.com required users to fill out and submit an online form requesting the link to their uninstaller. This usually took up to seven days before an email came back with a special link containing a validation code. Once you clicked the link, you then had to fill in a special form with another validation code, which would run an online scan of the computer for any BHO registry entry of their transponder variants. If one was found, users were required to run an install of their Remall.exe, which deleted only the BHO registry entry and then dropped a file named Killpol.exe that deleted any IPinsight Sentry executables in the HKLM Run key of the registry and the file in the Windows folder. What was bad is that if a user had the mxtarget.dll variant, it would transmit after remall.exe was run and download an mx_reco.exe that would transmit and re-infest the mxtarget.dll variant and its file components before the user had a chance to restart the computer to unload the BHO from the processes.

 

Their second process came about only about two months ago. It dropped the emailing of the validation code, and the scan could be run immediately, with the same results as the first uninstall process. However, it was here that they added their new uninstaller file, which is the one now being used; it was offered only after the first scan was completed or after a message that none of their partners' adware was found.

 

Their latest uninstaller process uses their newest uninstaller file, which still requires users to be connected and to enter a validation code, but only after they have downloaded the uninstaller file and run it.


 

Even though the transponder gang has changed the process for using their uninstallers, what is scanned and actually cleaned remains unchanged. Of all the files and registry entries made by a transponder infestation, the uninstaller does only two things. First, it scans the Internet Explorer Browser Helper Objects area of the registry, and if one of their variants is found, the uninstaller file thunstall.exe deletes the registry entry and unloads the DLL variant from the computer's processes. Second, it scans the HKLM Run key of the registry, and if it finds their calling-home file, which right now is mnklins.exe, it deletes that file.
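The write-up describes two persistence points for a LocalNRD.dll infestation (the BHO registration and the HKLM Run entry for mnklins.exe) and notes that the Mypctuneup.com uninstaller touches only those two, leaving conscorr.exe, ln_reco.exe and randreco.exe behind. The Python script below is an added example, not the write-up's or Direct Revenue's code: it enumerates registered BHOs, resolves each CLSID to its DLL through HKCR\CLSID\{clsid}\InprocServer32, lists the HKLM Run entries, and flags any image whose file name matches a transponder component named on this page. The registry is modelled as a flat dict so the logic runs on any platform; SNAPSHOT and its two GUIDs are constructed for the example, and load_live_registry() (winreg, Windows only) fills the same structure from a real machine.

```python
"""Audit IE Browser Helper Objects and HKLM Run entries for Transponder-style
artifacts.  Added example; not the write-up's or the adware vendor's code."""
import re

BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Component file names taken from the write-up (matched case-insensitively).
TRANSPONDER_FILES = {
    "localnrd.dll", "mxtarget.dll", "bi.dll", "mnklins.exe", "kzgasg.exe",
    "conscorr.exe", "ln_reco.exe", "randreco.exe", "mx_reco.exe",
    "sentry.exe", "belt.exe", "susp.exe",
}

# Constructed snapshot (not captured from a real machine).  Both CLSIDs are
# hypothetical placeholders; the layout mirrors how IE stores BHOs.
ADWARE_CLSID = "{AAAAAAAA-1111-4111-8111-AAAAAAAAAAAA}"
BENIGN_CLSID = "{BBBBBBBB-2222-4222-8222-BBBBBBBBBBBB}"
SNAPSHOT = {
    BHO_KEY + "\\" + ADWARE_CLSID: {},
    "HKCR\\CLSID\\" + ADWARE_CLSID + "\\InprocServer32": {
        "": r"C:\WINDOWS\System32\LocalNRD.dll"},
    BHO_KEY + "\\" + BENIGN_CLSID: {},
    "HKCR\\CLSID\\" + BENIGN_CLSID + "\\InprocServer32": {
        "": r"C:\Program Files\Vendor\helper.dll"},
    RUN_KEY: {
        "mnklins": r"C:\WINDOWS\mnklins.exe",
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    },
}


def get_key(reg, key):
    """Values of one key; registry paths are case-insensitive."""
    for k, vals in reg.items():
        if k.lower() == key.lower():
            return vals
    return {}


def subkeys(reg, key):
    """Names of the direct subkeys of `key` in the flat snapshot."""
    prefix = key.lower() + "\\"
    return sorted({k[len(prefix):].split("\\")[0]
                   for k in reg if k.lower().startswith(prefix)})


def image_name(command):
    """Base file name of the executable in a Run command line or a DLL
    path, honouring a quoted path that contains spaces."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    path = (m.group(1) or m.group(2)) if m else command
    return re.split(r"[\\/]", path)[-1].lower()


def list_bhos(reg):
    """[(clsid, dll_path)] for every registered BHO."""
    out = []
    for clsid in subkeys(reg, BHO_KEY):
        server = get_key(reg, "HKCR\\CLSID\\" + clsid + "\\InprocServer32")
        out.append((clsid, server.get("", "<unresolved>")))
    return out


def find_transponder_artifacts(reg):
    """Flag BHOs and Run entries whose image is a known transponder file."""
    hits = []
    for clsid, dll in list_bhos(reg):
        if image_name(dll) in TRANSPONDER_FILES:
            hits.append(("BHO", clsid, dll))
    for name, cmd in get_key(reg, RUN_KEY).items():
        if image_name(cmd) in TRANSPONDER_FILES:
            hits.append(("Run", name, cmd))
    return hits


def load_live_registry():
    """Build the same flat structure from the real registry (Windows only;
    a 32-bit Python on 64-bit Windows sees the Wow6432Node view)."""
    import winreg  # ImportError on non-Windows platforms

    def values(root, path):
        out, i = {}, 0
        try:
            with winreg.OpenKey(root, path) as h:
                while True:  # EnumValue raises OSError past the last value
                    name, data, _ = winreg.EnumValue(h, i)
                    out[name], i = data, i + 1
        except OSError:
            return out

    def names(root, path):
        out, i = [], 0
        try:
            with winreg.OpenKey(root, path) as h:
                while True:  # EnumKey raises OSError past the last subkey
                    out.append(winreg.EnumKey(h, i))
                    i += 1
        except OSError:
            return out

    reg = {}
    bho_rel, run_rel = BHO_KEY.split("\\", 1)[1], RUN_KEY.split("\\", 1)[1]
    for clsid in names(winreg.HKEY_LOCAL_MACHINE, bho_rel):
        reg[BHO_KEY + "\\" + clsid] = {}
        reg["HKCR\\CLSID\\" + clsid + "\\InprocServer32"] = values(
            winreg.HKEY_CLASSES_ROOT, "CLSID\\" + clsid + "\\InprocServer32")
    reg[RUN_KEY] = values(winreg.HKEY_LOCAL_MACHINE, run_rel)
    return reg


if __name__ == "__main__":
    for kind, ident, image in find_transponder_artifacts(SNAPSHOT):
        print(f"{kind:3} {ident:45} {image}")
```

On a live machine, replace SNAPSHOT with load_live_registry(); any hit is only a starting point, since the write-up shows the dropped executables and the downloaded randreco.exe are not referenced from either location and have to be hunted in the Windows folder separately.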

 

In conclusion, all the above can be condensed to mean that the Direct-Revenue Transponder Gang is now acting like a Fifth Columnist: the files they leave behind are adware sleeper agents, so that weeks or months after using their Mypctuneup.com uninstallers, users can find themselves infested once again with the same or an even newer transponder variant. They could also find that their Ad-aware and/or Pest Patrol, or even their anti-virus software like McAfee and their firewall software, has been disabled, blocked, or worse still deleted from their computers, because of #12 of the Transponder Gang's EULA and because of what their software developer Envion Software has stated on its website about what the modules it creates for Direct-Revenue are supposed to do.

 

Example of the XML found in their Ln_reco.exe. (In the original write-up the names of valid security software are in red and the transponder variants in black bold, while all the others are other third-party adware groups; that colour coding is not preserved in this copy.)
 
 
 

<?xml version="1.0"?>
<queryRegistry partnerID="1" partnerData="CommandLine" bundleID="102" preHost="thinstall" prePath="bi/servlet/ThinstallPre" postHost="thinstall" postPath="bi/servlet/ThinstallPost" >
  <key hive="HKCR" path="Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}" subtree="no"/>
  <key hive="HKCU" path="SOFTWARE\180solutions" subtree="no"/>
  <key hive="HKLM" path="SOFTWARE\Microsoft\Internet Explorer\AboutURLs" subtree="no"/>
  <key hive="HKCU" path="SOFTWARE\Lavasoft\AD-Aware" subtree="no"/>
  <key hive="HKLM" path="SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ad-aware 5" subtree="no"/>
  <key hive="HKLM" path="SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" subtree="yes"/>
  <key hive="HKLM" path="SOFTWARE\BTGrab" subtree="yes"/>
  <key hive="HKLM" path="SOFTWARE\BTIEIN" subtree="no"/>
  <key hive="HKLM" path="SOFTWARE\CLRSCH" subtree="no"/>
  <key hive="HKCU" path="SOFTWARE\ceres" subtree="yes"/>
  <key hive="HKLM" path="SOFTWARE\DBi" subtree="yes"/>
  <key hive="HKLM" path="SOFTWARE\DHost" subtree="yes"/>
  <key hive="HKLM" path="SOFTWARE\Gator.com" subtree="no"/>
  <key hive="HKLM" path="SOFTWARE\GatorTest" subtree="no"/>
  <key hive="HKCU" path="SOFTWARE\intexp" subtree="yes"/>
  <!-- The intexp is the wupdt.exe -->
  <key hive="HKLM" path="SOFTWARE\IPInsight" subtree="yes"/>
  <key hive="HKCU" path="SOFTWARE\LocalNrd" subtree="yes"/>
  <key hive="HKLM" path="SOFTWARE\Microsoft\Internet Explorer\Main\ins" subtree="yes"/>
  <key hive="HKLM" path="SOFTWARE\McAfee" subtree="no"/>
  <key hive="HKLM" path="SOFTWARE\McAfee.com" subtree="no"/>
  <key hive="HKCU" path="SOFTWARE\morphacl" subtree="yes"/>
  <key hive="HKLM" path="SOFTWARE\180solutions\msbb" subtree="no"/>
  <key hive="HKLM" path="SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\msbb" subtree="no"/>
  <key hive="HKLM" path="SOFTWARE\MSView" subtree="yes"/>
  <key hive="HKCU" path="SOFTWARE\MultiMPP" subtree="yes"/>
  <key hive="HKCU" path="Software\mxtarget" subtree="yes"/>
  <key hive="HKLM" path="SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\nCase" subtree="no"/>
  <key hive="HKLM" path="SOFTWARE\PestPatrol" subtree="no"/>
  <key hive="HKLM" path="SOFTWARE\RespondMiter" subtree="yes"/>
  <key hive="HKLM" path="SOFTWARE\Microsoft\Windows\CurrentVersion\Run" subtree="yes"/>
  <key hive="HKLM" path="SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" subtree="yes"/>
  <key hive="HKLM" path="SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx" subtree="yes"/>
  <key hive="HKLM" path="SOFTWARE\Microsoft\Internet Explorer\Search" subtree="no"/>
  <key hive="HKCU" path="Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing" subtree="yes" />
  <key hive="HKLM" path="SOFTWARE\Microsoft\Internet Explorer\Toolbar" subtree="no"/>
  <key hive="HKLM" path="SOFTWARE\TPS108" subtree="yes"/>
  <key hive="HKLM" path="SOFTWARE\Twaintec" subtree="yes"/>
  <key hive="HKLM" path="SOFTWARE\Microsoft\Internet Explorer\Main\uni" subtree="yes"/>
  <key hive="HKLM" path="SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" subtree="keysOnly"/>
  <key hive="HKCU" path="SOFTWARE\VB" subtree="no"/>
  <key hive="HKCU" path="Software\VoiceIP" subtree="yes"/>
  <key hive="HKLM" path="SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WeatherCast" subtree="no"/>
  <key hive="HKLM" path="SOFTWARE\WhenUSave" subtree="no"/>
  <key hive="HKLM" path="SOFTWARE\Zserv" subtree="yes"/>
  <procList checkin="both"/>
  <persist />
</queryRegistry>
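The manifest above is a reconnaissance list: each <key> names a registry location whose presence the check-in reports to the thinstall servlets, and the list mixes the security products named in this write-up (Lavasoft Ad-aware, McAfee, PestPatrol) with autorun and IE locations and with competing adware vendors. The Python script below is an added example, not the adware's code: it parses a queryRegistry manifest, reconstructs the write-up's lost colour coding by classifying each key from the product names the text mentions, extracts the pre/post check-in endpoints, and emulates the probe against a list of keys known to exist on a machine. MANIFEST is a constructed excerpt of the keys listed above, and the reading of subtree="no" versus "yes"/"keysOnly" (exact key versus any subkey) is an assumption about the format, not something the page states.

```python
"""Parse a Transponder queryRegistry manifest and emulate its check-in probe.
Added example; not the adware's own code."""
import xml.etree.ElementTree as ET

# Constructed excerpt of the manifest shown above.
MANIFEST = r"""<?xml version="1.0"?>
<queryRegistry partnerID="1" partnerData="CommandLine" bundleID="102"
    preHost="thinstall" prePath="bi/servlet/ThinstallPre"
    postHost="thinstall" postPath="bi/servlet/ThinstallPost">
  <key hive="HKCU" path="SOFTWARE\Lavasoft\AD-Aware" subtree="no"/>
  <key hive="HKLM" path="SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ad-aware 5" subtree="no"/>
  <key hive="HKLM" path="SOFTWARE\McAfee" subtree="no"/>
  <key hive="HKLM" path="SOFTWARE\PestPatrol" subtree="no"/>
  <key hive="HKLM" path="SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" subtree="yes"/>
  <key hive="HKLM" path="SOFTWARE\Microsoft\Windows\CurrentVersion\Run" subtree="yes"/>
  <key hive="HKLM" path="SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" subtree="keysOnly"/>
  <key hive="HKCU" path="SOFTWARE\LocalNrd" subtree="yes"/>
  <key hive="HKLM" path="SOFTWARE\Gator.com" subtree="no"/>
  <procList checkin="both"/>
  <persist />
</queryRegistry>
"""

# The write-up marks security software in red; the colour is lost in text,
# so classify by the product names the write-up itself lists.
SECURITY_MARKERS = ("lavasoft", "ad-aware", "mcafee", "pestpatrol")


def classify(path):
    p = path.lower()
    if any(m in p for m in SECURITY_MARKERS):
        return "security-product"
    if p.startswith("software\\microsoft\\"):
        return "system-location"   # autorun, BHO, IE and uninstall locations
    return "vendor-key"            # transponder variants and other adware


def parse_manifest(xml_text):
    root = ET.fromstring(xml_text)
    if root.tag != "queryRegistry":
        raise ValueError("not a queryRegistry manifest: <%s>" % root.tag)
    return [{"hive": k.get("hive"), "path": k.get("path"),
             "subtree": k.get("subtree", "no"), "class": classify(k.get("path"))}
            for k in root.findall("key")]


def checkin_endpoints(xml_text):
    """Where the probe results go: pre/post servlets and the procList flag."""
    root = ET.fromstring(xml_text)
    proc = root.find("procList")
    return {"pre": (root.get("preHost"), root.get("prePath")),
            "post": (root.get("postHost"), root.get("postPath")),
            "procList": proc.get("checkin") if proc is not None else None}


def probe(entries, present_keys):
    """Emulate the check-in: which manifest keys exist on a machine?
    `present_keys` are full paths ("HIVE\\path") known to exist.
    Assumed semantics: subtree="no" needs the exact key; "yes" and
    "keysOnly" also count when only a subkey exists."""
    present = [k.lower() for k in present_keys]
    found = []
    for e in entries:
        full = (e["hive"] + "\\" + e["path"]).lower()
        deep = e["subtree"] != "no"
        if any(k == full or (deep and k.startswith(full + "\\")) for k in present):
            found.append(e)
    return found


def by_class(entries):
    """Group full key paths by classification, preserving manifest order."""
    groups = {}
    for e in entries:
        groups.setdefault(e["class"], []).append(e["hive"] + "\\" + e["path"])
    return groups


if __name__ == "__main__":
    entries = parse_manifest(MANIFEST)
    for cls, paths in by_class(entries).items():
        print(cls, *paths, sep="\n   ")
    print(checkin_endpoints(MANIFEST))
```

Run against the full list above, the security-product group is exactly the set of tools the EULA forbids users to employ, which is the point the write-up makes about what the check-in is for.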

    

 

History

Belt.exe and Susp.exe
Belt.exe and Susp.exe are part of the Transponder / Better Internet Gang
Dec 11, 2003

As of Dec 10, 2003, I now have a sample of every known transponder, from the first one that appeared in 1999 (IEHelper.dll) to the two newest ones now being seen on the Internet, Belt.exe and Susp.exe.

Although many think both are trojans or viruses, they are in fact programs that work in conjunction with Bi.dll to manage the pop-up advertising foisted by offeroptimizer.com, which is registered to Alan Murray.

From inside the code of Belt.exe and Susp.exe, both have the same coding and information, which directly links Better Internet Inc. to IPInsight.com. That site is not accessible, but its server still is, and it is registered to Daniel Kaufman, who was the CEO of Dash.com together with Joshua Abram, who is linked to Direct-Revenue.com, aBetterInternet.com, and the rest of the transponder sites along with Alan Murray. All of these can be linked to Blackstonedata and VX2.cc.

The Files:
Belt.exe
Modified: Friday, August 15, 2003, 3:18:20 PM
Size: 80.0 KB (81,920 bytes)
Version: 0,1,1,3
Company: Better Internet Inc.  

Container Belt.cab contains Belt.exe, Belt.ini, Belt.inf

Two known paths are to the Belt.cab and the Belt.exe
hxxp://69.20.5.39/download/cabs/BI5101/Belt.cab
hxxp://69.20.5.39/download/cabs/BI5101/belt.exe


 Susp.exe
Modified: Friday, August 15, 2003, 4:18:20 PM
Size: 80.0 KB (81,920 bytes)
Version: 0,1,1,3
Company: Better Internet Inc.  

Container Susp.cab containing Susp.exe, Susp.ini, Sups.inf

The code I found using Notepad (the version resource is stored as UTF-16, so Notepad shows a space after every character; the strings are rendered readable here):

Belt.exe code

VS_VERSION_INFO
StringFileInfo 040904b0
Comments:
CompanyName: Better Internet Inc
FileDescription: www.abetterinternet.com
FileVersion: 0, 1, 1, 3
InternalName:
LegalCopyright: Copyright © 2002
LegalTrademarks:
OriginalFilename:
PrivateBuild:
ProductName:
ProductVersion: 0, 1, 1, 3
SpecialBuild:
VarFileInfo
Translation

SentryStub.exe is a stub installer for the company's IP-Sentry application -both distributed by IP-Insight Corporation, a Delaware Corporation. Please see http://www.ipinsight.com for more details

Susp.exe code

VS_VERSION_INFO
StringFileInfo 040904b0
Comments:
CompanyName: Better Internet Inc.
FileDescription: www.abetterinternet.com
FileVersion: 0, 1, 1, 3
InternalName:
LegalCopyright: Copyright © 2002
LegalTrademarks:
OriginalFilename:
PrivateBuild:
ProductName:
ProductVersion: 0, 1, 1, 3
SpecialBuild:
VarFileInfo
Translation

SentryStub.exe is a stub installer for the company's IP-Sentry application -both distributed by IP-Insight Corporation, a Delaware Corporation. Please see http://www.ipinsight.com for more details.

The Original Sentry.exe from IP-Insight
File Properties:
 

Company: IP-Insight Corporation

Sentry.exe

Size: 76.0 KB (77,824 bytes)

Version: 0, 0, 1, 3

Internal Name: SentryStub

Original Name: SentryStub.exe

Product Name: IP-Sentry Stub

Comments: SentryStub.exe is a stub installer for the company's

IP-Sentry application -both distributed by IP-Insight Corporation, a

Delaware Corporation. Please see http://www.ipinsight.com for more details.

NOTE: Ad-Aware 6.181 and Newer detects all!
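The version-resource strings above were read by opening the binaries in Notepad, which is why every character appears with a space after it. The Python script below is an added example, not the write-up's tool: it extracts printable UTF-16LE runs from a file the way `strings -el` does, pairs each VS_VERSION_INFO key with the string that follows it (a heuristic that is enough for triage, not a full VS_VERSIONINFO structure parser), and pulls domain names out of both narrow and wide strings, which is how the abetterinternet.com / ipinsight.com link in the samples surfaces. SAMPLE is a constructed byte blob carrying the same strings the write-up found, so the script runs without the real Belt.exe; pass a file path on the command line to run it on a real sample.

```python
"""Extract UTF-16LE strings and version-resource fields from a binary.
Added example; not the write-up's own tool."""
import re
import sys

VERSION_KEYS = ("Comments", "CompanyName", "FileDescription", "FileVersion",
                "InternalName", "LegalCopyright", "LegalTrademarks",
                "OriginalFilename", "PrivateBuild", "ProductName",
                "ProductVersion", "SpecialBuild")
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+(?:com|net|org|cc|info|biz)\b")


def _wide(s):
    """UTF-16LE encode with the NUL terminator the resource uses."""
    return s.encode("utf-16-le") + b"\x00\x00"


# Constructed stand-in for Belt.exe (not the real file): a fake header, then
# the resource strings the write-up found, with padding words between them.
SAMPLE = (b"MZ\x90\x00" + bytes(60)
          + _wide("VS_VERSION_INFO") + b"\x00\x00"
          + _wide("StringFileInfo") + _wide("040904b0")
          + _wide("Comments")                        # empty value
          + _wide("CompanyName") + b"\x00\x00" + _wide("Better Internet Inc")
          + _wide("FileDescription") + _wide("www.abetterinternet.com")
          + _wide("FileVersion") + b"\x00\x00" + _wide("0, 1, 1, 3")
          + _wide("LegalCopyright") + _wide("Copyright \u00a9 2002")
          + _wide("ProductVersion") + _wide("0, 1, 1, 3")
          + _wide("VarFileInfo") + _wide("Translation") + b"\x09\x04\xb0\x04"
          + _wide("SentryStub.exe is a stub installer for the company's "
                  "IP-Sentry application -both distributed by IP-Insight "
                  "Corporation, a Delaware Corporation. Please see "
                  "http://www.ipinsight.com for more details")
          + b"\x00" * 16)


def wide_strings(data, min_len=4):
    """Printable UTF-16LE runs of at least min_len characters (Latin-1
    range, so the copyright sign survives), like `strings -el`."""
    pat = rb"(?:[\x20-\x7e\xa0-\xff]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pat, data)]


def narrow_strings(data, min_len=4):
    """Printable ASCII runs, like plain `strings`."""
    pat = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pat, data)]


def version_strings(data):
    """Pair each VS_VERSION_INFO key with the wide string that follows it.
    Heuristic: a key followed directly by another key has an empty value."""
    strs = wide_strings(data)
    out = {}
    for i, s in enumerate(strs[:-1]):
        if s in VERSION_KEYS and strs[i + 1] not in VERSION_KEYS:
            out[s] = strs[i + 1]
    return out


def domains(data):
    """Domain names found in narrow and wide strings, sorted and unique."""
    found = set()
    for s in narrow_strings(data) + wide_strings(data):
        found.update(DOMAIN_RE.findall(s.lower()))
    return sorted(found)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for key, value in version_strings(data).items():
        print(f"{key:18} {value}")
    print("domains:", ", ".join(domains(data)))
```

The trailing SentryStub.exe comment is not attached to any key, which is exactly why it stands out in a string dump: it is leftover text from the IP-Insight build rather than a field Better Internet filled in, and domains() surfaces ipinsight.com beside abetterinternet.com without any need to read the resource by hand.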
 



FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available in our efforts to advance understanding of environmental, political, human rights, economic, democracy, scientific, and social justice issues, etc. We believe this constitutes a 'fair use' of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material on this site is distributed without profit exclusivly for research and educational purposes.   If you wish to use copyrighted material from this site for purposes of your own that go beyond 'fair use', you must obtain permission from the copyright owner. 

Copyright © 1996-2016 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License.
Last modified: May 08, 2017